Denying DHCP requests on my bridge network, 7206

ktcisg
Level 1

Hello all. I have a 7206 VXR with a G1 processor unit. It is the gateway router for my Cable TV network and is connected to the network via OC3. This router is also the DHCP server for my Bridge group (BVI) on this ATM interface.

Problem: If one of my customers buys a low end router, like a Linksys, and plugs the Ethernet from the DSL modem into the LAN side (instead of the Internet port) of the Linksys, it starts responding to DHCP requests on my network. I know this because I can receive a private IP address and normally log in to the Linksys and turn off DHCP. Then I release and renew and receive a public address from the 7206 and get out to the Internet.

Is there a way to write an access list to deny DHCP requests to the low end routers? This would help me tremendously. Thanks.

7 Replies

gpulos
Level 8

Create an IP ACL and apply it to your ATM interface that denies DHCP/BOOTP (68) requests inbound or replies outbound (if this is what you're attempting to accomplish).

see the following link for configuring IP ACLs:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080430e5b.html

Thanks for the reply. I am kinda familiar with configuring access lists. Let me explain my problem a little further:

My 7206 is the DHCP server for all of my DSL network. I am running a bridge group so the ATM network is like a big ethernet to the end users.

The problem is that these end users are hooking up their Linksys, Netgear, etc. routers backwards, and their DHCP servers are responding to my DSL customers' DHCP requests. Therefore, my DSL customers are obtaining private IP addresses from these routers instead of a CORRECT public address from the 7206.

I would like to block DHCP traffic to just the 192.168.1.0 255.255.255.0 network so that the backwards routers do not respond and my 7206 does.

Confusing, isn't it? :-)

Thanks again.

I was thinking of applying something like this to the outbound of the ATM interface:

access-list 110 deny udp any eq 67 192.168.1.0 255.255.255.0 any

DHCP uses UDP ports 67 and 68, right? This would not allow the Linksys's private network to receive DHCP broadcasts from other end users?

I wrote 2 versions:

access-list 110 deny udp host 192.168.2.1 eq bootpc any
access-list 110 deny udp host 192.168.2.1 eq bootps any
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit ip any any

access-list 110 deny tcp host 192.168.2.1 any
access-list 110 deny udp host 192.168.2.1 any
access-list 110 deny ip host 192.168.2.1 any
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit ip any any

This is what I get when I do a sh access-lists 110:

Extended IP access list 110
    10 deny udp host 192.168.2.1 eq bootpc any
    20 deny udp host 192.168.2.1 eq bootps any (12 matches)
    30 permit tcp any any (188206 matches)
    40 permit udp any any (34148 matches)
    50 permit ip any any (1650 matches)

AND

    10 deny tcp host 192.168.2.1 any
    20 deny udp host 192.168.2.1 any (6 matches)
    30 deny ip host 192.168.2.1 any
    40 permit tcp any any (333125 matches)
    50 permit udp any any (61369 matches)
    60 permit ip any any (3752 matches)

But my modem is STILL receiving a 192.168.2.28 regardless of the matches on the access lists.

Any ideas?

Now my knowledge of how cable modems work at the head end is limited, but this sounds like a normal bridging problem.

Let's assume that you have all the end users bridged, as it sounds like you do if you are using BVI interfaces. The DHCP broadcasts do not enter your router as layer 3 requests. If you can filter them, you must do it at layer 2. This brings up the issue of how you actually connect them together. If you have some form of switch in front of your router, the DHCP requests will pass between the users at that point. That will be the point where you must attempt to filter this.

The only time I have done something like this is on a layer 3 switch where I could apply VLAN access lists.

The DHCP server is one of the hardest denial of service attacks to prevent. You really don't want broadcasts of any kind going between your users. Someone could use an ARP spoofing attack to compromise your gateway, or even just configure their IP as the default gateway, which would cause major issues.

Your best bet is to attempt to get a layer 2 access list that prevents all forms of broadcast between the users but allows the router to see the broadcasts.

It is basically layer 2. All of my remote sites are fed via fiber, but the DSL traffic is 1483 bridged, so I have a BVI 1 on the ATM interface on the router. It's almost like a big Ethernet. This means the only place to apply any ACL is on the BVI, which sucks. Only 1 VLAN.

Yes, I still want the users to be able to obtain addresses automatically from the 7206 but deny any cross-traffic broadcasts to the 192.168.2.1 DHCP server. It's really a pain. I wish my company would get a RADIUS server.

Any other ideas?

I did a little more investigating this morning. I used Ethereal on a bridge modem and captured some DHCP events. I also did a debug on the 7206 DHCP server. I found that a Belkin router with IP address 192.168.2.1 was responding to DHCP requests on my network. I was able to assign my PC an IP address within the Belkin's scope, log in to the router, and disable DHCP. This is fine for a temporary fix. But I would still like to see something more permanent from Cisco to resolve this issue. Any more input is appreciated.
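The Ethereal investigation in the post above (finding which host is answering DHCP requests) can be automated. The following is an added example, not code from the thread or from Cisco: a Python parser that takes the UDP payloads of captured BOOTP/DHCP messages, pulls the message type (option 53), the server identifier (option 54) and the offered address (yiaddr), and flags every DHCPOFFER or DHCPACK whose server identifier is not on an allow list. The 7206's own address is not given on the page, so the documentation address 203.0.113.1 stands in for it as an assumption; the sample "capture" is constructed in the block itself and includes one offer from the 192.168.2.1 Belkin described above.

```python
import struct
from typing import Optional

# BOOTP/DHCP constants from RFC 2131 / RFC 2132
BOOTREPLY = 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER, DHCPACK = 2, 5

# Assumption: the 7206's address on the customer-facing network is not on the page;
# 203.0.113.1 (a documentation prefix) stands in for it.
AUTHORIZED_SERVERS = {"203.0.113.1"}


def parse_dhcp(payload: bytes) -> Optional[dict]:
    """Parse the fixed 236-byte BOOTP header plus the TLV option area.

    Returns None for anything that is not a well-formed DHCP reply with both a
    message type and a server identifier option."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    op, _htype, hlen = struct.unpack("!BBB", payload[0:3])
    if op != BOOTREPLY or hlen > 16:
        return None
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None  # option code without a length byte: truncated
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None  # option value runs past the end of the packet
        opts[code] = value
        i += 2 + length
    if OPT_MESSAGE_TYPE not in opts or len(opts[OPT_SERVER_ID if OPT_SERVER_ID in opts else OPT_MESSAGE_TYPE]) != 4:
        return None
    return {
        "type": opts[OPT_MESSAGE_TYPE][0],
        "server": ".".join(str(b) for b in opts[OPT_SERVER_ID]),
        "yiaddr": yiaddr,
        "client_mac": chaddr,
    }


def rogue_offers(payloads, authorized=AUTHORIZED_SERVERS) -> list:
    """Return every OFFER/ACK whose server identifier is not an authorized server."""
    rogues = []
    for p in payloads:
        msg = parse_dhcp(p)
        if msg and msg["type"] in (DHCPOFFER, DHCPACK) and msg["server"] not in authorized:
            rogues.append(msg)
    return rogues


def build_reply(msg_type: int, server_ip: str, yiaddr: str, client_mac: str) -> bytes:
    """Construct a minimal DHCP reply (test data, not a real capture)."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    mac = bytes.fromhex(client_mac.replace(":", ""))
    hdr = struct.pack("!BBBB", BOOTREPLY, 1, 6, 0)     # op, htype, hlen, hops
    hdr += struct.pack("!IHH", 0x3903F326, 0, 0)        # xid, secs, flags
    hdr += bytes(4) + ip(yiaddr) + ip(server_ip) + bytes(4)  # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + bytes(10)                              # chaddr padded to 16 bytes
    hdr += bytes(64) + bytes(128)                       # sname, file
    opts = MAGIC_COOKIE
    opts += bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ip(server_ip)
    opts += bytes([OPT_END])
    return hdr + opts


# Constructed sample capture: one legitimate offer and the Belkin's offer/ack.
SAMPLE_CAPTURE = [
    build_reply(DHCPOFFER, "203.0.113.1", "203.0.113.77", "00:11:22:33:44:55"),
    build_reply(DHCPOFFER, "192.168.2.1", "192.168.2.28", "00:11:22:33:44:55"),
    build_reply(DHCPACK, "192.168.2.1", "192.168.2.28", "00:11:22:33:44:55"),
]

if __name__ == "__main__":
    for r in rogue_offers(SAMPLE_CAPTURE):
        print(f"rogue DHCP server {r['server']} offered {r['yiaddr']} to {r['client_mac']}")
```

Feeding this the UDP payloads exported from a real capture (Ethereal/Wireshark "Export Packet Bytes" on the BOOTP layer, for example) lists the offending server addresses and the clients they answered, which is the information needed to find and disable the backwards router. It only observes; as the earlier reply notes, actually stopping the offers has to happen at layer 2, which an IP ACL on the BVI cannot do.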
