ACL query and dhcp

jcrow (Level 1)

Hi,

A simple query regarding Access Control Lists and DHCP.

192.168.1.2 is the DHCP server.

Say I have a VLAN 101 configured with the following:

 ip access-group TEST_IN in
 ip access-group TEST_OUT out
 ip helper-address 192.168.1.2

Here are the ACLs themselves:

ip access-list extended TEST_IN
 permit udp any host 192.168.1.2 eq bootps

ip access-list extended TEST_OUT
 deny ip any any

-------------------------------

In the above, would a client connected via VLAN 101 be able to get an IP address via DHCP? It could send the DHCP request, but would 'deny ip any any' block the return packets?

Or are the packets allowed because the router acts as a relay for the DHCP server (via ip helper-address), and the router itself allows the return packets regardless of the ACLs?

Cheers

jcrow

1 Accepted Solution

Yes, it will block.

Regards,
Deepak Kumar


7 Replies

Jon Marshall (Hall of Fame)

The ACL needs to allow the packets before the router can forward the DHCP request.

Note though that you have the direction on your ACL wrong, i.e. inbound is traffic from clients in VLAN 101, so the source IP would never be the DHCP server.

Jon

Thanks for the response.

The clients in VLAN 101 can initiate a DHCP request via the following:

ip access-list extended TEST_IN
 permit udp any host 192.168.1.2 eq bootps

What I am asking is if the DHCP server's response would be blocked by the out ACL:

ip access-list extended TEST_OUT
 deny ip any any

Yes, it will block.

Regards,
Deepak Kumar


It will block, thanks Deepak.

After some more investigation, I could allow responses from the DHCP server either by explicitly permitting them on the out ACL or, a simpler method, by applying ip inspect for the various protocols.
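An added configuration example (mine, not from this thread) showing the explicit-permit approach mentioned above: TEST_OUT gets entries for DHCP replies ahead of the final deny, so address assignment no longer depends on whether a given platform treats the relay's forwarded reply as router-generated traffic that skips the outbound ACL, which is the point debated in the replies below. The VLAN 101 interface address 192.168.101.1/24 is a constructed value, and the first outbound entry assumes the relay sources its replies from that address on UDP port 67 (bootps) to the client's port 68 (bootpc). The inbound entry matches on ports rather than on the server address because a client that has no address yet sends its request to the broadcast address, which a 'host 192.168.1.2' match does not cover. The second outbound entry covers the renewal case, where a client unicasts directly to the server and the server answers directly, with no relay involved.

```cisco
! Added example, not from the original thread.
! Assumption: the SVI for VLAN 101 is 192.168.101.1/24 (a constructed address).
!
! Inbound on VLAN 101: DHCP traffic from clients towards the relay or server.
! A client with no address yet sends from 0.0.0.0 to 255.255.255.255, UDP 68 -> 67,
! so match on the ports rather than on the server address.
ip access-list extended TEST_IN
 permit udp any eq bootpc any eq bootps
!
! Outbound on VLAN 101: DHCP replies towards the clients.
! Assumption: the relay sources forwarded replies from its own VLAN 101 address,
! UDP 67 -> 68, to either the broadcast address or the client's new unicast address.
ip access-list extended TEST_OUT
 remark relayed replies, sourced by the relay itself
 permit udp host 192.168.101.1 eq bootps any eq bootpc
 remark direct replies when a client renews by unicast to the server (no relay)
 permit udp host 192.168.1.2 eq bootps any eq bootpc
 deny ip any any
!
interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 ip helper-address 192.168.1.2
 ip access-group TEST_IN in
 ip access-group TEST_OUT out
```

On real equipment, the quickest way to settle which path the replies take is to release and renew a client and then read the per-entry match counters from 'show ip access-lists': a relayed reply increments the first outbound entry, a direct renewal reply increments the second, and a platform that skips the outbound ACL for relayed replies leaves the first counter at zero while the client still gets an address.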

I have just tested this in a lab and it did not block the IP address assignment.

The lab was using virtual routers, but I suspect the same would be seen with real equipment.

Jon

Deepak,

Do you know this for a fact? My test has just shown otherwise, but it could be because I am not using real equipment.

Jon

Yes, sorry, I misread your ACL; it is correct as you say.

As for being blocked on the way back, it is a good question, because traffic generated by the router itself bypasses any ACLs, and the response is actually generated by the router after it has received a reply from the DHCP server.

To be honest, I don't know without testing.

Jon
