DHCP server at 10.0.0.13 on vlan 10
Clients on vlan 5 must use that DHCP server to get addresses in the 172.16.0.0/21 range.
I've configured an ip helper-address on the SVI of vlan 5 to allow the forwarding of DHCP requests. That works fine, and clients can obtain addresses.
However, I'd like to prohibit ALL other traffic to any 10.0.0.0 address from vlan 5.
Would the following work?
ip access-list extended dhcppermit
 ! DHCP client -> server traffic (UDP source port 68 to destination port 67),
 ! including the broadcast requests that the helper address relays
 permit udp any eq bootpc any eq bootps
 ! everything else from this vlan towards 10.0.0.0/24 is dropped
 deny ip any 10.0.0.0 0.0.0.255
 ! all remaining traffic is allowed
 permit ip any any
!
int vlan 5
 ip address 172.16.0.1 255.255.248.0
 ! relay DHCP broadcasts from this vlan to the server on vlan 10
 ip helper-address 10.0.0.13
 ! filter traffic arriving from vlan 5 clients
 ip access-group dhcppermit in
And if so, is there a way to lock this down even more?
That should do the trick, as long as there are no other services needed on the 10.0.0.x network. I only say this as the DHCP server is often on the same subnet as AD etc. if using Microsoft.
I was able to try this out, and was able to get an IP address with that config.
Two more questions:
Do you know if DHCP ever uses TCP? I thought I read somewhere that a DHCP renew uses TCP unicast to the DHCP server's address, but I can't seem to find that reference now.
I set up Wireshark on the client and noticed a few pings coming back from the DHCP server, checking if the address was in use, before it handed it out. So it would appear that I need to allow ICMP replies back to the server, or that function will never spot duplicate addresses.
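To see exactly what the posted ACL does to each kind of packet leaving vlan 5, and how a tighter version behaves, the following added example (not code from the thread or from Cisco) implements a small first-match evaluator for the subset of IOS extended-ACL syntax used above and runs both ACLs over a handful of constructed packets. The tighter ACL and the sample packets are assumptions made for illustration. Two things it makes visible: the initial DISCOVER is a broadcast to 255.255.255.255 before the helper address relays it, so an entry restricted to `host 10.0.0.13` alone would break address acquisition while a second entry for unicast renewals still needs the server as destination; and the echo replies to the server's pre-offer pings, noted in the post above, are dropped by the posted `deny ip any 10.0.0.0 0.0.0.255` entry unless an `echo-reply` entry precedes it.

```python
"""First-match evaluator for a subset of Cisco IOS extended-ACL syntax.

Added example, not from the thread. Supported entry form:
  permit|deny <proto> <src> [eq <port>] <dst> [eq <port>] [icmp-type]
where an address is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
Every ACL ends with an implicit 'deny ip any any', as on IOS.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "ssh": 22, "www": 80}


@dataclass
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # e.g. "echo" or "echo-reply"


def _addr_spec(tokens):
    """Consume an address spec; return ((base, wildcard), remaining tokens)."""
    kw = tokens[0]
    if kw == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if kw == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.ip_address(kw))
    wildcard = int(ipaddress.ip_address(tokens[1]))
    return (base, wildcard), tokens[2:]


def _port_spec(tokens):
    """Consume an optional 'eq <port>'; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse one access-list entry into a tuple the matcher understands."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _addr_spec(tokens[2:])
    sport, rest = _port_spec(rest)
    dst, rest = _addr_spec(rest)
    dport, rest = _port_spec(rest)
    icmp_type = rest[0] if rest else ""
    return (action, proto, src, sport, dst, dport, icmp_type)


def _addr_match(addr, spec):
    """Cisco wildcard semantics: a set wildcard bit means 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (base & care)


def ace_matches(ace, pkt):
    action, proto, src, sport, dst, dport, icmp_type = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if not _addr_match(pkt.src, src) or not _addr_match(pkt.dst, dst):
        return False
    if sport is not None and sport != pkt.sport:
        return False
    if dport is not None and dport != pkt.dport:
        return False
    if icmp_type and icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for pkt; the first matching entry wins."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"  # implicit deny at the end of every IOS ACL


# The ACL as posted in the thread (applied inbound on interface vlan 5).
ACL_POSTED = [
    "permit udp any eq bootpc any eq bootps",
    "deny ip any 10.0.0.0 0.0.0.255",
    "permit ip any any",
]

# Tighter variant (an assumption for this example, not from the thread):
# broadcast DHCP requests, unicast renewals from the 172.16.0.0/21 range to the
# relay target only, echo replies back to the server, nothing else into 10.0.0.0/24.
ACL_TIGHT = [
    "permit udp any eq bootpc host 255.255.255.255 eq bootps",
    "permit udp 172.16.0.0 0.0.7.255 eq bootpc host 10.0.0.13 eq bootps",
    "permit icmp 172.16.0.0 0.0.7.255 host 10.0.0.13 echo-reply",
    "deny ip any 10.0.0.0 0.0.0.255",
    "permit ip any any",
]

# Constructed sample packets as seen inbound on the vlan 5 SVI.
SAMPLE_PACKETS = {
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dhcp_renew_unicast": Packet("udp", "172.16.0.50", "10.0.0.13", 68, 67),
    "echo_reply_to_server": Packet("icmp", "172.16.0.50", "10.0.0.13", icmp_type="echo-reply"),
    "ping_server": Packet("icmp", "172.16.0.50", "10.0.0.13", icmp_type="echo"),
    "ssh_to_dc": Packet("tcp", "172.16.0.50", "10.0.0.5", 51000, 22),
    "web_elsewhere": Packet("tcp", "172.16.0.50", "192.0.2.10", 51001, 80),
}


def decisions(acl_lines):
    """Map each sample packet name to the ACL's verdict."""
    return {name: evaluate(acl_lines, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("posted", ACL_POSTED), ("tight", ACL_TIGHT)):
        print(label, decisions(acl))
```

Under the posted ACL the echo reply to 10.0.0.13 and the SSH attempt are both denied while web traffic elsewhere is permitted; under the tighter ACL the renewal unicast and the echo reply are permitted, but a client-initiated ping of the server is still dropped because the entry matches only `echo-reply`.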
I've never heard DHCP uses TCP, but DNS can in some occasions.
Normally clients should do a gratuitous ARP request before accepting the IP, and if it is already on another device it will send a DHCP decline to the server. I also think that some servers also use ARP for duplicate address detection (at least Cisco routers do), so it may be working without letting the ICMP replies back. If the server doesn't get the reply it will suppose it can offer the IP, but I don't know if it keeps it up in its table when it receives a decline.
I'll do some searching and let you know.
Don't forget to rate helpful posts.