cisco acl to block dhcp server to hand out ip address to another network

i have two networks connected through a routerA. The dhcp server is located in the 10.100.1.0/24 network. I don't want the dhcp server (10.100.1.2)  to provide addresses to the 192.168.0.0/24 network.

i create an extended access-list in routerA:

ip access-list extended DenyDhcpOut
  deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootps
  deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootpc
  permit ip any any

on the interface:

int fa0/0/0
ip addRESS 192.168.0.0 255.255.255.0
ip access-group DenyDhcpOut in

However, this is not doing anything. DHCP continues to hand out ip addresses to the 192.168.0.0/24 network.  Please help. I tried different combinations but none work.
ShenAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Don JohnstonInstructorCommented:
Minor related point:  If you don't define a scope on your DHCP server for the 192.168.0.0/24 network, it won't hand out addresses.

As for your ACL, you need to make a slight change.

1) DHCP requests don't have a source address (that's why you're using DHCP) ;-)

So you can change it to:
  deny udp any 10.100.1.2 0.0.0.0 eq bootps
  deny udp any 10.100.1.2 0.0.0.0 eq bootpc

or
  deny udp 0.0.0.0 0.0.0.0 10.100.1.0 0.0.0.255 eq bootps
  deny udp 0.0.0.0 0.0.0.0 10.100.1.0 0.0.0.255 eq bootpc
0
ShenAuthor Commented:
so this will deny dhcp for the 192.168.0.0 network but still permit dhcp address to the 10.100.1.0 network?
0
Don JohnstonInstructorCommented:
Sorry... Don't understand the question.

The first ACL that I posted will deny DHCP requests from the 192.168.0.0/24 network to the 10.100.1.2 server.

The second ACL will denty DHCP requests from the 192.168.0.0/24 network if the device doesn't have an IP address and it's going to the 10.100.1.0/24 network.
0
Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

ShenAuthor Commented:
This is really strange, i put your statements and still the dhcp server on 10.100.1.2 hand out the ip address. I then put only 1 rule in the access-list extended DenyDhcpOut to troubleshoot:  deny ip any any  and still I  get an ip address. I also put the ip access-group extended DenyDhcpOut in the "in" and "out" directions of the interface fa0/0/0, but still hands out address.  

I wonder, if dhcp also does this at layer 2 whcih doesn ot make sense to me.
0
Don JohnstonInstructorCommented:
Please post the config of the router.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ShenAuthor Commented:
I found the problem. It was a physical layer 1 issue.  The connection from the switch in the 192.168.0.0 network was going to another switch in the 10.100.1.0 network.  From this switch then we  connect to the router.  I connected the first switch directly to the router interface fa0/0/0 and your ACLs worked.

I really thank you very much for your help.  Specially the explanation of the client not having an ip initially. Which is obvius but did not occur to me.

Thank you again
0
ShenAuthor Commented:
Excellent help.  

Thank you again
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.