ACL to block DHCP/Bootp/PXEBoot from all but certain servers?

Ron_Prague
New Contributor II
I work in an engineering-focused company and several of our products do DHCP. Problem is, absent-minded engineers keep plugging these devices and virtual machines into the corporate network, creating a headache for our tech support team.

General layout is:
Office vlan
Manufacturing vlan
Engineering vlan
Server vlan (contains corporate DHCP server at 172.16.5.50)
Support vlan
PXE vlan (contains corporate PXE boot server for imaging at 172.16.55.50)

Switch config is pretty basic for this stuff right now:

configure bootprelay add 172.16.5.50 vr VR-Default
configure bootprelay add 172.16.55.50 vr VR-Default
enable bootprelay ipv4 vlan OFC
enable bootprelay ipv4 vlan ENG
enable bootprelay ipv4 vlan SVR
enable bootprelay ipv4 vlan MFG
enable bootprelay ipv4 vlan SUP
enable bootprelay ipv4 vlan PXE

The only DHCP servers we want to be able to answer live on the server vlan for normal boring DHCP and the PXE boot server that lives in the PXE vlan.

Is it possible to build an ACL that will block DHCP replies from anything but the bootprelay configured servers?

7 REPLIES

Johannes_Dennin
New Contributor
You could just block port 4011 (which should be the port used for PXE boot) via ACL on the VLANs you don't want PXE boot on.
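
Here is what that ACL approach looks like as a complete EXOS policy file for the access ports of an edge stack. This is an added example for this thread, not config from any of the posts. It drops anything arriving on an access port that looks like a DHCP server reply (UDP source port 67) or like a PXE/ProxyDHCP boot server (UDP source port 4011). The policy name, the counter names and the idea that the ACL is bound to access ports only are assumptions.

```text
# dhcp_guard.pol  (EXOS ACL policy file; example added for this thread)
# Entries are evaluated top-down, first match wins.

# Anything on an access port answering as a DHCP server uses UDP source
# port 67. Legitimate offers never enter the stack through an access port
# (they come in on the uplink from the core relay), so nothing needs to be
# permitted ahead of this entry.
entry deny_rogue_dhcp_reply {
    if match all {
        protocol udp;
        source-port 67;
    } then {
        deny;
        count rogue_dhcp_replies;
    }
}

# PXE / ProxyDHCP boot-server traffic, the port Johannes points at.
# Matching on the source port catches a rogue boot server on an access
# port without touching a client's own requests towards port 4011.
entry deny_rogue_pxe_reply {
    if match all {
        protocol udp;
        source-port 4011;
    } then {
        deny;
        count rogue_pxe_replies;
    }
}
```

Copy the file to /usr/local/cfg on the stack, run check policy dhcp_guard, then bind it with configure access-list dhcp_guard ports 1:1-1:46 ingress (1:1-1:46 is a placeholder for the access ports; keep the uplinks out of the list). Hits show up under show access-list counter. Binding to the whole VLAN instead would also catch the real offers: bootprelay on the core forwards them onto ENG with the core's relay interface as IP source rather than 172.16.5.50, so a VLAN-wide policy keyed on server addresses would drop them, and a rogue that spoofs a trusted server address would slip past one. Keying on the port avoids both problems. Blocking 4011 alone only stops the PXE leg; the products that run a DHCP server answer on 67, which is why the policy covers both.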

Ron_Prague
New Contributor II
I like that idea, EtherMAN; going to add an SNMP trap and set the port to disable.

We already disable ports via ELRP when engineers make loops, so they have to enter a ticket to get them turned back on.

EtherMAN
Contributor III
Also have it send you an alarm; that way it will do an SNMP trap and you can track down the rogue DHCP server. We also do this on edge access ports that are pulling from a trusted DHCP server, and we go one step further: on the edge we have the switch disable the port along with throwing a trap. Makes it near impossible for a rogue to come in and makes it super easy to track down the guilty party.

Ron_Prague
New Contributor II
We have 3 edge stacks; all DHCP is handled by a DHCP server attached to our core 8810s.

For example, on edge stack IDF01 for vlan ENG, the configuration would look like this:

configure trusted-servers vlan ENG add server 172.16.5.50 trust-for dhcp-server
enable ip-security dhcp-snooping vlan ENG ports all violation-action drop-packet

Does that look correct?
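
Ron's two lines, carried through to the full ENG setup the thread converges on: both bootprelay servers trusted, the uplinks trusted as ports, the offending port disabled on a violation and a trap raised, as EtherMAN suggests. This is an added example for this thread, not configuration from the original posts; the uplink ports 1:47-1:48 and the use of trusted-ports are assumptions about the stack.

```text
# Edge stack IDF01, VLAN ENG. Example added for this thread, not the
# poster's config. 1:47-1:48 are assumed to be the uplinks to the 8810s.

# The only two hosts allowed to answer as DHCP servers on ENG are the
# ones bootprelay already points at.
configure trusted-servers vlan ENG add server 172.16.5.50 trust-for dhcp-server
configure trusted-servers vlan ENG add server 172.16.55.50 trust-for dhcp-server

# Relayed offers enter the stack through the uplinks, with the core's
# relay address as IP source, so trust those ports; snooping then only
# scrutinises what the access ports send.
configure trusted-ports 1:47-1:48 trust-for dhcp-server

# Drop the rogue offer, take the port down until someone clears it, and
# raise an SNMP trap so support knows which port to chase.
enable ip-security dhcp-snooping vlan ENG ports all violation-action drop-packet block-port permanently snmp-trap

# Verification and hunting the rogue
show trusted-servers vlan ENG
show ip-security dhcp-snooping vlan ENG
show ip-security dhcp-snooping violations vlan ENG
show ip-security dhcp-snooping entries vlan ENG
```

With block-port permanently the port stays disabled until an administrator re-enables it, which fits the ticket workflow already used for ELRP-disabled ports. The violations view lists the port and the address of the server that answered, so the guilty device can be found without a packet capture. Repeat the same four lines per VLAN (OFC, MFG, SUP) on each edge stack.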