Blocking DHCP requests on Cisco 2611 xm router

foxgold (Level 1)

Hi, we have a problem with DHCP traffic crossing a Cisco 2611xm router to other subnets. We want to stop it ASAP.

Two subnets (192.168.20.0 + 192.168.40.0) are connected via FE0/1 on the router. The other subnet (192.168.53.0) is connected to FE0/0.

When we vpn into the 192.168.53.0 subnet we sometimes pick up an ip address (DHCP) from the 192.168.20.0 or 192.168.40.0 subnet. This is causing us problems and we want to stop it.

I thought the easiest way was an extended access-list applied to the FE0/0 and FE0/1 interfaces as follows.

access-list 103 permit tcp any any
access-list 103 permit udp any any
access-list 103 permit ip any any

The above would permit all TCP, UDP and IP traffic from any source to any destination. Continue now with blocking all the protocols that DHCP traffic uses (I found the port/protocol numbers at http://www.iana.org)...

access-list 103 deny tcp any any eq 67
access-list 103 deny udp any any eq 67
access-list 103 deny tcp any any eq 68
access-list 103 deny udp any any eq 68
access-list 103 deny tcp any any eq 546
access-list 103 deny udp any any eq 546
access-list 103 deny tcp any any eq 547
access-list 103 deny udp any any eq 547

The above blocks DHCP traffic outbound (I think??) for:

bootps = 67
bootpd = 68
dhcp client v6 = 546
dhcp server v6 = 547

If I have missed any for dhcp then please let me know. Also would it be better to block it inbound or outbound?

I assume at the end of the access-list there is an implicit "Deny all"

If I apply the above ACL to int FE0/0 and FE0/1 like:

(int 0/0)# ip access-group 103
(int 0/1)# ip access-group 103

then write mem ...this should solve my problem. Tell me what you think. I have to do this today and I'd rather not stuff it up!!!! :)

Thanks in advance.

ps: below is the router config and some access lists defined, but not sure if they are applied to any interface (though there is a reference to ACL 101).

Access Lists:

Standard IP access list 1
 permit 192.168.53.70
Extended IP access list 101
 permit udp any eq 42508 any
 permit udp any range 42508 42510 any
Extended IP access list 102
 deny udp any any eq bootpc
 deny udp any any eq bootps

2611xm Router Config:

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco01
!
boot system flash c2600-i-mz.122-8.T5.bin
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network ppp local
aaa session-id common
enable secret xxx.
enable password xx
!
username admin password xxx
ip subnet-zero
!
!
ip domain-name scea.wa.edu.au
!
!
ip vrf sitemap
ip multicast auto-enable
!
controller E1 0/0
 channel-group 0 unframed
!
controller E1 0/1
 channel-group 0 unframed
!
controller E1 1/0
 channel-group 0 unframed
!
controller E1 1/1
 channel-group 0 unframed
!
controller E1 1/2
 channel-group 0 unframed
!
!
!
interface FastEthernet0/0
 ip address 192.168.53.240 255.255.255.0
 ip directed-broadcast 101
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0:0
 description Beechboro G703
 ip address 192.168.200.5 255.255.255.252
 ip directed-broadcast 101
!
interface FastEthernet0/1
 ip address 192.168.40.240 255.255.255.0 secondary
 ip address 192.168.20.230 255.255.254.0
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/1:0
 description Ellenbrook G703
 ip address 192.168.200.9 255.255.255.252
 ip directed-broadcast 101
!
interface Serial0/2
 description Armadale DDS
 ip address 192.168.210.1 255.255.255.252
 ip directed-broadcast 101
 encapsulation ppp
 no ip mroute-cache
 custom-queue-list 1
 no cdp enable
!
interface Serial0/3
 description 2nd Unused Serial Port
 no ip address
!
interface Serial1/0:0
 description Mundaring G703
 ip address 192.168.200.21 255.255.255.252
 ip directed-broadcast 101
!
interface Serial1/1:0
 description Kalamunda G703
 ip address 192.168.200.13 255.255.255.252
 ip directed-broadcast 101
!
interface Serial1/2:0
 description Armadale
 ip address 192.168.200.1 255.255.255.252
 ip directed-broadcast 101
!
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 192.168.53.15
ip route 192.168.30.0 255.255.255.0 192.168.200.22
ip route 192.168.50.0 255.255.255.0 192.168.200.14
ip route 192.168.60.0 255.255.255.0 192.168.200.10
ip route 192.168.70.0 255.255.255.0 192.168.200.6
ip route 192.168.100.0 255.255.255.0 192.168.200.2
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.53.70
access-list 101 permit udp any eq 42508 any
access-list 101 permit udp any range 42508 42510 any
access-list 102 deny udp any any eq bootpc
access-list 102 deny udp any any eq bootps
queue-list 1 protocol ip 1 tcp 1494
queue-list 1 protocol ip 1 tcp 1604
queue-list 1 protocol ip 1 tcp 3389
queue-list 1 protocol ip 1 udp 1494
queue-list 1 protocol ip 1 udp 1604
queue-list 1 protocol ip 1 udp 3389
queue-list 1 protocol ip 2 udp domain
queue-list 1 protocol ip 2 tcp domain
queue-list 1 protocol ip 3 tcp www
queue-list 1 protocol ip 3 tcp 8080
queue-list 1 protocol ip 3 tcp 443
queue-list 1 protocol ip 3 tcp pop3
queue-list 1 protocol ip 3 tcp smtp
queue-list 1 default 4
queue-list 1 queue 1 byte-count 4500
queue-list 2 protocol ip 1 tcp 1494
queue-list 2 protocol ip 1 tcp 1604
queue-list 2 protocol ip 1 tcp 3389
queue-list 2 protocol ip 1 udp 1494
queue-list 2 protocol ip 1 udp 1604
queue-list 2 protocol ip 1 udp 3389
queue-list 2 default 2
queue-list 2 queue 1 byte-count 30000
snmp-server community sceait RO
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password xx
!
!
end

Thanks


konigl (Level 7)

Make sure those "access-list 103 deny" commands precede those three "access-list 103 permit" commands you show above. Or else the DHCP traffic will be matched and permitted before it ever gets to the deny statements.

Also, if you permit TCP (all ports) and UDP (all ports) in the order shown, then the subsequent permit of IP will effectively only catch ICMP traffic and pass it along. (Permitting IP covers TCP, UDP, and ICMP all at the same time.) You can drop the lines permitting TCP and UDP, and leave the one permitting IP in, and it will accomplish the same thing.

You are correct in assuming that there is an implicit "deny ip any any" at the end of each extended IP access-list. Sometimes it is helpful to explicitly put it at the end of an access-list, just so you can see if the list is being processed down that far. CAUTION: if it's not at the end of the list, then any access-list commands that follow it (for that particular list) will never get processed.

I would recommend applying the "ip access-group 103 inbound" on an interface.

Hope this helps.

UPDATED TO ADD: Do you know how the DHCP requests are being forwarded across the subnets? It doesn't look like you're using the "ip helper-address x.x.x.x" command on any LAN interfaces on the Cisco router. Also doesn't look like you're bridging anything. Do you have DHCP relay agents set up on machines? If you put the access-list command option "log" (without quotes) at the end of each of your deny commands, you can then "show log" at the console or via telnet session and see where the DHCP traffic is coming from and going to.

Good luck!
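Added example, not part of the thread or of IOS: a small Python model of Cisco first-match extended ACL evaluation, run over the two orderings discussed above with constructed DHCP and DNS packets. It shows why the permit-first list passes DHCP, why the denies-first list blocks both the client request (to port 67) and the server reply (to port 68), and how a packet that matches nothing falls through to the implicit deny. The `bootps`/`bootpc` keyword mapping and the packet layout are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional

# Port keywords IOS substitutes for the two DHCP/BOOTP port numbers (assumed mapping).
PORT_NAMES = {"bootps": 67, "bootpc": 68}

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" ("ip" matches any IP protocol)
    dst_port: Optional[int]     # None means any destination port

@dataclass
class Packet:
    proto: str
    src_port: int
    dst_port: int

def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> any any [eq <port>] [log]' (the subset used here)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line!r}")
    port = None
    if "eq" in tok:
        name = tok[tok.index("eq") + 1]
        port = PORT_NAMES.get(name) or int(name)
    return Ace(tok[2], tok[3], port)

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; a packet matching no entry hits the implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action
    return "deny"

def decide(lines: List[str], pkt: Packet) -> str:
    return evaluate([parse_ace(l) for l in lines], pkt)

# The two orderings from the thread (TCP entries left out: DHCP runs over UDP only).
AS_POSTED = [
    "access-list 103 permit ip any any",
    "access-list 103 deny udp any any eq 67",
    "access-list 103 deny udp any any eq 68",
]
DENIES_FIRST = [
    "access-list 103 deny udp any any eq bootps log",
    "access-list 103 deny udp any any eq bootpc log",
    "access-list 103 permit ip any any",
]
# Constructed sample packets: DHCP DISCOVER (client 68 -> server 67), OFFER (67 -> 68), a DNS query.
DISCOVER, OFFER, DNS_QUERY = Packet("udp", 68, 67), Packet("udp", 67, 68), Packet("udp", 51000, 53)
```

Call `decide(AS_POSTED, DISCOVER)` and `decide(DENIES_FIRST, DISCOVER)` to compare the two orderings; dropping the trailing permit from `DENIES_FIRST` shows the implicit deny catching the DNS query.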

Hi, that's helpful and I'll change the order as now I understand why.

I'll apply it inbound on both FE interfaces to hopefully block DHCP requests and assignments crossing the network.

I don't know how the DHCP requests are being forwarded across the subnet; I just know machines on the 192.168.53.0 subnet are getting assigned IP addresses from either the 192.168.20.0 or 40.0 subnets and we need to stop it.

This is the way I thought would do it.

I'll make the following:

access-list 103 deny tcp any any eq 67 log
access-list 103 deny udp any any eq 67 log
access-list 103 deny tcp any any eq 68 log
access-list 103 deny udp any any eq 68 log
access-list 103 deny tcp any any eq 546 log
access-list 103 deny tcp any any eq 547 log
access-list 103 permit ip any any

I have no idea what the ip helper-address x.x.x.x command is. What does it do?

Anyway thanks for your help. If I send a desperate email later tonight then you know it's been stuffed....:)

Paul

Perth

The "ip helper-address x.x.x.x" command (where x.x.x.x is the IP address of a DHCP server) is an interface configuration command that takes DHCP broadcast requests heard on that interface and relays or forwards them to the specified DHCP server.

This command is often used when different subnets don't have DHCP servers locally, and/or the DHCP server is centrally located and has multiple scopes defined (one for each of the subnets needing IP addresses).

By default, there are six or seven different UDP broadcast types that Cisco IOS forwards when you use this command. Some of these impact Microsoft-based networking in particular. So there's a related global configuration command, "no ip forward-protocol udp" that allows you to turn off forwarding for specific UDP services/port numbers.

If you need to know more, search the NetProf forums for "no ip forward-protocol udp" and you'll find several posts about this.

Let us know how it goes...

Thanks mate, that sounds helpful. I'll take a gander at the forum list for it.

regards

Paul

HELP!!!! I just applied the ACL to the two FE interfaces and I've lost my connection to the router and can't get back in!!

What I did was:

1) In int FE0/0 typed ip access-group 103 in
   In int FE0/1 typed ip access-group 103 in

2) exited to Global Config mode and typed:

access-list 103 deny tcp any any eq 67 log
access-list 103 deny udp any any eq 67 log
access-list 103 deny tcp any any eq 68 log
access-list 103 deny udp any any eq 68 log
access-list 103 deny tcp any any eq 546 log
access-list 103 deny tcp any any eq 547 log
access-list 103 permit ip any any

At this point I lost my connection and I didn't even get a chance to save it with write mem.

What happened and more importantly am I taking a late night drive to fix it?

How could this drop my connection...I did exactly as you and some others suggested and also followed the method from my Cisco manual.

What can I do from here to put it right?

Thanks in advance

Paul

Did you apply the "ip access-group 103 in" to the interfaces before you entered the "access-list 103" commands into the configuration? If so, the interfaces were referencing a non-existent access-list, and the only command they would be able to match against is the implicit "deny ip any any". Rule of thumb is, input the access-list first, then apply it to an interface.

I assume your access into the router in question is/was via one of the two FastEthernet router interfaces. If not, did you try to get in from one of the serial interfaces? If not directly, then indirectly (via telnet from another router to which you still have telnet or console access, that connects to it serially)?

See my more detailed reply to your post in the "LAN, Switching and Routing" section:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.eea77a8/8#selected_message

Hi all,

I have a Cisco 3640 attached to a modem bank. The objective is to connect from a Windows platform client to this modem and establish a PPP connection to the network.

I have configured the routes as below:

Current configuration:

!
version 11.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
aaa new-model
aaa authentication ppp default local
!
interface Serial2/0
 physical-layer async
 description **dial-ppp port Tel #
 ip address 10.1.1.7 255.255.255.252
 encapsulation ppp
 ip tcp header-compression passive
 async mode interactive
 no snmp trap link-status
 peer default ip address 10.1.1.6
 no cdp enable
 ppp authentication chap

The problem is when I use dial up on Win2K with an after-dial terminal, it got a username challenge, and after I entered the correct username and password, I got the router> prompt and I typed PPP at the prompt and pressed done.

After that I will get a window pop out verifying username and password and disconnect.

Please help, and many thanks in advance

rgds,

c0rum_z

Hi, thanks for the reply. I've applied a new access-list and it's still not blocking DHCP traffic.

I really don't want to go down the Vlan/trunking route to block the DHCP traffic across the LAN.

This is getting vital for me to fix (I have to get it fixed in 24 hours), so I'll give the whole setup again.

The Cisco router has two FE interfaces.

Int 0/0) has an ip address from subnet A with a DHCP server on it

Int 0/1) has two ip addresses from two subnets B and C with a DHCP server on them.

Both these interfaces plug into a 3com switch at our (192.168.53.0) end. From there it's a 100mb link thru to a switch at the subnet B and C end.

The router also has a few serial interfaces which are linked thru 2mb links to outlying schools, but I can't see this affecting anything. (see config below)

People on one subnet are logging in and getting IP addresses and scope info from a DHCP server on the other subnet and this is causing issues.

ie: Clients dialing in to us should get a 192.168.53.x ip address and access all their resources ok but they are receiving an ip address etc from the DHCP server on the 192.168.20.0 subnet.

This is also stuffing our RIS work as we have pxe clients on the 192.168.53.0 subnet getting ip info from the 192.168.20.0 subnet etc etc...

We just want the easiest way to keep DHCP traffic to its own subnet, and blocking inbound + outbound DHCP traffic on both interfaces of the router seems to be the best option. This I have done with access-list 103 (see below).

BUT THIS IS STILL NOT WORKING AND I CAN'T FIGURE OUT WHY!!!!!

If anyone could help or give any pointers quickly I'd appreciate it. To me, the two subnets join at the Cisco 2611 router and that's where I've blocked DHCP traffic (tell me if I've blocked all the correct protocol numbers?)

Thanks in advance

Paul

Using 3902 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco01
!
boot system flash c2600-i-mz.122-8.T5.bin
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network ppp local
aaa session-id common
enable secret 5 $1$obNG$1sxmuUmoeW8VglTWlPzOd.
enable password 7 0317580E070635
!
username admin password 7 105D0A1C041E06
ip subnet-zero
!
!
ip domain-name scea.wa.edu.au
!
!
ip vrf sitemap
ip multicast auto-enable
!
controller E1 0/0
 channel-group 0 unframed
!
controller E1 0/1
 channel-group 0 unframed
!
controller E1 1/0
 channel-group 0 unframed
!
controller E1 1/1
 channel-group 0 unframed
!
controller E1 1/2
 channel-group 0 unframed
!
!
!
interface FastEthernet0/0
 ip address 192.168.53.240 255.255.255.0
 ip access-group 103 in
 ip access-group 103 out
 ip directed-broadcast 101
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0:0
 description Beechboro G703
 ip address 192.168.200.5 255.255.255.252
 ip directed-broadcast 101
!
interface FastEthernet0/1
 ip address 192.168.40.240 255.255.255.0 secondary
 ip address 192.168.20.230 255.255.252.0
 ip access-group 103 in
 ip access-group 103 out
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/1:0
 description Ellenbrook G703
 ip address 192.168.200.9 255.255.255.252
 ip directed-broadcast 101
!
interface Serial0/2
 description Armadale DDS
 ip address 192.168.210.1 255.255.255.252
 ip directed-broadcast 101
 encapsulation ppp
 no ip mroute-cache
 custom-queue-list 1
 no cdp enable
!
interface Serial0/3
 description 2nd Unused Serial Port
 no ip address
!
interface Serial1/0:0
 description Mundaring G703
 ip address 192.168.200.21 255.255.255.252
 ip directed-broadcast 101
!
interface Serial1/1:0
 description Kalamunda G703
 ip address 192.168.200.13 255.255.255.252
 ip directed-broadcast 101
!
interface Serial1/2:0
 description Armadale
 ip address 192.168.200.1 255.255.255.252
 ip directed-broadcast 101
!
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 192.168.53.15
ip route 192.168.30.0 255.255.255.0 192.168.200.22
ip route 192.168.50.0 255.255.255.0 192.168.200.14
ip route 192.168.60.0 255.255.255.0 192.168.200.10
ip route 192.168.70.0 255.255.255.0 192.168.200.6
ip route 192.168.100.0 255.255.255.0 192.168.200.2
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.53.70
access-list 101 permit udp any eq 42508 any
access-list 101 permit udp any range 42508 42510 any
access-list 102 deny udp any any eq bootpc
access-list 102 deny udp any any eq bootps
access-list 103 deny tcp any any eq 67 log
access-list 103 deny udp any any eq bootps log
access-list 103 deny tcp any any eq 68 log
access-list 103 deny udp any any eq bootpc log
access-list 103 deny tcp any any eq 546 log
access-list 103 deny tcp any any eq 547 log
access-list 103 permit ip any any
queue-list 1 protocol ip 1 tcp 1494
queue-list 1 protocol ip 1 tcp 1604
queue-list 1 protocol ip 1 tcp 3389
queue-list 1 protocol ip 1 udp 1494
queue-list 1 protocol ip 1 udp 1604
queue-list 1 protocol ip 1 udp 3389
queue-list 1 protocol ip 2 udp domain
queue-list 1 protocol ip 2 tcp domain
queue-list 1 protocol ip 3 tcp www
queue-list 1 protocol ip 3 tcp 8080
queue-list 1 protocol ip 3 tcp 443
queue-list 1 protocol ip 3 tcp pop3
queue-list 1 protocol ip 3 tcp smtp
queue-list 1 default 4
queue-list 1 queue 1 byte-count 4500
queue-list 2 protocol ip 1 tcp 1494
queue-list 2 protocol ip 1 tcp 1604
queue-list 2 protocol ip 1 tcp 3389
queue-list 2 protocol ip 1 udp 1494
queue-list 2 protocol ip 1 udp 1604
queue-list 2 protocol ip 1 udp 3389
queue-list 2 default 2
queue-list 2 queue 1 byte-count 30000
snmp-server community sceait RO
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password 7 071C22494F000D
!
!
end