
blocking dhcp discover process

CSCO11417382
Level 1

Hello friends

 

PCs in 172.16.20.0/24 connected to switch (IP address 172.16.100.6) ------ switch 172.16.100.1 --- switch 172.16.100.149 ----- DHCP server (IP 172.16.0.12) connected

 

I would like to block the DHCP client discover process for the computers connected to switch 172.16.100.6; all other traffic should keep working.

 

---------- means a cable connection

8 Replies

Hello

access-list 100 deny udp any any eq 67

access-list 100 deny udp any any eq 68

access-list 100 permit ip any any

 

Apply the access list to the L3 interface of the subnet on which you wish to deny DHCP:

 

interface x/x

ip access-group 100 in

ip access-group 100 out

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for the reply.

I have applied the access list on the Layer 3 switch where all our inter-VLAN routing starts, and I want to block one specific subnet, but it does not work: computers from the subnet below are still getting IP addresses from the DHCP server. Below is my access list.

access-list 102 deny udp 172.16.60.0 0.0.0.255 any eq bootpc

access-list 102 deny udp 172.16.60.0 0.0.0.255 any eq bootps

access-list 102 permit ip any any

 

Below is my logical diagram:

Computer subnets 172.16.X.X, L2 switch --- L3 switch --- Layer 2 switch ---- where the DHCP server is located

deny udp any any eq 67
deny udp any any eq 68

 

Please mark helpful posts.

There is a significant logical flaw in your access list. 

access-list 102 deny udp 172.16.60.0 0.0.0.255 any eq bootpc

You are trying to block traffic from an IP subnet. But the whole point of the DHCP query is that it comes from a device that does not yet have an IP address, so you will never see a DHCP request with a source address in 172.16.60.x. The suggestions that you need to deny udp any any are correct.

 

HTH

 

Rick

Reading through my response, I realize that part of it was not well written. Rather than saying that the ACL should deny udp any any, I should have either said that the deny should specify any any instead of specifying the source subnet, or I should have been more complete and said deny udp any any eq bootpc or bootps.

 

HTH

 

Rick
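As an added example (not part of this thread, and not a Cisco tool), the following Python evaluator parses the IOS-style extended ACL lines posted above and runs them over a constructed DHCP DISCOVER (source 0.0.0.0:68, destination 255.255.255.255:67) and an ordinary web flow from the same VLAN. It shows concretely why the subnet-scoped access-list 102 lets the DISCOVER through while the any/any form of access-list 100 denies it, and that both still permit normal traffic. The packets are constructed here; the evaluator is a simplification (first match wins, implicit deny at the end, only the keywords used in the thread).

```python
import ipaddress
from dataclasses import dataclass

# IOS port keywords that appear in the thread.
PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp", "tcp", ...
    sport: int
    dport: int


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns ((network_int, care_mask_int), remaining_tokens)."""
    tok = tokens[0]
    if tok == "any":
        return (0, 0), tokens[1:]
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    net = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))   # 0 bits must match
    return (net, 0xFFFFFFFF ^ wildcard), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return PORT_NAMES.get(p, None) if p in PORT_NAMES else int(p), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse 'access-list N {permit|deny} <proto> <src> [eq p] <dst> [eq p]'."""
    t = line.rstrip(".").split()        # tolerate the trailing '.' in the post
    if t[0] == "access-list":
        t = t[2:]                       # drop 'access-list' and the list number
    action, proto, t = t[0], t[1], t[2:]
    src, t = _parse_addr(t)
    sport, t = _parse_port(t)
    dst, t = _parse_addr(t)
    dport, t = _parse_port(t)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def _addr_match(spec, addr):
    net, care = spec
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not _addr_match(ace["src"], pkt.src) or not _addr_match(ace["dst"], pkt.dst):
        return False
    if ace["proto"] != "ip":
        if ace["sport"] is not None and ace["sport"] != pkt.sport:
            return False
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            return False
    return True


def evaluate(acl_lines, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# Constructed packets. A DHCP DISCOVER is sent before the client has a lease,
# so it leaves the host as 0.0.0.0:68 -> 255.255.255.255:67.
DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)
# Ordinary traffic from the same VLAN, which must keep working.
WEB = Packet("172.16.60.10", "172.16.0.12", "tcp", 51000, 80)

ACL_102 = [  # the poster's subnet-scoped list
    "access-list 102 deny udp 172.16.60.0 0.0.0.255 any eq bootpc",
    "access-list 102 deny udp 172.16.60.0 0.0.0.255 any eq bootps",
    "access-list 102 permit ip any any",
]
ACL_100 = [  # the any/any form suggested in the replies
    "access-list 100 deny udp any any eq 67",
    "access-list 100 deny udp any any eq 68",
    "access-list 100 permit ip any any",
]


def compare():
    """Map list name -> (verdict for DISCOVER, verdict for WEB)."""
    return {name: (evaluate(acl, DISCOVER), evaluate(acl, WEB))
            for name, acl in (("102", ACL_102), ("100", ACL_100))}


if __name__ == "__main__":
    for name, (disc, web) in compare().items():
        print(f"ACL {name}: DISCOVER -> {disc}, web traffic -> {web}")
```

Running it prints that ACL 102 permits the DISCOVER (neither deny line can match a 0.0.0.0 source) while ACL 100 denies it, and both permit the web flow. The same evaluator can be pointed at any other constructed packet to check an ACL before applying it to the SVI.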
pieterh
VIP

A simple way to go is to enable DHCP snooping and NOT trust any other link for DHCP.

DHCP discover packets will not be blocked, but the response is not returned, so the discovery will not complete.

Hello 


@pieterh wrote:

A simple way to go is to enable DHCP snooping and NOT trust any other link for DHCP.

DHCP discover packets will not be blocked, but the response is not returned, so the discovery will not complete.


This will not stop a client from receiving DHCP that it isn't supposed to, because you need to trust the same uplink that sources DHCP for the other clients that do require it.

 



Kind Regards
Paul