To prevent IP spoofing in a VLAN, I configured the following access list:

 ip access-list extended MITARBEITER
  permit tcp 10.15.240.0 0.0.0.255 any
  permit udp 10.15.240.0 0.0.0.255 any
  permit icmp 10.15.240.0 0.0.0.255 any
 interface GigabitEthernet0/1.240
  encapsulation dot1Q 240
  ip address 10.15.240.9 255.255.255.0
  ip helper-address 10.15.242.13
  ip access-group MITARBEITER in
  ip nat inside
  standby 240 ip 10.15.240.1
  standby 240 priority 150
  standby 240 preempt

I tested it, and when I remove "ip access-group MITARBEITER in", the DHCP requests are not blocked by the router (using Packet Tracer). What is the problem?

  • You are only permitting traffic from that one /24 network into the router through that interface. You can simplify it by using ip on one line instead of the three different lines of tcp, udp, and icmp. Commented May 2, 2023 at 21:43
  • But by using IP I would block protocols below L3 in the OSI model like ARP, STP, CDP? Commented May 2, 2023 at 21:54
  • STP, CDP, etc. are link-only protocols that do not leave the interface on which they are received. ARP does not cross routers. You are no more blocking them with ip than you are by choosing only higher-layer protocols like TCP and UDP. Commented May 2, 2023 at 22:00
  • It's an IP access-list, so it will only apply to IPv4 layer-3 traffic. ARP, STP, and CDP aren't IP. Commented May 3, 2023 at 0:30
  • Moreover, an IP(v4) ACL doesn't block IPv6 or other L3/L2 traffic... Commented May 3, 2023 at 7:40

1 Answer

The DHCP Discover broadcast has to be whitelisted explicitly:

 ip access-list extended MITARBEITER
  permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
  permit tcp 10.15.240.0 0.0.0.255 any
  permit udp 10.15.240.0 0.0.0.255 any
  permit icmp 10.15.240.0 0.0.0.255 any

The list can be simplified to

 ip access-list extended MITARBEITER
  permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
  permit ip 10.15.240.0 0.0.0.255 any

Now it works!

  • You are still using three lines where one would work. Commented May 3, 2023 at 1:47
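The following is an added example, not code from the question or the answer above. It is a small evaluator for Cisco IOS extended ACL entries (first match wins, implicit deny at the end, wildcard masks, the bootpc/bootps keywords) that walks the two lists from this thread against constructed packets: the DHCP Discover a client sends before it has an address (UDP 0.0.0.0:68 to 255.255.255.255:67), a unicast lease renewal from a client that already has an address in 10.15.240.0/24, and a TCP packet with a source outside that /24. It shows why the Discover falls through the original MITARBEITER list to the implicit deny and passes once the bootpc/bootps entry is added, while the anti-spoofing effect on the out-of-subnet source is the same in both lists. The packet values are constructed for the example; the ACL text is the thread's own.

```python
"""Added example, not code from the original question or answer.

A minimal evaluator for Cisco IOS extended ACL entries. ACL texts are the two
lists from the thread; the packets below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords that appear in the thread; numeric ports are accepted too.
PORT_KEYWORDS = {"bootps": 67, "bootpc": 68}


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def match_addr(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), next_index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' qualifier (only 'eq' is supported here)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = int(name) if name.isdigit() else PORT_KEYWORDS[name]
        return port, i + 2
    return None, i


def parse_ace(line: str) -> dict:
    """Parse one access-list entry: <action> <proto> <src> [eq p] <dst> [eq p]."""
    t = line.lower().split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def ace_matches(ace: dict, pkt: Packet) -> bool:
    """'ip' matches every IPv4 protocol; otherwise the protocol keyword must match."""
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not match_addr(pkt.src, *ace["src"]) or not match_addr(pkt.dst, *ace["dst"]):
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> tuple:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "(implicit deny ip any any)"


# The two lists from the thread.
ORIGINAL = [
    "permit tcp 10.15.240.0 0.0.0.255 any",
    "permit udp 10.15.240.0 0.0.0.255 any",
    "permit icmp 10.15.240.0 0.0.0.255 any",
]
FIXED = [
    "permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps",
    "permit ip 10.15.240.0 0.0.0.255 any",
]

# Constructed packets (addresses chosen to fit the thread's 10.15.240.0/24 VLAN).
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)   # client with no lease yet
DHCP_RENEW = Packet("udp", "10.15.240.50", "10.15.242.13", 68, 67)     # leased client renews by unicast
SPOOFED = Packet("tcp", "10.15.241.7", "10.15.242.13", 40000, 443)     # source outside the VLAN's /24

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        for label, pkt in (("DHCP Discover", DHCP_DISCOVER), ("DHCP renew", DHCP_RENEW), ("spoofed", SPOOFED)):
            action, hit = evaluate(acl, pkt)
            print(f"{name:8} {label:14} -> {action:6} via {hit}")
```

Run it directly to print the verdict and the matching entry for each packet. The renewal case is why the original list only breaks initial address acquisition: a client that already holds a lease unicasts from its own 10.15.240.x address and matches the /24 entry, whereas the Discover has source 0.0.0.0 and matches nothing until the bootpc/bootps line exists.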
