03-20-2015 06:52 AM - edited 03-07-2019 11:10 PM
Hello Cisco community
I have an issue on a recent install where our Cisco 867 is connected at site to a carrier's wireless bridge to supply internet. They have bridged a public IP to our WAN G1 interface and we are NATing traffic. Our router is running DHCP scopes for the internal networks. They have however reported that our router is sending DHCP NAKs out the WAN port back onto their network, thus being seen by other customers' sites.
I have applied the following access list but they still say I'm sending NAKs. I assume due to the NAT it overrides the access list.
interface GigabitEthernet1
ip address 195.X.X.X 255.255.255.224
ip access-group Deny_DHCP out <- trying to block DHCP out wan port
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ip access-list extended Deny_DHCP
deny udp any any eq bootpc
deny udp any any eq bootps
permit ip any any
I have just now swapped the ACL so it is blocking DHCP requests IN on the WAN port, as I assume my router is sending NAKs because it is processing the inbound requests.
Am I on the right path here? Is there another way to do this?
Regards
Dave
04-15-2015 01:17 AM
An interface access list in the out direction does not filter router-generated packets (the DHCP NAK in your case).
Your router is sending the NAK because it received a DHCP request on that interface.
You can filter DHCP requests in the inbound direction on the WAN interface:
interface GigabitEthernet1
ip access-group Deny_DHCP in
Same behavior on a 7600 router.
If you have any DHCP pool configured on the router (even for a different VRF), the router sends a NAK on all L3 interfaces on which a DHCP request message is received.
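The complete WAN-side configuration implied by this answer, written out as an added example (not the poster's or Cisco's own config): the same ACL from the question, but applied inbound so the DHCP server process never sees the neighbouring customers' requests, with the deny entries logged so the drops can be counted. The masked address 195.X.X.X is the placeholder from the question, and the interface description is assumed.

```cisco
! Added example, not from the thread. WAN interface with a static public
! address, NAT outside, and the DHCP filter applied INBOUND.
!
! Why inbound: an outbound ACL is not consulted for packets the router
! itself originates, so it can never stop the DHCPNAK. Dropping the foreign
! DHCP requests before the DHCP server process handles them removes the
! trigger for the NAK altogether.
!
ip access-list extended Deny_DHCP
 remark Drop DHCP from other customers on the shared carrier bridge
 remark UDP 67 (bootps): client -> server requests, the NAK trigger
 deny   udp any any eq bootps log
 remark UDP 68 (bootpc): server -> client offers/acks from their DHCP server
 deny   udp any any eq bootpc log
 permit ip any any
!
interface GigabitEthernet1
 description WAN - shared carrier wireless bridge (assumed label)
 ip address 195.X.X.X 255.255.255.224
 ip access-group Deny_DHCP in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
! Verification (privileged EXEC), after a few minutes on the shared segment:
!   show access-lists Deny_DHCP       - match counters rising on the deny lines
!                                       show how much foreign DHCP arrives
!   show ip dhcp server statistics    - the DHCPNAK sent counter should stop
!                                       increasing once the filter is in
```

Two points worth keeping in mind with this filter. It matches on UDP port alone, so it also drops DHCP replies addressed to the router; that is harmless here because the WAN address is static, but it would break a WAN interface that obtains its address by DHCP. And the `log` keyword costs CPU on a busy shared segment, so once the counters confirm the behaviour it is reasonable to remove it and keep only the plain deny entries.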
03-20-2015 07:43 AM
Dave,
The fundamental question is why your router is sending a DHCP NACK on the WAN interface.
Do you see any DHCP request packets hitting the WAN interface? If so, who is requesting a DHCP IP on your WAN interface?
A DHCP NACK is generated as a reply to a DHCP request from a client. We need to identify which client is requesting an IP from you through the WAN interface. All the LAN DHCP requests should hit the LAN interface of the router, not the WAN interface.
04-19-2015 10:40 AM
Thanks Rade and Cisco Freak,
I applied the access list about a month ago and it stopped the packets. We are sharing a wireless bridge in a rural area from a local ISP. They are using a single AP and antenna setup for a number of clients, but there is no isolation between us, hence I see their DHCP requests.
Regards
Dave