WAN Interface with DHCP - How to secure?

serotonin888
Beginner

Hi

I have a wan interface that needs to obtain an IP address via DHCP from the ISP. The DHCP server IP address may change.

The interface is in a separate VRF on the router from the LAN interface.

I would like some advice on how I should secure this interface.

I was thinking about an ACL like this applied inbound on the wan interface.

deny ip 127.0.0.0 0.255.255.255 any

deny ip 192.0.2.0 0.0.0.255 any

deny ip 224.0.0.0 31.255.255.255 any

deny ip 10.0.0.0 0.255.255.255 any

deny ip 172.16.0.0 0.15.255.255 any

deny ip 192.168.0.0 0.0.255.255 any

.....

<allow permitted traffic>

.....

permit udp any eq 67 any eq 68     ! for DHCP

deny ip any any log

I would also have uRPF enabled on the WAN interface with an ACL such as this.

permit udp any eq 67 any eq 68

deny ip any any log

What other specific measures could I take to secure the DHCP?

Thanks

1 Reply 1

p.juarezponte
Beginner

I think that's a good configuration.

If I configure the WAN via SDM I get something like what you have.

access-list 108 deny   ip 10.0.0.0 0.255.255.255 any

access-list 108 deny   ip 172.16.0.0 0.15.255.255 any

access-list 108 deny   ip 192.168.0.0 0.0.255.255 any

access-list 108 deny   ip 127.0.0.0 0.255.255.255 any

access-list 108 deny   ip host 255.255.255.255 any

access-list 108 deny   ip host 0.0.0.0 any

access-list 108 deny   ip any any log

I should add too:

interface fastEthernet0/0

     no cdp enable
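
Added example, not part of either post: Cisco extended ACLs are evaluated top-down and stop at the first matching entry, so in the question's ACL the DHCP permit sits behind the RFC 1918 denies. The Python below models only that first-match evaluation over the entries as posted; the server address 10.20.30.1 and the reordered list `ACL_DHCP_FIRST` are assumptions made for illustration.

```python
import ipaddress

# Inbound ACL from the question, minus the elided "permitted traffic" part.
ACL_AS_POSTED = """\
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit udp any eq 67 any eq 68
deny ip any any log""".splitlines()
# Same entries with the DHCP permit moved ahead of the bogon denies.
ACL_DHCP_FIRST = [ACL_AS_POSTED[6]] + ACL_AS_POSTED[:6] + ACL_AS_POSTED[7:]
# Constructed packet: DHCP reply from a server in RFC 1918 space (assumed).
PRIVATE_DHCP_REPLY = ("udp", "10.20.30.1", 67, 68)

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse(line):
    """Parse the subset of extended-ACL syntax used in the thread."""
    tok = [t for t in line.split() if t != "log"]
    action, proto, rest = tok[0], tok[1], tok[2:]
    if rest[0] == "any":
        src, rest = (0, 0xFFFFFFFF), rest[1:]
    else:
        src, rest = (to_int(rest[0]), to_int(rest[1])), rest[2:]
    sport = None
    if rest[0] == "eq":
        sport, rest = int(rest[1]), rest[2:]
    # Destination is always "any" here; only an optional port follows it.
    dport = int(rest[2]) if rest[1:2] == ["eq"] else None
    return action, proto, src, sport, dport

def first_match(acl, proto, src, sport, dport):
    """Return (action, entry) for the first matching entry (top-down)."""
    s = to_int(src)
    for line in acl:
        action, p, (base, wild), sp, dp = parse(line)
        if p not in ("ip", proto):
            continue
        if (s ^ base) & ~wild & 0xFFFFFFFF:   # differs in a bit the wildcard checks
            continue
        if sp not in (None, sport) or dp not in (None, dport):
            continue
        return action, line
    return "deny", "(implicit deny)"
```

With the permit first, any source sending UDP 67 to 68 matches it, since the entry cannot name a server address that may change.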
