1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

ACL - Allow access to DHCP server...

Discussion in 'Routing & Switching' started by albertc30, Nov 18, 2009.

  1. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Hello everybody. Yeah, me again with more questions and a shout for help.

    I have this setup done on P.T.

    I have 3 networks, just for practising so no need for large networks so, I have;

    VLAN-10 = 10.0.0.0/30 - Default-Router = 10.0.0.2
    VLAN-20 = 10.0.0.4/30 - Default-Router = 10.0.0.6
    VLAN-30 = 10.0.0.8/30 - Default-Router = 10.0.0.10

    I want only to allow VLAN-30 to access the DHCP Server to start with so, I was doing the following;

    ip access-list extended 100
    permit udp 10.0.0.8 0.0.0.3 eq 67 host 10.0.0.10 eq 67 (when using this port for inbound, I was using port 68 for outbound)
    permit udp 10.0.0.8 0.0.0.3 eq 68 host 10.0.0.10 eq 68

    ip access-list extended 101
    permit udp host 10.0.0.10 eq 67 10.0.0.8 0.0.0.3 eq 67
    permit udp host 10.0.0.10 eq 68 10.0.0.8 0.0.0.3 eq 68

    int fa0/0.3 - (VLAN-30)
    ip access-group 100 in
    ip access-group 101 out

    I also have tried with no ports being specified and still no communication to the DHCP Server.
    I have been here going over and over this and to be honest, this is starting to do my head in.
    Allot of you guys have indeed mentioned that if you don't do this on a regular basis it will eventually go away, well, you were right guys so, in order not to totally forget here I am busting my b****.

    Here's my conf file for my router;
    ********************************************
    Router#sh run
    Building configuration...

    Current configuration : 1091 bytes
    !
    version 12.2
    no service password-encryption
    !
    hostname Router
    !
    ip ssh version 1
    !
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.1
    encapsulation dot1Q 10
    ip address 10.0.0.2 255.255.255.252
    !
    interface FastEthernet0/0.2
    encapsulation dot1Q 20
    ip address 10.0.0.6 255.255.255.252
    !
    interface FastEthernet0/0.3
    encapsulation dot1Q 30
    ip address 10.0.0.10 255.255.255.252
    ip access-group 100 in
    ip access-group 101 out
    !
    ip classless
    !
    access-list 100 permit udp 10.0.0.8 0.0.0.3 eq bootps host 10.0.0.10 eq bootps
    access-list 100 permit udp 10.0.0.8 0.0.0.3 eq bootpc host 10.0.0.10 eq bootpc
    access-list 101 permit udp host 10.0.0.10 eq bootps 10.0.0.8 0.0.0.3 eq bootps
    access-list 101 permit udp host 10.0.0.10 eq bootpc 10.0.0.8 0.0.0.3 eq bootpc
    !
    ip dhcp pool 10
    network 10.0.0.0 255.255.255.252
    default-router 10.0.0.2
    ip dhcp pool 20
    network 10.0.0.4 255.255.255.252
    default-router 10.0.0.6
    ip dhcp pool 30
    network 10.0.0.8 255.255.255.252
    default-router 10.0.0.10
    !
    line con 0
    line vty 0 4
    login
    !
    end

    Router#
    *********************************************
    I think I have totally lost the logic of the whole thing.
    Any help appreciated.
    Cheers,
     
    Certifications: CCNA
    WIP: 220-701 - A+
  2. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Another note to this post.
    Would I be wrong in assuming the following?

    Allow traffic from the network (VLAN-30 - 10.0.0.8/30) to the DHCP Server (10.0.0.10) to allow DHCP-Discover/Request; - Going Inbound to sub-intFa0/0.3

    And

    Allow traffic from the DHCP-Server (10.0.0.10) to the network VLAN-30 10.0.0.8/30 to allow DHCP-Offer/Pack; - Going Outbound to sub-intFa0/0.3.

    Is my logical thinking wrong?
    Is it missing something?

    DHCP request goes on port 67 and is broadcasted by the computer, and also broadcasted by the DHCP server when it offers it as the PC asking for an IP hasn't yet got one back to pc on port 68 if memory serves me well...
     
    Certifications: CCNA
    WIP: 220-701 - A+
  3. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Do not apply any ACLS and place the DHCP Server on the correct VLAN.

