On a Cisco 881 router with ZBF I have a dedicated VLAN for the AP connection. The AP is getting its IP address from the router's DHCP server, and I would like to limit all access to the router's "self" zone to only DHCP traffic if possible. Does anybody have an idea how to limit all traffic except DHCP to the self zone? Whatever I do to traffic to/from the self zone I must always specify the last statement as "class class-default/inspect" and not drop as I would like to.
I have tried your solution and also a few other options in access list, but unfortunately it is not working.
Here is my config:
ip access-list extended dhcp-allow
 permit udp any eq bootps any
 permit udp any any eq bootpc
!
class-map type inspect match-all dhcp-cmap
 match access-group name dhcp-allow
!
policy-map type inspect dhcp-pmap
 class type inspect dhcp-cmap
  pass
 class class-default
  drop
!
zone-pair security AP2Self source AP destination self
 service-policy type inspect dhcp-pmap
zone-pair security Self2AP source self destination AP
 service-policy type inspect dhcp-pmap
and here is the output from firewall log:
053666: Dec 24 17:34:07.361 CET: %FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default due to DROP action found in policy-map with ip ident 0
053667: Dec 24 17:34:40.642 CET: %FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default due to DROP action found in policy-map with ip ident 0
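As an added check that is not part of the thread, the posted ACL can be evaluated against the flow in the drop log: the DHCP request from the AP has source port 68 (bootpc) and destination port 67 (bootps), and neither posted entry matches that combination, which is why it lands in class-default. The script below parses the %FW-6-DROP_PKT line and the ACEs; the "fixed" ACL it compares against is an assumption for illustration, naming both DHCP directions explicitly because a ZBF "pass" action does not create state for return traffic.

```python
import re

# IOS port keywords used in the posted ACL.
PORT_NAMES = {"bootps": 67, "bootpc": 68}

def parse_ace(line):
    """Parse 'permit udp any [eq p] any [eq p]'. Only 'any' addresses and the
    'eq' operator are supported (an assumption; enough for the posted ACL)."""
    tok = line.split()
    pos = 2                      # tok[0]=action, tok[1]=protocol
    def addr_port():
        nonlocal pos
        assert tok[pos] == "any"   # assumption: no host/wildcard addresses
        pos += 1
        port = None
        if pos < len(tok) and tok[pos] == "eq":
            port = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
            pos += 2
        return port
    sport = addr_port()
    dport = addr_port()
    return {"action": tok[0], "proto": tok[1], "sport": sport, "dport": dport}

# Matches the session part of a %FW-6-DROP_PKT message.
DROP_RE = re.compile(r"Dropping (\w+) session ([\d.]+):(\d+) ([\d.]+):(\d+) on zone-pair (\S+)")

def flow_from_log(line):
    """Return (proto, src_port, dst_port, zone_pair) from a drop-log line."""
    m = DROP_RE.search(line)
    return m.group(1), int(m.group(3)), int(m.group(5)), m.group(6)

def first_match(acl_lines, log_line):
    """Return the first ACE matching the logged flow, or None (implicit deny)."""
    proto, sport, dport, _pair = flow_from_log(log_line)
    for ace in (parse_ace(l) for l in acl_lines):
        if ace["proto"] == proto and ace["sport"] in (None, sport) \
                and ace["dport"] in (None, dport):
            return ace
    return None

# The two entries exactly as posted, and the log line from the thread.
POSTED_ACL = ["permit udp any eq bootps any", "permit udp any any eq bootpc"]
LOG = ("053666: Dec 24 17:34:07.361 CET: %FW-6-DROP_PKT: Dropping udp session "
       "0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default "
       "due to DROP action found in policy-map with ip ident 0")
# Assumed corrected ACL: request (68->67) and reply (67->68) as separate entries.
FIXED_ACL = ["permit udp any eq bootpc any eq bootps",
             "permit udp any eq bootps any eq bootpc"]

if __name__ == "__main__":
    print("posted ACL matches:", first_match(POSTED_ACL, LOG))   # None
    print("fixed ACL matches:", first_match(FIXED_ACL, LOG))
```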