I work in an engineering-focused company and several of our products do DHCP. Problem is, absent-minded engineers keep plugging these devices and virtual machines into the corporate network, creating a headache for our tech support team.
General layout is:
Server vlan (contains corporate DHCP server at 172.16.5.50)
PXE vlan (contains corporate PXE boot server for imaging at 172.16.55.50)
Switch config is pretty basic for this stuff right now:
configure bootprelay add 172.16.5.50 vr VR-Default
configure bootprelay add 172.16.55.50 vr VR-Default
enable bootprelay ipv4 vlan OFC
enable bootprelay ipv4 vlan ENG
enable bootprelay ipv4 vlan SVR
enable bootprelay ipv4 vlan MFG
enable bootprelay ipv4 vlan SUP
enable bootprelay ipv4 vlan PXE
The only DHCP servers we want to be able to answer live on the server vlan for normal boring DHCP and the PXE boot server that lives in the PXE vlan.
Is it possible to build an ACL that will block DHCP replies from anything but the bootprelay configured servers?
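One way to express the filter the question asks for, written here as an added example and not taken from the post or from any vendor documentation: the `configure bootprelay ... vr VR-Default` syntax above is ExtremeXOS, so the example assumes an ExtremeXOS switch and uses its policy-file ACL format. The policy name `block-rogue-dhcp`, the counter name, and the choice of VLANs are assumptions; the two server addresses are the ones given in the question. DHCP server replies (OFFER/ACK) are UDP datagrams with source port 67, so the ACL permits that traffic only when it originates from the two relay-configured servers and drops it from any other source, counting the drops so tech support can see which VLAN a rogue server appeared on.

```exos
# /usr/local/cfg/block-rogue-dhcp.pol  (file name is an assumption)
#
# Corporate DHCP server on the server VLAN (from the question).
entry permit-corp-dhcp {
    if {
        protocol udp;
        source-address 172.16.5.50/32;
        source-port 67;
    } then {
        permit;
    }
}

# PXE boot server on the PXE VLAN (from the question).
entry permit-pxe-dhcp {
    if {
        protocol udp;
        source-address 172.16.55.50/32;
        source-port 67;
    } then {
        permit;
    }
}

# Any other host answering as a DHCP server: drop and count it.
entry deny-rogue-dhcp {
    if {
        protocol udp;
        source-port 67;
    } then {
        deny;
        count rogue-dhcp-hits;
    }
}

# Bind the policy on ingress to the client-facing VLANs from the
# bootprelay list (CLI commands, not part of the policy file):
#
#   configure access-list block-rogue-dhcp vlan OFC ingress
#   configure access-list block-rogue-dhcp vlan ENG ingress
#   configure access-list block-rogue-dhcp vlan MFG ingress
#   configure access-list block-rogue-dhcp vlan SUP ingress
#   show access-list counters  (watch rogue-dhcp-hits climb when a device is plugged in)
```

Two caveats worth checking before relying on this. First, an ingress ACL only sees packets entering the switch on the VLAN it is bound to, so the legitimate replies, which enter on the SVR and PXE VLANs and are then relayed, are unaffected even if you do not bind the policy there; binding it to SVR and PXE as well is harmless because the two permit entries match first. Second, ExtremeXOS also has a purpose-built feature for exactly this problem, DHCP snooping with trusted ports (`enable ip-security dhcp-snooping vlan <name> ports <ports> violation-action drop-packet` together with `configure trusted-ports <ports> trust-for dhcp-server`), which tracks server traffic per port rather than per source address and so also catches a rogue server that spoofs one of the legitimate addresses; the ACL above does not. Verify the exact syntax against the release notes for your switch's firmware, since option names vary between EXOS versions.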