July 19th, 2005 16:00

3348: ACL to block DHCP

I have a 3348 with my router (10.0.0.0/22) on port 1. My customers connect on the other ports using PCs/routers. Once in a while I will have a customer plugging their router in the wrong way, i.e. connecting the LAN (192.168.0.0/24) of their router into my switch. This results in all our customers getting a 192.168 network address.

Is there a way I can use an ACL to block DHCP offers coming from any port other than port 1?

I guess it can be done using ports 67 & 68, but what I tried hasn't worked.

Here's what I tried:
ACE 1. udp - src port 67, dst port 68 - src ip 10.0.0.1 src mask 0.0.0.0, dst ip 0.0.0.0 dst mask 255.255.255.255 - PERMIT
ACE 2. udp - src port 67, dst port 68 - src ip 0.0.0.0 src mask 255.255.255.255, dst ip 0.0.0.0 dst mask 255.255.255.255 - DENY
ACE 3. any, any - PERMIT

I applied this to port 3 where I plugged in my laptop. It prevented me from getting an IP address at all.

July 21st, 2005 14:00

This can easily be achieved via ACLs, however, there are certain aspects that must be considered.
 
ACLs are applied to ingress (incoming) traffic as it physically enters the switch. In addition, there is a (hidden) implied deny statement appended to the end of each ACL configuration that denies any protocol from any source to any destination -- deny any any any. Thus, the interface configuration -- physical interface, VLAN, or LAG -- must be considered when determining where to apply the ACL. Additionally, the directional flow of traffic and the other traffic flows that traverse the same interface must be considered, or additional services may be hindered.
 
The Inverse Subnet Mask (ISM) configuration must also be considered when specifying a specific host or a range of IP addresses to perform a specific action (permit or deny). With regard to ACL configurations and ISM, an IP address of 0.0.0.0 with an ISM of 255.255.255.255 is equivalent to an "any" statement. Thus, in your 2nd ACE statement (ACE 2), all UDP port 67 traffic is denied from any source to any destination; the result would be that no system is able to obtain a DHCP address. That would also indicate that you applied the ACL to the VLAN.
 
UDP Port 67 is utilized by the Bootstrap Protocol (BootP) when a server is responding to a DHCP Discover request packet while UDP Port 68 is utilized by BootP for a device to initiate the DHCP Discover request.
 
If applying the ACL to the default VLAN, your configuration should be simple: permit DHCP communication only from your device, without hindering any additional services:
  1. console(config-ip-al)# permit-udp 10.0.0.1 0.0.0.0 68 any 67
  2. console(config-ip-al)# deny-udp any 68 any 67
  3. console(config-ip-al)# permit any any any

Message Edited by DELL-Randy on 07-21-2005 10:50 AM
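To make the matching rules described in the reply concrete, here is an added Python evaluator (example code written for this page, not Dell PowerConnect code and not part of either post) that applies an ACE list to packets the way the reply describes: first match wins, a hidden "deny any any any" sits at the end of every ACL, and hosts or ranges are matched with inverse subnet masks, so 0.0.0.0 with 255.255.255.255 is "any" and 10.0.0.1 with 0.0.0.0 is exactly that host. The rule sets, packets and addresses are constructed for the illustration; the customer-port rule set matches DHCP server replies in the direction the reply gives for them (server port 67 to client port 68) so that a customer's mis-cabled router cannot answer another customer's Discover, while the customer's own Discover and ordinary traffic still pass.

```python
"""Ingress ACL evaluator for the DHCP-filtering discussion above.

Constructed illustration (not Dell PowerConnect code): models first-match
evaluation, the hidden "deny any any any" at the end of every ACL, and
inverse-subnet-mask (ISM) host/range matching.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


def ism_match(addr: str, base: str, ism: str) -> bool:
    """ISM semantics: a 1 bit in the inverse mask means 'don't care'.

    0.0.0.0 with 255.255.255.255 therefore matches everything ('any');
    10.0.0.1 with 0.0.0.0 matches exactly that host.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(ism)) & 0xFFFFFFFF
    return (a & care) == (b & care)


ANY = ("0.0.0.0", "255.255.255.255")   # same as the CLI keyword "any"


@dataclass(frozen=True)
class ACE:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "any"
    src: tuple             # (ip, inverse mask)
    sport: Optional[int]   # None = any port
    dst: tuple
    dport: Optional[int]

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("any", pkt["proto"])
                and ism_match(pkt["src"], *self.src)
                and self.sport in (None, pkt["sport"])
                and ism_match(pkt["dst"], *self.dst)
                and self.dport in (None, pkt["dport"]))


def evaluate(acl: list, pkt: dict) -> str:
    """First matching ACE wins; anything unmatched hits the implied deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed packets as they would enter a customer-facing port (ingress).
DISCOVER = dict(proto="udp", src="0.0.0.0", sport=68, dst="255.255.255.255", dport=67)
ROGUE_OFFER = dict(proto="udp", src="192.168.0.1", sport=67, dst="255.255.255.255", dport=68)
WEB = dict(proto="tcp", src="10.0.2.40", sport=40000, dst="10.0.0.1", dport=80)

# Constructed ACL for customer ports: server replies (67 -> 68) may not enter
# from a customer; everything else (including the customer's own Discover) may.
CUSTOMER_PORT_ACL = [
    ACE("deny", "udp", ANY, 67, ANY, 68),
    ACE("permit", "any", ANY, None, ANY, None),
]

# Same idea for the uplink (port 1): only the real server may source replies.
# The trailing permit is what keeps the hidden deny from eating other traffic.
UPLINK_ACL = [
    ACE("permit", "udp", ("10.0.0.1", "0.0.0.0"), 67, ANY, 68),
    ACE("deny", "udp", ANY, 67, ANY, 68),
    ACE("permit", "any", ANY, None, ANY, None),
]

# An ACL that forgets the final permit: only DHCP survives the implied deny.
DHCP_ONLY_ACL = UPLINK_ACL[:1]


if __name__ == "__main__":
    for name, pkt in [("Discover", DISCOVER), ("rogue Offer", ROGUE_OFFER), ("web", WEB)]:
        print(f"customer port, {name:12}: {evaluate(CUSTOMER_PORT_ACL, pkt)}")
    print("web on DHCP-only ACL   :", evaluate(DHCP_ONLY_ACL, WEB))
```

Running the file prints permit for the Discover and the web flow on the customer-port ACL, deny for the rogue Offer, and deny for the web flow on the DHCP-only ACL, which is the "no final permit, so the hidden deny swallows everything else" failure the reply warns about.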

October 19th, 2005 15:00

Are there any differences in the commands for the 3324 (SW Version 1.0.0.106, Boot 1.0.0.12)? There is not an option in the command line view under console(config)# for the ACL, and there aren't any options for the ACL under console(config-ip)#. Am I looking in the wrong spots? Also, are you able to define these through the web interface? There doesn't seem to be any option to add an ACL under the Network Security -> ACL Bindings option. Thanks

October 19th, 2005 16:00

The command structure should be the same for both revisions. Most of the ACL commands are configured from global configuration mode [ console(config)# ]; however, to bind the ACL you will utilize the interface configuration mode [ console(config-if)# ], depending on which interface you bind the ACL to (physical interface, LAG, or VLAN).

From the IP interface configuration mode [ console(config-ip)# ], which is only acceptable on the PowerConnect 6024, is where you primarily configure routing commands.

From the HTTP interface, you may configure either IP or MAC based ACLs as well as bind them to an interface. Switch -> Network Security -> IP or MAC Based ACL is where you configure the ACLs. Switch -> Network Security -> ACL Bindings is where you attach the ACL to an interface after you have created it.
