Cisco Support Community

New Member

Blocking DHCP over bridged 1720

I have a 1720 which is running in bridged mode at a client site. It is required that they be bridged due to a non-routable protocol.

The problem is that each side is owned by a different group and use different IP subnets. Both groups would like to do DHCP for ease of management, but there has been no way to prevent each client from obtaining addresses from the other's DHCP server.

Is there a command that will block specifically DHCP and still allow all other broadcasts?

6 REPLIES

Re: Blocking DHCP over bridged 1720

I'm shooting from the hip here, but I'll give you two ideas to try.

Option 1 is to create a normal access-list and try denying DHCP on the Ethernet bridged interfaces.

Option 2 is to create a MAC access-list and deny the MAC addresses of the DHCP servers if they don't need to talk across the bridge for any other reason than DHCP. Place the MAC access-list on your switch port connected to the bridging router.

Sample Config

Option 1

access-list 100 deny udp any any eq 67
access-list 100 deny udp any any eq 68
! every IOS access list ends with an implicit deny, so permit the rest
access-list 100 permit ip any any
!
interface x0/0
 ip access-group 100 in
 ip access-group 100 out

Option 2

mac access-list extended DENYDHCP
 ! the mask form is a wildcard (ffff.ffff.ffff matches anything); use host
 deny host cccc.aaaa.1111 any
 permit any any
!
interface fa0/1
 mac access-group DENYDHCP out

I haven't had a chance to test either of these, and my syntax might be off, so look up the mac access-list in the command reference.

Patrick

Hall of Fame Super Silver

Re: Blocking DHCP over bridged 1720

Patrick

I like the thought process here, but I do not believe that either of these is likely to solve the problem. I believe that if the router is configured with no ip routing, as the original post implied, then the router is not likely to accept an extended IP access list on the Ethernet interface. The MAC address filter might work if the DHCP server is connected on the local broadcast domain and if there is no other need for the server to communicate with anything through the router. But if the server is not connected on the local broadcast domain, then the MAC address in the DHCP frame will not be the address of the server. And if the server needs to communicate with anything through the router, then the MAC filter will not work.

I am puzzled by the explanation in the original post about the need for bridging everything. It mentions some unroutable protocol but does not provide any specifics. The router is quite capable of routing IP and bridging some other protocol (perhaps NetBIOS or SNA or whatever non-routable protocol) at the same time. I do not understand why it is not possible to route IP and bridge the other protocol. This would automatically provide the separation of DHCP that they want.

Perhaps the original post can provide some more details about this environment.

HTH

Rick
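
Added example, not code from this thread: a small Python model of the two filters Patrick sketched (the UDP 67/68 access list, with and without a closing permit, and the MAC filter on the server's address) applied to constructed frames, including the case Rick raises where a DHCP reply that arrives through another router carries that router's source MAC rather than the server's. The Frame class, evaluate function, MAC addresses and port values are all made up for the illustration.

```python
"""Constructed example: model an IOS-style IP ACL and MAC ACL against a few
hand-built frames to see which DHCP traffic each one actually stops."""
from dataclasses import dataclass

DHCP_PORTS = {67, 68}


@dataclass(frozen=True)
class Frame:
    src_mac: str      # Ethernet source address
    ethertype: str    # "ip", "arp" or "lat" (DEC LAT, the non-routable protocol)
    proto: str = ""   # "udp", "tcp" or "icmp" for IP frames
    dport: int = 0    # UDP/TCP destination port


def ip_acl_100_permits(f: Frame, permit_remainder: bool = True) -> bool:
    """Model of 'access-list 100': deny udp any any eq 67/68, then either an
    explicit 'permit ip any any' (permit_remainder=True) or the implicit
    deny-all that ends every IOS ACL. Non-IP frames (ARP, LAT) are never
    evaluated by an IP access list, so they always pass here."""
    if f.ethertype != "ip":
        return True
    if f.proto == "udp" and f.dport in DHCP_PORTS:
        return False
    return permit_remainder


def mac_acl_permits(f: Frame, server_macs: set[str]) -> bool:
    """Model of 'mac access-list extended DENYDHCP' with 'deny host <server> any'."""
    return f.src_mac.lower() not in {m.lower() for m in server_macs}


# Constructed traffic (made-up addresses): a DHCPOFFER sent directly by the
# server, the same offer after a router/relay forwarded it (source MAC is now
# the router's), a client DISCOVER, a DNS reply from the same server host,
# and a DEC LAT frame that the bridge must keep carrying.
FRAMES = {
    "offer_local":   Frame("cccc.aaaa.1111", "ip", "udp", 68),
    "offer_relayed": Frame("0000.0c00.0001", "ip", "udp", 68),
    "discover":      Frame("aaaa.bbbb.0001", "ip", "udp", 67),
    "dns_reply":     Frame("cccc.aaaa.1111", "ip", "udp", 53),
    "lat":           Frame("aaaa.bbbb.0002", "lat"),
}


def evaluate(server_macs=frozenset({"cccc.aaaa.1111"})) -> dict[str, dict[str, bool]]:
    """Return, per frame, whether each filter variant would forward it."""
    return {name: {"ip_acl_as_posted": ip_acl_100_permits(f, permit_remainder=False),
                   "ip_acl_with_permit": ip_acl_100_permits(f),
                   "mac_acl": mac_acl_permits(f, server_macs)}
            for name, f in FRAMES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:14s} {verdict}")
```

The output shows the posted ACL (deny lines only) dropping the DNS reply along with DHCP, and the MAC filter missing the relayed offer while blocking every other frame from the server host.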

New Member

Re: Blocking DHCP over bridged 1720

Thanks Rick. I originally was looking for the integrated solution so that I could route IP and bridge the DECLat traffic. I was probably misinformed about being able to do this on the Cisco 1721 running 11.3. I have no previous experience using the DECLat protocol, but configuring this router to only bridge the DECLat would solve my problem.

On the flipside, it does appear that I could use a MAC filter as long as I move the DHCP server to some other machine.

Can you point me to an example of routing IP and bridging a protocol like DECLat?

Thanks,

Michael

Hall of Fame Super Silver

Re: Blocking DHCP over bridged 1720

Michael

I am not sure what you were told, but I am not aware of any reason that the 1721 could not route IP and bridge DECLat. The essentials of the configuration would look something like this:

ip routing
!
interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
 bridge-group 1
!
interface FastEthernet0
 ip address 172.16.2.1 255.255.255.0
 bridge-group 1
!
bridge 1 protocol ieee
!

Obviously you would need to adjust things like interface id and IP address to fit your situation. But this configuration will route on each interface for IP and will bridge between the two LAN interfaces for DECLat.

HTH

Rick

New Member

Re: Blocking DHCP over bridged 1720

Thanks Rick!

I had forgotten to mention that the two sites are separated on a serial interface rather than just by the router.

LAN<--->[1700]<----T1---->[1700]<--->LAN

This would be a bit different. Is it still possible in this scenario?

Thanks,

Michael

Hall of Fame Super Silver

Re: Blocking DHCP over bridged 1720

Michael

This certainly changes and complicates the situation. In general bridging over a WAN is considered a sub-optimal solution. There might be a couple of options that you could consider. There was a feature for doing protocol translation which would transport DEC over a WAN as an IP packet and translate it back. I looked in Software Advisor on CCO and I do not see this feature in the 1700 software. I am not sure whether that means it is not in the 1700 software or if it is a flaw in the Software Advisor (it would be quite easy to miss this one). You might check to see if the translate command is supported in your version of IOS.

Another possibility exists if the serial connection between the routers can be treated as Frame Relay (either it can be a real Frame Relay connection from a service provider or it can be using frame-relay encapsulation router to router back to back over the T1). If the serial can be treated as Frame Relay then you can configure two PVCs. On one PVC you configure routing for the IP traffic and on the other PVC you configure bridging for the DECLat traffic.

HTH

Rick
