Extended ACL for DHCP

steve.kirk
Level 1

Hi,

I'm having a problem creating an ACL to allow DHCP.

I want to secure a VLAN running across our Cisco wireless network infrastructure to limit access as much as I can.

Restricting access to limited ip addresses and ports is straightforward, but I can't seem to get the ACL correct to allow clients to obtain ip addresses via DHCP.

I seem to remember that the ACL for DHCP was a little odd - this is what I currently have:

permit udp any host 172.16.30.4 log

permit tcp any host 172.16.30.4 log

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.27 eq 8080 log

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.82 eq 443 log

deny ip any any (28 matches)

172.16.30.4 is the DHCP server, and I would like to limit this to only the ports required for DHCP, but I haven't specified them whilst debugging this problem - my initial config was for ports 67 and 68.

I'm seeing traffic being logged against the deny ip any any, so I know the client is trying to send to the correct network etc.

The IP helper address is configured on the interface and is 172.16.30.4.

Can someone let me know what I'm missing?

Cheers,

Steve

3 Replies

noran01
Level 3

In order to allow DHCP you must add this to your ACL:

permit udp any eq 68 host 255.255.255.255 eq 67

permit udp host 0.0.0.0 eq 68 host 172.16.30.4 eq 67

permit udp 172.16.36.0 0.0.0.255 eq 68 host 172.16.30.4 eq 67

I also noticed you have the following line:

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log

I assume you added this for DNS? If so you should change it to udp and drop the established parameter.
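As an added illustration (not part of the original thread), the following Python models first-match evaluation of the UDP entries above against a constructed DHCP exchange: the initial DISCOVER/REQUEST go from 0.0.0.0:68 to the 255.255.255.255:67 broadcast address, while a lease renewal is unicast from the client's assigned address to the server. It shows why Steve's original `permit udp any host 172.16.30.4` never matches the broadcast phase, and which of the three suggested entries catches each packet. The client addresses and the ACL shape are taken from the thread; the packet tuples are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    """One extended ACE: permit|deny udp <src> [eq sport] <dst> [eq dport]."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None   # None means any source port
    dport: Optional[int] = None   # None means any destination port

    def matches(self, src_ip, sport, dst_ip, dport):
        return (ipaddress.IPv4Address(src_ip) in self.src
                and ipaddress.IPv4Address(dst_ip) in self.dst
                and self.sport in (None, sport)
                and self.dport in (None, dport))

ANY = ipaddress.IPv4Network("0.0.0.0/0")
def host(ip):
    return ipaddress.IPv4Network(f"{ip}/32")
CLIENTS = ipaddress.IPv4Network("172.16.36.0/24")
SERVER = host("172.16.30.4")

# Steve's original first entry: "permit udp any host 172.16.30.4".
ORIGINAL = [Ace("permit", ANY, SERVER)]
# noran01's three DHCP entries, in the order given above.
DHCP_FIX = [
    Ace("permit", ANY, host("255.255.255.255"), 68, 67),
    Ace("permit", host("0.0.0.0"), SERVER, 68, 67),
    Ace("permit", CLIENTS, SERVER, 68, 67),
]

# Constructed UDP tuples (src, sport, dst, dport) for one client's lifecycle.
PACKETS = {
    "discover": ("0.0.0.0", 68, "255.255.255.255", 67),  # broadcast
    "request":  ("0.0.0.0", 68, "255.255.255.255", 67),  # broadcast
    "renew":    ("172.16.36.50", 68, "172.16.30.4", 67), # unicast at T1
}

def evaluate(acl, pkt):
    """First match wins; the trailing implicit 'deny ip any any' applies otherwise."""
    for n, ace in enumerate(acl, 1):
        if ace.matches(*pkt):
            return ace.action, n
    return "deny", None

def verdicts(acl):
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}
```

The original ACL denies both broadcast packets and permits only the unicast renewal, which matches the deny-counter symptom in the first post; with the fix, the broadcast phase hits entry 1 and the renewal hits entry 3.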

Hi,

Thanks for the response - I'll try the ACL for DHCP shortly.

With regard to the ACL:

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log

you are correct, that is for DNS.

However, on reflection I believe I will need tcp and udp for this rule as the client device will update DNS dynamically when it obtains an IP address from DHCP and I seem to recall DNS updates require tcp port 53?

Cheers,

Steve

Hi,

Thanks very much for your help. You were right, it seems that tcp isn't required for the dynamic DNS updates!

I'm also not seeing any matches on these two lines:

permit udp host 0.0.0.0 eq 68 host 172.16.30.4 eq 67

permit udp 172.16.36.0 0.0.0.255 eq 68 host 172.16.30.4 eq 67

I assume that these will be needed for, for example, clients that need to renew their address leases?

Thanks,

Steve
