Correct rule to allow DHCP in ACL for a VLAN

Ilya_Semenov
Contributor
Hello, everybody!

I need to allow DHCP traffic for a certain VLAN in ACL. Is my rule correct?

entry DHCP {
    if {
        protocol udp ;
        destination-port 67,68 ;
    } then {
        permit ;
    }
}

Should it be applied to VLAN as "ingress"?

Could you please check it? Thank you!


Hi Ilya,

that entry denies all IP (version 4) traffic, but still allows non-IP Ethernet frames. That is OK and equivalent to the implicit deny any of Extreme EOS (or Cisco IOS) IP access-lists (router ACL).

Erik

That rule would allow IP broadcast traffic only.

Yes, I have the deny-all rules at the end of the ACL.

My additional question was whether this rule

entry dhcp { if {
destination-address 255.255.255.255/32 ;
} then {
count dhcp ;
permit ;
}
}

makes sense at all?

What does this rule exactly allow?

Thank you very much!

Ilya_Semenov
Contributor
Many thanks to you!

Then am I correct that this allows all IP traffic, not only DHCP?

entry dhcp { if {
destination-address 255.255.255.255/32 ;
} then {
count dhcp ;
permit ;
}
}

Thank you!

The IP address 255.255.255.255 is the local (not global, my mistake) broadcast address for IP version 4, also known as all ones. This includes any protocol and any port, thus it is not just DHCP.

It is not every broadcast packet either, because IP version 4 supports directed broadcasts (directed broadcasts should be disabled for security reasons, as they allow, e.g., amplification in Smurf attacks).
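To make the difference between the two entries in this thread concrete, here is an added example (not code from the original thread or from any Extreme Networks product): a small Python simulator that applies a first-match ACL with an implicit deny to a handful of constructed packets. The packet fields and sample traffic are made up for illustration; the match functions model only what each posted entry tests (protocol plus UDP port 67/68 in the first, destination 255.255.255.255/32 in the second).

```python
# Added example (not from the original thread): a first-match ACL simulator
# showing what the two posted entries actually match.  The Packet type and the
# SAMPLE_TRAFFIC table below are constructed for illustration only.
import ipaddress
from dataclasses import dataclass

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")  # "all ones"


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    sport: int = 0      # 0 = not applicable (e.g. ICMP)
    dport: int = 0


# Entry from the first post: matches on transport protocol and UDP port only,
# so it catches DHCP whether the packet is broadcast or unicast.
def entry_dhcp_ports(pkt: Packet) -> bool:
    return pkt.proto == "udp" and pkt.dport in (67, 68)


# Entry from the follow-up post: matches on destination-address
# 255.255.255.255/32 only, i.e. any protocol and any port sent to the
# limited broadcast address, but not directed broadcasts such as 10.0.0.255.
def entry_limited_broadcast(pkt: Packet) -> bool:
    return ipaddress.ip_address(pkt.dst) == LIMITED_BROADCAST


def evaluate(acl, pkt: Packet) -> str:
    """First-match evaluation; no entry matching means the implicit deny applies."""
    for name, match in acl:
        if match(pkt):
            return name
    return "implicit-deny"


# Constructed sample traffic on a /24 whose router/DHCP server is 10.0.0.1.
SAMPLE_TRAFFIC = {
    "dhcp-discover":         Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dhcp-offer-broadcast":  Packet("udp", "10.0.0.1", "255.255.255.255", 67, 68),
    "dhcp-renew-unicast":    Packet("udp", "10.0.0.50", "10.0.0.1", 68, 67),
    "ntp-to-limited-bcast":  Packet("udp", "10.0.0.50", "255.255.255.255", 123, 123),
    "udp-directed-broadcast": Packet("udp", "10.0.0.50", "10.0.0.255", 5000, 5000),
    "icmp-to-limited-bcast": Packet("icmp", "10.0.0.50", "255.255.255.255"),
    "dns-unicast":           Packet("udp", "10.0.0.50", "10.0.0.1", 40000, 53),
}

ACL_PORTS = [("dhcp", entry_dhcp_ports)]          # first post's entry
ACL_BROADCAST = [("dhcp", entry_limited_broadcast)]  # follow-up post's entry


def classify(acl) -> dict:
    """Return {sample name: verdict} for every constructed packet."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("udp 67/68 entry", ACL_PORTS),
                       ("255.255.255.255/32 entry", ACL_BROADCAST)):
        print(label)
        for name, verdict in classify(acl).items():
            print(f"  {name:24s} -> {verdict}")
```

Running it shows that the port-based entry permits all three DHCP samples, including the unicast renewal, and nothing else, while the destination-address entry permits NTP and ICMP sent to the limited broadcast address but denies the unicast DHCP renewal and the directed broadcast. Deciding which behaviour is wanted is the question the thread turns on; the simulator only makes the two match sets visible.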