How to filter DHCP packets from/to a server?

dps-innsbruck · ‎12-28-2011

Hi,

a power analyzer in my network is sending some packets that are

unexpected and incorrectly recognized as DHCPOFFERS. As a workaround, I would like to filter those packets with my Cisco switch 3750.

Suppose IP_POWER_ANALYZER is the ip address, what could be the best choice

1. deny udp any IP_POWER_ANALYZER eq bootpc

2. deny udp any IP_POWER_ANALYZER eq bootpc; deny udp IP_POWER_ANALYZER any eq bootps

3. deny udp any eq bootpc IP_POWER_ANALYZER eq bootps

4. ?

Are 2. and 3. equivalent?

Thank you

cadet alain · ‎12-28-2011

Hi,

1) deny any udp packet sent to port 68 of the server

2 and 3 are not the same:

2) deny any udp packet sent to port 68 of the server and sent from the server to any on port 67

3) deny any udp packet from port 68 sent to the server on port 67

So:

1) the server won't receive DHCP packets from a server( OFFER,ACK,NACK)

2) the server won't receive any packets from a dhcp server like in 1 but also won't send any DHCP client requests

3)the server won't receive DHCP client requests( DISCOVER,REQUEST)

So I think none of these is what you want but instead:

deny udp IP_POWER_ANALYZER eq bootps any eq bootpc

Regards.

Alain

Don't forget to rate helpful posts.

John Peek · ‎01-26-2012

Have you thought about using DHCP snooping?

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swdhcp82.html#wp1058138

"DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch."