Blocking DHCP requests of windows clients

Greg Maaaag
Level 1

Good day!

We've got 5 remote offices with Cisco 881 routers, Windows clients behind them, and all routers connected via site-to-site VPN to a central software router.

Almost all clients receive IP addresses from the routers in their own subnets 192.168.x.0/24.

We have a Windows DHCP server in subnet 192.168.181.0/24.

The problem is that some of the clients physically situated in the 192.168.10.0/24 subnet receive IP addresses from the Windows DHCP server in the 192.168.181.0/24 subnet.

Here's part of cisco cfg:

interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 89.104.102.226 255.255.255.240
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 ip route-cache same-interface
 ip route-cache policy
 duplex auto
 speed auto
 crypto map vpn
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 192.168.110.110 255.255.255.0
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.10.12 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat pool NEW 89.104.102.226 89.104.102.226 prefix-length 24
ip nat inside source list 100 pool NEW overload
ip nat inside source static tcp 192.168.10.4 1723 89.104.102.226 1723 extendable
ip nat inside source static tcp 192.168.10.140 3306 89.104.102.226 3306 extendable
ip nat inside source static tcp 192.168.10.4 3389 89.104.102.226 3389 extendable
ip nat inside source static tcp 192.168.10.11 8081 89.104.102.226 8081 extendable
ip route 0.0.0.0 0.0.0.0 89.104.102.225
!
logging esm config
access-list 100 deny   udp any any range bootps bootpc
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.181.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny   udp any any eq bootpc
access-list 102 deny   udp any any eq bootps
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.181.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
no cdp run
!
route-map IPSEC-TRAF permit 10
 match ip address 102
 set interface FastEthernet4
!

According to the ACLs, traffic from ports 67 and 68 should be blocked, but somehow it isn't being blocked. What am I doing wrong?


Abzal
Level 7

Hi,

If the clients are on the Vlan1 subnet 192.168.10.0/24, then you just need to add an ip helper-address under VLAN1, because your DHCP server is on another subnet.

int Vlan1
ip add 192.168.10.12 255.255.255.0
ip helper-address 192.168.181.x

Please rate helpful posts.

Sent from Cisco Technical Support iPhone App

Best regards,
Abzal

Abzal
Level 7

And if you want to block packets as per ACL 100, put it under interface VLAN 1.

Int Vlan1
ip access-group 100 in

But in this way clients on subnet 192.168.10.0/24 will not get their IP addresses.

Sent from Cisco Technical Support iPhone App

Best regards,
Abzal

Hello! Thank you for your answer.

I want to block packets from the local subnet to the DHCP server in the 192.168.181.0 subnet, because the Cisco routers act as DHCP servers for their own subnets.

Maybe it's possible to make some firewall rule on the software router Vyatta?

Which ACL should we use for Vlan1: 100 or 102?

When I map ACL 100 to the Vlan1 interface, I lose connection to this local subnet from other subnets.

I actually can't understand how these broadcast requests pass through the VPN tunnel and routing?
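An added example (not from the thread or from Cisco) that models why the two uses of ACL 100 in this config behave so differently: referenced by "ip nat inside source list 100", a deny entry only exempts the packet from translation, whereas applied with "ip access-group 100 in" the same deny drops the packet. It also shows that the deny toward 192.168.181.0/24 then catches ordinary replies, which is the connectivity loss described above. The evaluator models IOS first-match with wildcard masks; the sample packets and the 203.0.113.7 address are constructed.

```python
import ipaddress

BOOTPS, BOOTPC = 67, 68  # DHCP server/client UDP ports named in the ACL
ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any' as network + wildcard

def wildcard_match(addr, net, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', so 255.255.255.255 is 'any'."""
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(net))
    return (a & care) == (n & care)

# The entries of ACL 100 that decide the thread's packets, in IOS evaluation order:
# (action, protocol, src, src_wildcard, dst, dst_wildcard, destination port range or None)
ACL_100 = [
    ("deny", "udp", *ANY, *ANY, (BOOTPS, BOOTPC)),  # deny udp any any range bootps bootpc
    ("deny", "ip", "192.168.10.0", "0.0.0.255", "192.168.181.0", "0.0.0.255", None),
    ("permit", "ip", "192.168.10.0", "0.0.0.255", *ANY, None),  # permit ip 192.168.10.0 0.0.0.255 any
]

def acl_lookup(acl, proto, src, dst, dport):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any'."""
    for action, p, snet, swild, dnet, dwild, ports in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild)):
            continue
        if ports is not None and not ports[0] <= dport <= ports[1]:
            continue
        return action
    return "deny"

def as_nat_list(proto, src, dst, dport):
    """'ip nat inside source list 100': a deny only excludes the packet from translation."""
    verdict = acl_lookup(ACL_100, proto, src, dst, dport)
    return "translated" if verdict == "permit" else "forwarded untranslated"

def as_access_group(proto, src, dst, dport):
    """'ip access-group 100 in' on Vlan1: a deny drops the packet."""
    verdict = acl_lookup(ACL_100, proto, src, dst, dport)
    return "forwarded" if verdict == "permit" else "dropped"

if __name__ == "__main__":
    # Constructed packets: a unicast DHCP renewal to the Windows server, a reply from the
    # RDP host toward 192.168.181.0/24, and ordinary web traffic to an example address.
    for pkt in [("udp", "192.168.10.50", "192.168.181.10", BOOTPS),
                ("tcp", "192.168.10.4", "192.168.181.10", 50000),
                ("tcp", "192.168.10.50", "203.0.113.7", 443)]:
        print(pkt, "NAT list:", as_nat_list(*pkt), "| access-group:", as_access_group(*pkt))
```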
