
Urgent Help wanted with Blocking DHCP requests - cut myself off!!

This applies to the previous question about blocking DHCP requests/traffic across a Cisco 2611xm router.

HELP!!!! I just applied the ACL to the two FE interfaces and I've lost my connection to the router and can't get back in!!

What I did was:

1) In int FE0/0 typed ip access-group 103 in

In int FE0/1 typed ip access-group 103 in

2) exited to Global Config mode and typed:

access-list 103 deny tcp any any eq 67 log

access-list 103 deny udp any any eq 67 log

access-list 103 deny tcp any any eq 68 log

access-list 103 deny udp any any eq 68 log

access-list 103 deny tcp any any eq 546 log

access-list 103 deny tcp any any eq 547 log

access-list 103 permit ip any any

At this point I lost my connection and I didn't even get a chance to save it with write mem.

What happened and more importantly am I taking a late night drive to fix it?

How could this drop my connection? I did exactly as you and some others suggested and also followed the method from my Cisco manual.

What can I do from here to get it right?

Thanks in advance

Paul

6 REPLIES

Re: Urgent Help wanted with Blocking DHCP requests - cut myself

tcp/udp 67,68 are bootstrap protocol client

tcp/udp 546/547 are DHCPv6 client

You deny them and lost the connection. I guess you get the IP from the 2611 by DHCP, so losing the connection is normal.

you can re-configure the router.


Re: Urgent Help wanted with Blocking DHCP requests - cut myself

What you did was apply your ACL before you configured it. As soon as you entered the first line of the ACL, the router processed the ACL that was applied to the interface; the first line is a deny, and there is an implicit deny at the end. This is why you were locked out. What you can do is console in and remove the access-group from the interface, then finish putting in your ACL, then reapply the ACL to the interface.

If you do not have console access and you have SNMP system shutdown configured, you may be able to reload remotely.

Are there any other interfaces you can telnet to? Loopback? Serial interface? If there are, telnet using their IP addresses; you should be able to gain access that way also.


Re: Urgent Help wanted with Blocking DHCP requests - cut myself

Right, exactly what I thought, after applying it... haha

I will go in this morning and try to connect to it via console and HyperTerminal, remove the access-group on the interface, then put in the ACL again, then reapply it to the two FE interfaces.

If I can't get in, I think my last resort is a "cold reboot" of the router, as I didn't get a chance to write mem, so technically the settings should only be active in the running config/volatile RAM and will be lost if I reboot it??

What I don't understand is why it dropped my telnet connection, because I didn't block telnet AND there was a last line "permit ip any any"??

Therefore, if it was processed in order, the DHCP traffic would be blocked (which shouldn't affect my connection, as I've already picked up my IP address from a DHCP server on one of the subnets off one of the FE interfaces), then it should have allowed ALL IP traffic, then the implicit deny of any other traffic.

??

At the moment I can VPN into one of the subnets off one FE, but from there I can't access servers on the other subnets off the second FE; therefore it seems IP traffic is blocked "across" the router.

Can you confirm that a reboot will get rid of the settings I put in?

Thanks for your help.

Paul


Re: Urgent Help wanted with Blocking DHCP requests - cut myself

When you reboot the router, it will load the last image that was saved. As you did not do a write mem after configuring the ACL, when the router reboots that ACL will be lost.


Re: Urgent Help wanted with Blocking DHCP requests - cut myself

Thanks Chuck, that's what happened and it's OK now. I put in the ACL first, then applied it to the two interfaces, and it's sweet.

regards

Re: Urgent Help wanted with Blocking DHCP requests - cut myself

To prevent problems like this, there are a couple of nice tricks that you can use. First, if you do a "reload in X", the unit will reload in X minutes if you don't do a "reload cancel". If you're ever applying an ACL that might cut you off, or for that matter doing anything that you think might cut you off from your session, doing this first will save you a trip in. If your modifications fail, the router will reboot and come up with the last saved config, which of course you got cut off before you could save, so it should be a good config.

The second trick is to "tftp" your ACL changes into your running-config. Just do a "copy tftp run" and answer the prompts. Your ACL will be copied completely into memory and then applied all at once. Your traffic might drop for a moment, but since the ACL gets applied quickly it should be only a momentary outage. Be smart and use the first trick with this one.

One word of caution for the second trick. If the ACL already exists, you must first get rid of it before you recreate it, so do a "no ip access-list XXX" to remove the ACL before you put in the new one. Otherwise your changes just get tagged on the end and usually don't do anything.

You can also do some basic editing on ACLs. A good article was in a recent issue of Packet; go here for the article:

http://www.cisco.com/en/US/customer/about/ac123/ac114/ac173/ac225/about_cisco_packet_department0900aecd800c9136.html
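The procedure the replies above describe (define the ACL completely first, bind it to the interfaces only afterwards, and wrap the whole change in a "reload in" safety net) written out as one IOS session. This is an added example, not commands from anyone in the thread. It reuses the poster's ACL number 103 and interfaces FastEthernet0/0 and 0/1; the 10-minute timer is an assumption. It also drops the TCP and 546/547 entries from the original post: DHCP for IPv4 is BOOTP over UDP only (server port 67, client port 68), DHCPv6 is likewise UDP, and an IPv4 access list never sees IPv6 packets, so those lines could never match anything.

```cisco
! Added example (not from the thread). ACL number and interface names are
! taken from the original post; the 10-minute reload window is an assumption.

! 1. Safety net first. If the session is lost and nothing cancels this,
!    the router reloads in 10 minutes with the last SAVED config. Answer
!    "no" when asked to save the modified running config.
reload in 10

configure terminal

! 2. Build the ACL completely BEFORE it is bound to any interface.
!    If 103 already exists (or is half-defined from a previous attempt),
!    remove it first; otherwise new lines are appended after an existing
!    "permit ip any any" and never match.
no access-list 103

! IPv4 DHCP = BOOTP over UDP: requests go to port 67, replies to port 68.
access-list 103 deny   udp any any eq 67 log
access-list 103 deny   udp any any eq 68 log
! Everything else, including the telnet session you are working from, passes.
! Without this line the implicit "deny ip any any" at the end drops it all,
! which is exactly what happened when the ACL was entered one line at a time
! while already applied.
access-list 103 permit ip any any

! 3. Only now bind the finished ACL to the interfaces.
interface FastEthernet0/0
 ip access-group 103 in
interface FastEthernet0/1
 ip access-group 103 in
end

! 4. Verify: three entries in the ACL, both interfaces show it inbound,
!    and the hit counters on the deny lines climb when a client tries DHCP.
show ip access-lists 103
show ip interface FastEthernet0/0 | include access list
show ip interface FastEthernet0/1 | include access list

! 5. Still connected? Cancel the pending reload, then save.
reload cancel
write memory
```

Two caveats a practitioner would want: "no access-list 103" is the form for a numbered ACL (the "no ip access-list extended NAME" form is for named ACLs), and because the deny lines are applied inbound on both LAN interfaces they also stop the router itself from acting as a DHCP server or relay ("ip helper-address") on those segments, so make sure that is the intended effect before saving.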
