ciro dhcp

nettuno8_20111
Level 1

Hi, I have a 2901 router. My problem is this: in the 192.168.2.0 network the hosts are all on DHCP, and I created a pool that makes the DHCP address for one host always the same, because on that address I put a deny rule. But when the host sets its address statically and changes it, it connects to the internet. What configuration do I have to do so that even if it sets a static address it does not connect to the internet? Thank you.

1 Accepted Solution

Accepted Solutions

Hello

 


@nettuno8_20111 wrote:

Hello, yes I know, but when the host is on DHCP it cannot connect to the internet; the problem is when you manually change the IP address to another one, it connects. I would like to make a configuration such that even when you change it manually you cannot connect to the internet. Thank you.


 

conf t
mac access-list extended no-internet
 ! a0f3.c100.0175 is the MAC carried in the DHCP client-identifier 01a0.f3c1.0001.75 (01 = Ethernet hardware type)
 deny host a0f3.c100.0175 any
 permit any any
!
interface Dialer1
 mac access-group no-internet in



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


15 Replies

Hello,

 

what do you need...a static DHCP mapping ? Post the full config of your 2911...

Hello

so please confirm if I have understood - 

You have created a DHCP static mapping for a host, and that host does not connect to the internet.

 

However if you put the ip address manually on the host it does connect to the internet?



Kind Regards
Paul

Alan Ng'ethe
Level 3

So, you are saying that if a static address is configured instead of DHCP address, the host is somehow able to bypass the access list and access the internet? You want access to the internet to be denied regardless of DHCP or static configuration on the host?


Could you please elaborate more and post the configs?

 

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

Hello, sorry I did not send you the configuration in time; I could not send it earlier. Yes, anyway, it is as you say.

iro(config)#do show running-config
Building configuration...

Current configuration : 3798 bytes
!
! Last configuration change at 15:58:10 UTC Mon Oct 8 2018
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ciro
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.2
ip dhcp excluded-address 192.168.2.17 192.168.2.18
ip dhcp excluded-address 192.168.2.49 192.168.2.50
!
ip dhcp pool vlan-2
network 192.168.2.16 255.255.255.240
default-router 192.168.2.30
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
ip dhcp pool vlan-1
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.1.60
lease infinite
!
ip dhcp pool vlan-4
network 192.168.2.48 255.255.255.240
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.2.62
lease infinite
!
ip dhcp pool deny
host 192.168.1.50 255.255.255.0
client-identifier 01a0.f3c1.0001.75
default-router 192.168.1.60
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
!
ip host ciro-isp 192.168.10.2
ip host voice-voip 192.168.10.1
ip name-server 109.232.88.3
ip name-server 109.232.88.4
ip name-server 192.168.10.2
ip name-server 192.168.10.1
ip ddns update method dyndns
HTTP
add http://ciro15:ciro150182@update.dyndns.it/nic/update?system=dyndns&hostname=vegeta.homepc.it
interval maximum 24 0 0 0
interval minimum 24 0 0 0
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2901/K9 sn FCZ1523C0C1
!
!
vtp mode transparent
!
!
vlan 2
!
vlan 3
name ciro
!
vlan 4,11
!
!
!
!
!
interface Tunnel0
ip address 192.168.3.2 255.255.255.252
tunnel source Dialer1
tunnel destination 95.250.159.118
!
interface Port-channel2
switchport mode trunk
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
no ip address
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1.11
encapsulation dot1Q 11
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0/0
switchport access vlan 11
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
switchport access vlan 2
!
interface FastEthernet0/0/3
switchport access vlan 4
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
standby version 2
standby 1 ip 192.168.1.60
standby 1 name vlan-1
!
interface Vlan2
ip address 192.168.2.18 255.255.255.240
ip nat inside
ip virtual-reassembly
standby version 2
standby 1 ip 192.168.2.30
standby 1 name vlan-2
!
interface Vlan4
ip address 192.168.2.50 255.255.255.240
ip nat inside
ip virtual-reassembly
standby version 2
standby 1 ip 192.168.2.62
standby 1 name vlan-4
!
interface Vlan11
ip address 192.168.10.2 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface Dialer1
mtu 1492
ip ddns update hostname vegeta.homepc.it.dyndns.it
ip ddns update dyndns
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp pap sent-username aliceadsl password 0 aliceadsl
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.30 34599 interface Dialer1 34599
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.2.16 255.255.255.240 Tunnel0
!
access-list 101 deny ip host 192.168.1.50 any
access-list 101 permit tcp host 34.255.218.242 eq www any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
!
!
!
control-plane
!
!
line con 0
password ciro
login
line aux 0
line vty 0
password ciro
login
line vty 1 4
login
!
scheduler allocate 20000 1000
end

ciro(config)#            

 
 
Here is the configuration. When the host that has 192.168.1.50 changes its IP, it connects to the internet. I have to make sure that even when the host changes its IP it cannot connect to the internet. Thank you.

Thanks for the config.

 

Firstly, you might want to unmark the question as resolved so that someone else may be able to assist you.

 

Secondly, what IP address does the host 192.168.1.50 have when it is able to connect to the internet?

 

I do see this line:

access-list 101 deny ip host 192.168.1.50 any

and this:

ip nat inside source list 101 interface Dialer1 overload

which I presume, not 100% sure at the moment, would prevent the translation of host 192.168.1.50 by the NAT process, thereby denying internet access.

 

If that does not deny the translation, then you would probably realize your objective by taking the appropriate measures on the host, i.e. denying local users the ability to change the host's IP address.

 

I stand to be corrected.

 


Hello, thanks for answering me. The rule "access-list 101 deny ... 192.168.1.50" is the setting to prevent that host from connecting to the internet. I have also created the DHCP pool "deny" so that the host, when it receives its address via DHCP, does not connect to the internet. However, when the host in question changes its IP address and takes a free one, it connects to the internet. I would like to make sure that even if the address changes, it does not connect to the internet. As for NAT list 101, it translates the other hosts that must be connected to the internet.

You seem to have done it the right way. In your 'deny' DHCP pool have you tried the hardware-address command instead of the client-identifier command?

 

 


Hello, yes I know, thanks. When the host is on DHCP it cannot connect to the internet, but the problem is when you change it manually, which sets another address and connects. I would like to make a configuration such that even when you change it manually it cannot connect to the internet. Thank you.

Hello

 


@nettuno8_20111 wrote:

ip dhcp excluded-address 192.168.1.1 192.168.1.2
ip dhcp excluded-address 192.168.2.17 192.168.2.18
ip dhcp excluded-address 192.168.2.49 192.168.2.50
!
ip dhcp pool vlan-2
network 192.168.2.16 255.255.255.240
default-router 192.168.2.30
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
ip dhcp pool vlan-1
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.1.60
lease infinite
!
ip dhcp pool vlan-4
network 192.168.2.48 255.255.255.240
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.2.62
lease infinite
!
ip dhcp pool deny
host 192.168.1.50 255.255.255.0
client-identifier 01a0.f3c1.0001.75
default-router 192.168.1.60
dns-server 8.8.8.8 8.8.4.4
lease infinite

ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.30 34599 interface Dialer1 34599
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.2.16 255.255.255.240 Tunnel0

access-list 101 deny ip host 192.168.1.50 any

 
Here is the configuration. When the host that has 192.168.1.50 changes its IP, it connects to the internet. I have to make sure that even when the host changes its IP it cannot connect to the internet. Thank you.

 

This is because you have excluded that host from your NAT translation by its IP address, hence when you change its IP address it is able to get NATted and access the internet.



Kind Regards
Paul
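Alan's reply above reasons from `access-list 101` and the `ip nat inside source list 101 interface Dialer1 overload` line, and Paul's reply explains that the host escapes the deny as soon as it uses any address other than 192.168.1.50. The following Python script is an added example, not from the thread or from Cisco: it re-implements IOS first-match wildcard evaluation over the ACL 101 lines copied from the posted running-config, decodes the DHCP `client-identifier` from the "deny" pool into the MAC used by the accepted solution's MAC ACL, and evaluates both policies for the same host before and after it sets its own address. The function names and the sample host addresses are my own. One caveat from a defender's view: a MAC-keyed rule can only match on an interface that receives the host's own Ethernet frames (the inside VLAN side); traffic leaving over PPP on Dialer1 no longer carries the inside host's MAC.

```python
"""Added example (not from the thread): IP-keyed vs MAC-keyed denial of a LAN host."""
import ipaddress

# access-list 101 as it appears in the posted running-config. The protocol and
# port of the second line are ignored: this evaluator keys on source only.
ACL_101 = [
    ("deny",   "192.168.1.50",   "0.0.0.0"),      # host 192.168.1.50
    ("permit", "34.255.218.242", "0.0.0.0"),      # host 34.255.218.242 (tcp eq www)
    ("permit", "192.168.0.0",    "0.0.255.255"),  # 192.168.0.0/16
]

# MAC ACL from the accepted solution: deny one station, permit everything else.
MAC_ACL = [("deny", "a0f3.c100.0175"), ("permit", "any")]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard is a don't-care bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def nat_permits(src_ip, acl=ACL_101):
    """First matching line wins; an unmatched packet hits the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src_ip, base, wildcard):
            return action == "permit"
    return False


def client_identifier_to_mac(client_id):
    """Turn a DHCP client-identifier '01' + MAC (hardware type 1 = Ethernet)
    into the dotted notation used in the MAC ACL."""
    digits = client_id.replace(".", "").lower()
    if len(digits) != 14 or not digits.startswith("01"):
        raise ValueError("not a 7-byte Ethernet client-identifier")
    mac = digits[2:]
    return f"{mac[0:4]}.{mac[4:8]}.{mac[8:12]}"


def mac_acl_permits(src_mac, acl=MAC_ACL):
    """Same first-match rule, keyed on the source MAC instead of the IP."""
    for action, host in acl:
        if host == "any" or host == src_mac.lower():
            return action == "permit"
    return False


def internet_allowed(host):
    """Evaluate one host ({'mac': ..., 'ip': ...}) under both policies."""
    return {
        "ip_keyed": nat_permits(host["ip"]),
        "mac_keyed": mac_acl_permits(host["mac"]),
    }


if __name__ == "__main__":
    blocked_mac = client_identifier_to_mac("01a0.f3c1.0001.75")
    # Constructed sample: the same station with its DHCP-assigned address and
    # after it set a free address in the same subnet by hand (192.168.1.77 is made up).
    for ip in ("192.168.1.50", "192.168.1.77"):
        result = internet_allowed({"mac": blocked_mac, "ip": ip})
        print(f"{blocked_mac} at {ip}: NAT ACL 101 permits={result['ip_keyed']}, "
              f"MAC ACL permits={result['mac_keyed']}")
```

Running it shows the asymmetry the thread is about: with the DHCP address the IP-keyed NAT ACL denies the host, but at any other 192.168.x.x address the `permit ip 192.168.0.0 0.0.255.255 any` line translates it, while the MAC-keyed rule denies the station at both addresses because the identity it checks is one the user did not change by editing the adapter settings.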

Hello, yes I know, but when the host is on DHCP it cannot connect to the internet; the problem is when you manually change the IP address to another one, it connects. I would like to make a configuration such that even when you change it manually you cannot connect to the internet. Thank you.


