[c-nsp] ZBFW and DHCP

Andrew Jones Andrew.Jones at alphawest.com.au
Wed Sep 14 00:59:36 EDT 2011


Obvious question, but is DHCP passed in the service policy?

i.e.:

ip access-list extended al-dhcp
 remark Permit DHCP Clients to be allocated an address by the router
 permit udp any any eq bootpc
 permit udp any any eq bootps

class-map type inspect match-all cm-dhcp
 match access-group name al-dhcp

policy-map type inspect pm-dhcp
 class type inspect cm-dhcp
  pass

zone-pair security zp-untrusted-self source zo-untrusted destination self
service-policy type inspect pm-dhcp


You may need to reverse the ACL so that it allows DHCP both ways, as this is to allow the router to serve DHCP.

i.e.

permit udp any eq bootpc any

Cheers,

Andrew Jones

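For Scott's case, where the router itself is the DHCP client on the outside interface, the following is an added example of a complete ZBFW fragment; it is not part of Andrew's post. It assumes the same zone name zo-untrusted and attaches the policy to both self zone-pairs, because `pass` creates no session state, so the reply direction has to be permitted on its own zone-pair.

```cisco
! Match DHCP in both directions: client->server (src 68, dst 67)
! and server->client (src 67, dst 68). "any" also covers the
! 0.0.0.0 -> 255.255.255.255 DISCOVER/OFFER exchange.
ip access-list extended al-dhcp-self
 remark Router as DHCP client on the outside interface, both directions
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc

class-map type inspect match-all cm-dhcp-self
 match access-group name al-dhcp-self

! "pass" forwards without building a session entry, so the reverse
! direction is not opened automatically; class-default drops the rest.
policy-map type inspect pm-dhcp-self
 class type inspect cm-dhcp-self
  pass
 class class-default
  drop

! Assumed zone name: zo-untrusted is the ISP-facing interface's zone.
zone-pair security zp-untrusted-self source zo-untrusted destination self
 service-policy type inspect pm-dhcp-self
zone-pair security zp-self-untrusted source self destination zo-untrusted
 service-policy type inspect pm-dhcp-self
```

Once a policy is attached to a self zone-pair, any other traffic between the router and that zone (for example the IKE and ESP of the GRE/IPsec backup tunnel) is dropped by class-default unless it has its own class.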

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Voll
Sent: Wednesday, 14 September 2011 12:11 AM
To: Hughes, Scott GRE-MG
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ZBFW and DHCP

I have Zones for both inside self and outside self

Scott

On Mon, Sep 12, 2011 at 1:38 PM, Hughes, Scott GRE-MG
<SHughes at grenergy.com> wrote:

> Did you setup any zone-pairs involving the 'self' zone? If you don't use
> self zones, no additional configuration should be necessary for DHCP
> packets.
>
> On Sep 12, 2011, at 9:43 AM, "Scott Voll" <svoll.voip at gmail.com> wrote:
>
> > So I'm setting up a GRE IPSEC tunnel as my backup link with a 2821.  I have
> > also setup ZBFW on the outside interface.  So far so good.
> >
> > BUT now the outside interface will not get a DHCP address from the ISP.  How
> > do I allow the Router to get a DHCP address?  Did I miss something on the
> > ZBFW config?  Or can this not be done?
> >
> > TIA
> >
> > Scott
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
