Access List with DHCP

radarbackwards
Level 1

Hi Everyone,

We want to set a "deny all" policy on our network so that only allowed ports are permitted.

On my topology, I only put the DHCP server and the client for the sake of isolation and ease of troubleshooting.

I have 3 VLANs:

vlan 200 - dhcp server

vlan 250 - client 1

vlan 210 - client 2

What I want to happen is that only VLAN 250 can obtain DHCP from the server.

hostname Switch
spanning-tree mode pvst
interface FastEthernet0/1
 switchport access vlan 250
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 210
 switchport mode access
interface Vlan1
 no ip address
 shutdown
!
interface Vlan200
 ip address 192.168.200.10 255.255.255.0
 ip access-group FILTER in
!
interface Vlan210
 ip address 192.168.210.10 255.255.255.0
 ip helper-address 192.168.200.11
!
interface Vlan250
 ip address 192.168.250.10 255.255.255.0
 ip helper-address 192.168.200.11
!
ip classless
!
!
ip access-list extended FILTER
 permit ip 192.168.250.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit udp any any eq bootps
 permit udp any any eq bootpc
 deny ip any any
line con 0
line vty 0 4
 login
!
!
!
end

Switch#

cadet alain
VIP Alumni

Hi,

The easiest way is not to put an ip helper-address under vlan 250, so the DHCP Discover messages will never get to the server.

The ACL was applied inbound on vlan 200, so your first permit won't be matched, as there will never be a source address inbound in the 192.168.250.0 subnet; the second entry won't be matched either. The 3rd one will be matched by any DHCP server messages to any destination, including vlan 250, so you won't achieve what you need. If you still wish to use this ACL, then apply it inbound on vlan 250 and edit it like this:

no ip access-list extended FILTER
ip access-list extended FILTER
 deny udp any eq bootpc host 192.168.200.11 eq bootps
 permit ip any any

Regards

Alain

Don't forget to rate helpful posts.
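To make the matching mechanics discussed in this thread concrete (first-match evaluation, wildcard masks, the implicit deny at the end of every list, and the fact that an inbound ACL only sees traffic entering the interface), here is an added Python model. It is not code from the thread or from Cisco IOS; the `Packet`/`Ace` types and all function names are this example's own. The access list is the FILTER list from the question, the addresses are the thread's topology, and the constructed packets follow what `ip helper-address` puts on the server VLAN per RFC 2131 section 4.1: the relay agent forwards the client's broadcast as a unicast sourced from its own SVI address to UDP/67, and the server answers the relay agent (giaddr) on UDP/67.

```python
"""Cisco-style extended ACL evaluator for the FILTER list in this thread.

Added example, not code from the thread or from Cisco IOS. It models three
things an ACL on an SVI actually does: first-match evaluation, wildcard-mask
address matching, and the implicit 'deny ip any any' at the end of every list.
The Packet/Ace types and all function names are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

BOOTPS, BOOTPC = 67, 68  # DHCP server and client UDP ports


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp", "tcp", "icmp", ...
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (wildcard)
    dst: str
    dport: Optional[int] = None  # "eq <port>" on the destination; None = any port


def addr_matches(spec: str, addr: str) -> bool:
    """Match an address against an ACL address spec (any / host / network+wildcard)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    base, wildcard = (int(ipaddress.IPv4Address(p)) for p in parts)
    # Wildcard bits set to 1 are "don't care"; only the 0 bits have to agree.
    return (int(ipaddress.IPv4Address(addr)) & ~wildcard) == (base & ~wildcard)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (addr_matches(ace.src, pkt.src) and addr_matches(ace.dst, pkt.dst)):
        return False
    return ace.dport is None or pkt.dport == ace.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins. Returns (action, ACE index); index None = implicit deny."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", None


# The FILTER list exactly as posted in the question, applied 'in' on Vlan200.
FILTER = [
    Ace("permit", "ip", "192.168.250.0 0.0.0.255", "192.168.200.0 0.0.0.255"),
    Ace("permit", "udp", "any", "any", BOOTPS),
    Ace("permit", "udp", "any", "any", BOOTPC),
    Ace("deny", "ip", "any", "any"),
]


def relayed_dhcp_exchange(relay_svi: str, server: str) -> List[Tuple[str, Packet]]:
    """The two unicast packets a relayed DHCP exchange puts on the server VLAN,
    tagged with their direction relative to the server-facing SVI (Vlan200).
    Per RFC 2131 section 4.1: the relay forwards the client's broadcast as a
    unicast sourced from its own SVI address to UDP/67, and the server answers
    the relay agent (giaddr) on UDP/67, not on the client port."""
    return [
        ("out", Packet(relay_svi, server, "udp", BOOTPS, BOOTPS)),
        ("in", Packet(server, relay_svi, "udp", BOOTPS, BOOTPS)),
    ]


def inbound_verdicts(acl: List[Ace],
                     exchange: List[Tuple[str, Packet]]) -> List[Tuple[str, Optional[int]]]:
    """An inbound ACL evaluates only the packets entering the interface."""
    return [evaluate(acl, pkt) for direction, pkt in exchange if direction == "in"]


if __name__ == "__main__":
    server = "192.168.200.11"
    # Offers relayed back to either client VLAN hit the same 'permit udp any any eq bootps'
    # entry, so the list as written cannot tell vlan 250 apart from vlan 210.
    for svi in ("192.168.250.10", "192.168.210.10"):
        print(svi, inbound_verdicts(FILTER, relayed_dhcp_exchange(svi, server)))
    # Non-DHCP traffic from the server VLAN falls through to the explicit deny.
    print(evaluate(FILTER, Packet(server, "192.168.210.20", "tcp", 49152, 445)))
```

Running the module evaluates the server's relayed replies toward both client SVIs and a non-DHCP packet; swap in another `Ace` list (or drop the trailing explicit deny to see the implicit one reported as index `None`) to check how a candidate ACL behaves before applying it to a live SVI.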