Beginner

How to filter DHCP packets from/to a server?

Hi,

a power analyzer in my network is sending some packets that are unexpected and incorrectly recognized as DHCPOFFERS. As a workaround, I would like to filter those packets with my Cisco switch 3750.

Suppose IP_POWER_ANALYZER is the IP address; what could be the best choice?

1. deny udp any IP_POWER_ANALYZER eq bootpc

2. deny udp any IP_POWER_ANALYZER eq bootpc; deny udp IP_POWER_ANALYZER any eq bootps

3. deny udp any eq bootpc IP_POWER_ANALYZER eq bootps

4. ?

Are 2. and 3. equivalent?

Thank you

2 REPLIES
Advisor

Hi,

1) deny any udp packet sent to port 68 of the server

2 and 3 are not the same:

2) deny any udp packet sent to port 68 of the server and sent from the server to any on port 67

3) deny any udp packet from port 68 sent to the server on port 67

So:

1) the server won't receive DHCP packets from a server (OFFER, ACK, NACK)

2) the server won't receive any packets from a dhcp server like in 1 but also won't send any DHCP client requests

3) the server won't receive DHCP client requests (DISCOVER, REQUEST)

So I think none of these is what you want but instead:

deny udp IP_POWER_ANALYZER eq bootps any eq bootpc

Regards.

Alain

Don't forget to rate helpful posts.
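The matching Alain walks through above, worked out as an added example (not code from this thread or from Cisco): a small Python model of how an IOS extended ACL entry matches the source address, source port, destination address and destination port of a UDP datagram, run over constructed sample DHCP traffic. The analyzer, DHCP server and client addresses are made-up TEST-NET-1 values standing in for IP_POWER_ANALYZER; in real IOS syntax a single address is written with the 'host' keyword, which the entries quoted in the thread omit. The model only asks which datagrams each candidate entry would match, and ignores ACL ordering and the implicit deny at the end of every ACL.

```python
"""Which DHCP datagrams each candidate ACL entry from the thread would deny.

Added illustration, not Cisco code: it reproduces only the field matching of an
IOS 'deny udp <src> [eq port] <dst> [eq port]' entry.  All addresses below are
constructed sample values from the TEST-NET-1 range (192.0.2.0/24).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BOOTPS = 67  # DHCP server port ("eq bootps" in IOS)
BOOTPC = 68  # DHCP client port ("eq bootpc" in IOS)

ANALYZER = "192.0.2.10"   # constructed stand-in for IP_POWER_ANALYZER
REAL_DHCP = "192.0.2.1"   # constructed legitimate DHCP server
CLIENT = "192.0.2.50"     # constructed client that already holds a lease
BCAST = "255.255.255.255"


@dataclass(frozen=True)
class Flow:
    """One UDP datagram as the ACL sees it."""
    name: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One deny entry: 'any' or a single host address, optional 'eq' port."""
    text: str
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        # Every field of the entry that is specified must agree with the datagram.
        return ((self.src == "any" or self.src == f.src)
                and (self.sport is None or self.sport == f.sport)
                and (self.dst == "any" or self.dst == f.dst)
                and (self.dport is None or self.dport == f.dport))


# Constructed sample traffic covering the cases discussed in the thread.
FLOWS: List[Flow] = [
    # the unwanted packets: the analyzer answering clients as if it were a server
    Flow("rogue OFFER from analyzer", ANALYZER, BOOTPS, BCAST, BOOTPC),
    # normal traffic that must keep working
    Flow("client DISCOVER (broadcast)", "0.0.0.0", BOOTPC, BCAST, BOOTPS),
    Flow("OFFER from real server", REAL_DHCP, BOOTPS, BCAST, BOOTPC),
    Flow("client unicast REQUEST to analyzer", CLIENT, BOOTPC, ANALYZER, BOOTPS),
    # the analyzer acting as an ordinary DHCP client of its own
    Flow("analyzer's own DISCOVER", ANALYZER, BOOTPC, BCAST, BOOTPS),
    Flow("OFFER from real server to analyzer", REAL_DHCP, BOOTPS, ANALYZER, BOOTPC),
]

# The candidate entries from the thread (option 2 is two entries).
CANDIDATES: Dict[str, List[Ace]] = {
    "1": [Ace("deny udp any host IP_POWER_ANALYZER eq bootpc",
              dst=ANALYZER, dport=BOOTPC)],
    "2": [Ace("deny udp any host IP_POWER_ANALYZER eq bootpc",
              dst=ANALYZER, dport=BOOTPC),
          Ace("deny udp host IP_POWER_ANALYZER any eq bootps",
              src=ANALYZER, dport=BOOTPS)],
    "3": [Ace("deny udp any eq bootpc host IP_POWER_ANALYZER eq bootps",
              sport=BOOTPC, dst=ANALYZER, dport=BOOTPS)],
    "Alain": [Ace("deny udp host IP_POWER_ANALYZER eq bootps any eq bootpc",
                  src=ANALYZER, sport=BOOTPS, dport=BOOTPC)],
}


def denied_by(aces: List[Ace], flows: Optional[List[Flow]] = None) -> List[str]:
    """Names of the sample flows that at least one entry in `aces` matches."""
    flows = FLOWS if flows is None else flows
    return [f.name for f in flows if any(a.matches(f) for a in aces)]


def evaluate() -> Dict[str, List[str]]:
    """Map each candidate option to the sample flows it would deny."""
    return {opt: denied_by(aces) for opt, aces in CANDIDATES.items()}


if __name__ == "__main__":
    for opt, names in evaluate().items():
        print(f"option {opt}: denies {names or 'nothing'}")
```

Running it shows that only Alain's entry denies the analyzer's OFFER while leaving the broadcast DISCOVER and the real server's OFFER untouched; options 1 and 2 only affect the analyzer when it acts as a DHCP client, and option 3 only drops client requests addressed to the analyzer.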
Beginner

Have you thought about using DHCP snooping?

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swdhcp82.html#wp1058138

"DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch."
