12-23-2009 02:38 AM - edited 03-11-2019 09:51 AM
Hello all,
On a Cisco 881 router with ZBF I have a dedicated VLAN for the AP connection. The AP gets its IP address from the router's DHCP server, and I would like to limit all access to the router "self" zone to DHCP traffic only, if possible. Does anybody have an idea how to limit all traffic except DHCP to the self zone? Whatever I do to traffic to/from the self zone, I must always specify the last statement as "class class-default/inspect" and not drop, as I would like to.
Thank you and kind regards,
Marko
12-23-2009 08:18 AM
You can match on udp packet ports 67, 68 in a class-map of type inspect.
Then you can inspect these packets in a policy-map of type pass under the above class. The action for the rest of the traffic will be denied by default.
Then you can apply that policy-map to the out-to-self and self-to-out zone pairs.
And that should do it.
ip access-list extended dhcp-acl
permit udp any eq 67 any
permit udp any any eq 68
class-map type inspect match-all dhcp-cm
match access-group name dhcp-acl
policy-map type inspect dhcp-pm
class type inspect dhcp-cm
pass
! zone names are not given in this post; <outside-zone> is a placeholder for your own zone
zone-pair security out-to-self source <outside-zone> destination self
service-policy type inspect dhcp-pm
zone-pair security self-to-out source self destination <outside-zone>
service-policy type inspect dhcp-pm
I hope it helps.
PK
12-24-2009 12:37 PM
Hello PK,
I have tried your solution and also a few other options in access list, but unfortunately it is not working.
Here is my config:
ip access-list extended dhcp-allow
permit udp any eq bootps any
permit udp any any eq bootpc
class-map type inspect match-all dhcp-cmap
match access-group name dhcp-allow
policy-map type inspect dhcp-pmap
class type inspect dhcp-cmap
pass
class class-default
drop
zone-pair security AP2Self source AP destination self
service-policy type inspect dhcp-pmap
zone-pair security Self2AP source self destination AP
service-policy type inspect dhcp-pmap
and here is the output from firewall log:
053666: Dec 24 17:34:07.361 CET: %FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default due to DROP action found in policy-map with ip ident 0
053667: Dec 24 17:34:40.642 CET: %FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default due to DROP action found in policy-map with ip ident 0
12-24-2009 01:25 PM
Please change the ACL a little and it will work.
ip access-list extended dhcp-allow
permit udp any eq bootps any
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any eq bootpc any
Now you are not falling into the pass class.
PK
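Why the first ACL dropped the DHCPDISCOVER and the corrected one passes it can be checked by modelling IOS extended-ACL port matching against the flow in the %FW-6-DROP_PKT lines above. This is an added example, not code from PK or Marko, and it assumes a simplified "permit udp any [eq sport] any [eq dport]" matcher with IOS's implicit deny at the end; the DHCPOFFER flow and its 192.0.2.1 server address are constructed for illustration.

```python
"""Model IOS extended-ACL matching to compare the two DHCP ACLs in the thread.

DHCPDISCOVER goes from 0.0.0.0:68 (bootpc) to 255.255.255.255:67 (bootps).
The original ACL only permits source port 67 or destination port 68, so the
client->server direction never matches and falls into class-default (drop).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

BOOTPS, BOOTPC = 67, 68  # the named ports IOS prints as bootps / bootpc


@dataclass(frozen=True)
class Ace:
    """One 'permit udp any [eq sport] any [eq dport]' entry (simplified model)."""
    sport: Optional[int] = None  # None = no 'eq' qualifier on the source side
    dport: Optional[int] = None  # None = no 'eq' qualifier on the destination side

    def matches(self, sport: int, dport: int) -> bool:
        return (self.sport is None or self.sport == sport) and (
            self.dport is None or self.dport == dport
        )


def acl_permits(acl: List[Ace], sport: int, dport: int) -> bool:
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    return any(ace.matches(sport, dport) for ace in acl)


# Marko's original ACL (dhcp-allow as first posted)
ORIGINAL_ACL = [Ace(sport=BOOTPS), Ace(dport=BOOTPC)]
# PK's corrected ACL: the two extra lines cover the client->server direction
FIXED_ACL = ORIGINAL_ACL + [Ace(dport=BOOTPS), Ace(sport=BOOTPC)]

# Flow layout: (src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, int, str, int]

# Constructed log line, same format as the %FW-6-DROP_PKT messages in the thread
SAMPLE_LOG = (
    "053666: Dec 24 17:34:07.361 CET: %FW-6-DROP_PKT: Dropping udp session "
    "0.0.0.0:68 255.255.255.255:67 on zone-pair AP2Self class class-default "
    "due to DROP action found in policy-map with ip ident 0"
)
# Constructed server->client reply (DHCPOFFER); 192.0.2.1 is a documentation address
OFFER: Flow = ("192.0.2.1", BOOTPS, "255.255.255.255", BOOTPC)

_SESSION_RE = re.compile(
    r"Dropping udp session (\d+\.\d+\.\d+\.\d+):(\d+) (\d+\.\d+\.\d+\.\d+):(\d+)"
)


def parse_drop_log(line: str) -> Flow:
    """Extract the dropped UDP flow from a %FW-6-DROP_PKT line."""
    m = _SESSION_RE.search(line)
    if not m:
        raise ValueError("not a %FW-6-DROP_PKT udp session line")
    src, sport, dst, dport = m.groups()
    return (src, int(sport), dst, int(dport))


def classify(acl: List[Ace], flow: Flow) -> str:
    """'pass' if the ACL (hence class dhcp-cmap) matches, else class-default 'drop'."""
    _, sport, _, dport = flow
    return "pass" if acl_permits(acl, sport, dport) else "drop"


if __name__ == "__main__":
    discover = parse_drop_log(SAMPLE_LOG)
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(f"{name:8s} DISCOVER -> {classify(acl, discover)}, OFFER -> {classify(acl, OFFER)}")
```

The model also shows why both zone-pairs (AP2Self and Self2AP) need the policy: the ZBF "pass" action is stateless, so the reply direction is never auto-permitted the way an "inspect" session would be, and each direction must match an ACE on its own.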
12-26-2009 01:22 PM
Thank you PK it works great I wish you happy 2010.
04-28-2011 12:45 AM
This is a good solution for a CISCO1921-SEC with CLI configuration. It works well for the outside interface getting its IP from a DOCSIS DHCP server and for the router's own inside DHCP service.
Thanks !