ZBF and DHCP server on router

mocah
Level 1

Hello all,

On a Cisco 881 router with ZBF I have a dedicated VLAN for the AP connection. The AP gets its IP address from the router's DHCP server, and I would like to limit all access to the router "self" zone to only DHCP traffic if possible. Does anybody have an idea how to limit all traffic except DHCP to the self zone? Whatever I do to traffic to/from the self zone, I must always specify the last statement as "class class-default/inspect" and not drop as I would like to.

Thank you and kind regards,

Marko

5 Replies

Panos Kampanakis
Cisco Employee

You can match on udp packet ports 67, 68 in a class-map of type inspect.

Then you can inspect these packets in a policy-map of type pass under the above class. The action for the rest of the traffic will be denied by default.

Then you can apply that policy-map to the out-to-self and self-to-out zone pairs.

And that should do it.

! ACL matching DHCP on the well-known ports (67 = bootps, 68 = bootpc)
ip access-list extended dhcp-acl
   permit udp any eq 67 any
   permit udp any any eq 68

! Class that references the ACL (class-maps use "match access-group name")
class-map type inspect match-all dhcp-cm
  match access-group name dhcp-acl

! Pass the DHCP class; everything else hits the implicit class-default drop
policy-map type inspect dhcp-pm
  class type inspect dhcp-cm
     pass

! Zone pairs need a name; the service-policy references the policy-map, not the class-map
zone-pair security out-to-self source outside destination self
   service-policy type inspect dhcp-pm

zone-pair security self-to-out source self destination outside
   service-policy type inspect dhcp-pm

I hope it helps.

PK

Hello PK,

I have tried your solution and also a few other options in access list, but unfortunately it is not working.

Here is my config:

ip access-list extended dhcp-allow
   permit udp any eq bootps any
   permit udp any any eq bootpc

class-map type inspect match-all dhcp-cmap
  match access-group name dhcp-allow

policy-map type inspect dhcp-pmap
  class type inspect dhcp-cmap
     pass
  class class-default
     drop

zone-pair security AP2Self source AP destination self
   service-policy type inspect dhcp-pmap

zone-pair security Self2AP source self destination AP
   service-policy type inspect dhcp-pmap

and here is the output from the firewall log:

053666: Dec 24 17:34:07.361 CET: %FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default due to  DROP action found in policy-map with ip ident 0
053667: Dec 24 17:34:40.642 CET: %FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default due to  DROP action found in policy-map with ip ident 0

Please change the ACL a little and it will work.

ip access-list extended dhcp-allow
   permit udp any eq bootps any
   permit udp any any eq bootpc

   permit udp any any eq bootps
   permit udp any eq bootpc any

Now you are not falling into the pass class.

PK
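The reason the two extra ACL lines matter is visible in the dropped session in Marko's log: a DHCP DISCOVER leaves the client with source port 68 (bootpc) and destination port 67 (bootps), while the original two entries only describe the reverse, server-to-client direction. The following is an added example, not code from the thread or from Cisco: it models both ACLs as ordered port-pair entries with IOS's first-match and implicit-deny semantics, parses the %FW-6-DROP_PKT line quoted above, and shows which ZBF class the packet lands in under each ACL. The entry tuples, the `parse_drop_log`/`classify` helpers and the class names are assumptions made for illustration.

```python
import re

# Constructed model of the two ACLs from the thread. Each entry is
# (source_port, destination_port); None stands for "any". This mirrors how
# IOS evaluates an extended ACL: the first matching entry wins, and a packet
# that matches no entry hits the implicit deny.
BOOTPS = 67  # DHCP server port (IOS keyword "bootps")
BOOTPC = 68  # DHCP client port (IOS keyword "bootpc")

# Marko's original dhcp-allow: both entries describe server -> client traffic
ACL_ORIGINAL = [
    (BOOTPS, None),  # permit udp any eq bootps any
    (None, BOOTPC),  # permit udp any any eq bootpc
]

# PK's corrected dhcp-allow: adds the client -> server direction
ACL_FIXED = ACL_ORIGINAL + [
    (None, BOOTPS),  # permit udp any any eq bootps
    (BOOTPC, None),  # permit udp any eq bootpc any
]

# Pattern for the %FW-6-DROP_PKT line format quoted in the thread
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+)"
)


def parse_drop_log(line):
    """Extract protocol, addresses, ports, zone pair and class from a ZBF drop line, or None."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    return {
        "proto": m.group("proto"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "zone_pair": m.group("zone_pair"),
        "class": m.group("cls"),
    }


def first_match(acl, sport, dport):
    """Index of the first ACL entry matching the port pair, or None (implicit deny)."""
    for idx, (src_eq, dst_eq) in enumerate(acl):
        if (src_eq is None or src_eq == sport) and (dst_eq is None or dst_eq == dport):
            return idx
    return None


def acl_permits(acl, sport, dport):
    """True if the packet matches the ACL and so falls into the pass class."""
    return first_match(acl, sport, dport) is not None


def classify(acl, line):
    """Name the ZBF class (hypothetical names) the logged packet would land in under the ACL."""
    pkt = parse_drop_log(line)
    if pkt is None or pkt["proto"] != "udp":
        return "class-default"
    return "dhcp-cmap" if acl_permits(acl, pkt["sport"], pkt["dport"]) else "class-default"


# The DISCOVER that Marko's log shows being dropped (copied from the thread)
DROPPED_DISCOVER = (
    "053666: Dec 24 17:34:07.361 CET: %FW-6-DROP_PKT: Dropping udp session "
    "0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default "
    "due to  DROP action found in policy-map with ip ident 0"
)

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        print(f"{name:8s} ACL -> {classify(acl, DROPPED_DISCOVER)}")
```

Running it shows the original ACL sends the 68-to-67 DISCOVER to class-default (and therefore to the drop action), while the corrected ACL matches it on the third entry; the server-to-client 67-to-68 replies were already covered by the first entry, which is why the Self2AP direction never showed drops.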

Thank you PK, it works great. I wish you a happy 2010.

This is a good solution for a CISCO1921-SEC with CLI configuration. It works well both for the outside interface getting its IP from a DOCSIS DHCP server and for the router's own inside DHCP service.

Thanks!
