This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Wireless
- ExtremeWireless (WiNG)
- DHCP only on radio interfaces
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
DHCP only on radio interfaces
DHCP only on radio interfaces
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-26-2017 12:08 PM
I need to deploy several pieces of AP7502 WING 5.9 with Mesh MCX when VC is DHCP server. Only VC is with ETH link.
I need the DHCP responses only on the wireless side.
Question:
How can I block the DHCP from crossing the GE1?
Thanks
I need the DHCP responses only on the wireless side.
Question:
How can I block the DHCP from crossing the GE1?
Thanks
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-26-2017 12:25 PM
Hi Aviv,
you assign DHCP policy per VLAN, not physical interface.
So then you shall crate ACL blocking UDP/68 incoming on GE1 and that's it.
Here example blocking DHCP Discover on GE1
VX(config-ip-acl-NO-DHCP-FROM-GE)#show context ip access-list NO-DHCP-FROM-GE deny udp any eq 68 any eq dhcps rule-precedence 5 VX(config-profile-default-ap7562-if-ge1)#show context interface ge1 switchport mode trunk switchport trunk native vlan 88 no switchport trunk native tagged switchport trunk allowed vlan 88,99 use ip-access-list in NO-DHCP-FROM-GE So in translation - incoming traffic will be examined by ACL NO-DHCP-FROM-GE and will deny packets matching source UDP port 68.
At the same time AP will still be able to request IP address from external DHCP server as ACL is mapped to inbound direction only.
You can definitely do it with different range - this is just en example.
Regards,
Ondrej
you assign DHCP policy per VLAN, not physical interface.
So then you shall crate ACL blocking UDP/68 incoming on GE1 and that's it.
Here example blocking DHCP Discover on GE1
VX(config-ip-acl-NO-DHCP-FROM-GE)#show context ip access-list NO-DHCP-FROM-GE deny udp any eq 68 any eq dhcps rule-precedence 5 VX(config-profile-default-ap7562-if-ge1)#show context interface ge1 switchport mode trunk switchport trunk native vlan 88 no switchport trunk native tagged switchport trunk allowed vlan 88,99 use ip-access-list in NO-DHCP-FROM-GE So in translation - incoming traffic will be examined by ACL NO-DHCP-FROM-GE and will deny packets matching source UDP port 68.
At the same time AP will still be able to request IP address from external DHCP server as ACL is mapped to inbound direction only.
You can definitely do it with different range - this is just en example.
Regards,
Ondrej
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-26-2017 12:25 PM
Hi Ondrej,
Firstly, your rule with the addition of "allow all traffic precedence 100" working well.
I understood why we filtering incoming traffic.
DHCP server just don't receive the IP requests from the clients from the ETH side 🙂
This is genius!
Thank you
Firstly, your rule with the addition of "allow all traffic precedence 100" working well.
I understood why we filtering incoming traffic.
DHCP server just don't receive the IP requests from the clients from the ETH side 🙂
This is genius!
Thank you
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-26-2017 12:25 PM
Hi Aviv,
let me show something then:
VX(config-ip-acl-NO-ICMP)#show context
ip access-list NO-ICMP
deny icmp any any rule-precedence 5 VX(config-profile-default-ap7562-if-ge1)#show context
interface ge1
switchport mode trunk
switchport trunk native vlan 88
no switchport trunk native tagged
switchport trunk allowed vlan 88,99
use ip-access-list in NO-ICMP Then trying to ping this host from its adopting controller this is what I see as deny - the I means inbound direction
AP#service pktcap on deny filter not mint
Capturing up to 50 packets. Use Ctrl-C to abort.
1 9:24:54.304425 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 1, length 108, DF, DSCP 0
2 9:24:55.305571 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 2, length 108, DF, DSCP 0
3 9:24:56.305600 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 3, length 108, DF, DSCP 0
4 9:24:57.305576 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 4, length 108, DF, DSCP 0
5 9:24:58.305581 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 5, length 108, DF, DSCP 0However, FROM the AP you are able to ping controller as this is outbound request
AP#ping 192.168.7.205
PING 192.168.7.205 (192.168.7.205) 100(128) bytes of data.
108 bytes from 192.168.7.205: icmp_seq=1 ttl=63 time=0.596 ms
108 bytes from 192.168.7.205: icmp_seq=2 ttl=63 time=0.496 ms
I am not sure about the system architecture but I consider interface "bridge" as a bus between GEs, VLANs and RADIOs. However, you request was not to respond to DHCP discoveries incoming from wired side - this is done by dropping traffic with source port UDP 68
Does it make sense?
Regards,
Ondrej
let me show something then:
VX(config-ip-acl-NO-ICMP)#show context
ip access-list NO-ICMP
deny icmp any any rule-precedence 5 VX(config-profile-default-ap7562-if-ge1)#show context
interface ge1
switchport mode trunk
switchport trunk native vlan 88
no switchport trunk native tagged
switchport trunk allowed vlan 88,99
use ip-access-list in NO-ICMP Then trying to ping this host from its adopting controller this is what I see as deny - the I means inbound direction
AP#service pktcap on deny filter not mint
Capturing up to 50 packets. Use Ctrl-C to abort.
1 9:24:54.304425 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 1, length 108, DF, DSCP 0
2 9:24:55.305571 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 2, length 108, DF, DSCP 0
3 9:24:56.305600 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 3, length 108, DF, DSCP 0
4 9:24:57.305576 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 4, length 108, DF, DSCP 0
5 9:24:58.305581 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 5, length 108, DF, DSCP 0However, FROM the AP you are able to ping controller as this is outbound request
AP#ping 192.168.7.205
PING 192.168.7.205 (192.168.7.205) 100(128) bytes of data.
108 bytes from 192.168.7.205: icmp_seq=1 ttl=63 time=0.596 ms
108 bytes from 192.168.7.205: icmp_seq=2 ttl=63 time=0.496 ms
I am not sure about the system architecture but I consider interface "bridge" as a bus between GEs, VLANs and RADIOs. However, you request was not to respond to DHCP discoveries incoming from wired side - this is done by dropping traffic with source port UDP 68
Does it make sense?
Regards,
Ondrej
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-26-2017 12:25 PM
Ondrej,
Just I did not understand why we call it "inbound direction" although it seems to be an filtering on out direction in my opinion. Additionally we don't have the option to filter the out direction of GE.
As it although filtering the DHCP on VLAN why still it will forward DHCP Discover over wireless interface.
Can I find some information about internal bridging interface processes (radios, ge, bridge, svi, vlans) of the WING5 access points to understand better how it works?
Sorry, but I just try to understand the logic.
Thanks,
Aviv
Just I did not understand why we call it "inbound direction" although it seems to be an filtering on out direction in my opinion. Additionally we don't have the option to filter the out direction of GE.
As it although filtering the DHCP on VLAN why still it will forward DHCP Discover over wireless interface.
Can I find some information about internal bridging interface processes (radios, ge, bridge, svi, vlans) of the WING5 access points to understand better how it works?
Sorry, but I just try to understand the logic.
Thanks,
Aviv
