2960S block DHCP

David Kondicz
Level 1

Hi all,

I am trying to block all DHCP packets through a 2960S LAN Base IOS. But when I set an interface as untrusted for DHCP snooping, the source port of the DHCP packet will be err-disabled. Is there any other solution to block any DHCP packet through the switch without an interface or other service outage?

Is it possible to block DHCP packets through a specific VLAN?

Thank you very much !

BR


Dave


6 Replies

Peter Paluch
Cisco Employee

Hi Dave,

DHCP Snooping is not going to put your interfaces into err-disabled state, to the best of my knowledge. DHCP server messages received on untrusted ports will be dropped, but the ports will not be err-disabled. Did you experience a different behavior?

Another option for blocking DHCP is ACLs. You can use IP ACLs placed on switchports in the in direction that will drop all UDP traffic destined to ports 67 or 68. With the newest IOSes, the 2960-S should also support VACLs, or VLAN access maps, that allow you to define a filtering policy for the entire VLAN at once. Please note that VACLs are not (yet) officially supported on the 2960-S, but I've seen the commands and functionality already present on 2960 12.2(58) or 15.x IOSes.

Best regards,

Peter

Thank you Peter,

I have upgraded my switches and tried it by ACL. I blocked all communication on the switch and I can't access the switch by IP.

I added deny any source and any destination eq port udp 67, 68

After that

int range gi 1/0/1-28

ip acc 200

BR

Dave

Hi Dave,

Looks like you have forgotten to have the permit ip any any line as the last line in your ACL. Am I correct?

Sadly, there's no way to recover from this via IP. Two options are possible - either restart the switch, or try configuring a so-called cluster using CDP and access that switch using CDP clustering. Check this link for more information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/15.0_2_se/configuration/guide/swclus.html

Sadly, sometimes it's up to learn from our own faults.

Best regards,

Peter
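Putting Peter's point into a configuration, as an added example that is not from the thread: the ACL that locks you out beside the corrected one. ACL number 2000, the two deny lines and the interface range come from Dave's posts; the remarks and the `reload in` safety net are assumptions.

```cisco
! Added example, not from the thread. Constructed for a 2960-S.
!
! --- Version that locks you out ---
! Every IOS ACL ends with an implicit "deny ip any any". With no explicit
! permit, a port ACL applied inbound also drops SSH/Telnet/SNMP towards the
! management SVI and all user traffic, which is what Dave experienced.
ip access-list extended 2000
 deny   udp any any eq bootps
 deny   udp any any eq bootpc
! (implicit: deny ip any any)
!
! --- Corrected version: drop DHCP, permit everything else ---
! bootps (67) catches traffic to servers/relays, bootpc (68) catches
! server replies to clients; together they cover both directions.
ip access-list extended 2000
 remark Drop DHCP server (67) and client (68) traffic entering access ports
 deny   udp any any eq bootps
 deny   udp any any eq bootpc
 permit ip any any
!
! Safety net when applying remotely (assumption): schedule a reload first,
! cancel it once you have confirmed you can still reach the switch.
reload in 10
!
interface range GigabitEthernet1/0/1 - 28
 ip access-group 2000 in
!
! Verify with "show access-lists 2000": the permit line should show matches
! and management access should still work, then run "reload cancel".
```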

Is that correct Peter?

#show access-lists

Extended IP access list 2000

    10 deny udp any any eq bootps

    20 deny udp any any eq bootpc

    30 permit ip any any (188712 matches)

Thanks

BR

Dave

Hi Dave,

I apologize for the late answer; I was busy at work.

Yes, this ACL looks good. Does it work for you?

Best regards,

Peter

Hello Peter,

It works, thank you very much!

BR

David
