Extended ACL for DHCP

Unanswered Question
Oct 3rd, 2007

Hi,

I'm having a problem creating an ACL to allow DHCP.

I want to secure a VLAN running across our Cisco wireless network infrastructure to limit access as much as I can.

Restricting access to limited ip addresses and ports is straightforward, but I can't seem to get the ACL correct to allow clients to obtain ip addresses via DHCP.

I seem to remember that the ACL for DHCP was a little odd -this is what I currently have:

permit udp any host 172.16.30.4 log

permit tcp any host 172.16.30.4 log

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.27 eq 8080 log

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.82 eq 443 log

deny ip any any (28 matches)

172.16.30.4 is the DHCP server, and I would like to limit this to only the ports required for DHCP, but I haven't specified whilst debugging this problem - my inital config was for ports 67 and 68.

I'm seeing traffic being logged against the deny ip any any, so I know the client is trying to send to the correct network etc.

The IP helper address is configured on the interface and is 172.16.30.4.

Can some one let me know what I'm missing.

Cheers,

Steve

I have this problem too.
1 vote
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (3 ratings)
noran01@icansp.com Thu, 10/04/2007 - 04:36

In order to allow DHCP you must add this to your ACL

permit udp any eq 68 host 255.255.255.255 eq 67

permit udp host 0.0.0.0 eq 68 host 172.16.30.4 eq 67

permit udp 172.16.36.0 0.0.0.255 eq 68 host 172.16.30.4 eq 67

I also noticed you have the following line:

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log

I assume you added this for DNS? If so you should change it to udp and drop the established parameter.

steve.kirk Thu, 10/04/2007 - 06:09

Hi,

Thanks for the response - I'll try the ACL for DHCP shortly.

With regard to the ACL:

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log

you are correct, that is for DNS.

However, on reflection I believe I will need tcp and udp for this rule as the client device will update DNS dynamically when it obtains an IP address from DHCP and I seem to recall DNS updates require tcp port 53?

Cheers,

Steve

steve.kirk Thu, 10/04/2007 - 08:16

Hi,

Thanks very much for your help. You were right, it seems that tcp isn't required for the dynamic DNS updates!

I'm also not seeing any matches on these two lines:

permit udp host 0.0.0.0 eq 68 host 172.16.30.4 eq 67

permit udp 172.16.36.0 0.0.0.255 eq 68 host 172.16.30.4 eq 67

I assume that these will be needed for for example clients that need to renew their address leases?

Thanks,

Steve

Actions

Login or Register to take actions

This Discussion

Posted October 3, 2007 at 4:39 AM
Stats:
Replies:3 Avg. Rating:5
Views:1424 Votes:1
Shares:0
Tags: No tags.

Discussions Leaderboard