Solved

cisco acl to block dhcp server to hand out ip address to another network

Posted on 2014-11-05
7
291 Views
Last Modified: 2014-11-06
i have two networks connected through a routerA. The dhcp server is located in the 10.100.1.0/24 network. I don't want the dhcp server (10.100.1.2)  to provide addresses to the 192.168.0.0/24 network.

i create an extended access-list in routerA:

ip access-list extended DenyDhcpOut
  deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootps
  deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootpc
  permit ip any any

on the interface:

int fa0/0/0
ip addRESS 192.168.0.0 255.255.255.0
ip access-group DenyDhcpOut in

However, this is not doing anything. DHCP continues to hand out ip addresses to the 192.168.0.0/24 network.  Please help. I tried different combinations but none work.
0
Comment
Question by:Shen
  • 4
  • 3
7 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40424913
Minor related point:  If you don't define a scope on your DHCP server for the 192.168.0.0/24 network, it won't hand out addresses.

As for your ACL, you need to make a slight change.

1) DHCP requests don't have a source address (that's why you're using DHCP) ;-)

So you can change it to:
  deny udp any 10.100.1.2 0.0.0.0 eq bootps
  deny udp any 10.100.1.2 0.0.0.0 eq bootpc

or
  deny udp 0.0.0.0 0.0.0.0 10.100.1.0 0.0.0.255 eq bootps
  deny udp 0.0.0.0 0.0.0.0 10.100.1.0 0.0.0.255 eq bootpc
0
 

Author Comment

by:Shen
ID: 40424963
so this will deny dhcp for the 192.168.0.0 network but still permit dhcp address to the 10.100.1.0 network?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40424998
Sorry... Don't understand the question.

The first ACL that I posted will deny DHCP requests from the 192.168.0.0/24 network to the 10.100.1.2 server.

The second ACL will denty DHCP requests from the 192.168.0.0/24 network if the device doesn't have an IP address and it's going to the 10.100.1.0/24 network.
0
Don't miss ATEN at NAB Show April 24-27!

Visit ATEN at NAB Show to learn how our "Seamlessly Entertaining" solutions deliver fast, precise video streaming without delays for the broadcasting and media environment. ATEN will showcase its 16x16 Modular Matrix Switch (VM1600) and KVM Over IP Solution (KE6900 series).

 

Author Comment

by:Shen
ID: 40426298
This is really strange, i put your statements and still the dhcp server on 10.100.1.2 hand out the ip address. I then put only 1 rule in the access-list extended DenyDhcpOut to troubleshoot:  deny ip any any  and still I  get an ip address. I also put the ip access-group extended DenyDhcpOut in the "in" and "out" directions of the interface fa0/0/0, but still hands out address.  

I wonder, if dhcp also does this at layer 2 whcih doesn ot make sense to me.
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 40426520
Please post the config of the router.
0
 

Author Comment

by:Shen
ID: 40426639
I found the problem. It was a physical layer 1 issue.  The connection from the switch in the 192.168.0.0 network was going to another switch in the 10.100.1.0 network.  From this switch then we  connect to the router.  I connected the first switch directly to the router interface fa0/0/0 and your ACLs worked.

I really thank you very much for your help.  Specially the explanation of the client not having an ip initially. Which is obvius but did not occur to me.

Thank you again
0
 

Author Closing Comment

by:Shen
ID: 40426643
Excellent help.  

Thank you again
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question