This document describes how to configure a router that is acting as a Dynamic Host Configuration Protocol (DHCP) server or DHCP client with the zone-based firewall (ZBF) feature. Because it is fairly common to have DHCP and ZBF enabled simultaneously, these configuration tips help ensure that the two features interact correctly.
Cisco recommends that you have knowledge of the Cisco IOS® software zone-based firewall. Refer to the Zone-Based Policy Firewall Design and Application Guide for details.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
When ZBF is enabled on an IOS router, any traffic to the self zone (that is, traffic destined to the router's management plane) is allowed by default in the IOS 15.x train of code.
If you have created a policy for any zone (such as 'inside' or 'outside') to the self zone (out-to-self policy) or the reverse (self-to-out policy), you must explicitly define permissible traffic in the policies attached to these zones. Use the inspect or pass action in order to define the permissible traffic.
DHCP uses broadcast User Datagram Protocol (UDP) packets in order to complete the DHCP exchange. If the zone-based firewall configuration applies the inspect action to these broadcast UDP packets, the router might drop them and the DHCP process might fail. You might also see this log message:
%FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair
self-out class dhcp with ip ident 0
Refer to the issue described in Cisco bug ID CSCso53376, "ZBF inspect doesn't work for broadcast traffic."
In order to avoid this problem, modify the zone-based firewall configuration so that the pass action instead of the inspect action is applied to the DHCP traffic.
This example configuration applies the pass action instead of the inspect action in the policy-map for all UDP traffic to or from the router.
zone security outside
zone security inside
interface Ethernet0/1
 zone-member security outside
interface Ethernet0/2
 zone-member security inside
class-map type inspect match-all dhcp
 match protocol udp
policy-map type inspect out-to-self
 class type inspect dhcp
  pass
 class class-default
  drop
policy-map type inspect self-to-out
 class type inspect dhcp
  pass
 class class-default
  drop
zone-pair security out-to-self source outside destination self
 service-policy type inspect out-to-self
zone-pair security self-to-out source self destination outside
 service-policy type inspect self-to-out
Review the syslogs in order to verify that the router successfully obtained a DHCP address.
When both the out-to-self and self-to-out policies are configured to pass UDP traffic, the router can obtain an IP address from DHCP as shown in this syslog:
%DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/0 assigned DHCP address 192.168.1.5,
mask 255.255.255.0
When only the out-to-self zone policy is configured to pass UDP traffic, the router can also obtain an IP address from DHCP, and this syslog is created:
%DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/0 assigned DHCP address 192.168.1.6,
mask 255.255.255.0
When only the self-to-out zone policy is configured to pass UDP traffic, the router can obtain an IP address from DHCP, and this syslog is created:
%DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/0 assigned DHCP address 192.168.1.7,
mask 255.255.25
This example configuration shows how to block all UDP traffic from a zone into your router's self zone except for DHCP packets. Use an access-list with specific ports in order to allow just DHCP traffic; in this example, UDP port 67 and UDP port 68 are matched. A class-map that references each access-list has the pass action applied.
ip access-list extended 111
 10 permit udp any any eq 67
ip access-list extended 112
 10 permit udp any any eq 68
class-map type inspect match-any self-to-out
 match access-group 111
class-map type inspect match-any out-to-self
 match access-group 112
zone security outside
zone security inside
interface Ethernet0/1
 zone-member security outside
interface Ethernet0/2
 zone-member security inside
policy-map type inspect out-to-self
 class type inspect out-to-self
  pass
 class class-default
  drop
policy-map type inspect self-to-out
 class type inspect self-to-out
  pass
 class class-default
  drop
zone-pair security out-to-self source outside destination self
 service-policy type inspect out-to-self
zone-pair security self-to-out source self destination outside
 service-policy type inspect self-to-out
Review the output of the show policy-map type inspect zone-pair sessions command in order to confirm that the router is permitting DHCP traffic through the zone firewall. In this example output, the packet counters under Pass for each DHCP class-map indicate that packets are being passed through the zone firewall. If these counters are zero, either there is a problem with the configuration or the packets are not arriving at the router for processing.
router#show policy-map type inspect zone-pair sessions
policy exists on zp out-to-self
 Zone-pair: out-to-self
  Service-policy inspect : out-to-self
   Class-map: out-to-self (match-any)
    Match: access-group 112
     3 packets, 924 bytes
     30 second rate 0 bps
    Pass
     6 packets, 1848 bytes
   Class-map: class-default (match-any)
    Match: any
    Drop
     0 packets, 0 bytes
policy exists on zp self-to-out
 Zone-pair: self-to-out
  Service-policy inspect : self-to-out
   Class-map: self-to-out (match-any)
    Match: access-group 111
     6 packets, 3504 bytes
     30 second rate 0 bps
    Pass
     6 packets, 3504 bytes
   Class-map: class-default (match-any)
    Match: any
    Drop
     0 packets, 0 bytes
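The verification step above can be automated. This added example (not part of the original document) parses the show policy-map type inspect zone-pair sessions output into per-class counters and reports any DHCP class-map whose Pass counter is zero; the sample output is constructed in the format shown above, with the self-to-out class deliberately passing nothing.

```python
import re

# Constructed sample in the format of 'show policy-map type inspect zone-pair sessions':
# out-to-self passes packets, self-to-out passes none (the misconfiguration to catch).
SAMPLE_OUTPUT = """\
 Zone-pair: out-to-self
  Service-policy inspect : out-to-self
   Class-map: out-to-self (match-any)
    Match: access-group 112
     3 packets, 924 bytes
    Pass
     6 packets, 1848 bytes
   Class-map: class-default (match-any)
    Match: any
    Drop
     0 packets, 0 bytes
 Zone-pair: self-to-out
  Service-policy inspect : self-to-out
   Class-map: self-to-out (match-any)
    Match: access-group 111
     0 packets, 0 bytes
    Pass
     0 packets, 0 bytes
"""

ZP_RE = re.compile(r"^\s*Zone-pair:\s+(\S+)")
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
ACTIONS = {"Pass", "Drop", "Inspect"}

def parse_zone_pair_sessions(text):
    """Return {(zone_pair, class_map): {'Match': pkts, 'Pass': pkts, 'Drop': pkts}}."""
    counters, zp, cls, label = {}, None, None, None
    for line in text.splitlines():
        if m := ZP_RE.match(line):
            zp, cls, label = m.group(1), None, None
        elif m := CLASS_RE.match(line):
            cls, label = m.group(1), None
        elif line.strip().startswith("Match:"):
            label = "Match"            # next packet line is the match counter
        elif line.strip() in ACTIONS:
            label = line.strip()       # next packet line is the action counter
        elif (m := COUNT_RE.match(line)) and zp and cls and label:
            counters.setdefault((zp, cls), {})[label] = int(m.group(1))
            label = None               # ignore the '30 second rate' line that may follow
    return counters

def dhcp_pass_problems(text, dhcp_classes=("out-to-self", "self-to-out")):
    """Zone-pair/class pairs for the DHCP classes whose Pass counter is zero or absent."""
    return [(zp, cls) for (zp, cls), c in parse_zone_pair_sessions(text).items()
            if cls in dhcp_classes and c.get("Pass", 0) == 0]
```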
This sample scenario shows what happens when the router is incorrectly configured to apply the inspect action to DHCP traffic. In this scenario, the router is configured as a DHCP client. The router sends out a DHCP discover message in order to obtain an IP address, and the zone-based firewall is configured to inspect this DHCP traffic. This is an example of the ZBF configuration:
zone security outside
zone security inside
interface Ethernet0/1
 zone-member security outside
interface Ethernet0/2
 zone-member security inside
class-map type inspect match-all dhcp
 match protocol udp
policy-map type inspect out-to-self
 class type inspect dhcp
  inspect
 class class-default
  drop
policy-map type inspect self-to-out
 class type inspect dhcp
  inspect
 class class-default
  drop
zone-pair security out-to-self source outside destination self
 service-policy type inspect out-to-self
zone-pair security self-to-out source self destination outside
 service-policy type inspect self-to-out
When the self-to-out policy is configured with the inspect action for UDP traffic, the DHCP discovery packet is dropped, and this syslog is created:
%FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair
self-out class dhcp with ip ident 0
When both the self-to-out and out-to-self policies are configured with the inspect action for UDP traffic, the DHCP discovery packet is dropped, and this syslog is created:
%FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair
self-out class dhcp with ip ident 0
When the out-to-self policy has the inspect action enabled, and the self-to-out policy has the pass action enabled for UDP traffic, the DHCP offer packet is dropped after the DHCP discovery packet is sent, and this syslog is created:
%FW-6-DROP_PKT: Dropping udp session 192.168.1.1:67 255.255.255.255:68 on zone-pair
out-self class dhcp with ip ident 0
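The three drop scenarios above can be told apart from the %FW-6-DROP_PKT message alone: the port pair and zone-pair name say whether the client's discover or the server's offer was dropped, and therefore which policy needs the pass action. This added example (not from the original document) implements that triage over constructed syslog lines modelled on the messages above, each joined onto a single line as a syslog collector would store it.

```python
import re
from typing import Optional

# Constructed sample syslog lines, modelled on the %FW-6-DROP_PKT messages above.
SAMPLE_LOGS = """\
%FW-6-DROP_PKT: Dropping udp session 0.0.0.0:68 255.255.255.255:67 on zone-pair self-out class dhcp with ip ident 0
%FW-6-DROP_PKT: Dropping udp session 192.168.1.1:67 255.255.255.255:68 on zone-pair out-self class dhcp with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 10.0.0.5:51234 10.0.0.1:22 on zone-pair out-self class class-default with ip ident 0
%DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/0 assigned DHCP address 192.168.1.5, mask 255.255.255.0
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)

def classify_dhcp_drop(line: str) -> Optional[dict]:
    """Return details of a ZBF drop of a DHCP packet, or None for any other line."""
    m = DROP_RE.search(line)
    if not m or m["proto"] != "udp":
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if not {sport, dport} & {67, 68}:          # not DHCP at all
        return None
    if dport == 67:        # client -> server: discover/request leaving the router
        stage, fix = "discover", "self-to-out policy needs 'pass' for UDP/67"
    elif dport == 68:      # server -> client: offer/ack arriving at the router
        stage, fix = "offer", "out-to-self policy needs 'pass' for UDP/68"
    else:
        stage, fix = "other", "check the policy on the named zone pair"
    return {"zone_pair": m["zp"], "class": m["cls"], "stage": stage,
            "broadcast": m["dst"] == "255.255.255.255", "fix": fix}

def scan_logs(text: str) -> list:
    """All DHCP drops found in a block of syslog text, in order of appearance."""
    return [d for d in map(classify_dhcp_drop, text.splitlines()) if d]
```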
If the router's inside interface is acting as a DHCP server and the clients that connect to the inside interface are the DHCP clients, this DHCP traffic is allowed by default if there is no inside-to-self or self-to-inside zone policy.
However, if either of those policies does exist, you need to configure a pass action for the traffic of interest (UDP port 67 or UDP port 68) in the zone pair service policy.
There is currently no specific troubleshooting information available for these configurations.
Revision | Publish Date | Comments
---|---|---
1.0 | 19-Apr-2013 | Initial Release