
Cisco IOS Firewall

DHCP Client or Server with ZBF Router Configuration

Document ID: 116117

Updated: Jul 29, 2013

Contributed by Puneet Seth and Phillip Strelau, Cisco TAC Engineers.


Introduction

This document describes how to configure a router that acts as a Dynamic Host Configuration Protocol (DHCP) server or DHCP client while the zone-based firewall (ZBF) feature is enabled. Because it is fairly common to have DHCP and ZBF enabled simultaneously, these configuration tips help ensure that the two features interact correctly.

Prerequisites

Requirements

Cisco recommends that you have knowledge of the Cisco IOS® software zone-based firewall. Refer to the Zone-Based Policy Firewall Design and Application Guide for details.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Feature Information

When ZBF is enabled on an IOS router, any traffic to the self zone (that is, traffic destined to the router's management plane) is allowed by default in the IOS 15.x train of code.

If you have created a policy for any zone (such as 'inside' or 'outside') to the self zone (out-to-self policy) or the reverse (self-to-out policy), you must explicitly define permissible traffic in the policies attached to these zones. Use the inspect or pass action in order to define the permissible traffic.

Data Analysis

DHCP uses broadcast User Datagram Protocol (UDP) packets in order to complete the DHCP exchange. If the zone-based firewall configuration applies the inspect action to these broadcast UDP packets, the router might drop them and the DHCP process might fail. You might also see this log message:

%FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair self-out class dhcp with ip ident 0

Refer to the issue described in Cisco bug ID CSCso53376, "ZBF inspect doesn't work for broadcast traffic."

In order to avoid this problem, modify the zone-based firewall configuration so that the pass action instead of the inspect action is applied to the DHCP traffic.

Note: This is required only when a policy is applied to the self zone on the router.

Zone-Based Firewall as DHCP Client with Pass Action for UDP Traffic

Configure

This example configuration uses the pass action instead of the inspect action in the policy-map for all UDP traffic to or from the router.

zone security outside
zone security inside

interface Ethernet0/1
zone-member security outside
interface Ethernet0/2
zone-member security inside

class-map type inspect match-all dhcp
match protocol udp

policy-map type inspect out-to-self
class type inspect dhcp
pass
class class-default
drop
policy-map type inspect self-to-out
class type inspect dhcp
pass
class class-default
drop

zone-pair security out-to-self source outside destination self
zone-pair security self-to-out source self destination outside

Verify

Review the syslogs in order to verify that the router successfully obtained a DHCP address.

  • When both the out-to-self and self-to-out policies are configured to pass UDP traffic, the router can obtain an IP address from DHCP as shown in this syslog:
    %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/0 assigned DHCP address 192.168.1.5, mask 255.255.255.0
  • When only the out-to-self zone policy is configured to pass UDP traffic, the router can also obtain an IP address from DHCP, and this syslog is created:
    %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/0 assigned DHCP address 192.168.1.6, mask 255.255.255.0
  • When only the self-to-out zone policy is configured to pass UDP traffic, the router can obtain an IP address from DHCP, and this syslog is created:
    %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/0 assigned DHCP address 192.168.1.7, mask 255.255.25

Zone-Based Firewall with Pass Action for DHCP Traffic

Configure

This example configuration shows how to prevent all UDP traffic from a zone into your router's self zone except for DHCP packets. Use an access-list with specific ports in order to allow just DHCP traffic; in this example, UDP port 67 and UDP port 68 are specified to be matched. A class-map that references the access-list has the pass action applied.

ip access-list extended 111
10 permit udp any any eq 67

ip access-list extended 112
10 permit udp any any eq 68

class-map type inspect match-any self-to-out
match access-group 111
class-map type inspect match-any out-to-self
match access-group 112

zone security outside
zone security inside

interface Ethernet0/1
zone-member security outside
interface Ethernet0/2
zone-member security inside

policy-map type inspect out-to-self
class type inspect out-to-self
pass
class class-default
drop
policy-map type inspect self-to-out
class type inspect self-to-out
pass
class class-default
drop

zone-pair security out-to-self source outside destination self
zone-pair security self-to-out source self destination outside

Verify

Review output from the show policy-map type inspect zone-pair sessions command in order to confirm that the router is permitting DHCP traffic through the zone firewall. In this example output, the packet counters under Pass for the DHCP class-maps indicate that packets are being passed through the zone firewall. If these counters are zero, there is a problem with the configuration, or the packets are not arriving at the router for processing.

router#show policy-map type inspect zone-pair sessions

policy exists on zp out-to-self
Zone-pair: out-to-self
Service-policy inspect : out-to-self
Class-map: out-to-self (match-any)
Match: access-group 112
3 packets, 924 bytes
30 second rate 0 bps
Pass
6 packets, 1848 bytes

Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes

policy exists on zp self-to-out
Zone-pair: self-to-out
Service-policy inspect : self-to-out
Class-map: self-to-out (match-any)
Match: access-group 111
6 packets, 3504 bytes
30 second rate 0 bps
Pass
6 packets, 3504 bytes

Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
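To automate the check described in the Verify section, the following added example (not part of the Cisco document) parses show policy-map type inspect zone-pair sessions output and flags any non-default class whose Pass counter is zero. The sample output is constructed to resemble the page's output, with the self-to-out counters deliberately set to zero so that the failing case is visible.

```python
import re

# Constructed sample in the shape of the page's "show policy-map type inspect
# zone-pair sessions" output; self-to-out is deliberately passing nothing.
SAMPLE_SHOW_OUTPUT = """\
Zone-pair: out-to-self
Class-map: out-to-self (match-any)
Match: access-group 112
3 packets, 924 bytes
Pass
6 packets, 1848 bytes
Zone-pair: self-to-out
Class-map: self-to-out (match-any)
Match: access-group 111
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Drop
4 packets, 1232 bytes
"""

def parse_zone_pair_counters(text):
    """Return {zone_pair: {class_map: {action: packets}}} from the show output."""
    result = {}
    zone_pair = class_map = action = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Zone-pair:"):
            zone_pair = line.split()[1]
            result[zone_pair] = {}
        elif line.startswith("Class-map:"):
            class_map = line.split()[1]
            result[zone_pair][class_map] = {}
        elif line in ("Pass", "Drop", "Inspect"):
            action = line  # the next "N packets" line belongs to this action
        else:
            m = re.match(r"(\d+) packets, \d+ bytes", line)
            if m and action:  # match counters (no pending action) are skipped
                result[zone_pair][class_map][action] = int(m.group(1))
                action = None
    return result

def dhcp_pass_problems(text):
    # Any class other than class-default is assumed to be the DHCP class.
    problems = []
    for zone_pair, classes in parse_zone_pair_counters(text).items():
        for class_map, counters in classes.items():
            if class_map != "class-default" and counters.get("Pass", 0) == 0:
                problems.append(f"{zone_pair}/{class_map}")
    return problems
```

A zone-pair/class reported by dhcp_pass_problems has either a policy that is not passing DHCP or no DHCP packets reaching the router, which is the distinction the Verify section asks you to make.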

Scenario for Incorrect Configurations

This sample scenario shows what happens when the router is incorrectly configured to specify the inspect action for DHCP traffic. In this scenario, the router is configured as a DHCP client. The router sends out a DHCP discover message to try to obtain an IP address. The zone-based firewall is configured to inspect this DHCP traffic. This is an example of the ZBF configuration:

zone security outside
zone security inside

interface Ethernet0/1
zone-member security outside

interface Ethernet0/2
zone-member security inside

class-map type inspect match-all dhcp
match protocol udp

policy-map type inspect out-to-self
class type inspect dhcp
inspect
class class-default
drop
policy-map type inspect self-to-out
class type inspect dhcp
inspect
class class-default
drop

zone-pair security out-to-self source outside destination self
zone-pair security self-to-out source self destination outside

When the self-to-out policy is configured with the inspect action for UDP traffic, the DHCP discover packet is dropped, and this syslog is created:

%FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair self-out class dhcp with ip ident 0

When both the self-to-out and out-to-self policies are configured with the inspect action for UDP traffic, the DHCP discover packet is dropped, and this syslog is created:

%FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair self-out class dhcp with ip ident 0

When the out-to-self policy has the inspect action enabled and the self-to-out policy has the pass action enabled for UDP traffic, the DHCP offer packet is dropped after the DHCP discover packet is sent, and this syslog is created:

%FW-6-DROP_PKT: Dropping udp session 192.168.1.1:67 255.255.255.255:68 on zone-pair out-self class dhcp with ip ident 0
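The three drop messages above differ only in direction and zone-pair, so they can be triaged automatically. The following added example (not part of the Cisco document) classifies %FW-6-DROP_PKT syslog lines: a drop toward UDP port 67 is the client-originated discover/request, a drop toward port 68 is the server-originated offer/ack, and the zone-pair named in the line is the one whose policy needs the pass action. The sample lines are constructed in the page's message format and include one non-DHCP drop to show it is ignored.

```python
import re

# Field layout of the %FW-6-DROP_PKT message as it appears on the page.
DROP_PKT_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<class_map>\S+)"
)

# Constructed syslog lines (not captured from a device); the first two follow
# the page's examples, the third is a non-DHCP drop that must be ignored.
SAMPLE_SYSLOG = [
    "%FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 "
    "on zone-pair self-out class dhcp with ip ident 0",
    "%FW-6-DROP_PKT: Dropping udp session 192.168.1.1:67 255.255.255.255:68 "
    "on zone-pair out-self class dhcp with ip ident 0",
    "%FW-6-DROP_PKT: Dropping udp session 10.0.0.5:5000 10.0.0.1:53 "
    "on zone-pair in-out class class-default with ip ident 0",
]

def classify_dhcp_drop(line):
    """Return a diagnosis dict for a ZBF DHCP drop line, or None if it is not one."""
    m = DROP_PKT_RE.search(line)
    if not m or m["proto"] != "udp":
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if {sport, dport} != {67, 68}:
        return None  # UDP, but not DHCP
    # Port 67 is the server port: a packet toward 67 is client-originated
    # (discover/request); a packet toward 68 is server-originated (offer/ack).
    if dport == 67:
        stage = "client-to-server (discover/request)"
    else:
        stage = "server-to-client (offer/ack)"
    return {
        "zone_pair": m["zone_pair"],
        "class_map": m["class_map"],
        "broadcast": m["dst"] == "255.255.255.255",
        "stage": stage,
        "fix": "use the pass action instead of inspect for DHCP in the policy "
               f"applied to zone-pair {m['zone_pair']}",
    }

def dhcp_drop_report(lines):
    """Diagnoses for every DHCP drop in a batch of syslog lines."""
    return [d for d in (classify_dhcp_drop(l) for l in lines) if d]
```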

Router as DHCP Server

If the router's inside interface is acting as a DHCP server and the clients that connect to the inside interface are the DHCP clients, this DHCP traffic is allowed by default if there is no inside-to-self or self-to-inside zone policy.

However, if either of those policies does exist, you need to configure a pass action for the traffic of interest (UDP port 67 or UDP port 68) in the zone pair service policy.

Troubleshoot

There is currently no specific troubleshooting information available for these configurations.
