03-02-2017 05:44 AM - edited 03-12-2019 02:00 AM
Cisco ASA with three usable interfaces:
- Outside
- Phones
- Inside LAN
Our phones use a DHCP server. The DHCP addresses can be found on our Inside LAN computers (DHCP server from Phones is leaking into our Inside LAN computers). How do we stop this behavior? There are DHCP servers on the Phones and Inside LAN networks but we want the DHCP servers to be assigning DHCP addresses to the correct network segment.
Any suggestions?
Thank You
03-02-2017 06:09 AM
There can be three reasons for this behavior:
Hopefully it's 2) which can easily be removed on the ASA if not needed.
03-02-2017 07:54 AM
Ok...
- I opened the running-config in Notepad and searched for DHCP and also Relay but found neither. Could this be found as a different reference? What do I look for?
Thank You
03-02-2017 08:20 AM
Make sure you didn't search case-sensitive. The command to look for is "dhcprelay".
03-02-2017 09:19 AM
I do not see dhcprelay in the running-config or startup-config. Would this mean that it is not the Cisco ASA?
Thank You
03-02-2017 09:56 AM
Yes, then it's not the ASA. How many network-cards does the server have? Perhaps it's connected to all LANs?
03-02-2017 11:44 AM
object-group service DHCP udp
 port-object eq bootpc
 port-object eq bootps
access-list inside_access_in extended deny udp any any object-group DHCP
access-list outside_access_in extended deny udp any any object-group DHCP
access-list phone_access_in extended deny udp any any object-group DHCP
If you don't have a dhcprelay command, make sure the L3 SVIs on your switch don't have an ip helper-address entry.
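
Added example (not part of any post in this thread): a case-insensitive scan of saved ASA and switch configurations for the statements the replies point to, `dhcprelay` on the ASA and `ip helper-address` under switch SVIs, reporting which interface each one sits under. The sample configs are constructed, and matching `dhcpd` (the ASA's built-in DHCP server) is an addition the thread does not mention.

```python
import re

# Constructed sample configs (not from the thread), for illustration only.
ASA_CONFIG = """\
interface GigabitEthernet0/1
 nameif phones
 ip address 10.10.20.1 255.255.255.0
!
DHCPRELAY server 10.10.10.5 inside
dhcprelay enable phones
dhcpd address 10.10.20.100-10.10.20.200 phones
"""

SWITCH_CONFIG = """\
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 ip helper-address 10.10.20.5
!
interface Vlan20
 ip address 10.10.20.2 255.255.255.0
"""

# Statements that make a device relay or answer DHCP across segments.
# dhcprelay / ip helper-address come from the thread; dhcpd is added here.
PATTERNS = re.compile(r"^\s*(dhcprelay|dhcpd|ip helper-address)\b", re.IGNORECASE)
INTERFACE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)


def find_dhcp_statements(config_text):
    """Return (line_no, interface_or_None, statement) for each matching line."""
    findings = []
    current_if = None
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = INTERFACE.match(line)
        if m:
            current_if = m.group(1)
            continue
        if line and not line[0].isspace():
            current_if = None  # unindented line: back at global config level
        if PATTERNS.match(line):
            findings.append((line_no, current_if, line.strip()))
    return findings


if __name__ == "__main__":
    for name, cfg in (("ASA", ASA_CONFIG), ("switch", SWITCH_CONFIG)):
        for line_no, iface, stmt in find_dhcp_statements(cfg):
            print(f"{name} line {line_no} [{iface or 'global'}]: {stmt}")
```

An empty result for both devices means neither is relaying DHCP between the segments, which leaves the DHCP server's own network connections as the next thing to check.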