ZBF and DHCP server on router

Answered Question
Dec 23rd, 2009

Hello all,


On a Cisco 881 router with ZBF I have a dedicated VLAN for the AP connection. The AP gets its IP address from the router's DHCP server, and I would like to limit all access to the router's "self" zone to DHCP traffic only, if possible. Does anybody have an idea how to limit all traffic except DHCP to the self zone? Whatever I do to traffic to/from the self zone, I must always specify the last statement as "class class-default / inspect" and not "drop" as I would like to.



Thank you and kind regards,

Marko

Panos Kampanakis Wed, 12/23/2009 - 08:18
User Badges: Cisco Employee

You can match on UDP packet ports 67, 68 in a class-map of type inspect.

Then you can inspect these packets in a policy-map of type pass under the above class. The action for the rest of the traffic will be by default denied.

Then you can apply that policy-map in the out-to-self and self-to-out zone pairs.

And that should do it.


! DHCP ports: 67 (bootps, server) and 68 (bootpc, client)
ip access-list extended dhcp-acl
   permit udp any eq 67 any
   permit udp any any eq 68

! class-map references the ACL by name (access-group, not access-list)
class-map type inspect match-all dhcp-cm
  match access-group name dhcp-acl

policy-map type inspect dhcp-pm
  class type inspect dhcp-cm
     pass
  ! unmatched traffic falls into class-default, whose default action is drop

! the zone pairs attach the policy-map, not the class-map
zone-pair security source outside destination self
   service-policy type inspect dhcp-pm

zone-pair security source self destination outside
   service-policy type inspect dhcp-pm


I hope it helps.


PK

mocah Thu, 12/24/2009 - 12:37

Hello PK,


I have tried your solution and also a few other options in the access list, but unfortunately it is not working.


Here is my config:

ip access-list extended dhcp-allow
   permit udp any eq bootps any
   permit udp any any eq bootpc

class-map type inspect match-all dhcp-cmap
   match access-group name dhcp-allow

policy-map type inspect dhcp-pmap
   class type inspect dhcp-cmap
      pass
   class class-default
      drop

zone-pair security AP2Self source AP destination self
   service-policy type inspect dhcp-pmap
zone-pair security Self2AP source self destination AP
   service-policy type inspect dhcp-pmap


and here is the output from firewall log:


053666: Dec 24 17:34:07.361 CET: %FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default due to  DROP action found in policy-map with ip ident 0
053667: Dec 24 17:34:40.642 CET: %FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default due to  DROP action found in policy-map with ip ident 0

Correct Answer
Panos Kampanakis Thu, 12/24/2009 - 13:25
User Badges: Cisco Employee

Please change the ACL a little and it will work.


ip access-list extended dhcp-allow
   permit udp any eq bootps any
   permit udp any any eq bootpc
   permit udp any any eq bootps
   permit udp any eq bootpc any


Now you are not falling into the pass class.


PK
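The drop log above and the ACL fix can be checked without a router. The following is an added example, not code from the thread or from Cisco: a small evaluator for the extended ACL lines posted here (only the `any` and `host A.B.C.D` address forms, `udp`, and `eq` port qualifiers are supported, which is all these ACLs use). It models the posted policy-map as "pass if the ACL permits, otherwise class-default drop" and runs both versions of `dhcp-allow` over a constructed DHCP exchange whose DISCOVER tuple is the one in the `%FW-6-DROP_PKT` lines. The server and client addresses in the exchange are made up.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# IOS resolves these keywords in "eq <name>" to the numeric port.
PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    src: Optional[str]      # None means "any"
    sport: Optional[int]    # None means no "eq" qualifier on the source
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or self.src == p.src)
                and (self.sport is None or self.sport == p.sport)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny udp <src> [eq <port>] <dst> [eq <port>]'."""
    toks = line.split()
    if len(toks) < 4 or toks[0] not in ("permit", "deny") or toks[1] != "udp":
        raise ValueError(f"unsupported ACE: {line!r}")
    pos = 2

    def take_addr() -> Optional[str]:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return None
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"unsupported address form in: {line!r}")

    def take_port() -> Optional[int]:
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return int(PORT_NAMES.get(toks[pos - 1], toks[pos - 1]))
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return Ace(toks[0], src, sport, dst, dport)


def acl_lookup(acl: list[Ace], p: Packet) -> str:
    """First-match semantics with the implicit deny at the end of the ACL."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def zbf_action(acl: list[Ace], p: Packet) -> str:
    """Posted policy-map: class dhcp-cmap (match-all on the ACL) is 'pass';
    anything else falls into class-default, which is 'drop'."""
    return "pass" if acl_lookup(acl, p) == "permit" else "drop"


# The ACL mocah first posted (two lines) and PK's amended version (four lines).
ORIGINAL_ACL = [parse_ace(l) for l in (
    "permit udp any eq bootps any",
    "permit udp any any eq bootpc",
)]
FIXED_ACL = ORIGINAL_ACL + [parse_ace(l) for l in (
    "permit udp any any eq bootps",
    "permit udp any eq bootpc any",
)]

# Constructed DHCP exchange. The DISCOVER/REQUEST tuple is the one shown in the
# firewall log; the server and leased client addresses are invented.
DHCP_EXCHANGE = {
    "DISCOVER (AP->self)": Packet("0.0.0.0", 68, "255.255.255.255", 67),
    "OFFER (self->AP)": Packet("192.168.10.1", 67, "255.255.255.255", 68),
    "REQUEST (AP->self)": Packet("0.0.0.0", 68, "255.255.255.255", 67),
    "ACK (self->AP)": Packet("192.168.10.1", 67, "192.168.10.50", 68),
}


def dropped_messages(acl: list[Ace]) -> list[str]:
    """Names of the DHCP messages that would hit class-default drop."""
    return [name for name, p in DHCP_EXCHANGE.items() if zbf_action(acl, p) == "drop"]


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(f"{label} ACL drops: {dropped_messages(acl) or 'nothing'}")
```

Running it shows that the two-line ACL only covers the server-to-client direction (source port 67 or destination port 68), so the client's DISCOVER and REQUEST (source 68, destination 67) never reach the pass class on the AP-to-self zone pair and are dropped by class-default, which is exactly the logged tuple. The two added lines match that direction and all four messages pass.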

mocah Sat, 12/26/2009 - 13:22

Thank you PK, it works great. I wish you a happy 2010.

NISITNETC Thu, 04/28/2011 - 00:45

This is a good solution for a CISCO1921-SEC with CLI configuration. It works well both for the outside interface getting its IP from a DOCSIS DHCP server and for the router's own inside DHCP service.

Thanks!
