Cisco Support Community

New Member

ip dhcp relay and mac access-list on Nexus

Running NX-OS 4.2(3) on two 7Ks with HSRP between them; each has two identical VDCs.

VLAN 162 supports a network with a /23 DHCP scope. Both VLAN interfaces have 'ip dhcp relay address X.X.X.X' configured.

The current scope is exhausted and I'm looking for a short-term fix to limit devices based on vendor MAC addresses (WiFi network).

Created port-based MAC access-lists and applied them to the physical ports that connect to the WLC. Added 'mac packet-classify'.

This works to block the vendor MACs I targeted from communicating, but only after they get an IP address. It doesn't stop them from getting an IP address initially. Manual client exclusion is a pain on the WLC.

I think the DHCP relay process must be served before the access-list is inspected.

Has anyone else run into this or can think of a work-around?

Oh, I couldn't get 'vlan filter' to work either.
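For reference, here is the port-side configuration the question describes, written out as an added example (it is not taken from the thread). The OUI 0011.22, the ACL name and interface Ethernet1/1 are placeholders; the statistics line is added so the hit counters can be read back.

```text
! Added example, not from the original post. OUI 0011.22 and Ethernet1/1 are placeholders.
mac access-list BLOCK-VENDOR-OUI
  statistics per-entry
  ! Wildcard mask: 00 bytes must match, ff bytes are ignored, so entry 10 denies
  ! every source MAC whose first three bytes (the vendor OUI) are 00:11:22.
  10 deny 0011.2200.0000 0000.00ff.ffff any
  20 permit any any

interface Ethernet1/1
  description to-WLC
  switchport
  ! With packet classification enabled the MAC ACL is applied to all traffic
  ! entering this Layer 2 port, including IP; without it, to non-IP traffic only.
  mac packet-classify
  mac port access-group BLOCK-VENDOR-OUI

! Checks
show mac access-lists BLOCK-VENDOR-OUI
show running-config interface Ethernet1/1
```

Watch the entry 10 counter in 'show mac access-lists' while a targeted client associates. If it stays at zero until after the client has an address, the DHCP frames arriving on this port are not sourced from the client's MAC (for example, if the WLC has DHCP proxy enabled it relays the request itself), and a port MAC ACL on the WLC uplink cannot match them during the DHCP exchange.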

1 REPLY
New Member

Re: ip dhcp relay and mac access-list on Nexus

Hi Adam,

Can you be a little clearer on the symptoms you are seeing? Is DHCP succeeding and IP being blocked? Or is the ACL not working at all?

DHCP packets should be blocked as they are non-IP packets. Using a MAC ACL with packet classify disabled should block DHCP and allow you to preserve your scoped addresses.

The only other option would be MAB, but this is not a short-term solution.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_2/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_4.2_chapter13.html

/ijay
