MAC Extended ACL/DHCP not blocked

chrander (Level 1)

Hello, I have created an extended MAC ACL whose primary goal is to allow only a specific range of MAC addresses from a specific vendor. The rule functions as intended with one caveat: any host connected to the port that is supposed to be denied is able to handshake with our DHCP server and obtain an IP address. That host is still blocked via the ACL. It would be ideal if DHCP were blocked as well.

mac access-list extended XXXXXX
permit any 0010.6a00.0000 0000.0011.1111
deny any any

interface GigabitEthernet1/7
description RSVD Radio MGMT
port-type eni
switchport access vlan 2
switchport mode access
power inline never
mac access-group XXXXXX in

Any help with this issue would be greatly appreciated! 

Cisco 4010 4S24P Ver 15.2(4r)EC

Accepted Solution
chrander (Level 1)

I seem to have found a solution. The IP access list below worked great.

ip access-list extended Deny_DHCP
deny udp any any eq bootpc
deny udp any any eq bootps
permit ip any any

interface GigabitEthernet1/7
ip access-group Deny_DHCP in


5 Replies

Check my comment below.

chrander (Level 1)

Our DHCP server needs to stay open so that other devices on any other port of that VLAN can obtain DHCP. We have a live device on this port with a built-in hub, which cannot be disabled. So I was hoping to limit the risk of a host being connected to this hub and obtaining an IP address. The access list blocks any host from accessing the network very well; I would just like to block DHCP somehow. I may try to apply a second access list to this port that just blocks DHCP.

I will run a lab and find a way to deny DHCP requests.

First, thanks for sharing your config.
Second, I ran a lab, and indeed the MAC ACL cannot deny the broadcast.
I will read more about this issue and update you soon.
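Added example, not code from the thread: a short Python model of how a Catalyst/IE-series Layer 2 port consults its ACLs on inbound traffic, run against the two ACLs posted above. Its premise, stated here as the model's assumption, is the documented Catalyst port-ACL rule that a MAC ACL filters only non-IP frames (ARP and the like) while IPv4 packets are matched against the port's IP ACL, or are permitted outright when no IP ACL is applied. DHCP is IPv4 over UDP, which is why the MAC ACL never sees the DISCOVER and why the Deny_DHCP IP ACL is what stops it (for every host on the port, the permitted radio included, so the radio must not depend on DHCP either). The frames, the rogue MAC 3c4a.9201.aabb and the gateway MAC 0000.0c9f.f001 are constructed inputs.

```python
"""Model of a Catalyst Layer 2 port applying a MAC ACL and an IP ACL inbound.

Assumption (documented Catalyst port-ACL behaviour, the premise of this model):
a MAC ACL is consulted only for non-IP frames; IPv4 packets go to the IP ACL,
or are permitted when none is applied. All frames below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BOOTPS, BOOTPC = 67, 68           # DHCP server port, DHCP client port


@dataclass
class Frame:
    src_mac: str                   # Cisco dotted hex, e.g. "0010.6a12.3456"
    dst_mac: str
    ethertype: int
    ip_proto: Optional[str] = None  # "udp" / "tcp" / "icmp" for IPv4 frames
    dst_port: Optional[int] = None  # UDP/TCP destination port


def mac_to_int(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def mac_matches(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the (hexadecimal) mask means 'don't care'."""
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return (mac_to_int(addr) & care) == (mac_to_int(pattern) & care)


# Entries are (action, src, src_wildcard, dst, dst_wildcard); "any" matches all.
MAC_ACL = [
    ("permit", "any", None, "0010.6a00.0000", "0000.0011.1111"),  # as posted
    ("deny", "any", None, "any", None),
]

# Entries are (action, protocol, dst_port); None = any port, "ip" = any protocol.
IP_ACL_DENY_DHCP = [
    ("deny", "udp", BOOTPC),       # server->client replies: a rogue DHCP server behind the hub
    ("deny", "udp", BOOTPS),       # client DISCOVER/REQUEST towards port 67
    ("permit", "ip", None),
]


def mac_acl_lookup(frame: Frame, acl) -> str:
    for action, src, src_wc, dst, dst_wc in acl:
        if (src == "any" or mac_matches(frame.src_mac, src, src_wc)) and \
           (dst == "any" or mac_matches(frame.dst_mac, dst, dst_wc)):
            return action
    return "deny"                  # implicit deny at the end of every ACL


def ip_acl_lookup(frame: Frame, acl) -> str:
    for action, proto, port in acl:
        if proto != "ip" and proto != frame.ip_proto:
            continue
        if port is not None and port != frame.dst_port:
            continue
        return action
    return "deny"


def port_decision(frame: Frame, mac_acl=None, ip_acl=None) -> str:
    """Inbound port-ACL lookup: IPv4 -> IP ACL, everything else -> MAC ACL."""
    if frame.ethertype == ETHERTYPE_IPV4:
        return ip_acl_lookup(frame, ip_acl) if ip_acl else "permit"
    return mac_acl_lookup(frame, mac_acl) if mac_acl else "permit"


# Constructed traffic from a laptop plugged into the radio's built-in hub.
ROGUE = "3c4a.9201.aabb"           # not a 0010.6a vendor address
GATEWAY = "0000.0c9f.f001"         # constructed gateway MAC
FRAMES = {
    "arp_request": Frame(ROGUE, "ffff.ffff.ffff", ETHERTYPE_ARP),
    "dhcp_discover": Frame(ROGUE, "ffff.ffff.ffff", ETHERTYPE_IPV4, "udp", BOOTPS),
    "rogue_dhcp_offer": Frame(ROGUE, "ffff.ffff.ffff", ETHERTYPE_IPV4, "udp", BOOTPC),
    "ping_with_static_ip": Frame(ROGUE, GATEWAY, ETHERTYPE_IPV4, "icmp"),
}


def evaluate(mac_acl=MAC_ACL, ip_acl=None) -> dict:
    """Decision per constructed frame for a given port ACL combination."""
    return {name: port_decision(f, mac_acl, ip_acl) for name, f in FRAMES.items()}


if __name__ == "__main__":
    print("MAC ACL only:       ", evaluate())
    print("MAC ACL + Deny_DHCP:", evaluate(ip_acl=IP_ACL_DENY_DHCP))
    # The posted wildcard is hex: it ignores only the low bit of each of the
    # last six nibbles. Matching the whole 00:10:6a OUI needs 0000.00ff.ffff.
    print(mac_matches("0010.6a12.3456", "0010.6a00.0000", "0000.0011.1111"))
    print(mac_matches("0010.6a12.3456", "0010.6a00.0000", "0000.00ff.ffff"))
```

Two things the model makes visible that are worth checking on the real port. First, `permit ip any any` still passes IP traffic from an unlisted host that configures a static address, because neither ACL matches it: Deny_DHCP removes the easy path to an address, not every path. Second, Cisco MAC ACL wildcards are hexadecimal, so 0000.0011.1111 ignores only the low bit of each of the last six nibbles, and a match on the 00:10:6a OUI needs 0000.00ff.ffff; note also that in `mac access-list extended` syntax the first address field is the source and the second the destination.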

 
