ACL - Allow access to DHCP server...

Discussion in 'Routing & Switching' started by albertc30, Nov 18, 2009.

  1. albertc30, Kilobyte Poster
    Hello everybody. Yeah, me again with more questions and a shout for help.

    I have this setup done on P.T.

    I have 3 networks, just for practising, so no need for large networks. I have:

    VLAN-10 = 10.0.0.0/30 - Default-Router = 10.0.0.2
    VLAN-20 = 10.0.0.4/30 - Default-Router = 10.0.0.6
    VLAN-30 = 10.0.0.8/30 - Default-Router = 10.0.0.10

    I want only to allow VLAN-30 to access the DHCP Server to start with, so I was doing the following:

    ip access-list extended 100
    permit udp 10.0.0.8 0.0.0.3 eq 67 host 10.0.0.10 eq 67 (when using this port for inbound, I was using port 68 for outbound)
    permit udp 10.0.0.8 0.0.0.3 eq 68 host 10.0.0.10 eq 68

    ip access-list extended 101
    permit udp host 10.0.0.10 eq 67 10.0.0.8 0.0.0.3 eq 67
    permit udp host 10.0.0.10 eq 68 10.0.0.8 0.0.0.3 eq 68

    int fa0/0.3 - (VLAN-30)
    ip access-group 100 in
    ip access-group 101 out

    I also have tried with no ports being specified and still no communication to the DHCP Server.
    I have been here going over and over this and, to be honest, this is starting to do my head in.
    A lot of you guys have indeed mentioned that if you don't do this on a regular basis it will eventually go away; well, you were right guys, so in order not to totally forget here I am busting my b****.

    Here's my conf file for my router:
    ********************************************
    Router#sh run
    Building configuration...

    Current configuration : 1091 bytes
    !
    version 12.2
    no service password-encryption
    !
    hostname Router
    !
    ip ssh version 1
    !
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.1
    encapsulation dot1Q 10
    ip address 10.0.0.2 255.255.255.252
    !
    interface FastEthernet0/0.2
    encapsulation dot1Q 20
    ip address 10.0.0.6 255.255.255.252
    !
    interface FastEthernet0/0.3
    encapsulation dot1Q 30
    ip address 10.0.0.10 255.255.255.252
    ip access-group 100 in
    ip access-group 101 out
    !
    ip classless
    !
    access-list 100 permit udp 10.0.0.8 0.0.0.3 eq bootps host 10.0.0.10 eq bootps
    access-list 100 permit udp 10.0.0.8 0.0.0.3 eq bootpc host 10.0.0.10 eq bootpc
    access-list 101 permit udp host 10.0.0.10 eq bootps 10.0.0.8 0.0.0.3 eq bootps
    access-list 101 permit udp host 10.0.0.10 eq bootpc 10.0.0.8 0.0.0.3 eq bootpc
    !
    ip dhcp pool 10
    network 10.0.0.0 255.255.255.252
    default-router 10.0.0.2
    ip dhcp pool 20
    network 10.0.0.4 255.255.255.252
    default-router 10.0.0.6
    ip dhcp pool 30
    network 10.0.0.8 255.255.255.252
    default-router 10.0.0.10
    !
    line con 0
    line vty 0 4
    login
    !
    end

    Router#
    *********************************************
    I think I have totally lost the logic of the whole thing.
    Any help appreciated.
    Cheers,
     
    Certifications: CCNA
    WIP: 220-701 - A+
  2. albertc30, Kilobyte Poster
    Another note to this post.
    Would I be wrong in assuming the following?

    Allow traffic from the network (VLAN-30 - 10.0.0.8/30) to the DHCP Server (10.0.0.10) to allow DHCP-Discover/Request; going inbound to sub-int Fa0/0.3

    And

    Allow traffic from the DHCP-Server (10.0.0.10) to the network VLAN-30 10.0.0.8/30 to allow DHCP-Offer/Pack; going outbound to sub-int Fa0/0.3.

    Is my logical thinking wrong?
    Is it missing something?

    DHCP request goes on port 67 and is broadcast by the computer, and also broadcast by the DHCP server when it offers it, as the PC asking for an IP hasn't yet got one, back to the PC on port 68, if memory serves me well...
     
    Certifications: CCNA
    WIP: 220-701 - A+
  3. craigie, Terabyte Poster
    Do not apply any ACLs and place the DHCP Server on the correct VLAN.

    Do you get DHCP Addresses? If not then your DHCP Server is not configured correctly.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  4. albertc30, Kilobyte Poster
    Yes mate, if no ACL is in place I do get an IP address and communication with the router
     
    Last edited: Nov 18, 2009
    Certifications: CCNA
    WIP: 220-701 - A+
  5. danielno8, Gigabyte Poster
    Can you upload the packet tracer file?
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  6. albertc30, Kilobyte Poster
    Yes mate, here it is.
     
    Certifications: CCNA
    WIP: 220-701 - A+
  7. danielno8, Gigabyte Poster
    Can I just clarify, you are trying to only allow DHCP to be assigned on vlan 30? If that is the case, rather than permitting it on the vlan 30 sub-interface, you want to block it on the other two vlan sub-interfaces.

    interface FastEthernet0/0.1
    encapsulation dot1Q 10
    ip address 10.0.0.2 255.255.255.252
    ip access-group 100 in
    !
    interface FastEthernet0/0.2
    encapsulation dot1Q 20
    ip address 10.0.0.6 255.255.255.252
    ip access-group 100 in
    !
    interface FastEthernet0/0.3
    encapsulation dot1Q 30
    ip address 10.0.0.10 255.255.255.252


    access-list 100 deny udp any any eq bootps
    access-list 100 permit ip any any

    ip access-group 100 in

    I also noticed you haven't enabled any vlans on your trunk port on the switch.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  8. Spice_Weasel, Kilobyte Poster
    albertc30,

    One important thing to remember, when making access-lists for DHCP, is that the client does not initially have an IP address. Your ACL 100 and 101 are only of use if the client already has a valid IP address.

    For learning purposes I suggest using lines such as:

    permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps log
    permit udp host 0.0.0.0 host 255.255.255.255 eq bootps log
    permit udp any any eq bootps log

    - and see which lines get hits. And of course debug dhcp for a good view of the DHCP packet exchange.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  9. BosonMichael, Yottabyte Poster
    This is right on the money. :)

    Albert, this is slightly unrelated to your question, but you've got a bunch of things going on in your config - VLANs, subinterfaces, ACLs, small subnetted ranges, etc... the sum total of which can be intimidating to someone just starting to learn this stuff... and adds to the difficulty when trying to troubleshoot your configs.

    My suggestion would be to take a step back and simplify. Learn each nugget individually before trying to mash it all together. Otherwise, you aren't sure what's gone wrong. Get rid of the VLANs and sub-ifs, and just use a plain-old /24 range for each interface. Using a two-address /30 range for a DHCP scope is just asking for trouble, what with one address consumed by the router interface (which you didn't exclude from the scope) and the other address reserved for the lease duration. Switch devices, and you'll either get a conflict or no address at all.

    Simplify. :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  10. albertc30, Kilobyte Poster
    Hello mate.
    Trunk is there and working as you can see below,
    **********************************************
    Switch#sh in trunk
    Port Mode Encapsulation Status Native vlan
    Fa9/1 on 802.1q trunking 1

    Port Vlans allowed on trunk
    Fa9/1 1-1005

    Port Vlans allowed and active in management domain
    Fa9/1 1,10,20,30,1002,1003,1004,1005

    Port Vlans in spanning tree forwarding state and not pruned
    Fa9/1 1,10,20,30,1002,1003,1004,1005
    Switch#
    **********************************************
    What I was trying to do was having the other networks .0 and .4 see each other and block network .8 from reaching them, but of course reaching out for the DHCP server.
    Thanks for your input mate, well appreciated.
    Sorry if my setup is a bit confusing.
     
    Certifications: CCNA
    WIP: 220-701 - A+
  11. albertc30, Kilobyte Poster
    BosonMichael, this is by far the best advice ever from you mate. Thanks ever so much for your advice, as it will be taken on board, and you are right about my setup, it is a bit confusing I must admit. I just thought that I was keeping it simple for me.:oops:
    I'm just going over all this stuff yet again as I do not want to forget them so best way is to keep practising.
    I could have always done just 3 networks and no VLANS involved and I could get in the end the result I was looking for.
    And thanks for the pointer about the addresses to remove from the DHCP pool; it was just me being lazy as I do have them set on my Cisco 1721 here at home with BT Broadband. I'm excluding IPs like my router's own IP, my WAP, my NAS, and my own machine to which I use static configuration.
    Once again thanks for the help BosonMichael and all of you guys and girls.

    I shall have a go at the example mentioned in one of the posts and see how it goes.

    Cheers everybody.
     
    Certifications: CCNA
    WIP: 220-701 - A+
  12. albertc30, Kilobyte Poster
    I knew I was neglecting something; I knew about the PC sending out a broadcast for a DHCPRequest as it has no IP, and yet it failed to come to thought.
    Thanks mate. I shall have a go at it and let you know the results.
    Cheers,
     
    Certifications: CCNA
    WIP: 220-701 - A+
  13. BosonMichael, Yottabyte Poster
    Just didn't want you banging your head thinking it might be "all the other stuff" instead of what it truly was, know what I mean? After you get the individual pieces working... THEN put it all together, complete with VLANs, ACLs, sub-ifs, DHCP, QoS, routing protocols, everything.

    Very glad to be of assistance. :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  14. albertc30, Kilobyte Poster
    Hello everybody.
    Following your advice I did the following;

    3 Networks - 192.168.1.0/24-192.168.2.0/24-192.168.3.0/24;
    1 DNS/WWW Server on network 192.168.3.0/24 - IP address 192.168.3.253;
    DHCP pools on the router;

    ACLs to allow access to DHCP server in router, DNS and WWW on network 192.168.3.0/24.
    Deny access to any workstations on network 192.168.3.0/24;

    So my setup is as follows;

    *******************************************
    Router#sh run
    Building configuration...

    Current configuration : 1065 bytes
    !
    version 12.2
    no service password-encryption
    !
    hostname Router
    !
    ip ssh version 1
    !
    interface FastEthernet0/0
    ip address 192.168.1.254 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 192.168.2.254 255.255.255.0
    ip access-group 100 in
    duplex auto
    speed auto
    !
    interface FastEthernet2/0
    ip address 192.168.3.254 255.255.255.0
    duplex auto
    speed auto
    !
    ip classless
    !
    access-list 100 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
    access-list 100 permit ip any host 192.168.3.253
    !
    ip dhcp excluded-address 192.168.1.254
    ip dhcp excluded-address 192.168.2.254
    ip dhcp excluded-address 192.168.3.254
    ip dhcp excluded-address 192.168.3.253
    !
    ip dhcp pool 1
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.254
    dns-server 192.168.3.253
    ip dhcp pool 2
    network 192.168.2.0 255.255.255.0
    default-router 192.168.2.254
    dns-server 192.168.3.253
    ip dhcp pool 3
    network 192.168.3.0 255.255.255.0
    default-router 192.168.3.254
    dns-server 192.168.3.253
    !
    line con 0
    line vty 0 4
    login
    !
    end

    Router#
    ****************************************
    In order to allow access to the router's DHCP server the line permit udp host 0.0.0.0 eq bootpc host bootps did its job as it was mentioned here before, thanks mate;

    I wanted to allow access to the WWW & DNS server by adding the following lines;

    permit udp any eq 53 host 192.168.3.253 eq 53 - (access to the DNS server)
    and
    permit tcp any eq 80 host 192.168.3.253 eq 80 - (access to the www server)

    but they were not getting any hits on the ACLs at all, as I could not access the www by typing it in the web browser nor by typing the www server's IP address.

    The thing of it is that, the way it is done, I can also ping the server. I just wanted to target ports and have it working like that. I can always edit the ACLs and add a deny for ICMP requests to the router's interface for the inbound traffic.

    *****************************************
    Router#sh access-lists
    Extended IP access list 100
    permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps (2 match(es))
    permit ip any host 192.168.3.253 (15 match(es))
    Router#
    ****************************************
    Any comments well appreciated guys and girls.
    To all of you a very nice weekend.:)
     
    Certifications: CCNA
    WIP: 220-701 - A+
  15. BosonMichael, Yottabyte Poster
    I'm not sure I understand the question...
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  16. albertc30, Kilobyte Poster
    Hello.

    What I am trying to achieve is the following;

    Network 192.168.2.0/24 is not to access/communicate to any of the hosts on network 192.168.3.0/24 apart from the www/dns server 192.168.3.253 and also, it needs to access the router's DHCP server for an IP lease.

    I have tried to do this on a port based extended acl but wasn't getting any hits on the dns and www lines.
    I was also, when using ports, not reaching the DNS or the WWW server.

    It was so late "02:00" that I forgot to provide a network diagram and P.T for those who'd like to take a look at.

    Hope I have been clearer.

    Thanks
     
    Certifications: CCNA
    WIP: 220-701 - A+
  17. BosonMichael, Yottabyte Poster
    Kill the first eq 53 and eq 80 in each ACL. See if that helps.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
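Editor's note: the two things that went wrong in this thread (Spice_Weasel's point in post 8 that a DHCP client has no IP yet, so an ACL keyed on the client subnet never matches DISCOVER; and BosonMichael's point in post 17 that the first `eq 53` / `eq 80` pins the client's ephemeral source port) are easy to check offline. The script below is an added example, not code from the thread or from Cisco: it models IOS extended-ACL matching (first match wins, implicit deny at the end, `eq` port operator, wildcard masks) and runs the ACLs posted above against constructed packets. The sample addresses and ports are constructed for the demonstration; the widened DHCP entry in the corrected ACL is my addition.

```python
"""Added example (not from the thread): model IOS extended-ACL matching so the
ACLs posted above can be checked against constructed packets offline."""
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}  # IOS keywords

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(toks, i):
    """Return ((base, wildcard), next_index) for 'any', 'host A' or 'A W'."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2

def _parse_port(toks, i):
    """Return (port or None, next_index); only the 'eq' operator is modelled."""
    if i < len(toks) and toks[i] == "eq":
        name = toks[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] [log]' lines."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[0] == "access-list":
            toks = toks[2:]                      # drop 'access-list <number>'
        action, proto = toks[0], toks[1]
        src, i = _parse_addr(toks, 2)
        sport, i = _parse_port(toks, i)
        dst, i = _parse_addr(toks, i)
        dport, i = _parse_port(toks, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def _addr_match(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF                # set wildcard bit = "don't care"
    return (_ip(addr) & care) == (base & care)

def evaluate(acl, pkt):
    """First match wins; ('deny', None) is the implicit deny ending every IOS ACL."""
    for n, (action, proto, src, sport, dst, dport) in enumerate(acl, 1):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"])):
            continue
        if proto in ("tcp", "udp"):
            if sport is not None and sport != pkt["sport"]:
                continue
            if dport is not None and dport != pkt["dport"]:
                continue
        return action, n
    return "deny", None

def packet(proto, src, dst, sport=None, dport=None):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed sample traffic, as seen inbound on the client-facing interface.
DHCP_DISCOVER = packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)   # no lease yet
DHCP_RENEW = packet("udp", "192.168.2.10", "192.168.2.254", 68, 67)    # unicast renewal
DNS_QUERY = packet("udp", "192.168.2.10", "192.168.3.253", 51234, 53)  # ephemeral sport
HTTP_SYN = packet("tcp", "192.168.2.10", "192.168.3.253", 49152, 80)
PING_SERVER = packet("icmp", "192.168.2.10", "192.168.3.253")

# ACL 100 from the first post: needs a source in 10.0.0.8/30, which a client
# without a lease cannot have.
FIRST_POST_ACL = """
access-list 100 permit udp 10.0.0.8 0.0.0.3 eq bootps host 10.0.0.10 eq bootps
access-list 100 permit udp 10.0.0.8 0.0.0.3 eq bootpc host 10.0.0.10 eq bootpc
"""
# danielno8's block for the other VLANs keys on the destination port only.
BLOCK_DHCP_ACL = """
access-list 100 deny udp any any eq bootps
access-list 100 permit ip any any
"""
# Post 14 as written: the first 'eq 53'/'eq 80' pins the client's SOURCE port.
PORT_ATTEMPT_ACL = """
access-list 100 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit udp any eq 53 host 192.168.3.253 eq 53
access-list 100 permit tcp any eq 80 host 192.168.3.253 eq 80
"""
# Post 17 applied (source port open); DHCP entry widened to 'any' so unicast
# renewals from leased clients pass too (my addition, not from the thread).
CORRECTED_ACL = """
access-list 100 permit udp any eq bootpc any eq bootps
access-list 100 permit udp any host 192.168.3.253 eq domain
access-list 100 permit tcp any host 192.168.3.253 eq www
"""

if __name__ == "__main__":
    for aname, text in [("first post", FIRST_POST_ACL), ("block dhcp", BLOCK_DHCP_ACL),
                        ("port attempt", PORT_ATTEMPT_ACL), ("corrected", CORRECTED_ACL)]:
        for pname, pkt in [("discover", DHCP_DISCOVER), ("renew", DHCP_RENEW),
                           ("dns", DNS_QUERY), ("http", HTTP_SYN), ("ping", PING_SERVER)]:
            print(f"{aname:13}{pname:9}-> {evaluate(parse_acl(text), pkt)}")
```

Running it shows the first-post ACL denying the DISCOVER outright, the post-14 ACL passing DHCP but denying the DNS and HTTP packets (no hits, exactly as reported), and the corrected ACL permitting DHCP, DNS and HTTP while the ping to the server falls through to the implicit deny. Two caveats the thread does not spell out: the `host 0.0.0.0` form only covers the initial broadcast exchange, so a client renewing its lease by unicast needs the wider `any eq bootpc` entry (or Spice_Weasel's `permit udp any any eq bootps`); and an outbound ACL such as ACL 101 in the first post never filters packets the router itself originates, so the router's own DHCP OFFER/ACK is unaffected by it. On a real box, `show access-lists` hit counters and `debug ip dhcp server packet` confirm which entry each packet lands on.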
