02-05-2020 08:27 AM
I have seen posted online several different answers to this often asked question: "How do I allow DHCP through my ACL?"
For example, I tried adding this near the top of an ACL:
permit udp any any eq bootpc
permit udp any any eq bootps
Everything was fine until there was a power outage and all the equipment rebooted. The switches came back online, but all my workstations wouldn't DHCP. I have "ip helper-address" defined for each VLAN as the DHCP server lives in another location.
Once I disabled the ACL on the VLAN, DHCP worked again.
Then there's this example:
permit udp host 0.0.0.0 host 255.255.255.255 eq bootpc
And another single line version:
permit udp any eq bootpc any eq bootps
I'm curious to know what is the best configuration to use.
Additionally, when I apply this ACL (numbered 102) to my VLAN interface, I have it configured
ip access-group 102 out
Could I just have the ACL configured properly but I'm applying it incorrectly to the interface?
02-05-2020 09:04 AM
>How do I allow DHCP through my ACL
- The question is a bit strange in the sense that if no ACL is used at all, the switch becomes neutral and/or pass-thru for DHCP.
M.
02-05-2020 10:38 AM
Perhaps I didn't word it properly or give enough information?
What I mean to say is, in our environment, we worked for a time with absolutely no ACLs on any switches. Then, I started implementing some ACLs and learned a lot through trial & error. I have identified a bunch of network objects in the switch config and I use permit or deny where appropriate.
At first I pretty much denied access to everything. Then, I added in "permit icmp any any" just so I could ping devices. Then, I added a "permit ip any any" at the very end of my ACL. Still not sure if that's appropriate or not, but I'm learning.
So, in a particular building, the power goes out. Upon reboot of network and workstations, nothing will DHCP. Turn off the ACLs and sure enough DHCP works as intended. Then I added in "permit udp any any eq bootpc" and "permit udp any any eq bootps" just after my permit icmp statement.
Yet another power outage and once again, when power is restored, still no DHCP for my workstations. I disabled the ACLs, DHCP comes back, and now I'm asking the question: how do I permit DHCP requests in my ACLs? (see original question)
I figured that at the very least the "permit ip any any" would clear that up, but it appears I have oodles to learn when it comes to ACLs.
02-06-2020 03:25 AM
> Then, I started implementing some ACLs and learned a lot through trial & error
I don't like this way of working. You are building a security environment based upon observed events, which may lead to holes or things that you are eventually unaware of. Better is to work top-down by specifying the security requirements for the Intranet. And also better is to implement them with Intranet firewalling solutions, for example. As usual, the network will grow and you will get more switches. Another benefit is that you will have more and manageable logging and alerting features, which can be set for specific events.
M.
02-08-2020 10:04 AM
There are several things in this post I would like to address. First is the question about the possibility that assigning the ACL as in or as out might impact how it works. And the answer to that depends on which version of the ACL you are using. The first example was
permit udp any any eq bootpc
permit udp any any eq bootps
and for this either in or out should work fine.
The next examples were
permit udp host 0.0.0.0 host 255.255.255.255 eq bootpc
and
permit udp any eq bootpc any eq bootps
Both of these are similar in that they are specifying communication to the client or to the server. And for that to work you have to get the in or out correct. If the ACL is specifying client to server and you apply the ACL as out then it does not work.
I would also wonder about the description that after a power outage (or some other reboot) that DHCP did not work till the ACL was removed. My first reaction is that it sounds like the config changes were implemented to filter for DHCP but the config changes were not saved. But if that were the case after reboot it should have reverted to the situation where there was no filtering for DHCP and so I am puzzled why DHCP would have been impacted.
02-10-2020 09:34 AM
Thank you! I shall return my ACL to the version with this -
permit udp any any eq bootpc
permit udp any any eq bootps
- as part of the ACL. I understand that I probably did have the ACL "in" and "out" configured incorrectly.
As to the last question/concern you posted, I think the main reason that my DHCP requests did not work is because I did not explicitly permit access to the DHCP server. I've since learned that unless access is explicitly permitted then it falls into implicitly denied. (I hope I got that correct)
Maybe it would help if you just saw the ACL?
100 permit icmp any any
110 permit udp any any eq bootpc
120 permit udp any any eq bootps
130 permit ip object-group CHS-HVAC any
140 permit ip object-group LAF-HVAC any
150 permit ip object-group MAS-HVAC any
160 permit ip object-group SBS-HVAC any
170 permit ip object-group WAS-HVAC any
180 permit ip object-group BOE-HVAC any
190 permit ip object-group MAINTENANCE any
200 permit ip object-group CHS-POS any
210 permit ip object-group LAF-POS any
220 permit ip object-group MAS-POS any
230 permit ip object-group SBS-POS any
240 permit ip object-group WAS-POS any
250 permit ip object-group BOE-POS any
260 deny ip object-group CHS-VLAN any
270 deny ip object-group LAF-VLAN any
280 deny ip object-group MAS-VLAN any
290 deny ip object-group SBS-VLAN any
300 deny ip object-group WAS-VLAN any
310 deny ip object-group BOE-VLAN any
320 permit ip any any
I want to ping and DHCP, which are the opening lines. I want to permit access to the very specific HVAC equipment - all with very specific IP addresses - and the POS terminals in the buildings listed. Then I want to deny access to everything else in those buildings. That's the biggest portion of the ACL with permitting and denying object groups.
Now, there is no place where I have defined the DHCP server in any object group, but I was under the impression that ending with a "permit ip any any" would include the DHCP server.
02-11-2020 07:11 AM
Thanks for the additional information. There are things about your situation that we do not know, and that makes it difficult to really understand the problem. From the description I am assuming that the ACL that you posted is applied to a single VLAN interface and that it is applied out. Is that correct? Is that VLAN interface to a single VLAN where hosts are connected, or is it a transit VLAN to a group of remote subnets? Also, where is the DHCP server? (In particular, is it in a subnet belonging to any of your object groups, or is it somewhere else?)
Let me try to clarify a bit about in and out in applying an acl. When you apply an acl "in" it filters traffic from connected hosts in a vlan coming into the switch. When you apply an acl "out" it filters traffic going from the switch to the hosts connected in that vlan. The important thing about the direction is which addresses are the source and which addresses are the destination. Your acl specifies various specific addresses as the source. Assuming that those addresses are not reached through this vlan interface it is appropriate for the acl to be applied out (as you have done).
As far as permitting traffic for the DHCP server your statements permitting bootpc and bootps should be sufficient and not need any other acl statements.
I am puzzled by the fact that it seems that at least twice a power cycle or reboot has resulted in DHCP not working until you remove the acl. Are you able to do any testing of this? Or would you need to wait until it happens again? I wonder if there are any log messages generated as the switch reboots that would shed light on what is happening? Or log messages as clients attempt dhcp? Also immediately after the switch has rebooted would you be able to get the output of show access-list so that we can see if the content has changed in any way?
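The in/out reasoning in the 02-08 post and in the answer above can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small simulator of IOS-style first-match ACL evaluation (first matching entry wins, anything unmatched hits the implicit "deny ip any any"). It runs the three DHCP permit variants quoted in the thread against each step of a relayed DHCP exchange, and separately shows why a deny placed before "permit ip any any" still wins for the addresses it covers. The SVI address 10.10.10.1, the DHCP server 10.99.0.5 and the subnet 10.20.0.0/24 are made up, and the relayed reply is treated as if it were subject to the SVI's outbound ACL, which is an assumption about platform behaviour rather than something the thread establishes.

```python
"""
Added example, not from the thread: a minimal simulator of Cisco IOS-style
first-match ACL evaluation, used to compare the three DHCP permit variants
quoted in the thread.  Addresses are constructed for illustration; treating
the relayed reply as subject to the outbound SVI ACL is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

BOOTPS, BOOTPC = 67, 68  # DHCP server and client UDP ports


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry.  sport/dport of None means 'any port'."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: str               # "any", "host A.B.C.D", or a CIDR prefix
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (action, index of the matching entry); index None = implicit deny."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", None


# The three variants quoted in the thread, as IOS parses them ("eq" after the
# destination address is a destination port; after the source, a source port).
VARIANT_A = [  # permit udp any any eq bootpc / permit udp any any eq bootps
    Ace("permit", "udp", "any", "any", dport=BOOTPC),
    Ace("permit", "udp", "any", "any", dport=BOOTPS),
]
VARIANT_B = [  # permit udp host 0.0.0.0 host 255.255.255.255 eq bootpc
    Ace("permit", "udp", "host 0.0.0.0", "host 255.255.255.255", dport=BOOTPC),
]
VARIANT_C = [  # permit udp any eq bootpc any eq bootps
    Ace("permit", "udp", "any", "any", sport=BOOTPC, dport=BOOTPS),
]

# Constructed relayed exchange: client VLAN with SVI 10.10.10.1 and
# "ip helper-address 10.99.0.5".  The relay agent turns the client broadcast
# into a unicast from its own address and uses port 67 on both ends of that
# leg (RFC 2131), so only the first and last steps carry the client port.
FLOWS = {
    "client discover, in on SVI":       Packet("udp", "0.0.0.0", BOOTPC, "255.255.255.255", BOOTPS),
    "relay to server, other interface": Packet("udp", "10.10.10.1", BOOTPS, "10.99.0.5", BOOTPS),
    "server to relay, other interface": Packet("udp", "10.99.0.5", BOOTPS, "10.10.10.1", BOOTPS),
    "relayed offer, out on SVI":        Packet("udp", "10.10.10.1", BOOTPS, "255.255.255.255", BOOTPC),
}


def evaluate_flows(acl: list) -> dict:
    """Map each step of the exchange to the action the ACL takes on it."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in FLOWS.items()}


# Ordering: a deny on a subnet placed before "permit ip any any" still wins for
# that subnet, because evaluation stops at the first match.  The CIDR stands in
# for a "deny ip object-group X-VLAN any" entry.
ORDERED_ACL = VARIANT_A + [
    Ace("deny", "ip", "10.20.0.0/24", "any"),
    Ace("permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    for label, acl in (("A", VARIANT_A), ("B", VARIANT_B), ("C", VARIANT_C)):
        print(label, evaluate_flows(acl))
    print(evaluate(ORDERED_ACL, Packet("tcp", "10.20.0.7", 40000, "10.10.10.50", 443)))
    print(evaluate(ORDERED_ACL, Packet("udp", "10.20.0.7", BOOTPS, "10.10.10.50", BOOTPC)))
```

Running it shows variant A permitting every step in either direction, since it only looks at the destination port; variant C permitting only the original client broadcast (source port 68, destination 67) and nothing on the relay legs or the reply; and variant B, as quoted, matching no step at all, because it requires destination port 68 from 0.0.0.0. The last two lines show that a packet from the denied subnet is dropped at the deny entry even though "permit ip any any" follows, while a DHCP packet from the same subnet is still caught by the earlier bootpc line, which is the question the answer above raises about where the DHCP server sits relative to the object groups.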
02-21-2020 10:29 AM
Yes, I am applying the ACL to the "out" of the vlan interface. All I did most recently was actually include an object-group for my DHCP server and that seemed to have worked. Again, my ignorance for just assuming that permitting bootpc and bootps would suffice. It wasn't enough as it seems I had to include the actual DHCP server IP in my ACL.