?
Solved

cisco acl to block dhcp server to hand out ip address to another network

Posted on 2014-11-05
7
Medium Priority
?
368 Views
Last Modified: 2014-11-06
i have two networks connected through a routerA. The dhcp server is located in the 10.100.1.0/24 network. I don't want the dhcp server (10.100.1.2)  to provide addresses to the 192.168.0.0/24 network.

i create an extended access-list in routerA:

ip access-list extended DenyDhcpOut
  deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootps
  deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootpc
  permit ip any any

on the interface:

int fa0/0/0
ip addRESS 192.168.0.0 255.255.255.0
ip access-group DenyDhcpOut in

However, this is not doing anything. DHCP continues to hand out ip addresses to the 192.168.0.0/24 network.  Please help. I tried different combinations but none work.
0
Comment
Question by:Shen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40424913
Minor related point:  If you don't define a scope on your DHCP server for the 192.168.0.0/24 network, it won't hand out addresses.

As for your ACL, you need to make a slight change.

1) DHCP requests don't have a source address (that's why you're using DHCP) ;-)

So you can change it to:
  deny udp any 10.100.1.2 0.0.0.0 eq bootps
  deny udp any 10.100.1.2 0.0.0.0 eq bootpc

or
  deny udp 0.0.0.0 0.0.0.0 10.100.1.0 0.0.0.255 eq bootps
  deny udp 0.0.0.0 0.0.0.0 10.100.1.0 0.0.0.255 eq bootpc
0
 

Author Comment

by:Shen
ID: 40424963
so this will deny dhcp for the 192.168.0.0 network but still permit dhcp address to the 10.100.1.0 network?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40424998
Sorry... Don't understand the question.

The first ACL that I posted will deny DHCP requests from the 192.168.0.0/24 network to the 10.100.1.2 server.

The second ACL will denty DHCP requests from the 192.168.0.0/24 network if the device doesn't have an IP address and it's going to the 10.100.1.0/24 network.
0
Optimum High-Definition Video Viewing and Control

The ATEN VM0404HA 4x4 4K HDMI Matrix Switch supports 4K resolutions of UHD (3840 x 2160) and DCI (4096 x 2160) with refresh rates of 30 Hz (4:4:4) and 60 Hz (4:2:0). It is ideal for applications where the routing of 4K digital signals is required.

 

Author Comment

by:Shen
ID: 40426298
This is really strange, i put your statements and still the dhcp server on 10.100.1.2 hand out the ip address. I then put only 1 rule in the access-list extended DenyDhcpOut to troubleshoot:  deny ip any any  and still I  get an ip address. I also put the ip access-group extended DenyDhcpOut in the "in" and "out" directions of the interface fa0/0/0, but still hands out address.  

I wonder, if dhcp also does this at layer 2 whcih doesn ot make sense to me.
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 2000 total points
ID: 40426520
Please post the config of the router.
0
 

Author Comment

by:Shen
ID: 40426639
I found the problem. It was a physical layer 1 issue.  The connection from the switch in the 192.168.0.0 network was going to another switch in the 10.100.1.0 network.  From this switch then we  connect to the router.  I connected the first switch directly to the router interface fa0/0/0 and your ACLs worked.

I really thank you very much for your help.  Specially the explanation of the client not having an ip initially. Which is obvius but did not occur to me.

Thank you again
0
 

Author Closing Comment

by:Shen
ID: 40426643
Excellent help.  

Thank you again
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
In this article, we’ll look at how to deploy ProxySQL.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question