    Do you get DHCP Addresses? If not then your DHCP Server is not configured correctly.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  4. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Yes mate, if no ACL is in place I do get an IP address and communication with the router
     
    Last edited: Nov 18, 2009
    Certifications: CCNA
    WIP: 220-701 - A+
  5. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    can you upload the packet tracer file?
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  6. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Yes mate, here it is.
     

    Attached Files:

    Certifications: CCNA
    WIP: 220-701 - A+
  7. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    Can i just clarify, you are trying to only allow DHCP to be assigned on vlan 30? If that is the case, rather than permitting it on vlan 30 sub-interfaace, you want to block it on the other two vlan sub interfaces.

    interface FastEthernet0/0.1
    encapsulation dot1Q 10
    ip address 10.0.0.2 255.255.255.252
    ip access-group 100 in
    !
    interface FastEthernet0/0.2
    encapsulation dot1Q 20
    ip address 10.0.0.6 255.255.255.252
    ip access-group 100 in
    !
    interface FastEthernet0/0.3
    encapsulation dot1Q 30
    ip address 10.0.0.10 255.255.255.252


    access-list 100 deny udp any any eq bootps
    access-list 100 permit ip any any

    ip access-group 100 in

    I also noticed you haven't enabled any vlans on your trunk port on the switch.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  8. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    albertc30,

    One important thing to remember, when making access-lsits for dhcp, is that the client does not initially have an ip address. Your acl 100 and 101 are only of use if the client already has a valid ip address.

    For learning purposes I suggest using lines such as:

    permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps log
    permit udp host 0.0.0.0 host 255.255.255.255 eq bootps log
    permit udp any any eq bootps log

    - and see which lines get hits. And of course debug dhcp for a good view of the dhcp packet exhange.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  9. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    This is right on the money. :)

    Albert, this is slightly unrelated to your question, but you've got a bunch of things going on in your config - VLANs, subinterfaces, ACLs, small subnetted ranges, etc... the sum total of which can be intimidating to someone just starting to learn this stuff... and adds to the difficulty when trying to troubleshoot your configs.

    My suggestion would be to take a step back and simplify. Learn each nugget individually before trying to mash it all together. Otherwise, you aren't sure what's gone wrong. Get rid of the VLANs and sub-ifs, and just use a plain-old /24 range for each interface. Using a two-address /30 range for a DHCP scope is just asking for trouble, what with one address consumed by the router interface (which you didn't exclude from the scope) and the other address reserved for the lease duration. Switch devices, and you'll either get a conflict or no address at all.

    Simplify. :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  10. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Hello mate.
    Trunk is there and working as you cann see bellow,
    **********************************************
    Switch#sh in trunk
    Port Mode Encapsulation Status Native vlan
    Fa9/1 on 802.1q trunking 1

    Port Vlans allowed on trunk
    Fa9/1 1-1005

    Port Vlans allowed and active in management domain
    Fa9/1 1,10,20,30,1002,1003,1004,1005

    Port Vlans in spanning tree forwarding state and not pruned
    Fa9/1 1,10,20,30,1002,1003,1004,1005
    Switch#
    **********************************************
    What I was trying to do was having the other networks .0 and .4 to see each other and block network .8 from reaching them but offcourse reaching out for the DHCP server.
    Thanks for your input mate, well appreciatted.
    Sorry if my setup is a bit confusing.
     
    Certifications: CCNA
    WIP: 220-701 - A+
  11. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    BosonMichael, this is from far the best advise ever from you mate. Thanks ever so much for your advice as it will be taken onboard and you are right about my setup, it is a bit confusing I must admit. I just thought that I was keepping it simple for me.:oops:
    I'm just going over all this stuff yet again as I do not want to forget them so best way is to keep practising.
    I could have always done just 3 networks and no VLANS involved and I could get in the end the result I was looking for.
    And thanks for the pointer about the addresses to remove from the DHCP pool; it was just me being lazy as I do have them set on my Cisco 1721 here at home with BT Broadband. I'm excluding IPs like my router's own IP, my WAP, my NAS, and my own machine to which I use static configuration.
    Once again thanks for the help BosonMichale and all of you guys and girls.

    I shall have a go at the example mentioned in one of the posts and see how it goes.

    Cheers everybody.
     
