10-03-2018 11:12 PM - edited 03-08-2019 04:18 PM
Hello friends
PCs 172.16.20.0/24 connected to switch IP address 172.16.100.6 ------ switch 172.16.100.1 --- switch 172.16.100.149 ----- DHCP server IP 172.16.0.12 connected
I would like to block the DHCP client discover process for computers connected to switch 172.16.100.6, and other traffic should work fine.
---------- this means a cable connection
10-04-2018 02:13 AM
Hello
access-list 100 deny udp any any eq 67
access-list 100 deny udp any any eq 68
access-list 100 permit ip any any
Apply the access-list to the L3 interface of the subnet you wish to negate DHCP on:
interface x/x
ip access-group 100 in
ip access-group 100 out
10-04-2018 03:53 AM - edited 10-04-2018 04:02 AM
Thanks for the reply.
I have applied the access list on the Layer 3 switch where all our inter-VLAN routing starts, and I want to block a specific subnet, but it does not work: computers from the subnet below are still getting IP addresses from the DHCP server. Below is my access list.
access-list 102 deny udp 172.16.60.0 0.0.0.255 any eq bootpc
access-list 102 deny udp 172.16.60.0 0.0.0.255 any eq bootps
access-list 102 permit ip any any
Below is my logical diagram:
Computers subnets 172.16.X.X --- L2 switch --- L3 switch --- L2 switch --- DHCP is located
10-04-2018 05:42 AM
deny udp any any eq 67
deny udp any any eq 68
Please mark helpful posts.
10-04-2018 09:33 AM
There is a significant logical flaw in your access list.
access-list 102 deny udp 172.16.60.0 0.0.0.255 any eq bootpc
you are trying to block traffic from an IP subnet. But the purpose of the DHCP query is that it comes from a device that does not yet have an IP address. So you will never see a DHCP request with source 172.16.60. The suggestions that you need to deny udp any any are correct.
HTH
Rick
10-04-2018 09:59 AM
Reading through my response, I realize that part of it was not well written. Rather than saying that the ACL should deny udp any any, I should have either said that the deny should specify any any instead of specifying the source subnet, or I should have been more complete and said deny udp any any eq bootpc or bootps.
HTH
Rick
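As an added illustration of Rick's point (example code written for this thread, not posted by anyone in it): a small Python evaluator for the two ACL forms discussed above, run against a constructed DHCP Discover whose source is 0.0.0.0 because the client has no address yet. The subnet-scoped ACL lets the Discover through and only catches later unicast renewals, while the any-any form denies the Discover itself.

```python
import ipaddress

# IOS port keywords used in the thread -> UDP port numbers
PORT_NAMES = {"bootps": 67, "bootpc": 68}

def _parse_addr(tokens, i):
    """Consume one ACL address spec at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = int(ipaddress.ip_address(tokens[i + 1]))
        return (lambda ip: int(ipaddress.ip_address(ip)) == target), i + 2
    net = int(ipaddress.ip_address(tokens[i]))
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    care = ~wildcard & 0xFFFFFFFF  # Cisco wildcard: 1 bits are "don't care"
    return (lambda ip: ((int(ipaddress.ip_address(ip)) ^ net) & care) == 0), i + 2

def parse_acl(lines):
    """Parse extended numbered ACL lines: 'access-list N action proto src dst [eq port]'."""
    entries = []
    for line in lines:
        t = line.split()
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append((action, proto, src, dst, dport))
    return entries

def evaluate(acl_lines, proto, src, dst, dport):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for action, aproto, smatch, dmatch, aport in parse_acl(acl_lines):
        if aproto not in ("ip", proto) or not (smatch(src) and dmatch(dst)):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"

# ACL as posted in the thread: deny scoped to the 172.16.60.0/24 source subnet
ACL_SUBNET = ["access-list 102 deny udp 172.16.60.0 0.0.0.255 any eq bootpc",
              "access-list 102 deny udp 172.16.60.0 0.0.0.255 any eq bootps",
              "access-list 102 permit ip any any"]
# Corrected form from the replies: deny DHCP ports regardless of source
ACL_ANY = ["access-list 102 deny udp any any eq bootpc",
           "access-list 102 deny udp any any eq bootps",
           "access-list 102 permit ip any any"]

# Constructed sample packets (proto, src, dst, dst port)
DHCP_DISCOVER = ("udp", "0.0.0.0", "255.255.255.255", 67)   # no address yet
DHCP_RENEW = ("udp", "172.16.60.10", "172.16.0.12", 67)     # unicast after a lease
HTTPS = ("tcp", "172.16.60.10", "172.16.0.12", 443)
```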
10-04-2018 02:17 AM
A simple way to go is to enable DHCP snooping and NOT trust any other link for DHCP.
DHCP discover packets will not be blocked, but the response is not returned, so the discovery will not complete.
10-04-2018 11:59 AM
Hello
@pieterh wrote:
A simple way to go is to enable DHCP snooping and NOT trust any other link for DHCP.
DHCP discover packets will not be blocked, but the response is not returned, so the discovery will not complete.
This will not stop a client from receiving DHCP that it isn't supposed to, because you need to trust the same uplink that sources DHCP for the other clients that do require it.