https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82538#M9522 <P>Your source and destination ports look good, this is traffic from a dhcp server back to the client. So creating a rule like this is straight forward - the trick is to apply it on traffic FROM any client, and not the other way.</P><UL><LI>Classic: From-Access</LI><LI>NG: Outbound Traffic</LI></UL><P>&nbsp;</P><P>On NG it should look like this:</P><P><span class="lia-inline-image-display-wrapper" image-alt="7054be361cbe40a888455b5579cb2484_0690c000006V0iXAAS.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/5892i5B863D8C66FBD9D1/image-size/large?v=v2&amp;px=999" role="button" title="7054be361cbe40a888455b5579cb2484_0690c000006V0iXAAS.png" alt="7054be361cbe40a888455b5579cb2484_0690c000006V0iXAAS.png" /></span></P><P>&nbsp;</P><P>I still highly recommend to test this first.</P><P>&nbsp;</P><P>Hope this helps.</P> Tue, 24 Apr 2018 16:27:00 GMT AnonymousM 2018-04-24T16:27:00Z https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82535#M9519 <P>Looking to block DHCP Offers from connected clients.</P><P>From: Any (client)</P><P>To: Any</P><P>Source port: 67</P><P>Destination Port: 68</P><P>Protocol : UDP</P><P>Action: Block</P><P>Everything else: Permit</P><P>&nbsp;</P><P>Can i have some guidance on how to set this up, so I don't also block DHCP Offers from our DHCP Server?</P><P>Thanks</P> Fri, 20 Apr 2018 16:04:41 GMT https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82535#M9519 george_margarit 2018-04-20T16:04:41Z https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82536#M9520 <P>My thought is block interstation traffic between wireless clients or using provided example allow DHCP requests to authorized DHCP servers and block all other DHCP traffic while permitting everything else.</P> Fri, 20 Apr 2018 19:34:51 GMT https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82536#M9520 sderikonja1 2018-04-20T19:34:51Z https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82537#M9521 <P>Enable DHCP snooping on your switches. You mark trusted ports where DHCP is allowed, such as routers, uplinks, trunk ports, and DHCP server location. The configuration varies from vendor to vendor.</P> Fri, 20 Apr 2018 21:16:05 GMT https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82537#M9521 jose_gonzalez 2018-04-20T21:16:05Z https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82538#M9522 <P>Your source and destination ports look good, this is traffic from a dhcp server back to the client. So creating a rule like this is straight forward - the trick is to apply it on traffic FROM any client, and not the other way.</P><UL><LI>Classic: From-Access</LI><LI>NG: Outbound Traffic</LI></UL><P>&nbsp;</P><P>On NG it should look like this:</P><P><span class="lia-inline-image-display-wrapper" image-alt="7054be361cbe40a888455b5579cb2484_0690c000006V0iXAAS.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/5892i5B863D8C66FBD9D1/image-size/large?v=v2&amp;px=999" role="button" title="7054be361cbe40a888455b5579cb2484_0690c000006V0iXAAS.png" alt="7054be361cbe40a888455b5579cb2484_0690c000006V0iXAAS.png" /></span></P><P>&nbsp;</P><P>I still highly recommend to test this first.</P><P>&nbsp;</P><P>Hope this helps.</P> Tue, 24 Apr 2018 16:27:00 GMT https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82538#M9522 AnonymousM 2018-04-24T16:27:00Z https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82539#M9523 <P>Thanks Carsten.</P><P>It's only been a week using Aerohive and navigating through the GUI is still a tricky.</P><P>&nbsp;</P><P>I have created that exact policy on your screenshot, but was finding tricky to make sure where to 'apply' this and the User Profiles (IP Firewall -&gt; From-access) is the answer here. </P><P>&nbsp;</P><P>As a follow up, do we have an option to similarly block IPv6 Router-Advertisements?</P><P>It's not on the list of network services (under that name at least).</P><P>&nbsp;</P> Tue, 24 Apr 2018 17:34:05 GMT https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82539#M9523 george_margarit 2018-04-24T17:34:05Z https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82540#M9524 <P>Ah, that ICMPv6 / Multicast, which is a bit tricky with Aerohive... I suggest to open a new thread explicitly for this topic. Hopefully someone else will jump on it <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 24 Apr 2018 17:57:28 GMT https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82540#M9524 AnonymousM 2018-04-24T17:57:28Z https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82541#M9525 <P>Cool, thanks.</P> Tue, 24 Apr 2018 18:12:50 GMT https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82541#M9525 george_margarit 2018-04-24T18:12:50Z https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82542#M9526 <P>Hi all,</P><P>&nbsp;</P><P>Have you tried running a rogue DHCP server?</P><P>&nbsp;</P><P>In the feature branch of HiveOS, you should observe enabled by default:</P><P>&nbsp;</P><P>forwarding-engine dhcp-shield enable</P><P>&nbsp;</P><P>forwarding-engine arp-shield enable</P><P>&nbsp;</P><P>These have to be switched off by supplemental CLI if they are not wanted.</P><P>&nbsp;</P><P>Cheers,</P><P>&nbsp;</P><P>Nick</P> Wed, 25 Apr 2018 16:30:54 GMT https://community.extremenetworks.com/t5/aerohive-migrated-content/how-to-block-rogue-dhcp-servers-on-the-connected-clients/m-p/82542#M9526 nlowe 2018-04-25T16:30:54Z