Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
627
Views
0
Helpful
3
Replies

IP ACL on L2 port on 3750

d.jursik
Level 1
Level 1

‎10-04-2007 02:28 AM - edited ‎03-05-2019 06:52 PM

Hello All,

I need to make sure that on 1 trunk port all DHCP request/responses will not pass. In the documentation for 3750 they say that extended ip ACL can be assigned to L2 port as input ACL, if the port is trunk then traffic for all VLANs will be filtered. To prove it I created following ip extended ACL:

permit udp any eq bootps any

permit ip any any

and I assigned it as ip access-group ACL on L2 trunk port.

However I can not see any match and also permit ip any any hits are far away from all incoming packets counter that interface. Am I missing something?

Thanks and Regards,

Daniel

Labels:
0 Helpful
3 Replies 3

Kevin Dorrell
Level 10
Level 10

‎10-04-2007 02:39 AM

Daniel,

I suspect that the counters are not reliable because most of the processing is being done in the ASIC. I know, for example, that if you put a service policy on an interface and do a show policy-map interface, the counters are rubbish.

I don't know how you would get round this. Perhaps do a service policy with a drop on DHCP class, and then use the QoS accounting tools to view the counters.

Kevin Dorrell

Luxembourg

0 Helpful

d.jursik
Level 1
Level 1
In response to Kevin Dorrell

‎10-04-2007 02:44 AM

Hello,

Thanks, but I do not really care about the counters, I just need confirmation that assigning IP acl to L2 trunk interface with right deny (deny udp any bootps any bootpc) will filter DHCP responses from server on that port.

D.

0 Helpful

slaptijack
Level 1
Level 1
In response to d.jursik

‎11-02-2007 02:40 PM

I've had success blocking NetBIOS like this on Catalyst 2940, 2960, and 3560 switches.

Another option specific to DHCP might be to turn on DHCP snooping and make the specific port untrusted (thus allowing DHCP requests to come from the port, but not DHCP assignments). Hopefully I'm understanding your scenario correctly.

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00808c738a.html#wp1078853

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card