04-20-2018 09:04 AM
Looking to block DHCP Offers from connected clients.
From: Any (client)
To: Any
Source port: 67
Destination Port: 68
Protocol: UDP
Action: Block
Everything else: Permit
Can I have some guidance on how to set this up, so I don't also block DHCP Offers from our DHCP Server?
Thanks
04-24-2018 09:27 AM
Your source and destination ports look good; this is traffic from a DHCP server back to the client. So creating a rule like this is straightforward - the trick is to apply it on traffic FROM any client, and not the other way.
On NG it should look like this:
I still highly recommend testing this first.
Hope this helps.
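Added example, not part of the original reply and not Aerohive code: a small Python model of a direction-aware firewall policy, showing why the UDP 67 -> 68 deny rule has to sit on client-originated traffic. The direction label "to-access", the first-match evaluation order and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str  # "from-access": sent by a client; "to-access": sent to a client
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    proto: str
    sport: Optional[int]  # None means "any port"
    dport: Optional[int]
    action: str

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))

def evaluate(policy: dict, pkt: Packet) -> str:
    """First matching rule in the packet's direction wins; everything else is permitted."""
    for rule in policy.get(pkt.direction, []):
        if rule.matches(pkt):
            return rule.action
    return "permit"

# The rule from the question: UDP, source port 67, destination port 68, block.
BLOCK_SERVER_REPLIES = Rule("udp", 67, 68, "deny")

CORRECT = {"from-access": [BLOCK_SERVER_REPLIES]}   # applied to traffic FROM clients
MISAPPLIED = {"to-access": [BLOCK_SERVER_REPLIES]}  # applied the other way round

# Constructed sample traffic.
SAMPLES = {
    "rogue_offer": Packet("from-access", "udp", 67, 68),      # a client answering as a DHCP server
    "client_discover": Packet("from-access", "udp", 68, 67),  # normal client request
    "server_offer": Packet("to-access", "udp", 67, 68),       # reply from the real DHCP server
}

def verdicts(policy: dict) -> dict:
    """Return the action taken for each constructed sample packet."""
    return {name: evaluate(policy, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print("correct   :", verdicts(CORRECT))
    print("misapplied:", verdicts(MISAPPLIED))
```

With the rule on the wrong direction, the rogue offer passes and the real server's offer is dropped, which is the outage the question wanted to avoid.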
04-25-2018 09:30 AM
Hi all,
Have you tried running a rogue DHCP server?
In the feature branch of HiveOS, you should observe enabled by default:
forwarding-engine dhcp-shield enable
forwarding-engine arp-shield enable
These have to be switched off by supplemental CLI if they are not wanted.
Cheers,
Nick
04-24-2018 11:12 AM
Cool, thanks.
04-24-2018 10:57 AM
Ah, that ICMPv6 / Multicast, which is a bit tricky with Aerohive... I suggest opening a new thread explicitly for this topic. Hopefully someone else will jump on it 😉
04-24-2018 10:34 AM
Thanks Carsten.
It's only been a week using Aerohive and navigating through the GUI is still tricky.
I have created that exact policy from your screenshot, but was finding it tricky to make sure where to 'apply' this, and the User Profiles (IP Firewall -> From-access) is the answer here.
As a follow up, do we have an option to similarly block IPv6 Router-Advertisements?
It's not on the list of network services (under that name at least).