Extended ACL for DHCP

Hi,

I'm having a problem creating an ACL to allow DHCP.

I want to secure a VLAN running across our Cisco wireless network infrastructure to limit access as much as I can.

Restricting access to limited ip addresses and ports is straightforward, but I can't seem to get the ACL correct to allow clients to obtain ip addresses via DHCP.

I seem to remember that the ACL for DHCP was a little odd -this is what I currently have:

permit udp any host 172.16.30.4 log

permit tcp any host 172.16.30.4 log

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.27 eq 8080 log

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.82 eq 443 log

deny ip any any (28 matches)

172.16.30.4 is the DHCP server, and I would like to limit this to only the ports required for DHCP, but I haven't specified them whilst debugging this problem - my initial config was for ports 67 and 68.

I'm seeing traffic being logged against the deny ip any any, so I know the client is trying to send to the correct network etc.

The IP helper address is configured on the interface and is 172.16.30.4.

Can someone let me know what I'm missing?

Cheers,

Steve

3 REPLIES
New Member

Re: Extended ACL for DHCP

In order to allow DHCP you must add this to your ACL:

permit udp any eq 68 host 255.255.255.255 eq 67

permit udp host 0.0.0.0 eq 68 host 172.16.30.4 eq 67

permit udp 172.16.36.0 0.0.0.255 eq 68 host 172.16.30.4 eq 67

I also noticed you have the following line:

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log

I assume you added this for DNS? If so you should change it to udp and drop the established parameter.

New Member

Re: Extended ACL for DHCP

Hi,

Thanks for the response - I'll try the ACL for DHCP shortly.

With regard to the ACL:

permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log

you are correct, that is for DNS.

However, on reflection I believe I will need tcp and udp for this rule as the client device will update DNS dynamically when it obtains an IP address from DHCP and I seem to recall DNS updates require tcp port 53?

Cheers,

Steve

New Member

Re: Extended ACL for DHCP

Hi,

Thanks very much for your help. You were right, it seems that tcp isn't required for the dynamic DNS updates!

I'm also not seeing any matches on these two lines:

permit udp host 0.0.0.0 eq 68 host 172.16.30.4 eq 67

permit udp 172.16.36.0 0.0.0.255 eq 68 host 172.16.30.4 eq 67

I assume that these will be needed for, for example, clients that need to renew their address leases?

Thanks,

Steve
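The following is an added example, not code from the thread or from Cisco: a small evaluator for IOS-style IPv4 extended ACL entries (wildcard masks, `host`, `any`, `eq` ports, `established`) used to check which of the three DHCP entries from the first reply each RFC 2131 client message matches, and to answer the renewal question in the last post. The sample packets are constructed from the thread's own addresses; 172.16.36.50 is an assumed leased client address and 51000 an assumed ephemeral port. Packets are modelled as the inbound ACL on the VLAN interface sees them, i.e. before the `ip helper-address` relay rewrites them; the `log` keyword is parsed but has no effect on matching.

```python
"""Added example (not from the thread): evaluate IOS-style extended ACL
entries against the RFC 2131 DHCP client messages a VLAN interface sees."""
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}

# The restricted ACL the thread converges on: the three DHCP entries from the
# first reply, DNS over UDP as that reply suggests, the two application
# servers from the question, and an explicit final deny.
ACL_TEXT = """\
permit udp any eq 68 host 255.255.255.255 eq 67
permit udp host 0.0.0.0 eq 68 host 172.16.30.4 eq 67
permit udp 172.16.36.0 0.0.0.255 eq 68 host 172.16.30.4 eq 67
permit udp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain
permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.27 eq 8080
permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.82 eq 443
deny ip any any"""

# Same ACL with the DNS entry as the original post had it (tcp + established).
ACL_TEXT_TCP_DNS = ACL_TEXT.replace(
    "permit udp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain",
    "permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established")

def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' into (base, wildcard)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2

def _port(tokens, i):
    """Parse an optional 'eq <port>' where <port> is a number or IOS keyword."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_ace(line):
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in t[i:],
            "text": line}

def parse_acl(text):
    return [parse_ace(line) for line in text.splitlines() if line.strip()]

def _addr_ok(addr, spec):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == base & care

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (_addr_ok(pkt["src"], ace["src"]) and _addr_ok(pkt["dst"], ace["dst"])):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt["sport"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
        return False
    if ace["established"] and not pkt.get("ack", False):
        return False  # 'established' matches only TCP segments with ACK/RST set
    return True

def evaluate(acl, pkt):
    """First matching entry wins; anything that falls through is implicitly denied."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"

def udp(src, sport, dst, dport):
    return {"proto": "udp", "src": src, "sport": sport, "dst": dst, "dport": dport}

# RFC 2131 client messages as the inbound ACL on the VLAN interface sees them,
# before the relay rewrites them. 172.16.36.50 is an assumed leased address.
DHCP_FLOWS = {
    "DISCOVER (no lease yet)":           udp("0.0.0.0", 68, "255.255.255.255", 67),
    "REQUEST after OFFER (SELECTING)":   udp("0.0.0.0", 68, "255.255.255.255", 67),
    "REQUEST at T1 (RENEWING, unicast)": udp("172.16.36.50", 68, "172.16.30.4", 67),
    "REQUEST at T2 (REBINDING, bcast)":  udp("172.16.36.50", 68, "255.255.255.255", 67),
    "DNS query over UDP":                udp("172.16.36.50", 51000, "172.16.30.4", 53),
}

def report(acl_text=ACL_TEXT):
    """Map each modelled message to (action, matching entry text)."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, pkt) for name, pkt in DHCP_FLOWS.items()}

def unused_dhcp_entries(acl_text=ACL_TEXT):
    """DHCP entries (dport 67) that none of the modelled client messages hit."""
    acl = parse_acl(acl_text)
    hit = {ace for _, ace in report(acl_text).values()}
    return [a["text"] for a in acl if a["dport"] == 67 and a["text"] not in hit]

if __name__ == "__main__":
    for name, (action, ace) in report().items():
        print(f"{name:36s} -> {action:6s} via: {ace}")
    print("never matched:", unused_dhcp_entries())
```

Running it shows that DISCOVER, the SELECTING REQUEST and the REBINDING REQUEST all land on the first entry (source 0.0.0.0 or the leased address, destination 255.255.255.255), while only the RENEWING REQUEST, which RFC 2131 clients unicast to the server at T1 (half the lease by default), lands on the third entry, so that counter stays at zero until a lease reaches its renewal time. The `host 0.0.0.0 ... host 172.16.30.4` entry is hit by none of the modelled messages, consistent with the zero matches reported above. With the DNS entry in its original `tcp ... established` form, a plain UDP DNS query falls all the way through to `deny ip any any`, which is the replier's point about DNS.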
