DHCP only on radio interfaces

I need to deploy several AP7502 units running WING 5.9 with Mesh MCX, where the VC is the DHCP server. Only the VC has an ETH link.
I need the DHCP responses only on the wireless side.
Question:
How can I block the DHCP from crossing the GE1?
Thanks
Aviv Kedem

Posted 11 months ago

Ondrej Lepa, Employee
Hi Aviv,

you assign DHCP policy per VLAN, not physical interface.

So then you shall create an ACL blocking UDP/68 incoming on GE1 and that's it.
Here is an example blocking DHCP Discover on GE1:
VX(config-ip-acl-NO-DHCP-FROM-GE)#show context
ip access-list NO-DHCP-FROM-GE
 deny udp any eq 68 any eq dhcps rule-precedence 5
 
VX(config-profile-default-ap7562-if-ge1)#show context
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 88
  no switchport trunk native tagged
  switchport trunk allowed vlan 88,99
  use ip-access-list in NO-DHCP-FROM-GE

So in translation - incoming traffic will be examined by ACL NO-DHCP-FROM-GE, which will deny packets matching source UDP port 68.
At the same time the AP will still be able to request an IP address from an external DHCP server, as the ACL is mapped to the inbound direction only.

You can definitely do it with a different range - this is just an example.

Regards,
Ondrej
Ondrej Lepa, Employee
Hi Aviv,

MCX will bring the DHCP Discover in over the wireless interface.
This won't be passed over to GE1 (inbound direction).

Also, as shown the ACL is assigned to GE1 port, not a particular VLAN.

Regards,
Ondrej
Aviv Kedem
Many thanks!!!!
Aviv Kedem
Ondrej,

I just did not understand why we call it "inbound direction", although in my opinion it seems to be filtering in the out direction. Additionally, we don't have the option to filter the out direction of the GE.
Also, although it is filtering DHCP on the VLAN, why will it still forward DHCP Discover over the wireless interface?
Can I find some information about the internal bridging processes (radios, ge, bridge, svi, vlans) of the WING5 access points to understand better how it works?
Sorry, but I am just trying to understand the logic.

Thanks,
Aviv
Ondrej Lepa, Employee
Hi Aviv,

let me show something then:
VX(config-ip-acl-NO-ICMP)#show context
ip access-list NO-ICMP
 deny icmp any any rule-precedence 5

VX(config-profile-default-ap7562-if-ge1)#show context
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 88
  no switchport trunk native tagged
  switchport trunk allowed vlan 88,99
  use ip-access-list in NO-ICMP
Then, trying to ping this host from its adopting controller, this is what I see as deny - the "I" means inbound direction:
AP#service pktcap on deny filter not mint
Capturing up to 50 packets. Use Ctrl-C to abort.
1 9:24:54.304425 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 1, length 108, DF, DSCP 0
2 9:24:55.305571 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 2, length 108, DF, DSCP 0
3 9:24:56.305600 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 3, length 108, DF, DSCP 0
4 9:24:57.305576 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 4, length 108, DF, DSCP 0
5 9:24:58.305581 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 5, length 108, DF, DSCP 0
However, FROM the AP you are able to ping the controller, as this is an outbound request:
AP#ping 192.168.7.205
PING 192.168.7.205 (192.168.7.205) 100(128) bytes of data.
108 bytes from 192.168.7.205: icmp_seq=1 ttl=63 time=0.596 ms
108 bytes from 192.168.7.205: icmp_seq=2 ttl=63 time=0.496 ms
I am not sure about the system architecture, but I consider the "bridge" interface as a bus between GEs, VLANs and RADIOs. However, your request was not to respond to DHCP discoveries incoming from the wired side - this is done by dropping traffic with source port UDP 68.

Does it make sense?

Regards,
Ondrej
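The pktcap output above is the quickest way to confirm that an ACL is hitting on the interface and direction you expect. Below is an added example (not WiNG code, not from this thread's authors) that parses lines in the format Ondrej pasted and counts drops per ACL, direction, protocol and source. Only the "I" direction letter is documented in the thread, so mapping any other letter to "other" is an assumption, and the final UDP line in the sample is constructed to show what a hit on NO-DHCP-FROM-GE would look like, not real AP output.

```python
import re
from collections import Counter

# Added example (not WiNG code): parse "service pktcap on deny" lines and
# summarise which ACL dropped what, in which direction. The line format is
# taken from the thread; the meaning of the "/0" suffix after the ACL name is
# not documented there, so it is captured but not interpreted.

LINE_RE = re.compile(
    r'^(?P<num>\d+)\s+(?P<time>\d+:\d+:\d+\.\d+)\s+(?P<dir>[A-Z])\s+'
    r'"(?P<acl>[^":]+):(?P<acl_type>[^"]+)"/(?P<suffix>\d+)\s+'
    r'(?P<proto>\w+):\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+)\s+(?P<rest>.*)$'
)

# Only "I" (inbound) is confirmed in the thread; anything else is labelled "other".
DIRECTION = {"I": "inbound"}

def parse_line(line):
    """Return a dict for one capture line, or None for banner/non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["num"] = int(rec["num"])
    rec["suffix"] = int(rec["suffix"])
    rec["direction"] = DIRECTION.get(rec["dir"], "other")
    return rec

def summarize(lines):
    """Count dropped packets per (acl, direction, protocol, source)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # e.g. "Capturing up to 50 packets. Use Ctrl-C to abort."
        counts[(rec["acl"], rec["direction"], rec["proto"], rec["src"])] += 1
    return counts

# Capture lines from the thread plus one constructed UDP line (assumed format,
# not output from a real AP) showing a DHCP Discover dropped by NO-DHCP-FROM-GE.
SAMPLE_CAPTURE = """\
Capturing up to 50 packets. Use Ctrl-C to abort.
1 9:24:54.304425 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 1, length 108, DF, DSCP 0
2 9:24:55.305571 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 2, length 108, DF, DSCP 0
3 9:24:56.305600 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 3, length 108, DF, DSCP 0
6 9:25:10.000000 I "NO-DHCP-FROM-GE:ip"/0 UDP: 0.0.0.0.68 > 255.255.255.255.67 length 300, DSCP 0
""".splitlines()

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_CAPTURE).items():
        print(n, key)
```

Running it against a real capture file (one line per packet) tells you at a glance whether drops are on the ACL and direction you intended; if the DHCP ACL shows no inbound UDP hits while wired clients still get leases, the ACL is not bound where you think it is.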
Aviv Kedem
Hi Ondrej,
Firstly, your rule with the addition of "allow all traffic precedence 100" is working well.
I understood why we filter incoming traffic.
The DHCP server just doesn't receive the IP requests from the clients on the ETH side :)
This is genius!
Thank you
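To make the logic of Ondrej's ACL and Aviv's catch-all permit concrete, here is an added example (not WiNG code and not from anyone in this thread) that models an inbound IP ACL bound to ge1 and runs constructed packets through it. The model assumes rules are tried in ascending rule-precedence order, that the first match wins, and that a packet matching no rule is dropped (which is consistent with Aviv needing the permit at precedence 100); the interface names and the sample packets are constructed, not captured from an AP.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not WiNG code): a small model of how an inbound IP ACL on ge1
# decides the fate of a packet. Assumptions: rules are evaluated in ascending
# rule-precedence order, the first match wins, and a packet matching no rule
# is dropped (implicit deny), which is why the catch-all permit at 100 matters.

DHCP_CLIENT_PORT = 68   # "bootpc": source port of a client Discover/Request
DHCP_SERVER_PORT = 67   # "dhcps": destination port of that Discover/Request

@dataclass(frozen=True)
class Packet:
    ingress: str              # interface the frame arrived on, e.g. "ge1" or "radio1"
    proto: str                # "udp", "icmp", ...
    src_port: Optional[int]
    dst_port: Optional[int]
    desc: str

@dataclass(frozen=True)
class Rule:
    action: str               # "deny" or "permit"
    proto: str                # "udp", "icmp", or "ip" for any protocol
    src_port: Optional[int]   # None means "any"
    dst_port: Optional[int]
    precedence: int

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src_port is not None and self.src_port != pkt.src_port:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True

def evaluate(acl, pkt: Packet) -> str:
    """Return the action of the lowest-precedence matching rule, else implicit deny."""
    for rule in sorted(acl, key=lambda r: r.precedence):
        if rule.matches(pkt):
            return rule.action
    return "deny"

# "deny udp any eq 68 any eq dhcps rule-precedence 5" from the thread ...
DENY_DHCP_ONLY = [Rule("deny", "udp", DHCP_CLIENT_PORT, DHCP_SERVER_PORT, 5)]
# ... plus the catch-all permit Aviv added at precedence 100.
NO_DHCP_FROM_GE = DENY_DHCP_ONLY + [Rule("permit", "ip", None, None, 100)]

# The ACL is bound with "use ip-access-list in" on ge1 only; radio ingress is
# not filtered by it, so wireless/mesh clients still reach the DHCP server.
INBOUND_ACLS = {"ge1": NO_DHCP_FROM_GE}

def forward_decision(pkt: Packet) -> str:
    acl = INBOUND_ACLS.get(pkt.ingress)
    return "permit" if acl is None else evaluate(acl, pkt)

# Constructed sample traffic (not captured from a real AP).
SAMPLE_PACKETS = [
    Packet("ge1", "udp", 68, 67, "DHCP Discover from a wired client on ge1"),
    Packet("radio1", "udp", 68, 67, "DHCP Discover from a mesh/wireless client"),
    Packet("ge1", "udp", 67, 68, "DHCP Offer from an external server arriving on ge1"),
    Packet("ge1", "icmp", None, None, "ICMP echo request arriving on ge1"),
]

def decisions():
    """Map each sample packet's description to the ACL decision for it."""
    return {p.desc: forward_decision(p) for p in SAMPLE_PACKETS}

if __name__ == "__main__":
    for desc, action in decisions().items():
        print(f"{action:6} {desc}")
    # Without the permit at precedence 100 even the DHCP Offer would be dropped:
    offer = SAMPLE_PACKETS[2]
    print("deny-only ACL on Offer:", evaluate(DENY_DHCP_ONLY, offer))
```

The two things worth taking from the model: the deny keys on the client's source port 68, so a Discover arriving on ge1 is dropped while an Offer from an upstream server (source port 67) is not, which is why the AP itself can still obtain a lease; and because the ACL is bound to ge1 inbound, a Discover that arrives over the radio never sees the rule at all.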