blocking DHCP offer

Pablo Trincado
Level 1

hi guys,

I have the following situation: I need to provide DHCP only for the wireless network; the wired network uses static IP addresses, but the DHCP configured in the AP propagates a concession to the wired network switch.

I need to block DHCP offers on the access ports of the switch.

I cannot create more VLANs, as requested.

Router--> Switch --> AP

Regards


7 Replies

cadet alain
VIP Alumni

Hi,

I suppose you only have one VLAN and the DHCP server broadcasts its offers, which are then propagated to all ports in the VLAN and so eventually to the ports where your wired clients are connected?

Is your switch a Cisco switch and if so which model? If not, is it manageable? You could use an ACL to deny the DHCP server packets (sourced from UDP port 67).

Are your wireless hosts all Windows machines? If so, then you can sniff and verify they are setting the broadcast flag in their DHCP discovers and tweak the registry to set the broadcast flag to off.

Regards.

Alain.

Don't forget to rate helpful posts.

thanks for your answer, I attached a diagram.

I need to block the DHCP concessions over the Ethernet ports on the switch.

Is there a command to block a concession?

Regards

Hi,

On the 2960 you cannot configure RACLs, only PACLs (only applied inbound) or MAC ACLs to filter non-IP traffic, so this won't work on your switch.

Can you try the second option, configuring the broadcast flag to off on the DHCP clients, so the DHCP server offer and request will be unicast and so not flooded on the Ethernet ports going to the router and the static IP wired hosts?

If you can't try this I'll dig further to see if perhaps we could use QoS to drop the DHCP server packets or maybe use a VACL.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

I wonder how I didn't even take this option into account before, but DHCP snooping will do the work for you:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swdhcp82.html#wp1058243

Regards.

Alain.

Don't forget to rate helpful posts.
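One way to configure the DHCP snooping approach Alain points at, written here as an added example that is not part of the original thread and not taken from the Cisco configuration guide. It assumes a Catalyst 2960 running 12.2(55)SE with a single VLAN 1, the router uplink on GigabitEthernet0/1, the AP (which runs its own DHCP server) on GigabitEthernet0/2 and the static-IP wired hosts on the remaining ports; every one of those port assignments is an assumption.

```cisco
! Enable DHCP snooping globally and on the one user VLAN (VLAN 1 is assumed).
ip dhcp snooping
ip dhcp snooping vlan 1
!
! Option 82 insertion is on by default; it is disabled here because nothing in this
! topology relays client packets to a server that understands it (assumption).
no ip dhcp snooping information option
!
! Every port is untrusted by default. The switch discards DHCPOFFER / DHCPACK /
! DHCPNAK arriving on an untrusted port, so offers entering from the AP's port are
! dropped at the switch and never flooded to the wired hosts. The AP keeps serving
! its wireless clients directly, because that traffic never crosses the switch.
interface GigabitEthernet0/1
 description uplink to router - no DHCP server behind it (assumed)
 no ip dhcp snooping trust
!
interface GigabitEthernet0/2
 description AP with local DHCP server (assumed port)
 no ip dhcp snooping trust
!
! Verification:
!   show ip dhcp snooping              - VLAN, option 82 and per-port trust state
!   show ip dhcp snooping statistics   - count of server packets dropped on untrusted ports
```

The important caveat is the trust model: if the router (or anything reachable through it) is the legitimate DHCP server for this VLAN, its port has to be trusted, and then the wired hosts still receive the flooded offers, so snooping only solves this thread's problem when the only DHCP server is the AP.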

Hi Alain

I am not sure how you can block DHCP for certain ports with DHCP snooping; it can help to ignore DHCP offers from untrusted ports to avoid unauthorized DHCP servers while it still allows DHCP requests from clients.

If I understood the question right, the original poster wants to keep DHCP flowing in the switch for some ports, like the AP, while others are not supposed to have DHCP communications.

I would say a port ACL can do it; from your link above, go to the access-list section, where you can block UDP 67 as you stated above.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swacl.html#wp1715437

HTH
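The port ACL Marwan refers to, as an added example that is not from the thread or from the Cisco guide. It assumes the AP's own DHCP server is the only one on the VLAN and that the AP sits on GigabitEthernet0/2 (an assumed port). Because a 2960 applies port ACLs inbound only, the list has to go on the port where the offers enter the switch, not on the wired hosts' ports.

```cisco
! Named extended ACL: drop IPv4 packets sourced from the DHCP server port (UDP 67 /
! bootps) as they enter the switch. DHCPOFFER, DHCPACK and DHCPNAK all match;
! client DISCOVER/REQUEST (UDP 68 -> 67) do not, so they are unaffected.
ip access-list extended DENY-DHCP-SERVER-IN
 remark block DHCP server replies entering from the AP (assumed port Gi0/2)
 deny   udp any eq bootps any
 permit ip any any
!
interface GigabitEthernet0/2
 description AP with local DHCP server (assumed port)
 switchport mode access
 ip access-group DENY-DHCP-SERVER-IN in
!
! Applying the same list on the wired hosts' ports would NOT help: the offers reach
! those ports only on egress, and a 2960 port ACL cannot filter egress traffic.
! Verify the binding:
!   show running-config interface GigabitEthernet0/2
```

To confirm the ACL is actually doing its job, take a packet capture on one of the wired hosts and check that DHCPOFFERs from the AP no longer arrive; on these platforms the hit counters shown by `show access-lists` are not a reliable indicator for hardware-dropped packets. The same caveat as with snooping applies: if the router ever becomes the DHCP server for this VLAN, an inbound ACL on its port would cut off DHCP for every client, which is the point Alain makes in his reply.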

Hi,

I understood the DHCP server was not on the router, as he requested, and he didn't want the broadcasts to get to the wired hosts' ports. So I thought about ACLs, but looking at the config guide they say only port-based ACLs can be configured and that they can only be set ingress. But if the DHCP is on the router it won't help more than DHCP snooping, because the replies will be blocked in both methods and won't get to the clients. If the DHCP is on the AP then both will work indeed; you're right about the ACL, but the client hack to request unicast DHCP replies will do the trick also.

Regards.

Alain.

Don't forget to rate helpful posts.

Marwan ALshawi
VIP Alumni

Ya agree

Sent from Cisco Technical Support iPhone App