Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
17456
Views
0
Helpful
7
Replies

blocking DHCP offer

Go to solution
Pablo Trincado
Level 1
Level 1

‎09-02-2011 11:29 AM - edited ‎03-07-2019 02:01 AM

hi guys,

I have the following situation and need only provide dhcp wireless network, wired network uses static IP addresses, but set in the AP DHCP propagates a concession to the wired network switch.

I need block DHCP offer in the access ports in Switch

I can not create more VLANs, as requested.

Router--> Switch --> AP

Regards

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Pablo Trincado

‎09-02-2011 12:52 PM

Hi,

on 2960 you cannot configure RACLs only PACLs( only applied inbound) or mac ACLs to filter non-IP traffic so this wont work on your switch.

Can you try the second option being configuring broadcast flag to off on dhcp clients so the dhcp server offer and request will be unicast and so not flooded on ethernet ports going to router and static IP wired hosts.

If you can't try this I'll dig further to see if perhaps we could use QoS to drop the dhcp server packets or maybe use a VACL

Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to cadet alain

‎09-04-2011 12:27 AM

Hi,

I wonder how I didn't even take this option into account before but DHCP snooping will do the work for you:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swdhcp82.html#wp1058243

Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

0 Helpful

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni
In response to cadet alain

‎09-04-2011 02:30 AM

Hi Alain

i am not sure how you can block DHCP for certain ports with DHCP snooping can help to ignore DHCP offer from untrusted ports to avoid unauthorized DHCP servers wile it keep access DHCP request from clients

the original poster if i did understand the question right he wants to keep DHCP flow in the Switch for some ports / Like the AP however others not supposed to have DHCP communications

i would say port ACL can do it, from your link above go to access-list section where you can block udp 67 as you stated above

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swacl.html#wp1715437

HTH

View solution in original post

0 Helpful
7 Replies 7

Go to solution
cadet alain
VIP Alumni
VIP Alumni

‎09-02-2011 11:54 AM

Hi,

I suppose you only hve one vlan and the dhcp server broadcasts its offers which are then propagated to all ports in the vlan and so eventually to ports where your wired clients are connected ?

Is your switch a Cisco switch and if so which model? if not is it manageable? You could use an ACL to deny the dhcp server packets(sourced from udp port 67

Are your wireless hosts all Windows machines ? if so then you can sniff and verify they are setting the broadcasg flag in their DHCP discovers

and tweak the registry to set the broadcast flag to off.

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
Pablo Trincado
Level 1
Level 1
In response to cadet alain

‎09-02-2011 12:35 PM

thanks for your answer, I attached a diagram.

I need block the concessions DHCP over ethernet port in the switch.

There is a command to block a concession?

Regards

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Pablo Trincado

‎09-02-2011 12:52 PM

Hi,

on 2960 you cannot configure RACLs only PACLs( only applied inbound) or mac ACLs to filter non-IP traffic so this wont work on your switch.

Can you try the second option being configuring broadcast flag to off on dhcp clients so the dhcp server offer and request will be unicast and so not flooded on ethernet ports going to router and static IP wired hosts.

If you can't try this I'll dig further to see if perhaps we could use QoS to drop the dhcp server packets or maybe use a VACL

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to cadet alain

‎09-04-2011 12:27 AM

Hi,

I wonder how I didn't even take this option into account before but DHCP snooping will do the work for you:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swdhcp82.html#wp1058243

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni
In response to cadet alain

‎09-04-2011 02:30 AM

Hi Alain

i am not sure how you can block DHCP for certain ports with DHCP snooping can help to ignore DHCP offer from untrusted ports to avoid unauthorized DHCP servers wile it keep access DHCP request from clients

the original poster if i did understand the question right he wants to keep DHCP flow in the Switch for some ports / Like the AP however others not supposed to have DHCP communications

i would say port ACL can do it, from your link above go to access-list section where you can block udp 67 as you stated above

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swacl.html#wp1715437

HTH

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Marwan ALshawi

‎09-04-2011 09:46 AM

Hi,

I understood the dhcp server was not on the router as he requested and he didn't want the broadcasts to get in the wired hosts ports.So I thought about ACL but looking at config guide they say only port-based ACL can be configured and that they can only be set ingress.But if the dhcp is on router it won't help more than dhcp snooping because the replies will be blocked in both method and won't get to clients. if the dhcp is on the AP then both will work indeed, you're right about the ACL but the client hack to request unicast dhcp replies will do the trick also.

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni

‎09-04-2011 03:38 PM

Ya agree

Sent from Cisco Technical Support iPhone App

0 Helpful
Customers Also Viewed These Support Documents