ACL to block DHCP/Bootp/PXEBoot from all but certain servers?

  • 30 March 2016
  • 7 replies

Userlevel 2
I work in an engineering focused company and several of our products do DHCP. Problem is, absent minded engineers keep plugging these devices and virtual machines into the corporate network, creating a headache for our tech support team.

General layout is:
Office vlan
Manufacturing vlan
Engineering vlan
Server vlan (contains corporate DHCP server at
Support vlan
PXE vlan (contains corporate PXE boot server for imaging at

Switch config is pretty basic for this stuff right now:

configure bootprelay add vr VR-Default
configure bootprelay add vr VR-Default
enable bootprelay ipv4 vlan OFC
enable bootprelay ipv4 vlan ENG
enable bootprelay ipv4 vlan SVR
enable bootprelay ipv4 vlan MFG
enable bootprelay ipv4 vlan SUP
enable bootprelay ipv4 vlan PXE

The only DHCP servers we want to be able to answer live on the server vlan for normal boring DHCP and the PXE boot server that lives in the PXE vlan.

Is it possible to build an ACL that will block DHCP replies from anything but the bootprelay configured servers?

7 replies

Hey don't use ACLs for this use DHCP snooping it what it was designed for:

Userlevel 2
The documentation is a little thin, but what I'm gathering is that I would enable DHCP snooping on the office, mfg, engineering and support vlans and that would block rogue dhcp servers but allow the clients to still request addresses and image from the PXE server?
Userlevel 4
The Documentation is quite straightforward;

Configuring DHCP Snooping By default DHCP snooping is disabled on the switch. To enable DHCP snooping on the switch, use the following command:

enable ip-security dhcp-snooping vlan ports [all | ] violationaction [drop-packet {[block-mac | block-port] [duration | permanently] | none]}] {snmp-trap}

The violation action setting determines what action(s) the switch takes when a rogue DHCP server packet is seen on an untrusted port or the IP address of the originating server is not among those of the configured trusted DHCP servers. The DHCP server packets are DHCP OFFER, ACK and NAK. The following list describes the violation actions:

    block-mac—The switch automatically generates an ACL to block the MAC address on that port. The switch does not blackhole that MAC address in the FDB. The switch can either temporarily or permanently block the MAC address. block-port—The switch blocks all traffic on that port by disabling the port either temporarily or permanently. none—The switch takes no action to drop the rogue DHCP packet or block the port, and so on. In this case, DHCP snooping continues to build and manage the DHCP bindings database and DHCP forwarding will continue in hardware as before.
Any violation that occurs causes the switch to generate an Event Management System (EMS) log message.

Configure Trusted DHCP Server To configure a trusted DHCP server on the switch, use the following command:

configure trusted-servers vlan add server [i] trust-for dhcpserver

You can configure a maximum of eight trusted DHCP servers on the switch.

If you configure one or more trusted ports, the switch assumes that all DHCP server packets on the trusted port are valid.

Configuring Trusted DHCP Ports

Before you configure trusted ports, you must enable DHCP snooping on the switch. To enable DHCP snooping, use the following command:

enable ip-security dhcp-snooping vlan ports [all | ] violationaction [drop-packet {[block-mac | block-port] [duration | permanently] | none]}] {snmp-trap}

Trusted ports do not block traffic; rather, the switch forwards any DHCP server packets that appear on trusted ports. Depending on your DHCP snooping configuration, the switch drops packets and can disable the port temporarily, disable the port permanently, blackhole the MAC address temporarily, blackhole the MAC address permanently, and so on.

To enable trusted ports on the switch, use the following command:

configure trusted-ports [|all] trust-for dhcp-server

Userlevel 2
We have 3 edge stacks, all dhcp is handled by a DHCP server attached to our core 8810s.

For example, on edge stack IDF01 for vlan ENG, the configuration would look like this:

configure trusted-servers vlan ENG add server trust-for dhcpserver
enable ip-security dhcp-snooping vlan ENG ports all violation action drop-packet

Does that look correct?
Userlevel 6
also have it send you an alarm... that way it will do a snmp trap and you can track down rogue dhcp server... We also do this on edge access ports that are pulling from a trusted dhcp server and we go one step further on the edge we have the switch disable the port along with throwing a trap... makes it near impossible for a rogue to come in and makes it super easy to track down the guilty party 🙂

Userlevel 2
I like that idea EtherMAN, going to add an snmp-trap and set the port to disable.

We already disable ports via ELRP when engineers make loops so they have to enter a ticket to get them turned back on 😛
Userlevel 2
you could just block port 4011 (which should be the port used for pxe boot) via ACL on the vlans you dont want PXE boot