Blocking DHCP requests on Cisco 2611 xm router

foxgold
Level 1

Hello, we have a 2611xm router with two subnets off one FE interface and one subnet off the other FE interface.

Our problem is that computers on one subnet are picking up ip addresses from a DHCP server on another subnet and we want to stop this.

Q: Is the best way to stop this to apply an extended access list to both FE interfaces blocking any DHCP protocols like bootp etc?

That way packets with these protocols will be blocked from crossing to the other subnets.

Q2: If this is correct what are the protocols I need to block and what would be an example of the command to do this?

Thanks in advance.

Paul

12 Replies

skarundi
Level 4

hi paul,

are the 2 subnets in question the two which are on the same LAN ?

Hi, two subnets, (192.168.20.0 + 192.168.40.0) are connected via FE0/1 on the router. The other subnet (192.168.53.0) is connected to FE0/0

When we vpn into the 192.168.53.0 subnet we sometimes pick up an ip address (DHCP) from the 192.168.20.0 or 192.168.40.0 subnet. This is causing us problems and we want to stop it.

I'm still a bit of a novice with this but I thought the easiest way was an extended access-list applied to the FE0/0 and FE0/1 interfaces as follows.

access-list 103 permit tcp any any
access-list 103 permit udp any any
access-list 103 permit ip any any

The above would permit all tcp, udp and ip traffic from any source to any destination. Continue now with blocking all the protocols that dhcp traffic uses ( I found the port/protocol numbers at www.iana.org)...

access-list 103 deny tcp any any eq 67
access-list 103 deny udp any any eq 67
access-list 103 deny tcp any any eq 68
access-list 103 deny udp any any eq 68
access-list 103 deny tcp any any eq 546
access-list 103 deny udp any any eq 546
access-list 103 deny tcp any any eq 547
access-list 103 deny udp any any eq 547

The above blocks dhcp traffic outbound (I think??) for:

bootps = 67
bootpd = 68
dhcp client v6 = 546
dhcp server v6 = 547

If I have missed any for dhcp then please let me know. Also would it be better to block it inbound or outbound?

I assume at the end of the access-list there is an implicit "Deny all"

If I apply the above ACL to int FE0/0 and FE0/1 like:

(int 0/0)# ip access-group 103
(int 0/1)# ip access-group 103

then write mem ...this should solve my problem. Tell me what you think. I have to do this today and I'd rather not stuff it up!!!! :)

Thanks in advance.

Paul

Perth

WA

Oh, one last thing. I've noticed we have an existing access list as follows:

access-list 102 deny udp any any eq bootpc
access-list 102 deny udp any any eq bootps

Which probably does the trick (except wouldn't it block all other traffic if applied to an interface?)

However I haven't seen it applied to an interface as I'm not sure how to tell that. Below is the show config for the two FE interfaces... can you determine if access list 102 is applied? What should it look like and where should you see it?

interface FastEthernet0/0
ip address 192.168.53.240 255.255.255.0
ip directed-broadcast 101
no ip mroute-cache
duplex auto
speed auto
no cdp enable
interface FastEthernet0/1
ip address 192.168.40.240 255.255.255.0 secondary
ip address 192.168.20.230 255.255.254.0
no ip mroute-cache
duplex auto
speed auto
no cdp enable

Then right at the bottom we have the access list info and queue stuff?

access-list 1 permit 192.168.53.70
access-list 101 permit udp any eq 42508 any
access-list 101 permit udp any range 42508 42510 any
access-list 102 deny udp any any eq bootpc
access-list 102 deny udp any any eq bootps
queue-list 1 protocol ip 1 tcp 1494
queue-list 1 protocol ip 1 tcp 1604
queue-list 1 protocol ip 1 tcp 3389
queue-list 1 protocol ip 1 udp 1494
queue-list 1 protocol ip 1 udp 1604
queue-list 1 protocol ip 1 udp 3389
queue-list 1 protocol ip 2 udp domain
queue-list 1 protocol ip 2 tcp domain
queue-list 1 protocol ip 3 tcp www
queue-list 1 protocol ip 3 tcp 8080
queue-list 1 protocol ip 3 tcp 443
queue-list 1 protocol ip 3 tcp pop3
queue-list 1 protocol ip 3 tcp smtp
queue-list 1 default 4
queue-list 1 queue 1 byte-count 4500
queue-list 2 protocol ip 1 tcp 1494
queue-list 2 protocol ip 1 tcp 1604
queue-list 2 protocol ip 1 tcp 3389
queue-list 2 protocol ip 1 udp 1494
queue-list 2 protocol ip 1 udp 1604
queue-list 2 protocol ip 1 udp 3389
queue-list 2 default 2
queue-list 2 queue 1 byte-count 30000

Thanks in advance

Paul

Perth

WA

HELP!!!! I just applied the ACL to the two FE interfaces and I've lost my connection to the router and can't get back in!!

What I did was:

1) In int FE0/0 typed ip access-group 103 in
In int FE0/1 typed ip access-group 103 in

2) exited to Global Config mode and typed:

access-list 103 deny tcp any any eq 67 log
access-list 103 deny udp any any eq 67 log
access-list 103 deny tcp any any eq 68 log
access-list 103 deny udp any any eq 68 log
access-list 103 deny tcp any any eq 546 log
access-list 103 deny tcp any any eq 547 log
access-list 103 permit ip any any

At this point I lost my connection and I didn't even get a chance to save it with write mem.

What happened and more importantly am I taking a late night drive to fix it?

How could this drop my connection... I did exactly as yourself and some others suggested and also followed the method from my Cisco manual.

What can I do from here to set it right?

Thanks in advance

Paul

paul, I think you'll have to drive to the location and remove the ACLs. I don't understand why you can't access the router, but without understanding exactly how you access it, it's tough to say what to do.

About the DHCP issue, I see a problem using DHCP on a broadcast domain with 2 subnets. (fe0/1).

DHCP uses broadcasts and I'm wondering how DHCP works properly in a LAN environment with 2 subnets.

I'd separate the subnets on fe0/1 into 2 unique broadcast domains ( vlans ) using trunking.

From what I know DHCP shouldn't work right on a lan with 2 subnets.

Hi, it's a drive this morning. I will try to remove settings via console connection and HyperTerminal. If not, a reboot should cancel the ACL settings as they weren't written to mem or copied to the start config.

The router has two FE interfaces.

Int 1) has a subnet with a DHCP server

Int 2) has two subnets with a DHCP server.

People on one subnet are logging in and getting IP addresses from a DHCP server on the other subnet and this is causing issues.

I think my ACL will work (when I apply it in the correct order :)

We just want the easiest way to keep DHCP traffic to its own subnet, and blocking inbound DHCP traffic on both interfaces of the router seems to be the best (when done correctly).

I need to upgrade the IOS version to do the VLAN on the 2611xm and that's a last resort.

Thanks for your help

Paul

If you didn't get a chance to "write mem", is there someone at the remote site who can reboot the router for you? No "write mem" of the running-config means those changes won't be saved when you reboot the router, and it will come up with its previous startup-config. Which should be a good thing.

Can you telnet to the IP addresses of the serial interfaces? They may still be accessible, even though the FastEthernet ones are denying you.

If you did the steps in the order that you listed above, then you told the two Fast Ethernet interfaces to filter traffic against an "access-list 103" before you actually had input the access-list 103 commands. So, the only command that would be in effect is the implicit "deny ip any any". That's probably why you got cut off.

Best practice is to input the access-list commands first, THEN apply the access-group command to the interface. (I usually add two extra steps for safety: I add the access-list commands first, then save the configuration, then verify what's been saved is what I want saved, and only then do I apply them to the interfaces. If you have to reboot or access the router via another interface, at least you don't have to re-enter the access-list commands. And if you have problems, you can study exactly what commands were used and in what sequence, to determine why it didn't do what you wanted it to.)

If you have to modify an access-list, first remove it from any interfaces where it has been applied. Then delete the old list, re-enter the complete updated list, then re-apply it to the necessary interfaces. Not following this procedure may result in the same situation: interfaces actively referencing an access-list that doesn't exist, resulting in "deny ip any any".

As far as DHCP on an interface supporting more than one IP subnet using the "secondary" command option (some people call this "multinetting"), if you use "ip helper-address" on the router interface to do your DHCP relay the router will only include its primary IP address in the unicast packet it sends to the DHCP server. The DHCP server references the interface that the router says it heard the DHCP address request on (that's what the inclusion of the primary IP address is for), looks in its scope definitions for a match with that primary IP address, and sends an appropriate address offer back to the router. The router sends the offer along to the client. So, you will not be able to get DHCP addresses assigned in the secondary IP subnet.

If you need to get IP addresses assigned in that secondary IP subnet range, you're better off doing what Stanley (skarundi) suggested, creating two VLANs on that LAN interface using sub-interfaces, and doing VLAN trunking. Note: the ability to do sub-interfaces on a router's LAN interface is only possible with a "Plus" version of IOS, which may require more RAM and/or flash memory in your router.

Hope this helps.

Paul, no update with me, I completely agree with the previously posted suggestions, just thought you might want to know why you got locked out of your router. The first thing you did when you telnetted to your router was apply an access-list to your FE interfaces. Once you created the access list in step two, that access-list has an explicit deny ip any any at the bottom and took a second to apply but booted you out of your own session. I'm surprised it let you paste as much as you did. So just in the future, always create your access-list first and apply them to the interface when complete. When modifying existing access-lists, I usually create a new one and increment the number so I have an ACL to roll back to if anything fails. Hope you called and had someone reboot like the previous message said, I know how grieving it can be to drive out to sites for these kinds of matters.

Cheers :)
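To make the first-match and implicit-deny behaviour described in the two replies above concrete (and to answer Paul's earlier question whether access-list 102 on its own would block everything), here is an added Python model that is not code from the thread or from Cisco. It evaluates the thread's own access-list 103 and 102 lines against a constructed DHCP DISCOVER and a constructed Telnet session to FE0/0; the port-name table, the sample addresses and the packet dictionaries are assumptions made for the example.

```python
# Added example, not from the thread: a small evaluator for Cisco IOS numbered
# extended-ACL lines, modelling first-match order and the implicit
# "deny ip any any" that ends every list. It parses only the forms the thread
# uses: "any" or "host A.B.C.D" addresses and an optional "eq <port>".
PORT_NAMES = {"bootps": 67, "bootpc": 68, "telnet": 23}

def parse_entry(line):
    """'access-list N permit|deny proto src [eq p] dst [eq p] [log]' -> dict."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    entry = {"num": int(tok[1]), "action": tok[2], "proto": tok[3]}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "any":                    # matches every address
            entry[side], i = None, i + 1
        elif tok[i] == "host":                 # one specific address
            entry[side], i = tok[i + 1], i + 2
        else:
            raise ValueError("unsupported address form: " + tok[i])
        entry[side + "_port"] = None
        if i < len(tok) and tok[i] == "eq":    # optional port qualifier
            entry[side + "_port"] = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
    return entry                               # a trailing "log" is ignored

def evaluate(acl_lines, number, pkt):
    """First matching entry decides; no match means the implicit deny."""
    for e in (parse_entry(ln) for ln in acl_lines):
        if e["num"] != number:
            continue
        if (e["proto"] in ("ip", pkt["proto"])
                and e["src"] in (None, pkt["src"]) and e["dst"] in (None, pkt["dst"])
                and e["src_port"] in (None, pkt["sport"])
                and e["dst_port"] in (None, pkt["dport"])):
            return e["action"]
    return "deny"  # implicit "deny ip any any" at the end of every IOS ACL

# Constructed traffic: a DHCP DISCOVER (UDP 68 -> 67 broadcast) and Telnet to FE0/0.
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255",
                 "sport": 68, "dport": 67}
TELNET_TO_ROUTER = {"proto": "tcp", "src": "192.168.53.70", "dst": "192.168.53.240",
                    "sport": 51000, "dport": 23}
ACL_103 = [  # access-list 103 as it appears in the posted configuration
    "access-list 103 deny tcp any any eq 67 log",
    "access-list 103 deny udp any any eq bootps log",
    "access-list 103 deny tcp any any eq 68 log",
    "access-list 103 deny udp any any eq bootpc log",
    "access-list 103 deny tcp any any eq 546 log",
    "access-list 103 deny tcp any any eq 547 log",
    "access-list 103 permit ip any any",
]
ACL_102 = ["access-list 102 deny udp any any eq bootpc",   # the pre-existing list:
           "access-list 102 deny udp any any eq bootps"]   # deny entries only
```

Evaluating `ACL_103[:-1]` (the list as it stood before the final `permit ip any any` was typed) shows the Telnet session falling through to the implicit deny, and `ACL_102` denies the same session because it contains no permit at all.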

Hi, thanks for the reply. I've applied a new access-list and it's still not blocking DHCP traffic.

I really don't want to go down the Vlan/trunking route to block the DHCP traffic across the LAN.

This is getting vital for me (have to get it fixed in 24 hours) to fix so I'll give the whole setup again.

The Cisco router has two FE interfaces.

Int 0/0) has an ip address from subnet A with a DHCP server on it

Int 0/1) has two ip addresses from two subnets B and C with a DHCP server on them.

Both these interfaces plug into a 3com switch at our (192.168.53.0 end) From there it's a 100mb link thru to a switch at the subnet B and C end.

The router also has a few serial interfaces which are linked thru to 2mb links to out lying schools but I can't see this affecting anything. (see config below)

People on one subnet are logging in and getting IP addresses and scope info from a DHCP server on the other subnet and this is causing issues.

ie: Clients dialing in to us should get a 192.168.53.x ip address and access all their resources ok but they are receiving an ip address etc from the DHCP server on the 192.168.20.0 subnet.

This is also stuffing our RIS work as we have pxe clients on the 192.168.53.0 subnet getting ip info from the 192.168.20.0 subnet etc etc...

We just want the easiest way to keep DHCP traffic to its own subnet, and blocking inbound + outbound DHCP traffic on both interfaces of the router seems to be the best option. This I have done with access-list 103 (see below).

BUT THIS IS STILL NOT WORKING AND I CAN'T FIGURE OUT WHY!!!!!

If anyone could help or give any pointers quickly I'd appreciate it. To me, the two subnets join at the Cisco 2611 router and that's where I've blocked DHCP traffic (tell me if I've blocked all the correct protocol numbers?)

Thanks in advance

Paul

Using 3902 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco01
!
boot system flash c2600-i-mz.122-8.T5.bin
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network ppp local
aaa session-id common
enable secret 5 $1$obNG$1sxmuUmoeW8VglTWlPzOd.
enable password 7 0317580E070635
!
username admin password 7 105D0A1C041E06
ip subnet-zero
!
!
ip domain-name scea.wa.edu.au
!
!
ip vrf sitemap
ip multicast auto-enable
!
controller E1 0/0
channel-group 0 unframed
!
controller E1 0/1
channel-group 0 unframed
!
controller E1 1/0
channel-group 0 unframed
!
controller E1 1/1
channel-group 0 unframed
!
controller E1 1/2
channel-group 0 unframed
!
!
!
interface FastEthernet0/0
ip address 192.168.53.240 255.255.255.0
ip access-group 103 in
ip access-group 103 out
ip directed-broadcast 101
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/0:0
description Beechboro G703
ip address 192.168.200.5 255.255.255.252
ip directed-broadcast 101
!
interface FastEthernet0/1
ip address 192.168.40.240 255.255.255.0 secondary
ip address 192.168.20.230 255.255.252.0
ip access-group 103 in
ip access-group 103 out
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/1:0
description Ellenbrook G703
ip address 192.168.200.9 255.255.255.252
ip directed-broadcast 101
!
interface Serial0/2
description Armadale DDS
ip address 192.168.210.1 255.255.255.252
ip directed-broadcast 101
encapsulation ppp
no ip mroute-cache
custom-queue-list 1
no cdp enable
!
interface Serial0/3
description 2nd Unused Serial Port
no ip address
!
interface Serial1/0:0
description Mundaring G703
ip address 192.168.200.21 255.255.255.252
ip directed-broadcast 101
!
interface Serial1/1:0
description Kalamunda G703
ip address 192.168.200.13 255.255.255.252
ip directed-broadcast 101
!
interface Serial1/2:0
description Armadale
ip address 192.168.200.1 255.255.255.252
ip directed-broadcast 101
!
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 192.168.53.15
ip route 192.168.30.0 255.255.255.0 192.168.200.22
ip route 192.168.50.0 255.255.255.0 192.168.200.14
ip route 192.168.60.0 255.255.255.0 192.168.200.10
ip route 192.168.70.0 255.255.255.0 192.168.200.6
ip route 192.168.100.0 255.255.255.0 192.168.200.2
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.53.70
access-list 101 permit udp any eq 42508 any
access-list 101 permit udp any range 42508 42510 any
access-list 102 deny udp any any eq bootpc
access-list 102 deny udp any any eq bootps
access-list 103 deny tcp any any eq 67 log
access-list 103 deny udp any any eq bootps log
access-list 103 deny tcp any any eq 68 log
access-list 103 deny udp any any eq bootpc log
access-list 103 deny tcp any any eq 546 log
access-list 103 deny tcp any any eq 547 log
access-list 103 permit ip any any
queue-list 1 protocol ip 1 tcp 1494
queue-list 1 protocol ip 1 tcp 1604
queue-list 1 protocol ip 1 tcp 3389
queue-list 1 protocol ip 1 udp 1494
queue-list 1 protocol ip 1 udp 1604
queue-list 1 protocol ip 1 udp 3389
queue-list 1 protocol ip 2 udp domain
queue-list 1 protocol ip 2 tcp domain
queue-list 1 protocol ip 3 tcp www
queue-list 1 protocol ip 3 tcp 8080
queue-list 1 protocol ip 3 tcp 443
queue-list 1 protocol ip 3 tcp pop3
queue-list 1 protocol ip 3 tcp smtp
queue-list 1 default 4
queue-list 1 queue 1 byte-count 4500
queue-list 2 protocol ip 1 tcp 1494
queue-list 2 protocol ip 1 tcp 1604
queue-list 2 protocol ip 1 tcp 3389
queue-list 2 protocol ip 1 udp 1494
queue-list 2 protocol ip 1 udp 1604
queue-list 2 protocol ip 1 udp 3389
queue-list 2 default 2
queue-list 2 queue 1 byte-count 30000
snmp-server community sceait RO
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password 7 071C22494F000D
!
!
end

Hey,

You wrote:

Int 0/0) has an ip address from subnet A with a DHCP server on it

Int 0/1) has two ip addresses from two subnets B and C with a DHCP server on them.

Both these interfaces plug into a 3com switch at our (192.168.53.0) end. From there it's a 100mb link thru to a switch at the subnet B and C end.

From what this sounds like, you have both physical interfaces tied into a single switch. If you are not using VLANs to segment your broadcast domains then your problem is not at the router. A DHCP request is a broadcast that does not care what subnet it is on. A switch (not configured for VLANs) is a single broadcast domain. So unless you configure VLANs on that switch, when a client comes on board and issues a DHCP request, it will get flooded out every switchport (doesn't matter if the router is there or not) and wait for the first DHCP server to respond. If my hunch is correct, you need to either configure VLANs or place a different switch there for the different subnet you want to contain and move the physical interface of the router to the new switch.
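As an added illustration of the broadcast-domain point in the reply above (not code from the thread), this Python toy model floods a DHCP DISCOVER to every port that shares the client's VLAN, so both DHCP servers hear it on an un-VLANed switch and the router's ACL is never consulted; the port numbers, the two DHCP server addresses and the VLAN id 20 are constructed for the example.

```python
# Added example, not from the thread: a toy model of why a router ACL cannot
# stop a DHCP exchange when every device sits in one switch broadcast domain.
# A broadcast frame is delivered to every other port in the same VLAN; the
# router only sees traffic that is actually routed between subnets.
class Switch:
    def __init__(self):
        self.ports = {}                 # port number -> (host name, vlan id)

    def connect(self, port, host, vlan=1):
        self.ports[port] = (host, vlan)

    def flood(self, ingress_port):
        """Hosts that receive a broadcast entering on ingress_port."""
        _, vlan = self.ports[ingress_port]
        return sorted(host for port, (host, v) in self.ports.items()
                      if v == vlan and port != ingress_port)

def dhcp_servers_reached(switch, client_port, servers):
    """DHCP servers that hear the client's DISCOVER; the first to answer wins."""
    return [host for host in switch.flood(client_port) if host in servers]

# Constructed topology matching the thread: both router FE ports, a DHCP
# server per subnet and a VPN client all on one 3Com switch.
DHCP_53 = "dhcp-53 192.168.53.5"       # constructed subnet A server
DHCP_20 = "dhcp-20 192.168.20.5"       # constructed subnet B server
SERVERS = {DHCP_53, DHCP_20}

def flat_topology():
    sw = Switch()                       # no VLANs: one broadcast domain
    sw.connect(1, "router-fe0/0 192.168.53.240")
    sw.connect(2, "router-fe0/1 192.168.20.230")
    sw.connect(3, DHCP_53)
    sw.connect(4, DHCP_20)
    sw.connect(5, "vpn-client")
    return sw

def vlan_topology():
    sw = flat_topology()                # same cabling, subnet B moved to VLAN 20
    for port in (2, 4):
        host, _ = sw.ports[port]
        sw.connect(port, host, vlan=20)
    return sw
```

In the flat topology the client's DISCOVER reaches both servers, which is exactly the symptom in the thread; once ports 2 and 4 are in their own VLAN only the subnet A server hears it.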