Hi
I have a WAN interface that needs to obtain an IP address via DHCP from the ISP. The DHCP server IP address may change.
The interface is in a separate VRF on the router from the LAN interface.
I would like some advice on how I should secure this interface.
I was thinking about an ACL like this, applied inbound on the WAN interface:
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
.....
<allow permitted traffic>
.....
permit udp any eq 67 any eq 68 ! for DHCP
deny ip any any log
I would also have uRPF enabled on the WAN interface with an ACL such as this:
permit udp any eq 67 any eq 68
deny ip any any log
What other specific measures could I take to secure the DHCP?
Thanks
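
An added example (not part of the original post): a small first-match evaluator for the posted ACL, run over constructed packets. It assumes, as one possible case, that the ISP's DHCP server or relay answers from an RFC 1918 address, and shows how the position of the DHCP permit relative to the private-range denies decides whether that reply is accepted; `DHCP_FIRST` and all packet values are illustrative.

```python
from ipaddress import IPv4Address

# ACL from the post, in order; the "<allow permitted traffic>" placeholder is omitted.
ACL = [
    "deny ip 127.0.0.0 0.255.255.255 any",
    "deny ip 192.0.2.0 0.0.0.255 any",
    "deny ip 224.0.0.0 31.255.255.255 any",
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "permit udp any eq 67 any eq 68",
    "deny ip any any log",
]
DHCP_FIRST = [ACL[6]] + ACL[:6] + ACL[7:]  # same entries, DHCP permit evaluated first

def parse_ace(line):  # handles only the subset of IOS extended-ACL syntax used in the post
    t = line.split()
    ace, i = {"action": t[0], "proto": t[1]}, 2
    for side in ("src", "dst"):
        if t[i] == "any":
            ace[side], i = (0, 0xFFFFFFFF), i + 1
        else:  # address followed by wildcard mask (1 bits are "don't care")
            ace[side], i = (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2
        ace[side + "_port"] = None
        if i < len(t) and t[i] == "eq":
            ace[side + "_port"], i = int(t[i + 1]), i + 2
    return ace

def side_matches(ace, side, addr, port):
    base, wild = ace[side]
    return not ((int(IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF) and ace[side + "_port"] in (None, port)

def evaluate(acl, pkt):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if (ace["proto"] in ("ip", pkt["proto"])
                and side_matches(ace, "src", pkt["src"], pkt["sport"])
                and side_matches(ace, "dst", pkt["dst"], pkt["dport"])):
            return ace["action"], line
    return "deny", "implicit deny"

# Constructed packets: DHCP replies from a public and an RFC 1918 source, plus a spoofed TCP packet.
OFFER_PUBLIC = {"proto": "udp", "src": "203.0.113.1", "sport": 67, "dst": "255.255.255.255", "dport": 68}
OFFER_PRIVATE = dict(OFFER_PUBLIC, src="10.20.30.1")
SPOOFED_TCP = {"proto": "tcp", "src": "10.20.30.1", "sport": 4444, "dst": "203.0.113.50", "dport": 22}

if __name__ == "__main__":
    for pkt in (OFFER_PUBLIC, OFFER_PRIVATE, SPOOFED_TCP):
        print(pkt["src"], pkt["proto"], evaluate(ACL, pkt), evaluate(DHCP_FIRST, pkt))
```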