12-28-2011 02:23 AM - edited 03-07-2019 04:04 AM
Hi,
A power analyzer in my network is sending some packets that are unexpected and incorrectly recognized as DHCPOFFERs. As a workaround, I would like to filter those packets with my Cisco 3750 switch.
Suppose IP_POWER_ANALYZER is the IP address; which would be the best choice?
1. deny udp any IP_POWER_ANALYZER eq bootpc
2. deny udp any IP_POWER_ANALYZER eq bootpc; deny udp IP_POWER_ANALYZER any eq bootps
3. deny udp any eq bootpc IP_POWER_ANALYZER eq bootps
4. ?
Are 2. and 3. equivalent?
Thank you
12-28-2011 03:53 AM
Hi,
1) deny any UDP packet sent to port 68 of the server.
2 and 3 are not the same:
2) deny any UDP packet sent to port 68 of the server, and any UDP packet sent from the server to any host on port 67.
3) deny any UDP packet from port 68 sent to the server on port 67.
So:
1) the server won't receive DHCP packets from a server (OFFER, ACK, NACK).
2) the server won't receive any packets from a DHCP server, like in 1, but also won't send any DHCP client requests.
3) the server won't receive DHCP client requests (DISCOVER, REQUEST).
So I think none of these is what you want; instead:
deny udp IP_POWER_ANALYZER eq bootps any eq bootpc
Regards.
Alain
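An added configuration example (not from the original thread, and not Cisco's documentation) showing Alain's entry placed in a named extended ACL and applied on the 3750. The address 192.0.2.10, the ACL name BLOCK-ANALYZER-DHCP and the interface GigabitEthernet1/0/5 are assumed placeholders for IP_POWER_ANALYZER and the port it is plugged into:

```cisco
! Assumed placeholders: 192.0.2.10 stands for IP_POWER_ANALYZER and
! Gi1/0/5 is the access port the analyzer is connected to.
ip access-list extended BLOCK-ANALYZER-DHCP
 remark Drop what the analyzer sends in the server-to-client direction
 remark source port 67 (bootps) to any host on port 68 (bootpc)
 deny udp host 192.0.2.10 eq bootps any eq bootpc
 remark Every IOS ACL ends with an implicit deny; keep the rest flowing
 permit ip any any
!
! Port ACLs on the 3750 are inbound only, so the list goes on the port
! where the packets enter the switch: the analyzer's own port.
interface GigabitEthernet1/0/5
 ip access-group BLOCK-ANALYZER-DHCP in
!
! Check the result
show ip access-lists BLOCK-ANALYZER-DHCP
show running-config interface GigabitEthernet1/0/5
```

The entry is scoped to the analyzer as source with source port 67, so the analyzer's own DHCP client traffic (port 68 to port 67), if it has any, is still allowed, which is why option 2 in the question would be too broad. The port match only works if the stray packets really carry source port 67; confirm that with a capture first, and if they do not, `deny udp host 192.0.2.10 any eq bootpc` still blocks them by destination port while staying limited to the analyzer.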
01-26-2012 07:09 PM
Have you thought about using DHCP snooping?
"DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch."
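An added configuration example (not from the original thread, and not Cisco's documentation) of the DHCP snooping setup the quote describes. VLAN 10, the uplink GigabitEthernet1/0/48 toward the real DHCP server, and the analyzer port GigabitEthernet1/0/5 are assumed placeholders:

```cisco
! Assumed: clients and the analyzer are in VLAN 10; the legitimate DHCP
! server is reached through the uplink Gi1/0/48. All ports are untrusted
! until marked trusted.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Only the uplink toward the real DHCP server is trusted. DHCP server
! messages (OFFER, ACK, NAK) arriving on any untrusted port, including
! the analyzer's, are dropped whatever their source IP, so no per-host
! ACL is needed for this case.
interface GigabitEthernet1/0/48
 ip dhcp snooping trust
!
! Optional: cap DHCP packets per second on the analyzer port; exceeding
! the limit puts the port into err-disabled state.
interface GigabitEthernet1/0/5
 ip dhcp snooping limit rate 15
!
! The switch inserts option 82 by default; disable that if the DHCP
! server is not configured to accept relay-agent information.
no ip dhcp snooping information option
!
! Check the result
show ip dhcp snooping
show ip dhcp snooping binding
```

Compared with the ACL, snooping blocks server-role DHCP messages from every untrusted port rather than from one known address, and the binding table it builds can later feed Dynamic ARP Inspection and IP Source Guard. Enable it during a maintenance window: if the uplink to the real server is left untrusted, legitimate offers are dropped too and clients stop getting leases.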