Allow DHCP through ACL on Catalyst 3850

stephenauxter
Level 1

I have seen posted online several different answers to this often asked question: "How do I allow DHCP through my ACL?"

For example, I tried adding this near the top of an ACL:

permit udp any any eq bootpc
permit udp any any eq bootps

Everything was fine until there was a power outage and all the equipment rebooted. The switches came back online, but all my workstations wouldn't DHCP. I have "ip helper-address" defined for each VLAN as the DHCP server lives in another location.

Once I disabled the ACL on the VLAN, DHCP worked again.

Then there's this example:

permit udp host 0.0.0.0 host 255.255.255.255 eq bootpc

And another single line version:

permit udp any eq bootpc any eq bootps

I'm curious to know what is the best configuration to use.

Additionally, when I apply this ACL (numbered 102) to my VLAN interface, I have it configured

ip access-group 102 out

Could I just have the ACL configured properly but I'm applying it incorrectly to the interface?

7 Replies

marce1000
VIP

> How do I allow DHCP through my ACL

- The question is a bit strange in the sense that if no ACL is used at all, the switch becomes neutral and/or pass-through for DHCP.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Perhaps I didn't word it properly or give enough information?

What I mean to say is, in our environment, we worked for a time with absolutely no ACLs on any switches. Then, I started implementing some ACLs and learned a lot through trial & error. I have identified a bunch of network objects in the switch config and I use permit or deny where appropriate.

At first I pretty much denied access to everything. Then, I added in "permit icmp any any" just so I could ping devices. Then, I added a "permit ip any any" at the very end of my ACL. Still not sure if that's appropriate or not, but I'm learning.

So, in a particular building, the power goes out. Upon reboot of network and workstations, nothing will DHCP. Turn off the ACLs and sure enough DHCP works as intended. Then I added in "permit udp any any eq bootpc" and "permit udp any any eq bootps" just after my permit icmp statement.

Yet another power outage and once again, when power is restored, still no DHCP for my workstations. I disabled the ACLs, DHCP comes back, and now I'm asking the question: how do I permit DHCP requests in my ACLs? (see original question)

I figured that at the very least the "permit ip any any" would clear that up, but it appears I have oodles to learn when it comes to ACLs.

> Then, I started implementing some ACLs and learned a lot through trial & error

I don't like this way of working. You are building a security environment based upon observed events, which may lead to holes or things that you are eventually unaware of. Better is to work top-down by specifying the security requirements for the intranet, and also better is to implement them with intranet firewalling solutions, for example. As usual, the network will grow and you will get more switches. Another benefit is that you will have more and manageable logging and alerting features which can be set for specific events.

M.

Richard Burts
Hall of Fame

There are several things in this post I would like to address. First is the question about the possibility that assigning the ACL as in or as out might impact how it works. And the answer to that depends on which version of the ACL you are using. The first example was 

permit udp any any eq bootpc
permit udp any any eq bootps

and for this either in or out should work fine.

The next examples were

permit udp host 0.0.0.0 host 255.255.255.255 eq bootpc

and

permit udp any eq bootpc any eq bootps

Both of these are similar in that they are specifying communication to the client or to the server. And for that to work you have to get the in or out correct. If the ACL is specifying client to server and you apply the ACL as out then it does not work.

I would also wonder about the description that after a power outage (or some other reboot) that DHCP did not work till the ACL was removed. My first reaction is that it sounds like the config changes were implemented to filter for DHCP but the config changes were not saved. But if that were the case after reboot it should have reverted to the situation where there was no filtering for DHCP and so I am puzzled why DHCP would have been impacted.

HTH

Rick
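Added example (not code from this thread, nor Cisco's): to make Rick's point about direction concrete, here is a small Python model of first-match ACE evaluation for the `udp`/`ip` entries quoted above, run against the two DHCP packets that actually cross a client VLAN's SVI when the server is reached through `ip helper-address`. The addresses, the relay behaviour it assumes (the reply is re-sourced from the SVI address on port bootps and sent to the broadcast address) and the assumption that the relayed reply is checked against an outbound ACL on that SVI are mine; object groups and `icmp` are not modelled.

```python
"""Toy evaluator for Cisco IOS extended-ACL entries, used to show how the
direction an ACL is applied ("in" vs "out" on the SVI) changes which DHCP
ACEs match. Only 'permit|deny udp|ip <src> [eq p] <dst> [eq p]' entries are
modelled (no object-groups, no icmp); all addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # IOS keywords for the DHCP ports


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (matcher, next i)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        want = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip, w=want: ipaddress.ip_address(ip) == w), i + 2
    base = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))  # IOS wildcard: 1 bits = don't care
    return (lambda ip, b=base, w=wild: (int(ipaddress.ip_address(ip)) | w) == (b | w)), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' at tokens[i]; return (matcher, next i)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        want = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return (lambda port, w=want: port == w), i + 2
    return (lambda port: True), i


def parse_ace(line):
    """Turn one ACE into (action, src, sport, dst, dport) matchers."""
    tokens = line.split()
    if tokens[0].isdigit():  # drop a leading sequence number (as in show access-list)
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto not in ("udp", "ip"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return action, src, sport, dst, dport


def evaluate(acl_text, pkt):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for line in acl_text.strip().splitlines():
        action, src, sport, dst, dport = parse_ace(line)
        if src(pkt.src) and sport(pkt.sport) and dst(pkt.dst) and dport(pkt.dport):
            return action
    return "deny"


# Constructed address (assumption, not from the thread): the client VLAN's SVI,
# which is also the relay when ip helper-address is configured on it.
SVI_IP = "10.1.10.1"

# The two DHCP packets that cross the client VLAN's SVI. Server<->relay traffic
# (server:67 <-> SVI:67) leaves via the uplink and never touches this interface.
# "in"  = hosts toward the switch: DISCOVER from a client with no address yet.
# "out" = switch toward the hosts: the relayed OFFER, re-sourced from the SVI
#         address on port bootps (assumed broadcast because the client has no IP,
#         and assumed to be checked against the outbound ACL on this SVI).
FLOWS = {
    "discover_in": Packet("0.0.0.0", 68, "255.255.255.255", 67),
    "offer_out": Packet(SVI_IP, 67, "255.255.255.255", 68),
}

# The three variants quoted in the thread.
ACL_BOTH_PORTS = "permit udp any any eq bootpc\npermit udp any any eq bootps"
ACL_BROADCAST_ONLY = "permit udp host 0.0.0.0 host 255.255.255.255 eq bootpc"
ACL_CLIENT_TO_SERVER = "permit udp any eq bootpc any eq bootps"


def dhcp_results(acl_text):
    """Map each DHCP flow on the SVI to the action the ACL takes on it."""
    return {name: evaluate(acl_text, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("both ports", ACL_BOTH_PORTS),
                       ("broadcast only", ACL_BROADCAST_ONLY),
                       ("client->server", ACL_CLIENT_TO_SERVER)):
        print(f"{label:15}: {dhcp_results(acl)}")
```

With only these ACEs in front of the implicit deny, the model gives: the two-line `any any eq bootpc` / `eq bootps` version permits both packets whichever way it is applied; `permit udp any eq bootpc any eq bootps` describes only the client-to-server direction, so applied `out` it never matches the relayed reply; and the `host 0.0.0.0 host 255.255.255.255 eq bootpc` line matches neither packet here, because a client's DISCOVER is addressed to bootps (67), not bootpc. A trailing `permit ip any any`, as in the ACL posted later in this thread, passes the reply regardless of direction, so this toy does not by itself account for the outage described; it only shows which lines depend on getting `in`/`out` right.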

Thank you! I shall return my ACL to the version with this -

permit udp any any eq bootpc
permit udp any any eq bootps

- as part of the ACL. I understand that I probably did have the ACL "in" and "out" configured incorrectly.

As to the last question/concern you posted, I think the main reason that my DHCP requests did not work is because I did not explicitly permit access to the DHCP server. I've since learned that unless access is explicitly permitted then it falls into implicitly denied. (I hope I got that correct)

Maybe it would help if you just saw the ACL?

100 permit icmp any any
110 permit udp any any eq bootpc
120 permit udp any any eq bootps
130 permit ip object-group CHS-HVAC any
140 permit ip object-group LAF-HVAC any
150 permit ip object-group MAS-HVAC any
160 permit ip object-group SBS-HVAC any
170 permit ip object-group WAS-HVAC any
180 permit ip object-group BOE-HVAC any
190 permit ip object-group MAINTENANCE any
200 permit ip object-group CHS-POS any
210 permit ip object-group LAF-POS any
220 permit ip object-group MAS-POS any
230 permit ip object-group SBS-POS any
240 permit ip object-group WAS-POS any
250 permit ip object-group BOE-POS any
260 deny ip object-group CHS-VLAN any
270 deny ip object-group LAF-VLAN any
280 deny ip object-group MAS-VLAN any
290 deny ip object-group SBS-VLAN any
300 deny ip object-group WAS-VLAN any
310 deny ip object-group BOE-VLAN any
320 permit ip any any

I want to ping and DHCP, which are the opening lines. I want to permit access to the very specific HVAC equipment - all with very specific IP addresses - and the POS terminals in the buildings listed. Then I want to deny access to everything else in those buildings. That's the biggest portion of the ACL with permitting and denying object groups.

Now, there is no place where I have defined the DHCP server in any object group, but I was under the impression that ending with a "permit ip any any" would include the DHCP server.

Thanks for the additional information. There are things about your situation that we do not know and that makes it difficult to really understand the problem. From the description I am assuming that the acl that you posted is applied to a single vlan interface and that it is applied out. Is that correct? Is that vlan interface to a single vlan where hosts are connected or is it a transit vlan to a group of remote subnets? Also where is the DHCP server? (In particular, is it in a subnet belonging to any of your object groups or is it somewhere else?)

Let me try to clarify a bit about in and out in applying an acl. When you apply an acl "in" it filters traffic from connected hosts in a vlan coming into the switch. When you apply an acl "out" it filters traffic going from the switch to the hosts connected in that vlan. The important thing about the direction is which addresses are the source and which addresses are the destination. Your acl specifies various specific addresses as the source. Assuming that those addresses are not reached through this vlan interface it is appropriate for the acl to be applied out (as you have done).

As far as permitting traffic for the DHCP server your statements permitting bootpc and bootps should be sufficient and not need any other acl statements.

I am puzzled by the fact that it seems that at least twice a power cycle or reboot has resulted in DHCP not working until you remove the acl. Are you able to do any testing of this? Or would you need to wait until it happens again? I wonder if there are any log messages generated as the switch reboots that would shed light on what is happening? Or log messages as clients attempt dhcp? Also immediately after the switch has rebooted would you be able to get the output of show access-list so that we can see if the content has changed in any way?

HTH

Rick

Yes, I am applying the ACL to the "out" of the vlan interface. All I did most recently was actually include an object-group for my DHCP server and that seemed to have worked. Again, my ignorance for just assuming that permitting bootpc and bootps would suffice. It wasn't enough as it seems I had to include the actual DHCP server IP in my ACL.