    Certifications: CCNA
    WIP: 220-701 - A+
  12. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    I knew I was negleting something, I knew about the PC sending out a broadcast for a DHCPRequest has no IP and yet it fail to come to thought.
    Thanks mate. I shall have a go at it and let you know the results.
    Cheers,
     
    Certifications: CCNA
    WIP: 220-701 - A+
  13. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Just didn't want you banging your head thinking it might be "all the other stuff" instead of what it truly was, know what I mean? After you get the individual pieces working... THEN put it all together, complete with VLANs, ACLs, sub-ifs, DHCP, QoS, routing protocols, everything.

    Very glad to be of assistance. :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  14. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Hello everybody.
    Following your advice I done the following;

    3 Networks - 192.168.1.0/24-192.168.2.0/24-192.168.3.0/24;
    1 DNS/WWW Server on network 192.168.3.0/24 - IP address 192.168.3.253;
    DHCP pools on the router;

    ACLs to allow access to DHCP server in router, DNS and WWW on network 192.168.3.0/24.
    Deny access to any workstations on network 192.168.3.0/24;

    So my setup is as follows;

    *******************************************
    Router#sh run
    Building configuration...

    Current configuration : 1065 bytes
    !
    version 12.2
    no service password-encryption
    !
    hostname Router
    !
    ip ssh version 1
    !
    interface FastEthernet0/0
    ip address 192.168.1.254 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 192.168.2.254 255.255.255.0
    ip access-group 100 in
    duplex auto
    speed auto
    !
    interface FastEthernet2/0
    ip address 192.168.3.254 255.255.255.0
    duplex auto
    speed auto
    !
    ip classless
    !!
    access-list 100 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
    access-list 100 permit ip any host 192.168.3.253
    !
    ip dhcp excluded-address 192.168.1.254
    ip dhcp excluded-address 192.168.2.254
    ip dhcp excluded-address 192.168.3.254
    ip dhcp excluded-address 192.168.3.253
    !
    ip dhcp pool 1
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.254
    dns-server 192.168.3.253
    ip dhcp pool 2
    network 192.168.2.0 255.255.255.0
    default-router 192.168.2.254
    dns-server 192.168.3.253
    ip dhcp pool 3
    network 192.168.3.0 255.255.255.0
    default-router 192.168.3.254
    dns-server 192.168.3.253
    !
    line con 0
    line vty 0 4
    login
    !
    end

    Router#
    ****************************************
    In order to allow access to the routers DHCP server the line permit udp host 0.0.0.0 eq bootpc host bootps done it's job as it was mentioned here before, thanks mate;

    I wanted to allow access to the WWW & DNS server by adding the following lines;

    permit udp any eq 53 host 192.168.3.253 eq 53 - (access to the DNS server)
    and
    permit tcp any eq 80 host 192.168.3.253 eq 80 - (access to the www server)

    but they were not gettings any hits on the acls at all as I could not access the www by typing it in the webbrowser nor by typing the www server's IP address.

    The thing of it is that, the way it is done I can also ping the server. I just wanted to target ports and have it working like that. I can always edit the ACLS and add a deny icmp requests to the router's interface for the inbound traffic.

    *****************************************
    Router#sh access-lists
    Extended IP access list 100
    permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps (2 match(es))
    permit ip any host 192.168.3.253 (15 match(es))
    Router#
    ****************************************
    Any comments well appreciated guys and girls.
    To all of you a very nice weekend.:)
     
    Certifications: CCNA
    WIP: 220-701 - A+
  15. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    I'm not sure I understand the question...
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  16. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Hello.

    What I am trying to achieve is the following;

    Network 192.168.2.0/24 is not to access/communicate to any of the hosts on network 192.168.3.0/24 apart from the www/dns server 192.168.3.253 and also, it needs to access the router's DHCP server for an IP lease.

    I have tried to do this on a port based extended acl but wasn't getting any hits on the dns and www lines.
    I was also, when using ports, not reaching the DNS or the WWW server.

    It was so late "02:00" that I forgot to provide a network diagram and P.T for those who'd like to take a look at.

    Hope I have been clearer.

    Thanks
     

    Attached Files:

    Certifications: CCNA
    WIP: 220-701 - A+
  17. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Kill the first eq 53 and eq 80 in each ACL. See if that helps.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!

Share This Page

Loading...