Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Prevent DHCP

  • 1.  Prevent DHCP

    Posted Feb 18, 2020 07:04 AM

    Dear Experts, 

     

    In Instant, is there any way to allow DHCP responses from authorized servers only? I tried to use inbound firewall rules but they don't seem to work. I have a legitimate server on my LAN that should service the DHCP requests for connecting clients.

     

    Any ideas please?



  • 2.  RE: Prevent DHCP

    Posted Feb 18, 2020 07:37 AM

    I tried blocking ICMP from all sources to all destinations. Still, I am able to ping my LAN machines from my wireless clients. In the explanation for inbound rules, it's mentioned that if there is a deny rule, it will be applied.



  • 3.  RE: Prevent DHCP

    MVP GURU
    Posted Feb 21, 2020 09:13 AM

    Have you tried configuring Centralized DHCP Scopes on the IAPs? Configuration > DHCP Server. You could set up an IP helper, and point DHCP to the servers you want responding. On the IAP you can also apply ACLs to the AP ports as well. See the example below of me denying ICMP on the uplink port:

     

    wlan access-list session denyicmp
    rule 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0 match icmp any any deny
    !
    wired-port-profile denyicmp
    access-rule-name denyicmp
    !
    enet0-port-profile denyicmp



  • 4.  RE: Prevent DHCP

    MVP GURU
    Posted Feb 21, 2020 09:30 AM

    Also, I have tested blocking ICMP with this type of setup and it works. Just make sure your rules are in the right order so your DHCP is being denied unless from your DHCP server. Also make sure you apply and save:

     

    inbound-firewall
    rule 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0 match 1 any any deny
    rule 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0 match any any any permit

     




  • 5.  RE: Prevent DHCP

    Posted Feb 21, 2020 11:46 AM
    Dear Dustin,

    What does "1" imply here?

    rule 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0 match "1" any any deny


  • 6.  RE: Prevent DHCP

    MVP GURU
    Posted Feb 21, 2020 02:40 PM

    When configuring the ACL in the GUI, it will insert the protocol number, but if you configure it in the CLI it will use the icmp name for the protocol identifier. See here for IANA Protocol Numbers: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
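
Added example, not part of the thread and not Aruba's code: a small Python model of the rule-ordering point in reply 4 and the protocol-number point in reply 6. It assumes first-match evaluation and that the two fields after the protocol are a destination port range; 192.168.1.10 is a hypothetical authorized DHCP server, and the DHCP rule lines are constructed in the shape of the posted rules, not verified Instant syntax.

```python
import ipaddress

# IANA protocol numbers: the CLI shows the name, the GUI inserts the number.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}

def parse_rule(line):
    """Parse: rule <src> <smask> <dst> <dmask> match <proto> <p1> <p2> <action>"""
    t = line.split()
    if len(t) != 10 or t[0] != "rule" or t[5] != "match":
        raise ValueError(f"unexpected rule shape: {line!r}")
    proto = None if t[6] == "any" else PROTO.get(t[6]) or int(t[6])
    # Assumption: the two fields after the protocol are a destination port range.
    ports = None if t[7] == "any" else (int(t[7]), int(t[8]))
    return {"src": ipaddress.ip_network(f"{t[1]}/{t[2]}"),
            "dst": ipaddress.ip_network(f"{t[3]}/{t[4]}"),
            "proto": proto, "ports": ports, "action": t[9]}

def evaluate(rules, src, dst, proto, dport=None):
    """Action of the first rule that matches (assumed first-match), else 'no-match'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in map(parse_rule, rules):
        port_ok = r["ports"] is None or (
            dport is not None and r["ports"][0] <= dport <= r["ports"][1])
        if s in r["src"] and d in r["dst"] and r["proto"] in (None, proto) and port_ok:
            return r["action"]
    return "no-match"

# Rules as posted in reply 4 (GUI form: protocol number 1 is ICMP).
POSTED = [
    "rule 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0 match 1 any any deny",
    "rule 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0 match any any any permit",
]
# Constructed DHCP variant: 192.168.1.10 is a hypothetical authorized server,
# 17 is UDP, 68 is the DHCP client port that server replies are sent to.
DHCP = [
    "rule 192.168.1.10 255.255.255.255 192.168.200.0 255.255.255.0 match 17 68 68 permit",
    "rule 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0 match 17 68 68 deny",
    POSTED[1],
]

if __name__ == "__main__":
    pkt = ("192.168.1.5", "192.168.200.50")
    print("ICMP, posted order:  ", evaluate(POSTED, *pkt, 1))
    print("ICMP, permit first:  ", evaluate(POSTED[::-1], *pkt, 1))
    print("DHCP from server:    ", evaluate(DHCP, "192.168.1.10", pkt[1], 17, 68))
    print("DHCP from other host:", evaluate(DHCP, "192.168.1.99", pkt[1], 17, 68))
    print("DHCP to broadcast:   ", evaluate(DHCP, "192.168.1.99", "255.255.255.255", 17, 68))
```

In this model a reply addressed to 255.255.255.255 matches none of the rules, so its fate depends on the default action; a DHCP rule's destination has to cover the broadcast address as well as the client subnet.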