catalyst 2950, access list, dhcp

Discussion in 'Cisco' started by Dmitry Melekhov, Mar 19, 2008.

  1. Hello!

    I need to set ip access-group on 2950 interface, so workstation will
    have access only to some addresses.
    It works, but workstation can't get ip address from dhcp server.
    Could you tell me what I have to allow in such list to have dhcp work?

    access-list 101 permit ip any host 192.168.21.220
    access-list 101 permit ip any host 192.168.22.254
    access-list 101 permit ip any host 192.168.22.91
    access-list 101 permit ip any host 192.168.22.92
    access-list 101 deny ip any any


    interface FastEthernet0/16
    description GUEST
    switchport access vlan 300
    ip access-group 101 in
    Dmitry Melekhov, Mar 19, 2008
    #1

  2. News Reader (Guest)

    Dmitry Melekhov wrote:
    > Hello!
    >
    > I need to set ip access-group on 2950 interface, so workstation will
    > have access only to some addresses.
    > It works, but workstation can't get ip address from dhcp server.
    > Could you tell me what I have to allow in such list to have dhcp work?
    >
    > access-list 101 permit ip any host 192.168.21.220
    > access-list 101 permit ip any host 192.168.22.254
    > access-list 101 permit ip any host 192.168.22.91
    > access-list 101 permit ip any host 192.168.22.92
    > access-list 101 deny ip any any
    >
    >
    > interface FastEthernet0/16
    > description GUEST
    > switchport access vlan 300
    > ip access-group 101 in
    >


    Make sure that the IP address of the DHCP server is one of the permitted
    addresses in the ACL. If not, add an additional ACE (Access Control
    Entry) to support the DHCP Server's IP address.

    Make sure that you have defined a DHCP scope (pool of addresses
    available for assignment) from the subnet being used for vlan 300 (i.e.:
    each vlan is on a different subnet and therefore would require a
    distinct scope).

    Best regards,
    News Reader
    News Reader, Mar 19, 2008
    #2

  3. On 19 Mar, 20:00, News Reader <> wrote:

    > Make sure that the IP address of the DHCP server is one of the permitted
    > addresses in the ACL.


    Yes, it is in the list.
    Really, I don't know how DHCP works: do its packets contain the sender's
    IP address?


    > Make sure that you have defined a DHCP scope (pool of addresses
    > available for assignment) from the subnet being used for vlan 300 (i.e.:
    > each vlan is on a different subnet and therefore would require a
    > distinct scope).


    DHCP works without access groups...
    Dmitry Melekhov, Mar 20, 2008
    #3
  4. Trendkill (Guest)

    On Mar 19, 11:33 pm, Dmitry Melekhov <> wrote:
    > On 19 Mar, 20:00, News Reader <> wrote:
    >
    > > Make sure that the IP address of the DHCP server is one of the permitted
    > > addresses in the ACL.

    >
    > Yes, it is in list.
    > Really, I don't know how dhcp works- do it's packets contain sender's
    > ip address?
    >
    > > Make sure that you have defined a DHCP scope (pool of addresses
    > > available for assignment) from the subnet being used for vlan 300 (i.e.:
    > > each vlan is on a different subnet and therefore would require a
    > > distinct scope).

    >
    > dhcp works without access groups...


    What is the IP of your workstation and DHCP server? Do you have
    ip-helpers configured on the workstation vlan? F0/16 is the interface
    that connects to your workstation?

    Technically, dhcp works by the workstation broadcasting for an IP
    address, which the router in your vlan needs to forward to the dhcp
    server via an ip-helper statement. Therefore, the packet does not
    have a destination of the dhcp server because the workstation does not
    have an IP itself, and has no idea what the address of the dhcp server
    is. You need to add a statement that allows this udp/bootpc
    traffic.

    Check this out: http://www.velocityreviews.com/forums/t56116-dhcp-and-accesslist.html
    Trendkill, Mar 20, 2008
    #4
  5. News Reader (Guest)

    Trendkill wrote:
    > On Mar 19, 11:33 pm, Dmitry Melekhov <> wrote:
    >> On 19 Mar, 20:00, News Reader <> wrote:
    >>
    >>> Make sure that the IP address of the DHCP server is one of the permitted
    >>> addresses in the ACL.

    >> Yes, it is in list.
    >> Really, I don't know how dhcp works- do it's packets contain sender's
    >> ip address?
    >>
    >>> Make sure that you have defined a DHCP scope (pool of addresses
    >>> available for assignment) from the subnet being used for vlan 300 (i.e.:
    >>> each vlan is on a different subnet and therefore would require a
    >>> distinct scope).

    >> dhcp works without access groups...

    >
    > What is the IP of your workstation and DHCP server? Do you have
    > ip-helpers configured on the workstation vlan? F0/16 is the interface
    > that connects to your workstation?
    >
    > Technically, dhcp works by the workstation broadcasting for an IP
    > address, which the router in your vlan needs to forward to the dhcp
    > server via an ip-helper statement. Therefore, the packet does not
    > have a destination of the dhcp server because the workstation does not
    > have an IP itself, and has no idea what the address of the dhcp server
    > is. You need to add a statement that allows this udp/bootpc
    > traffic.
    >
    > Check this out: http://www.velocityreviews.com/forums/t56116-dhcp-and-accesslist.html


    I experienced a bit of tunnel vision when I reviewed the ACL, and forgot
    to think about the workings of DHCP. Sorry!

    Although the DHCP Discover and Request packets sent by the host are
    "broadcasts", the host does send "unicast" packets to the server when
    releasing, renewing, and rebinding.

    Best regards,
    News Reader
    News Reader, Mar 20, 2008
    #5
  6. Guest

    On 20 Mar, 16:26, News Reader <> wrote:
    > Trendkill wrote:
    > > On Mar 19, 11:33 pm, Dmitry Melekhov <> wrote:
    > >> On 19 Mar, 20:00, News Reader <> wrote:

    >
    > >>> Make sure that the IP address of the DHCP server is one of the permitted
    > >>> addresses in the ACL.
    > >> Yes, it is in list.
    > >> Really, I don't know how dhcp works- do it's packets contain sender's
    > >> ip address?

    >
    > >>> Make sure that you have defined a DHCP scope (pool of addresses
    > >>> available for assignment) from the subnet being used for vlan 300 (i.e.:
    > >>> each vlan is on a different subnet and therefore would require a
    > >>> distinct scope).
    > >> dhcp works without access groups...

    >
    > > What is the IP of your workstation and DHCP server?  Do you have
    > > ip-helpers configured on the workstation vlan?  F0/16 is the interface
    > > that connects to your workstation?

    >
    > > Technically, dhcp works by the workstation broadcasting for an IP
    > > address, which the router in your vlan needs to forward to the dhcp
    > > server via an ip-helper statement.  Therefore, the packet does not
    > > have a destination of the dhcp server because the workstation does not
    > > have an IP itself, and has no idea what the address of the dhcp server
    > > is.  You need to add a statement that allows this udp/bootpc
    > > traffic.

    >
    > > Check this out:  http://www.velocityreviews.com/forums/t56116-dhcp-and-accesslist.html

    >
    > I experienced a bit of tunnel vision when I reviewed the ACL, and forgot
    > to think about the workings of DHCP. Sorry!
    >
    > Although the DHCP Discover and Request packets sent by the host are
    > "broadcasts", the host does send "unicast" packets to the server when
    > releasing, renewing, and rebinding.
    >
    > Best regards,
    > News Reader


    Does a 2950 really support IP access-lists on its L2 ports?

    I would perhaps expect it to support them on the management
    VLAN interface but not on the L2 ports.

    No reason of course that it could not be implemented but
    not at all what I would expect.

    Suppose I better look it up.

    Oh well wrong again -
    http://www.cisco.com/en/US/docs/swi..._22_ea5/command/reference/cli1.html#wp4213991

    This command is available on physical interfaces only if your switch is
    running the enhanced software image (EI).


    Examples
    This example shows how to configure an extended IP ACL that allows only
    TCP traffic to the destination IP address 128.88.1.2 with a TCP port
    number of 25 and how to apply it to an interface:

    Switch(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
    Switch(config)# interface fastethernet0/8
    Switch(config-if)# ip access-group 102 in
    This is an example of an extended ACL that allows TCP traffic
    only from two specified networks. The wildcard bits apply to
    the host portions of the network addresses. Any host with a
    source address that does not match the ACL statements is denied.

    access-list 104 permit tcp 192.5.0.0 0.0.255.255 any
    access-list 104 permit tcp 128.88.0.0 0.0.255.255 any
    Guest, Mar 20, 2008
    #6
  7. In article <>
    Dmitry Melekhov <> writes:

    >Hello!
    >
    >I need to set ip access-group on 2950 interface, so workstation will
    >have access only to some addresses.
    >It works, but workstation can't get ip address from dhcp server.
    >Could you tell me what I have to allow in such list to have dhcp work?
    >
    >access-list 101 permit ip any host 192.168.21.220
    >access-list 101 permit ip any host 192.168.22.254
    >access-list 101 permit ip any host 192.168.22.91
    >access-list 101 permit ip any host 192.168.22.92
    >access-list 101 deny ip any any
    >
    >
    >interface FastEthernet0/16
    > description GUEST
    > switchport access vlan 300
    > ip access-group 101 in
    >


    Try...

    permit udp host 0.0.0.0 any eq bootps

    ...before your default deny rule. (bootps is equivalent to the decimal value
    67.)

    Regards,
    Mike
    --
    Michael T. Davis (Mike) | Systems Specialist: CBE,MSE
    http://www.ecr6.ohio-state.edu/~davism/ | Departmental Networking/Computing
    197 Watts, (614) 292-6928 | The Ohio State University
    Michael T. Davis, Mar 20, 2008
    #7
  8. On 20 Mar, 23:05, Michael T. Davis wrote:

    > permit udp host 0.0.0.0 any eq bootps


    This is what I did, but I have to allow all UDP traffic (this is
    acceptable for me), just because IOS says that I can't mix rules with
    and without ports in the same access-list.
    Dmitry Melekhov, Mar 21, 2008
    #8
  9. On 20 Mar, 19:26, News Reader <> wrote:

    >
    > Although the DHCP Discover and Request packets sent by the host are
    > "broadcasts"


    I guess that request doesn't pass my rules with the server address :)
    But if these packets are broadcast, which destination IP do they have?
    Dmitry Melekhov, Mar 21, 2008
    #9
  10. Merv (Guest)


    > I guess that request doesn't pass my rules with the server address :)
    > But if these packets are broadcast, which destination IP do they have?


    try

    access-list 101 permit ip any host 192.168.21.220
    access-list 101 permit ip any host 192.168.22.254
    access-list 101 permit ip any host 192.168.22.91
    access-list 101 permit ip any host 192.168.22.92

    access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps

    access-list 101 deny ip any any
    Merv, Mar 21, 2008
    #10
  11. News Reader (Guest)

    Dmitry Melekhov wrote:
    > On 20 Mar, 19:26, News Reader <> wrote:
    >
    >> Although the DHCP Discover and Request packets sent by the host are
    >> "broadcasts"

    >
    > I guess that request doesn't pass my rules with the server address :)
    > But if these packets are broadcast, which destination IP do they have?


    DHCP uses a combination of broadcast and unicast for various operations.

    Acquiring an IP address via DHCP requires at minimum, a four packet
    exchange between the host and the server. The host is responsible for
    two of the four packets. These packets are broadcast to 255.255.255.255
    to facilitate a response(s) from potentially more than one DHCP server,
    and because the host doesn't know the IP address of any of the DHCP servers.

    In the process of accepting a lease on an IP address, the host becomes
    aware of the IP address of the offering DHCP server. Now that the
    server's IP address is known, the host will use "unicast" to communicate
    with the server when releasing, renewing, and rebinding.


    You have previously confirmed that your existing ACL includes the
    following entry:

    access-list 101 permit ip any host <dhcp-server-ip-address>

    This would address your DHCP "unicast" requirements, and any other IP
    communications with that server (presumably required).


    Merv's suggestion of:

    access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps

    ... only addresses the "broadcast" requirements of DHCP. Which is fine
    as long as you retain the earlier "IP" ACE in your ACL.


    It may be preferable to use a single ACE:

    access-list 101 permit udp any eq bootpc any eq bootps

    ... which addresses both "broadcast" and "unicast" requirements for DHCP
    communication with the server. This may reduce the possibility of an
    error being introduced later due to changes in the ACL.

    Furthermore, if you did not have any IP communication requirements with
    the DHCP server other than DHCP, you could then eliminate the earlier
    ACE that matches on "IP".

    Best regards,
    News Reader
    News Reader, Mar 21, 2008
    #11
  12. Merv (Guest)

    You will need to permit DHCP (carried in BOOTP packets) in both
    directions:

    access-list 101 permit udp any eq bootpc any eq bootps
    access-list 101 permit udp any eq bootps any eq bootpc

    or could simplify to:

    access-list 101 permit udp any any eq bootps
    access-list 101 permit udp any any eq bootpc
    Merv, Mar 22, 2008
    #12
  13. News Reader (Guest)

    No, that's not true.

    The ACL is on the host port, and determines what traffic is allowed to
    "enter" the port (i.e. from host, to server).

    The only DHCP traffic "entering" the host port is bootpc --> bootps.

    If he had an ACL on the port connected to the server, he would need to
    accommodate the return traffic (bootps --> bootpc) in that ACL.

    Best regards,
    News Reader


    Merv wrote:
    >
    > You will need to permit DHCP (carried in BOOTP packets) in both
    > directions:
    >
    > access-list 101 permit udp any eq bootpc any eq bootps
    > access-list 101 permit udp any eq bootps any eq bootpc
    >
    > or could simplify to:
    >
    > access-list 101 permit udp any any eq bootps
    > access-list 101 permit udp any any eq bootpc
    >
    >
    News Reader, Mar 22, 2008
    #13
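The lease life cycle laid out in post #11 and the direction point made in post #13, as an added worked example that is not part of the thread: a small Python model of IOS extended-ACL matching (first match wins, implicit deny at the end) run over the packets a DHCP client sends into its access port. It parses the ACE lines exactly as posted in the thread. The DHCP server address 192.168.22.254, the leased client address 192.168.22.50 and the 10.9.9.9 DNS destination are assumptions for the demonstration, not facts from the thread.

```python
"""Model how an IOS extended ACL applied 'in' on a host port treats the
packets a DHCP client sends during a lease (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "udp" or "tcp"
    src: str              # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    dst: str
    sport: Optional[int]  # None when the ACE does not match on that port
    dport: Optional[int]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_addr(toks, i):
    """Consume one IOS address spec starting at toks[i]; return (spec, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return f"host {toks[i + 1]}", i + 2
    return f"{toks[i]} {toks[i + 1]}", i + 2      # network + wildcard mask


def _take_port(toks, i):
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'."""
    toks = line.split()
    assert toks[0] == "access-list", line
    action, proto = toks[2], toks[3]
    src, i = _take_addr(toks, 4)
    sport, i = _take_port(toks, i)
    dst, i = _take_addr(toks, i)
    dport, i = _take_port(toks, i)
    return Ace(action, proto, src, dst, sport, dport)


def parse_acl(text: str) -> list:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return addr == value
    # Wildcard mask: a set bit means "don't care" for that bit.
    a, net, wild = (int(IPv4Address(x)) for x in (addr, kind, value))
    care = ~wild & 0xFFFFFFFF
    return a & care == net & care


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching ACE wins; IOS closes every ACL with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def verdicts(acl_text: str, packets: dict) -> dict:
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


# Assumed addresses (not from the thread).
SERVER, CLIENT = "192.168.22.254", "192.168.22.50"

# Constructed sample: what the host sends *into* Fa0/16 over a lease (RFC 2131).
CLIENT_PACKETS = {
    "discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),  # no address yet
    "request":  Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),  # SELECTING, still broadcast
    "renew":    Packet("udp", CLIENT, SERVER, 68, 67),                 # RENEWING at T1: unicast
    "rebind":   Packet("udp", CLIENT, "255.255.255.255", 68, 67),      # REBINDING at T2: broadcast, ciaddr set
    "dns":      Packet("udp", CLIENT, "10.9.9.9", 40000, 53),          # unrelated, must stay blocked
}

PERMIT_HOSTS = """
access-list 101 permit ip any host 192.168.21.220
access-list 101 permit ip any host 192.168.22.254
access-list 101 permit ip any host 192.168.22.91
access-list 101 permit ip any host 192.168.22.92
"""
ORIGINAL_ACL = PERMIT_HOSTS + "access-list 101 deny ip any any\n"
MERV_ACL = PERMIT_HOSTS + (
    "access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps\n"
    "access-list 101 deny ip any any\n")
SINGLE_ACE_ACL = PERMIT_HOSTS + (
    "access-list 101 permit udp any eq bootpc any eq bootps\n"
    "access-list 101 deny ip any any\n")

if __name__ == "__main__":
    for name, acl in ("original", ORIGINAL_ACL), ("merv", MERV_ACL), ("single", SINGLE_ACE_ACL):
        print(name, verdicts(acl, CLIENT_PACKETS))
```

Running it shows why the original list breaks DHCP: DISCOVER and the selecting REQUEST are addressed to 255.255.255.255, never to the server, so the `permit ip any host <server>` ACE does not match and they fall through to the deny, while the later unicast RENEW passes. Merv's `host 0.0.0.0` ACE readmits those two, but the REBINDING broadcast at T2 carries the client's leased address as source and is dropped again; the single `permit udp any eq bootpc any eq bootps` ACE covers all four client packets and still leaves the unrelated DNS packet denied. Only client-to-server packets are modelled because, as post #13 says, OFFER and ACK leave the host port and are never checked by an `in` ACL there. The model does not enforce platform restrictions such as the one reported in post #8, where the 2950 refused to mix port-matching and non-port ACEs in one list.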