09-02-2011 11:29 AM - edited 03-07-2019 02:01 AM
hi guys,
I have the following situation: I need to provide DHCP only to the wireless network; the wired network uses static IP addresses, but the DHCP set up in the AP propagates leases to the wired network switch.
I need to block DHCP offers on the access ports in the switch.
I cannot create more VLANs, as requested.
Router--> Switch --> AP
Regards
09-02-2011 12:52 PM
Hi,
On the 2960 you cannot configure RACLs, only PACLs (applied inbound only) or MAC ACLs to filter non-IP traffic, so this won't work on your switch.
Can you try the second option, configuring the broadcast flag to off on the DHCP clients, so the DHCP server offer and request will be unicast and so not flooded on the Ethernet ports going to the router and the static-IP wired hosts?
If you can't try this, I'll dig further to see if perhaps we could use QoS to drop the DHCP server packets or maybe use a VACL.
Regards.
Alain.
09-04-2011 12:27 AM
Hi,
I wonder how I didn't even take this option into account before, but DHCP snooping will do the work for you:
Regards.
Alain.
09-04-2011 02:30 AM
Hi Alain
I am not sure how you can block DHCP for certain ports with DHCP snooping. DHCP snooping can help to ignore DHCP offers from untrusted ports, to avoid unauthorized DHCP servers, while it keeps accepting DHCP requests from clients.
The original poster, if I understood the question right, wants to keep the DHCP flow in the switch for some ports, like the AP; however, the others are not supposed to have DHCP communications.
I would say a port ACL can do it. From your link above, go to the access-list section, where you can block UDP 67 as you stated above.
HTH
09-02-2011 11:54 AM
Hi,
I suppose you only have one VLAN and the DHCP server broadcasts its offers, which are then propagated to all ports in the VLAN and so eventually to the ports where your wired clients are connected?
Is your switch a Cisco switch, and if so, which model? If not, is it manageable? You could use an ACL to deny the DHCP server packets (sourced from UDP port 67).
Are your wireless hosts all Windows machines? If so, then you can sniff and verify they are setting the broadcast flag in their DHCP discovers
and tweak the registry to set the broadcast flag to off.
Regards.
Alain.
09-02-2011 12:35 PM
Thanks for your answer; I attached a diagram.
I need to block the DHCP leases over the Ethernet ports in the switch.
Is there a command to block a lease?
Regards
09-04-2011 09:46 AM
Hi,
I understood the DHCP server was not on the router, as he requested, and he didn't want the broadcasts to get to the wired hosts' ports. So I thought about ACLs, but looking at the config guide they say only port-based ACLs can be configured and that they can only be set ingress. But if the DHCP is on the router it won't help more than DHCP snooping, because the replies will be blocked in both methods and won't get to the clients. If the DHCP is on the AP then both will work indeed; you're right about the ACL, but the client hack to request unicast DHCP replies will do the trick also.
Regards.
Alain.
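The two switch-side approaches discussed in this thread (DHCP snooping with the AP port left untrusted, and an ingress port ACL on the AP port) written out as an added configuration example; this is not any poster's config. It assumes the DHCP server lives on the AP, that everything sits in VLAN 1, and that the router is on Gi0/1 and the AP on Gi0/2 (interface names and VLAN are placeholders).

```cisco
! Assumed topology (placeholders): router on Gi0/1, AP with the DHCP server on Gi0/2,
! wired static-IP hosts on the remaining access ports, all in VLAN 1.
!
! Option 1: DHCP snooping. Server-to-client DHCP messages (OFFER/ACK) that arrive on
! an untrusted port are dropped, so the AP's leases never reach the wired segment.
ip dhcp snooping
ip dhcp snooping vlan 1
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 description Uplink to router
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 description AP (DHCP server for wireless only)
 ! deliberately NOT trusted: its DHCP offers are dropped at this port
!
! Option 2: port ACL on the AP-facing port. PACLs on the 2960 are ingress-only,
! so the filter must sit where the offers enter the switch, not on the wired hosts' ports.
ip access-list extended BLOCK-DHCP-SERVER-IN
 remark drop DHCP server->client traffic (source UDP 67 / bootps) coming from the AP
 deny   udp any eq bootps any
 permit ip any any
!
interface GigabitEthernet0/2
 ip access-group BLOCK-DHCP-SERVER-IN in
!
! Verification: confirm the trust state per port and watch the deny counter grow
! while a wireless client renews its lease.
! show ip dhcp snooping
! show access-lists BLOCK-DHCP-SERVER-IN
```

Either option alone is enough; both only work when the offers originate behind an untrusted or filtered port, which is why the thread notes that neither helps if the DHCP server is the router on the trusted uplink.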
09-04-2011 03:38 PM
Yeah, agreed.
Sent from Cisco Technical Support iPhone App