01-06-2004 08:28 PM - edited 03-02-2019 12:42 PM
Hi, we have a problem with DHCP traffic crossing a Cisco 2611xm router to other subnets. We want to stop it ASAP.
Two subnets, (192.168.20.0 + 192.168.40.0) are connected via FE0/1 on the router. The other subnet (192.168.53.0) is connected to FE0/0
When we vpn into the 192.168.53.0 subnet we sometimes pick up an ip address (DHCP) from the 192.168.20.0 or 192.168.40.0 subnet. This is causing us problems and we want to stop it.
I thought the easiest way was an extended access-list applied to the FE0/0 and FE0/1 interfaces as follows.
access-list 103 permit tcp any any
access-list 103 permit udp any any
access-list 103 permit ip any any
The above would permit all tcp, udp and ip traffic from any source to any destination. Continue now with blocking all the protocols that dhcp traffic uses ( I found the port/protocol numbers at http://www.iana.org)...
access-list 103 deny tcp any any eq 67
access-list 103 deny udp any any eq 67
access-list 103 deny tcp any any eq 68
access-list 103 deny udp any any eq 68
access-list 103 deny tcp any any eq 546
access-list 103 deny udp any any eq 546
access-list 103 deny tcp any any eq 547
access-list 103 deny udp any any eq 547
The above blocks DHCP traffic outbound (I think??) for:
bootps = 67
bootpd = 68
dhcp client v6 = 546
dhcp server v6 = 547
If I have missed any for dhcp then please let me know. Also would it be better to block it inbound or outbound?
I assume at the end of the access-list there is an implicit "Deny all"
If I apply the above ACL to int FE0/0 and FE0/1 like:
(int 0/0)# ip access-group 103
(int 0/1)# ip access-group 103
then write mem... this should solve my problem. Tell me what you think. I have to do this today and I'd rather not stuff it up!!!! :)
Thanks in advance.
PS: below is the router config and some access lists defined, but I'm not sure if they are applied to any interface (though there is a reference to ACL 101).
Access Lists:
Standard IP access list 1
permit 192.168.53.70
Extended IP access list 101
permit udp any eq 42508 any
permit udp any range 42508 42510 any
Extended IP access list 102
deny udp any any eq bootpc
deny udp any any eq bootps
2611xm Router Config:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco01
!
boot system flash c2600-i-mz.122-8.T5.bin
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network ppp local
aaa session-id common
enable secret xxx.
enable password xx
!
username admin password xxx
ip subnet-zero
!
!
ip domain-name scea.wa.edu.au
!
!
ip vrf sitemap
ip multicast auto-enable
!
controller E1 0/0
channel-group 0 unframed
!
controller E1 0/1
channel-group 0 unframed
!
controller E1 1/0
channel-group 0 unframed
!
controller E1 1/1
channel-group 0 unframed
!
controller E1 1/2
channel-group 0 unframed
!
!
!
interface FastEthernet0/0
ip address 192.168.53.240 255.255.255.0
ip directed-broadcast 101
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/0:0
description Beechboro G703
ip address 192.168.200.5 255.255.255.252
ip directed-broadcast 101
!
interface FastEthernet0/1
ip address 192.168.40.240 255.255.255.0 secondary
ip address 192.168.20.230 255.255.254.0
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/1:0
description Ellenbrook G703
ip address 192.168.200.9 255.255.255.252
ip directed-broadcast 101
!
interface Serial0/2
description Armadale DDS
ip address 192.168.210.1 255.255.255.252
ip directed-broadcast 101
encapsulation ppp
no ip mroute-cache
custom-queue-list 1
no cdp enable
!
interface Serial0/3
description 2nd Unused Serial Port
no ip address
!
interface Serial1/0:0
description Mundaring G703
ip address 192.168.200.21 255.255.255.252
ip directed-broadcast 101
!
interface Serial1/1:0
description Kalamunda G703
ip address 192.168.200.13 255.255.255.252
ip directed-broadcast 101
!
interface Serial1/2:0
description Armadale
ip address 192.168.200.1 255.255.255.252
ip directed-broadcast 101
!
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 192.168.53.15
ip route 192.168.30.0 255.255.255.0 192.168.200.22
ip route 192.168.50.0 255.255.255.0 192.168.200.14
ip route 192.168.60.0 255.255.255.0 192.168.200.10
ip route 192.168.70.0 255.255.255.0 192.168.200.6
ip route 192.168.100.0 255.255.255.0 192.168.200.2
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.53.70
access-list 101 permit udp any eq 42508 any
access-list 101 permit udp any range 42508 42510 any
access-list 102 deny udp any any eq bootpc
access-list 102 deny udp any any eq bootps
queue-list 1 protocol ip 1 tcp 1494
queue-list 1 protocol ip 1 tcp 1604
queue-list 1 protocol ip 1 tcp 3389
queue-list 1 protocol ip 1 udp 1494
queue-list 1 protocol ip 1 udp 1604
queue-list 1 protocol ip 1 udp 3389
queue-list 1 protocol ip 2 udp domain
queue-list 1 protocol ip 2 tcp domain
queue-list 1 protocol ip 3 tcp www
queue-list 1 protocol ip 3 tcp 8080
queue-list 1 protocol ip 3 tcp 443
queue-list 1 protocol ip 3 tcp pop3
queue-list 1 protocol ip 3 tcp smtp
queue-list 1 default 4
queue-list 1 queue 1 byte-count 4500
queue-list 2 protocol ip 1 tcp 1494
queue-list 2 protocol ip 1 tcp 1604
queue-list 2 protocol ip 1 tcp 3389
queue-list 2 protocol ip 1 udp 1494
queue-list 2 protocol ip 1 udp 1604
queue-list 2 protocol ip 1 udp 3389
queue-list 2 default 2
queue-list 2 queue 1 byte-count 30000
snmp-server community sceait RO
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password xx
!
!
end
Thanks
01-06-2004 10:24 PM
Make sure those "access-list 103 deny" commands precede those three "access-list 103 permit" commands you show above. Or else the DHCP traffic will be matched and permitted before it ever gets to the deny statements.
Also, if you permit TCP (all ports) and UDP (all ports) in the order shown, then the subsequent permit of IP will effectively only catch ICMP traffic and pass it along. (Permitting IP covers TCP, UDP, and ICMP all at the same time.) You can drop the lines permitting TCP and UDP, and leave the one permitting IP in, and it will accomplish the same thing.
You are correct in assuming that there is an implicit "deny ip any any" at the end of each extended IP access-list. Sometimes it is helpful to explicitly put it at the end of an access-list, just so you can see if the list is being processed down that far. CAUTION: if it's not at the end of the list, then any access-list commands that follow it (for that particular list) will never get processed.
I would recommend applying the "ip access-group 103 inbound" on an interface.
Hope this helps.
UPDATED TO ADD: Do you know how the DHCP requests are being forwarded across the subnets? It doesn't look like you're using the "ip helper-address x.x.x.x" command on any LAN interfaces on the Cisco router. Also doesn't look like you're bridging anything. Do you have DHCP relay agents set up on machines? If you put the access-list command option "log" (without quotes) at the end of each of your deny commands, you can then "show log" at the console or via telnet session and see where the DHCP traffic is coming from and going to.
Good luck!
01-07-2004 12:08 AM
Hi, that's helpful and I'll change the order as now I understand why.
I'll apply it inbound on both FE interfaces to hopefully block DHCP requests and assignments crossing the network.
I don't know how the DHCP requests are being forwarded across the subnets; I just know machines on the 192.168.53.0 subnet are getting assigned IP addresses from either the 192.168.20.0 or 40.0 subnets and we need to stop it.
This is the way I thought would do it.
I'll make the following:
access-list 103 deny tcp any any eq 67 log
access-list 103 deny udp any any eq 67 log
access-list 103 deny tcp any any eq 68 log
access-list 103 deny udp any any eq 68 log
access-list 103 deny tcp any any eq 546 log
access-list 103 deny tcp any any eq 547 log
access-list 103 permit ip any any
I have no idea what the ip helper-address x.x.x.x command is? What does it do?
Anyway, thanks for your help. If I send a desperate email later tonight then you know it's been stuffed....:)
Paul
Perth
01-07-2004 05:09 AM
The "ip helper-address x.x.x.x" command (where x.x.x.x is the IP address of a DHCP server) is an interface configuration command that takes DHCP broadcast requests heard on that interface and relays or forwards them to the specified DHCP server.
This command is often used when different subnets don't have DHCP servers locally, and/or the DHCP server is centrally located and has multiple scopes defined (one for each of the subnets needing IP addresses).
By default, there are six or seven different UDP broadcast types that Cisco IOS forwards when you use this command. Some of these impact Microsoft-based networking in particular. So there's a related global configuration command, "no ip forward-protocol udp" that allows you to turn off forwarding for specific UDP services/port numbers.
If you need to know more, search the NetProf forums for "no ip forward-protocol udp" and you'll find several posts about this.
Let us know how it goes...
01-07-2004 05:23 AM
Thanks mate, that sounds helpful. I'll take a gander at the forum list for it.
regards
Paul
01-07-2004 05:53 AM
HELP!!!! I just applied the ACL to the two FE interfaces and I've lost my connection to the router and can't get back in!!
What I did was:
1) In int FE0/0 typed ip access-group 103 in
In int FE0/1 typed ip access-group 103 in
2) exited to Global Config mode and typed:
access-list 103 deny tcp any any eq 67 log
access-list 103 deny udp any any eq 67 log
access-list 103 deny tcp any any eq 68 log
access-list 103 deny udp any any eq 68 log
access-list 103 deny tcp any any eq 546 log
access-list 103 deny tcp any any eq 547 log
access-list 103 permit ip any any
At this point I lost my connection and I didn't even get a chance to save it with write mem.
What happened and more importantly am I taking a late night drive to fix it?
How could this drop my connection... I did exactly as you and some others suggested and also followed the method from my Cisco manual.
What can I do from here to put it right?
Thanks in advance
Paul
01-07-2004 02:44 PM
Did you apply the "ip access-group 103 in" to the interfaces before you entered the "access-list 103" commands into the configuration? If so, the interfaces were referencing a non-existent access-list, and the only command they would be able to match against is the implicit "deny ip any any". Rule of thumb is, input the access-list first, then apply it to an interface.
I assume your access into the router in question is/was via one of the two FastEthernet router interfaces. If not, did you try to get in from one of the serial interfaces? If not directly, then indirectly (via telnet from another router to which you still have telnet or console access, that connects to it serially)?
See my more detailed reply to your post in the "LAN, Switching and Routing" section:
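The two replies above (permits and denies must be ordered with the denies first, and applying "ip access-group 103 in" before the list is fully entered leaves only deny entries plus the implicit deny) can be checked against a small model of how IOS walks an extended access list top to bottom, first match wins. This is an added example written for this page, not the thread's or Cisco's code: it parses only the "any any" entries posted in the thread, ignores source and destination addresses because every posted entry uses "any", and the packets it evaluates are constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Service names IOS accepts in place of port numbers (the two used in this thread).
PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp" or "udp"
    dst_port: Optional[int]  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N {permit|deny} PROTO any any [eq PORT] [log]'.

    Only the 'any any' source/destination form posted in the thread is modelled.
    The trailing 'log' keyword affects logging, not matching, so it is ignored.
    """
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[4:6] != ["any", "any"]:
        raise ValueError(f"unsupported entry: {line!r}")
    action, proto, rest = tok[2], tok[3], tok[6:]
    dst_port = None
    if rest and rest[0] == "eq":
        dst_port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return Entry(action, proto, dst_port)


def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    return entry.dst_port is None or entry.dst_port == pkt.dst_port


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit 'deny ip any any'."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"


# ACL 103 exactly as first posted: permits before denies.
AS_FIRST_POSTED = parse_acl("""
access-list 103 permit tcp any any
access-list 103 permit udp any any
access-list 103 permit ip any any
access-list 103 deny tcp any any eq 67
access-list 103 deny udp any any eq 67
access-list 103 deny tcp any any eq 68
access-list 103 deny udp any any eq 68
access-list 103 deny tcp any any eq 546
access-list 103 deny udp any any eq 546
access-list 103 deny tcp any any eq 547
access-list 103 deny udp any any eq 547
""")

# ACL 103 as it ended up in the running config: denies first, one permit at the end.
DENIES_FIRST = parse_acl("""
access-list 103 deny tcp any any eq 67 log
access-list 103 deny udp any any eq bootps log
access-list 103 deny tcp any any eq 68 log
access-list 103 deny udp any any eq bootpc log
access-list 103 deny tcp any any eq 546 log
access-list 103 deny tcp any any eq 547 log
access-list 103 permit ip any any
""")

# Constructed sample packets; addresses are omitted because every entry is 'any any'.
SAMPLES = {
    "dhcp_discover": Packet("udp", 67),   # client -> server (bootps)
    "dhcp_offer": Packet("udp", 68),      # server -> client (bootpc)
    "telnet": Packet("tcp", 23),          # the admin's management session
    "ping": Packet("icmp"),
}


def verdicts(acl: List[Entry]) -> Dict[str, str]:
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


def lockout_during_entry(acl: List[Entry]) -> str:
    """What the router sees while the list is still being typed with the access-group
    already applied: every line but the final 'permit ip any any' exists, so only deny
    entries and the implicit deny remain, and the management session is dropped too."""
    return evaluate(acl[:-1], SAMPLES["telnet"])


if __name__ == "__main__":
    print("as first posted:", verdicts(AS_FIRST_POSTED))
    print("denies first:   ", verdicts(DENIES_FIRST))
    print("telnet while list incomplete:", lockout_during_entry(DENIES_FIRST))
```

With the list as first posted, both DHCP messages are permitted because "permit udp any any" matches before any deny is reached; with the denies first, they are dropped while telnet and ping still pass; and with the trailing permit not yet entered, everything including the admin's own session is denied, which is the state the router is in between applying the access-group and typing the permit line. The model says nothing about how a packet reached the router: as the reply above points out, without an "ip helper-address" on the LAN interfaces the router is not relaying DHCP broadcasts, and an interface ACL on it only ever sees DHCP traffic that is actually routed through it.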
01-08-2004 07:18 PM
Hi all,
I have a Cisco 3640 attached to a modem bank. The objective is to connect from a Windows platform client to this modem and establish a PPP connection to the network.
I have configured the routes as below:
Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
aaa new-model
aaa authentication ppp default local
!
interface Serial2/0
physical-layer async
description **dial-ppp port Tel #
ip address 10.1.1.7 255.255.255.252
encapsulation ppp
ip tcp header-compression passive
async mode interactive
no snmp trap link-status
peer default ip address 10.1.1.6
no cdp enable
ppp authentication chap
The problem is when I use dial-up on Win2K with an after-dial terminal, I get a username challenge, and after I enter the correct username and password, I get the router> prompt; I type PPP at the prompt and press Done.
After that I get a window pop-up verifying username and password, and it disconnects.
Please help, and many thanks in advance
rgds,
c0rum_z
01-19-2004 10:46 PM
Hi, thanks for the reply. I've applied a new access-list and it's still not blocking DHCP traffic.
I really don't want to go down the VLAN/trunking route to block the DHCP traffic across the LAN.
This is getting vital for me to fix (I have to get it fixed in 24 hours), so I'll give the whole setup again.
The Cisco router has two FE interfaces.
Int 0/0) has an ip address from subnet A with a DHCP server on it
Int 0/1) has two ip addresses from two subnets B and C with a DHCP server on them.
Both these interfaces plug into a 3com switch at our (192.168.53.0) end. From there it's a 100Mb link through to a switch at the subnet B and C end.
The router also has a few serial interfaces which are linked through 2Mb links to outlying schools, but I can't see this affecting anything. (see config below)
People on one subnet are logging in and getting IP addresses and scope info from a DHCP server on the other subnet, and this is causing issues.
ie: Clients dialing in to us should get a 192.168.53.x ip address and access all their resources ok but they are receiving an ip address etc from the DHCP server on the 192.168.20.0 subnet.
This is also stuffing our RIS work as we have pxe clients on the 192.168.53.0 subnet getting ip info from the 192.168.20.0 subnet etc etc...
We just want the easiest way to keep DHCP traffic to its own subnet, and blocking inbound + outbound DHCP traffic on both interfaces of the router seems to be the best option. This I have done with access-list 103 (see below).
BUT THIS IS STILL NOT WORKING AND I CAN'T FIGURE OUT WHY!!!!!
If anyone could help or give any pointers quickly I'd appreciate it. To me, the two subnets join at the Cisco 2611 router and that's where I've blocked DHCP traffic (tell me if I've blocked all the correct protocol numbers?).
Thanks in advance
Paul
Using 3902 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco01
!
boot system flash c2600-i-mz.122-8.T5.bin
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network ppp local
aaa session-id common
enable secret 5 $1$obNG$1sxmuUmoeW8VglTWlPzOd.
enable password 7 0317580E070635
!
username admin password 7 105D0A1C041E06
ip subnet-zero
!
!
ip domain-name scea.wa.edu.au
!
!
ip vrf sitemap
ip multicast auto-enable
!
controller E1 0/0
channel-group 0 unframed
!
controller E1 0/1
channel-group 0 unframed
!
controller E1 1/0
channel-group 0 unframed
!
controller E1 1/1
channel-group 0 unframed
!
controller E1 1/2
channel-group 0 unframed
!
!
!
interface FastEthernet0/0
ip address 192.168.53.240 255.255.255.0
ip access-group 103 in
ip access-group 103 out
ip directed-broadcast 101
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/0:0
description Beechboro G703
ip address 192.168.200.5 255.255.255.252
ip directed-broadcast 101
!
interface FastEthernet0/1
ip address 192.168.40.240 255.255.255.0 secondary
ip address 192.168.20.230 255.255.252.0
ip access-group 103 in
ip access-group 103 out
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/1:0
description Ellenbrook G703
ip address 192.168.200.9 255.255.255.252
ip directed-broadcast 101
!
interface Serial0/2
description Armadale DDS
ip address 192.168.210.1 255.255.255.252
ip directed-broadcast 101
encapsulation ppp
no ip mroute-cache
custom-queue-list 1
no cdp enable
!
interface Serial0/3
description 2nd Unused Serial Port
no ip address
!
interface Serial1/0:0
description Mundaring G703
ip address 192.168.200.21 255.255.255.252
ip directed-broadcast 101
!
interface Serial1/1:0
description Kalamunda G703
ip address 192.168.200.13 255.255.255.252
ip directed-broadcast 101
!
interface Serial1/2:0
description Armadale
ip address 192.168.200.1 255.255.255.252
ip directed-broadcast 101
!
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 192.168.53.15
ip route 192.168.30.0 255.255.255.0 192.168.200.22
ip route 192.168.50.0 255.255.255.0 192.168.200.14
ip route 192.168.60.0 255.255.255.0 192.168.200.10
ip route 192.168.70.0 255.255.255.0 192.168.200.6
ip route 192.168.100.0 255.255.255.0 192.168.200.2
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.53.70
access-list 101 permit udp any eq 42508 any
access-list 101 permit udp any range 42508 42510 any
access-list 102 deny udp any any eq bootpc
access-list 102 deny udp any any eq bootps
access-list 103 deny tcp any any eq 67 log
access-list 103 deny udp any any eq bootps log
access-list 103 deny tcp any any eq 68 log
access-list 103 deny udp any any eq bootpc log
access-list 103 deny tcp any any eq 546 log
access-list 103 deny tcp any any eq 547 log
access-list 103 permit ip any any
queue-list 1 protocol ip 1 tcp 1494
queue-list 1 protocol ip 1 tcp 1604
queue-list 1 protocol ip 1 tcp 3389
queue-list 1 protocol ip 1 udp 1494
queue-list 1 protocol ip 1 udp 1604
queue-list 1 protocol ip 1 udp 3389
queue-list 1 protocol ip 2 udp domain
queue-list 1 protocol ip 2 tcp domain
queue-list 1 protocol ip 3 tcp www
queue-list 1 protocol ip 3 tcp 8080
queue-list 1 protocol ip 3 tcp 443
queue-list 1 protocol ip 3 tcp pop3
queue-list 1 protocol ip 3 tcp smtp
queue-list 1 default 4
queue-list 1 queue 1 byte-count 4500
queue-list 2 protocol ip 1 tcp 1494
queue-list 2 protocol ip 1 tcp 1604
queue-list 2 protocol ip 1 tcp 3389
queue-list 2 protocol ip 1 udp 1494
queue-list 2 protocol ip 1 udp 1604
queue-list 2 protocol ip 1 udp 3389
queue-list 2 default 2
queue-list 2 queue 1 byte-count 30000
snmp-server community sceait RO
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password 7 071C22494F000D
!
!
end