HPE Community
Switches, Hubs, and Modems
1819833 Members
2847 Online
109607 Solutions
New Discussion юеВ

dhcp matching access-list

 
SOLVED
Go to solution
Mauro Furini
Frequent Advisor

тАО11-24-2010 02:29 AM

тАО11-24-2010 02:29 AM

dhcp matching access-list

Hi all,
I have two 6200yl-24G as core, eight 2610-poe and eight 2910-48 as distribution.
In the vlan client I have configured the helper-address, to reach the dhcp server in another site of the company via mpls. To restrict the communication I have configured an acl on the vlan but it's very helpful in troubleshooting becasuse it permit to me to control the matching of the rules.

ip access-list extended "111"
[cut]
90 permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
[cut]

The anomaly is that I never see the matching of the dhcp rules posted, with the command
"show statistic acvl4 111 vlan 11 in"
when other line was matched.
To make another control, I configured the same access-list in the Cisco router back of the Procurve, and this is the results:

70 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps (7410 matches)

what is wrong?
Thank's in advance
0 Kudos
7 REPLIES 7
Natasha Samoylenko
Trusted Contributor

тАО11-25-2010 03:33 AM

тАО11-25-2010 03:33 AM

Re: dhcp matching access-list

May be ACL applied not in the right place/direction.
Can you show config of switch on which you apply ACL?
VLAN 111 is the client VLAN?
Where you configure helper address?
Which switch makes routing?
In what VLAN is router?
0 Kudos
Mauro Furini
Frequent Advisor

тАО11-25-2010 07:55 AM

тАО11-25-2010 07:55 AM

Re: dhcp matching access-list

Thank's for the reply, in attach you can find the config of the 2 core switch and the 2 Cisco router.

To reply to your question:
1- Hope the position of the acl was correct, is applied in the client vlan.
2- the config attach
3- vlan 111 is the client vlan in dhcp, like 112,121,122. We can focus only on the vlan 111 for semplicity.
4- the helper add is configured in the vlan
es:
vlan 111
name "dati_clg1"
ip helper-address 172.30.78.24
ip helper-address 172.30.88.23
ip address 10.9.130.6 255.255.255.0
tagged 2-3,Trk1
ip access-group "111" in
exit
5- intra vlan routing was performed by the core switch, i have configured the vrrp for all vlan.
6- the backbone router is connected in vlan 2 "backbone"

Thank's again
0 Kudos
Mauro Furini
Frequent Advisor

тАО11-25-2010 07:59 AM

тАО11-25-2010 07:59 AM

Re: dhcp matching access-list

the attachment :D
0 Kudos
Natasha Samoylenko
Trusted Contributor

тАО11-25-2010 11:09 AM

тАО11-25-2010 11:09 AM

Solution

Re: dhcp matching access-list

I have one thought: may be it's because you apply Routed ACL and it can't filter DHCP broadcast messages?

RACL can filter:
- a packet routed between subnets on different VLANs;
- routed traffic between the subnets on the VLAN;
- traffic for switch itself.

If you apply the same ACL on port, I think you will have a match. Because it can filter any type of traffic.
May be it is because of broadcast. This is not router traffic and don't go exactly on switch.
But I thought (before this :)) that RACL must filter this too, so I'm not sure.

Config looks good.
Sorry, but this the only cause that I see.
I can't test it right now.
May be somebody else can help with this.
Antonio Milanese
Trusted Contributor

тАО11-25-2010 01:28 PM

тАО11-25-2010 01:28 PM

Re: dhcp matching access-list

Hello,

i think Natasha is on the right path..but not because it's a bcast but for the reason inside RACL operations. She said correctly:

> RACL can filter:
> - a packet routed between subnets on different VLANs;
> - routed traffic between the subnets on the VLAN;
> - traffic for switch itself.

but the on "ACL operation notes" the manual states:

- do not screen switched traffic WITHIN vlans with the same subnet
- do not screen egress traffic generated from the switch ip itself

so i suspect that here packet inspection/processing order matters:
the dhcp relay agent mangles the universal bcast to unicast before ACL is affected so generated packets are "coming from switch itself"

Well just an supposition I never checked but activating debug commands and "wiresharking" a bit may cast some light on this =)

Do you have some sparetime?..i'm curious =)

Regards,

Antonio
Mauro Furini
Frequent Advisor

тАО11-29-2010 04:57 AM

тАО11-29-2010 04:57 AM

Re: dhcp matching access-list

Thank's for the reply.
Unfortunately, this configuration is in a remote office and I can't "wireshark it", but this configuration of acl works correctly in every remote branch office with a router Cisco and an unmanaged switch behind, with only a vlan.
Maybe the same acl works differently between Cisco and Hp?
Thank's
0 Kudos
Mauro Furini
Frequent Advisor

тАО11-30-2010 06:30 AM

тАО11-30-2010 06:30 AM

Re: dhcp matching access-list

Finally works!!
Like your suggestion, i have simply rename the line "ip access-group xxx in" in "ip access-group xxx vlan", to make it from RACL to VACL...and magically the counter of dhcp grow up...
Thank's a lot
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.