
DHCP only on radio interfaces


Userlevel 2
I need to deploy several pieces of AP7502 WING 5.9 with Mesh MCX when VC is DHCP server. Only VC is with ETH link.
I need the DHCP responses only on the wireless side.
Question:
How can I block the DHCP from crossing the GE1?
Thanks

7 replies

Userlevel 6
Hi Aviv,

you assign a DHCP policy per VLAN, not per physical interface.

So then you shall create an ACL blocking UDP/68 incoming on GE1 and that's it.
Here is an example blocking DHCP Discover on GE1:

VX(config-ip-acl-NO-DHCP-FROM-GE)#show context
ip access-list NO-DHCP-FROM-GE
 deny udp any eq 68 any eq dhcps rule-precedence 5

VX(config-profile-default-ap7562-if-ge1)#show context
interface ge1
 switchport mode trunk
 switchport trunk native vlan 88
 no switchport trunk native tagged
 switchport trunk allowed vlan 88,99
 use ip-access-list in NO-DHCP-FROM-GE

So in translation: incoming traffic will be examined by ACL NO-DHCP-FROM-GE, which will deny packets matching source UDP port 68.
At the same time the AP will still be able to request an IP address from an external DHCP server, as the ACL is mapped to the inbound direction only.

You can definitely do it with a different range; this is just an example.

Regards,
Ondrej
Userlevel 2
But will the VC be able to assign IP addresses to clients on other APs through MCX? There is VLAN 1 only.
Userlevel 6
Hi Aviv,

MCX will bring the DHCP Discover over the wireless interface.
This won't be passed over to GE1 (inbound direction).

Also, as shown, the ACL is assigned to the GE1 port, not to a particular VLAN.

Regards,
Ondrej
Userlevel 2
Many thanks!!!!
Userlevel 2
Ondrej,

I just did not understand why we call it "inbound direction", although it seems to me to be filtering in the out direction. Additionally, we don't have the option to filter the out direction of the GE.
Also, although it is filtering the DHCP on the VLAN, why will it still forward the DHCP Discover over the wireless interface?
Can I find some information about the internal bridging interface processes (radios, GE, bridge, SVI, VLANs) of the WING5 access points to understand better how it works?
Sorry, but I am just trying to understand the logic.

Thanks,
Aviv
Userlevel 6
Hi Aviv,

let me show something then:

VX(config-ip-acl-NO-ICMP)#show context
ip access-list NO-ICMP
 deny icmp any any rule-precedence 5

VX(config-profile-default-ap7562-if-ge1)#show context
interface ge1
 switchport mode trunk
 switchport trunk native vlan 88
 no switchport trunk native tagged
 switchport trunk allowed vlan 88,99
 use ip-access-list in NO-ICMP

Then, trying to ping this host from its adopting controller, this is what I see as deny (the I means inbound direction):

AP#service pktcap on deny filter not mint
Capturing up to 50 packets. Use Ctrl-C to abort.
1 9:24:54.304425 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 1, length 108, DF, DSCP 0
2 9:24:55.305571 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 2, length 108, DF, DSCP 0
3 9:24:56.305600 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 3, length 108, DF, DSCP 0
4 9:24:57.305576 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 4, length 108, DF, DSCP 0
5 9:24:58.305581 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 5, length 108, DF, DSCP 0

However, FROM the AP you are able to ping the controller, as this is an outbound request:

AP#ping 192.168.7.205
PING 192.168.7.205 (192.168.7.205) 100(128) bytes of data.
108 bytes from 192.168.7.205: icmp_seq=1 ttl=63 time=0.596 ms
108 bytes from 192.168.7.205: icmp_seq=2 ttl=63 time=0.496 ms

I am not sure about the system architecture, but I consider the interface "bridge" as a bus between GEs, VLANs and RADIOs. However, your request was not to respond to DHCP discoveries incoming from the wired side, and this is done by dropping traffic with source port UDP 68.

Does it make sense?

Regards,
Ondrej
Userlevel 2
Hi Ondrej,
Firstly, your rule with the addition of "allow all traffic precedence 100" is working well.
I understood why we are filtering incoming traffic.
The DHCP server just doesn't receive the IP requests from the clients on the ETH side 🙂
This is genius!
Thank you
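As an added example (not code from the thread, from Extreme Networks or from WiNG itself), the following Python models how an inbound interface ACL such as NO-DHCP-FROM-GE or NO-ICMP treats the cases discussed in this thread: a Discover arriving on GE1 from the wired side, a Discover arriving over MCX on a radio, an Offer from an external server answering the AP's own request, and the controller's ping arriving on GE1. The parser accepts the ACL lines exactly as they appear above, including the "permit ip any any rule-precedence 100" rule the final post mentions. The evaluation order (lower rule-precedence first, first match wins, implicit deny), the interface names, the packet values and all helper functions are the example's own assumptions, not documented WiNG behaviour.

```python
# Added example, not part of the thread or of the WiNG firmware: a small
# model of a WiNG-style inbound interface ACL, used to check which DHCP and
# ICMP packets the rules quoted in the thread drop and which they pass.
# Assumptions for illustration: lower rule-precedence is evaluated first,
# the first matching rule wins, and an ACL with no matching rule denies.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Port keywords used in the thread's ACL line ("dhcps" is the server port 67).
PORT_NAMES = {"dhcps": 67, "dhcpc": 68, "bootps": 67, "bootpc": 68}
DHCP_SERVER, DHCP_CLIENT = 67, 68


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; else "udp"/"tcp"/"icmp"
    src: str               # "any" or a literal address
    sport: Optional[int]   # None means any port
    dst: str
    dport: Optional[int]
    precedence: int


@dataclass
class Packet:
    ingress: str           # interface the packet arrives on: "ge1", "radio1", ...
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_rule(line: str) -> Rule:
    """Parse one rule line in the form shown in the thread, e.g.
    'deny udp any eq 68 any eq dhcps rule-precedence 5'."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    cut = toks.index("rule-precedence")
    precedence = int(toks[cut + 1])
    body = toks[2:cut]                      # <src> [eq <port>] <dst> [eq <port>]
    addrs: List[str] = []
    ports: List[Optional[int]] = []
    i = 0
    while i < len(body):
        if body[i] == "eq":                 # port qualifier for the previous address
            ports[-1] = _port(body[i + 1])
            i += 2
        else:
            addrs.append(body[i])
            ports.append(None)
            i += 1
    if len(addrs) != 2:
        raise ValueError(f"cannot parse ACL line: {line!r}")
    return Rule(action, proto, addrs[0], ports[0], addrs[1], ports[1], precedence)


def parse_acl(text: str) -> List[Rule]:
    """Parse an 'ip access-list' block (header skipped), sorted by precedence."""
    rules = [parse_rule(l) for l in text.strip().splitlines()
             if l.strip() and not l.strip().startswith("ip access-list")]
    return sorted(rules, key=lambda r: r.precedence)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and rule.src in ("any", pkt.src) and rule.dst in ("any", pkt.dst)
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    for rule in acl:                        # already sorted by precedence
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"                           # implicit deny (assumption)


def inbound_verdict(bindings: Dict[str, List[Rule]], pkt: Packet) -> str:
    """Apply only the ACL bound inbound on the ingress interface; an interface
    with no inbound ACL does not filter, and egress is never examined."""
    acl = bindings.get(pkt.ingress)
    return evaluate(acl, pkt) if acl else "permit"


# The thread's ACL plus the permit-all rule the asker added afterwards.
NO_DHCP_FROM_GE = parse_acl("""
ip access-list NO-DHCP-FROM-GE
 deny udp any eq 68 any eq dhcps rule-precedence 5
 permit ip any any rule-precedence 100
""")
NO_ICMP = parse_acl("ip access-list NO-ICMP\n deny icmp any any rule-precedence 5")
BCAST = "255.255.255.255"


def scenarios() -> Dict[str, str]:
    """Constructed packets for the cases discussed in the thread (not captures)."""
    dhcp = {"ge1": NO_DHCP_FROM_GE}        # 'use ip-access-list in NO-DHCP-FROM-GE'
    return {
        # Wired client's Discover entering GE1: dropped, so the VC's server never sees it.
        "wired_discover_on_ge1": inbound_verdict(dhcp, Packet(
            "ge1", "udp", "0.0.0.0", BCAST, DHCP_CLIENT, DHCP_SERVER)),
        # Mesh client's Discover arrives on the radio, where nothing is bound.
        "mesh_discover_on_radio": inbound_verdict(dhcp, Packet(
            "radio1", "udp", "0.0.0.0", BCAST, DHCP_CLIENT, DHCP_SERVER)),
        # External server's Offer for the AP itself: source port 67, not 68,
        # so rule 5 does not match and rule 100 permits it.
        "external_offer_on_ge1": inbound_verdict(dhcp, Packet(
            "ge1", "udp", "192.0.2.1", BCAST, DHCP_SERVER, DHCP_CLIENT)),
        # Controller's echo request entering GE1 under NO-ICMP, as in the pktcap.
        "controller_ping_on_ge1": inbound_verdict({"ge1": NO_ICMP}, Packet(
            "ge1", "icmp", "192.168.7.205", "88.88.88.88")),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:26s} -> {verdict}")
```

The model is stateless and says nothing about return traffic for flows the AP itself opens; it only shows why matching source port 68 at GE1 ingress stops wired Discovers while leaving the AP's own client exchange and the radio side untouched.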
