[c-nsp] Limiting DHCP on a Bridge Group
David Prall
dcp at dcptech.com
Wed Feb 10 13:04:47 EST 2010
Match protocol is NBAR; I can never remember which require "ip nbar
protocol-discovery" on the interface.
Why not use an access-list denying DHCP:
deny udp any eq bootpc any eq bootps
David
--
http://dcp.dcptech.com
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Garry
> Sent: Wednesday, February 10, 2010 12:50 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Limiting DHCP on a Bridge Group
>
> Hi,
>
> I've got a setup that could use some tweaking ...
>
> CPE is a 876W, with the 4 wired switch ports (read: VLAN1) and the WLAN
> being in a bridge group, LAN ip on the BVI1 interface.
>
> LAN ports are only for designated boxes, while there are select users
> that may use the WLAN link to connect. For those, the router is running
> as a DHCP server, too.
> Anyway, I would like to limit the DHCP answers to just the WLAN link. I
> know I could go ahead and just split up the bridge group, with routing
> between the networks, but due to some other requirements, WLAN and wired
> LAN need to be in the same broadcast domain (at least unless the
> customer goes through some major reconfiguration).
>
> I've received some suggestions as to using a policy map with class maps
> matching on proto dhcp and the incoming interfaces, dropping the traffic
> when it matched, while still forwarding the class default ... anyway, I
> tried setting that up, but still got DHCP on the FE ports ...
>
> Any other suggestions? Or some hint on what I missed? Here's an excerpt
> from the config ...
>
> ---
> class-map match-all NODHCP
>  match protocol dhcp
>  match input-interface FastEthernet0
> class-map match-all NODHCP1
>  match protocol dhcp
>  match input-interface FastEthernet1
> class-map match-all NODHCP2
>  match protocol dhcp
>  match input-interface FastEthernet2
> class-map match-all NODHCP3
>  match protocol dhcp
>  match input-interface FastEthernet3
>
> policy-map NODHCP
>  class NODHCP
>   drop
>  class NODHCP1
>   drop
>  class NODHCP2
>   drop
>  class NODHCP3
>   drop
>  class class-default
> !
> interface BVI1
>  ip address 10.1.1.1 255.255.255.0
>  service-policy input NODHCP
>
> Help appreciated, -garry
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
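As an added example (not part of this thread, and not Cisco's code), the following Python script models how an IOS extended ACL is evaluated, so you can see exactly what David's suggested entry "deny udp any eq bootpc any eq bootps" matches. The parser is deliberately limited to the "any" and "host X" address forms and a constructed subset of IOS port keywords; the sample packets are constructed to look like traffic on the 10.1.1.0/24 LAN in Garry's excerpt. The thread does not settle where on an 876W bridge group such an ACL has to be applied to catch bridged DHCP, so the script only shows the matching semantics: the entry matches client-to-server requests (source port bootpc 68, destination port bootps 67) and not the server's replies, and because every IOS ACL ends with an implicit deny, the entry on its own would drop all other traffic unless a permit follows it.

```python
"""Added example (not from the thread): evaluator for Cisco-style
extended ACL entries, used to check what
"deny udp any eq bootpc any eq bootps" actually matches."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IOS port keywords usable after "eq" (constructed subset of the real list)
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass
class Ace:
    """One access-control entry: action proto src [eq port] dst [eq port]."""
    action: str
    proto: str
    src: str              # "any" or a single host address
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_ace(line: str) -> Ace:
    toks = line.split()
    if len(toks) < 4 or toks[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto = toks[0], toks[1]
    pos = 2

    def addr() -> str:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "any"
        if toks[pos] == "host":          # "host A.B.C.D"
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"only 'any' and 'host X' are supported: {line!r}")

    def port() -> Optional[int]:
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return _port(toks[pos - 1])
        return None

    src = addr()
    sport = port()
    dst = addr()
    dport = port()
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines if line.strip()]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed sample traffic on the 10.1.1.0/24 LAN from the thread
SAMPLES: Dict[str, Packet] = {
    "dhcp_discover": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dhcp_offer":    Packet("udp", "10.1.1.1", 67, "255.255.255.255", 68),
    "dns_query":     Packet("udp", "10.1.1.50", 50123, "10.1.1.1", 53),
}


def classify(acl_lines: List[str]) -> Dict[str, str]:
    acl = parse_acl(acl_lines)
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    # David's entry alone: the implicit deny drops everything else as well
    print(classify(["deny udp any eq bootpc any eq bootps"]))
    # With a trailing permit, only client->server DHCP requests are dropped
    print(classify(["deny udp any eq bootpc any eq bootps", "permit ip any any"]))
```

Run it as-is and compare the two dictionaries: the first shows all three samples denied, the second shows only the DHCP DISCOVER denied while the OFFER and the DNS query pass.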