DHCP ACL

D@1984
Level 1

Hi, 

Any ACL that I've seen for DHCP is usually as below:

permit udp any any eq bootpc
permit udp any any eq bootps

What if I want to restrict DHCP messages even more between the LAN and the server?

So let's say I have a DHCP server: 172.16.1.3, and I have a user in VLAN 10: 172.16.20.0/24. VLAN 10 is connected to the router that I'm adding the ACL on (interface address: 172.16.20.1). What should I put as source and destination address?

permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps (to allow the Discover message)

permit udp host 172.16.1.3 eq bootps host 172.16.20.1 eq bootpc (or should I leave this as the whole network: 172.16.20.0 0.0.0.255) (to allow Offer/ACK from the server)

Do I need another permit for Request messages from users? Also, would the ACL be different if I had a DHCP relay?

Thanks 


Accepted Solution

M02@rt37
VIP

Hello D@1984 

DHCP messages such as Discover and Request are initiated by clients, while Offer and Acknowledgment messages are sent by the server in response. Each message has specific source and destination IP addresses and UDP port numbers (BootPC - port 68, BootPS - port 67). So, regarding your config, with a DHCP server at 172.16.1.3 and VLAN 10 configured as 172.16.20.0/24, you must carefully define ACL rules that allow only the required traffic.

If the network does not use DHCP relay, DHCP clients in VLAN 10 will send Discover and Request messages with a source IP of 0.0.0.0 (since the client does not yet have an IP address) and a destination IP of 255.255.255.255 (broadcast). To allow these, the ACL should include a rule permitting UDP traffic from 0.0.0.0 (source) to 255.255.255.255 (destination) with source port 68 and destination port 67. Similarly, the server will respond with Offer and Acknowledgment messages, which may be broadcast to 255.255.255.255 or sent directly to the client. To handle this, the ACL should permit UDP traffic from 172.16.1.3 (source) to 172.16.20.0/24 (destination) with source port 67 and destination port 68.

If the router at 172.16.20.1 is acting as a DHCP relay, the communication flows change slightly. The router will encapsulate Discover and Request messages from clients and forward them to the DHCP server as unicast traffic, using the router's IP (172.16.20.1) as the source address. The server will respond to the router, which will then forward the messages to the clients. In this case, the ACL should include rules to allow UDP traffic between the relay agent (172.16.20.1) and the DHCP server (172.16.1.3) on ports 67 and 68. Additionally, traffic between the relay agent and the clients in VLAN 10 must also be permitted.


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


4 Replies

D@1984 

Depending on where the ACL is applied, the access-list should have the router interface IP address as source and the DHCP server as destination.

Another ACL should permit from the DHCP server to the router interface IP address.


access-list 100 extended permit udp host "Router interface" eq bootpc host "DHCP server" eq bootps

access-list 100 extended permit udp host "DHCP server" eq bootps host "Router IP address" eq bootpc

You cannot do

The whole idea of DHCP is to assign an IP to a host; if the host has an IP, why does it need a DHCP server? That's why we use any any.

But what we can control is the L4 port and the DHCP server IP (not the host IP).

MHM
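To see which of the DHCP flows described in the accepted answer a candidate ACL actually permits, here is a small Python model added to this thread (it is not from any poster): it runs the question's two lines, the accepted answer's non-relay variant, and a relay variant against Discover/Request/Offer packets for the 172.16.1.3 / 172.16.20.0/24 topology. The client address 172.16.20.55 is constructed, and the relay legs follow RFC 2131 section 4.1, where the server replies to port 67 on the relay agent named in giaddr.

```python
import ipaddress
from collections import namedtuple

# Constructed model of an extended ACL entry: permit udp <src> eq <sport> <dst> eq <dport>.
# Networks are CIDR strings; a port of None means "any port" (not IOS syntax, just a model).
ACE = namedtuple("ACE", "src sport dst dport")
Pkt = namedtuple("Pkt", "name src sport dst dport")  # a UDP packet as an ACL sees it

def ace_matches(ace, pkt):
    # True when the packet's addresses fall inside the ACE's networks and its ports match.
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace.dst)
            and ace.sport in (None, pkt.sport) and ace.dport in (None, pkt.dport))

def evaluate(acl, pkts):
    # First-match semantics with the implicit deny: packet name -> index of the permitting ACE, or None.
    return {p.name: next((i for i, a in enumerate(acl) if ace_matches(a, p)), None) for p in pkts}

SERVER, RELAY, VLAN10 = "172.16.1.3", "172.16.20.1", "172.16.20.0/24"

# DHCP flows from the thread's topology (the client address 172.16.20.55 is made up).
NO_RELAY = [
    Pkt("discover", "0.0.0.0", 68, "255.255.255.255", 67),
    Pkt("request", "0.0.0.0", 68, "255.255.255.255", 67),
    Pkt("offer_unicast", SERVER, 67, "172.16.20.55", 68),
    Pkt("offer_broadcast", SERVER, 67, "255.255.255.255", 68),
]
# With a relay (ip helper-address) the router unicasts to the server, and RFC 2131 section 4.1
# has the server reply to port 67 on the relay agent named in giaddr, so both legs are 67 -> 67.
RELAYED = [
    Pkt("relay_to_server", RELAY, 67, SERVER, 67),
    Pkt("server_to_relay", SERVER, 67, RELAY, 67),
]

# The two candidate lines from the question, as written.
OP_ACL = [ACE("0.0.0.0/32", 68, "255.255.255.255/32", 67),
          ACE(SERVER + "/32", 67, RELAY + "/32", 68)]
# The accepted answer's non-relay variant: server to the whole VLAN 10 subnet.
ANSWER_ACL = [ACE("0.0.0.0/32", 68, "255.255.255.255/32", 67),
              ACE(SERVER + "/32", 67, VLAN10, 68)]
# What the relay case needs under RFC 2131: both directions between relay and server on port 67.
RELAY_ACL = [ACE(RELAY + "/32", 67, SERVER + "/32", 67),
             ACE(SERVER + "/32", 67, RELAY + "/32", 67)]

if __name__ == "__main__":
    for label, acl in (("OP", OP_ACL), ("answer", ANSWER_ACL), ("relay", RELAY_ACL)):
        print(label, evaluate(acl, NO_RELAY), evaluate(acl, RELAYED))
```

Running it shows the question's second line permits no Offer at all (neither the unicast to a client nor the relay reply), and that the accepted answer's subnet entry still leaves a broadcast Offer to 255.255.255.255 hitting the implicit deny, so that case needs its own entry if it occurs.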


Joseph W. Doherty
Hall of Fame

BTW, if you're looking to better secure DHCP, rather than using an improved ACL, you might consider using DHCP snooping.