ACL to block DHCP/Bootp/PXEBoot from all but certain servers?
‎03-29-2016 10:50 PM
I work in an engineering-focused company and several of our products do DHCP. Problem is, absent-minded engineers keep plugging these devices and virtual machines into the corporate network, creating a headache for our tech support team.
General layout is:
Office vlan
Manufacturing vlan
Engineering vlan
Server vlan (contains corporate DHCP server at 172.16.5.50)
Support vlan
PXE vlan (contains corporate PXE boot server for imaging at 172.16.55.50)
Switch config is pretty basic for this stuff right now:
configure bootprelay add 172.16.5.50 vr VR-Default
configure bootprelay add 172.16.55.50 vr VR-Default
enable bootprelay ipv4 vlan OFC
enable bootprelay ipv4 vlan ENG
enable bootprelay ipv4 vlan SVR
enable bootprelay ipv4 vlan MFG
enable bootprelay ipv4 vlan SUP
enable bootprelay ipv4 vlan PXE
The only DHCP servers we want to be able to answer live on the server vlan for normal boring DHCP and the PXE boot server that lives in the PXE vlan.
Is it possible to build an ACL that will block DHCP replies from anything but the bootprelay configured servers?
7 REPLIES
‎03-30-2016 03:11 AM
The documentation is quite straightforward:
Configuring DHCP Snooping
By default DHCP snooping is disabled on the switch. To enable DHCP snooping on the switch, use the following command:
enable ip-security dhcp-snooping vlan <vlan_name> ports [all | <port_list>] violation-action [drop-packet {[block-mac | block-port] [duration <duration_in_seconds> | permanently] | none]}] {snmp-trap}
The violation action setting determines what action(s) the switch takes when a rogue DHCP server packet is seen on an untrusted port or the IP address of the originating server is not among those of the configured trusted DHCP servers. The DHCP server packets are DHCP OFFER, ACK and NAK. The following list describes the violation actions:
- block-mac—The switch automatically generates an ACL to block the MAC address on that port. The switch does not blackhole that MAC address in the FDB. The switch can either temporarily or permanently block the MAC address.
- block-port—The switch blocks all traffic on that port by disabling the port either temporarily or permanently.
- none—The switch takes no action to drop the rogue DHCP packet or block the port, and so on. In this case, DHCP snooping continues to build and manage the DHCP bindings database and DHCP forwarding will continue in hardware as before.
Configure Trusted DHCP Server
To configure a trusted DHCP server on the switch, use the following command:
configure trusted-servers vlan <vlan_name> add server <ip_address> trust-for dhcp-server
You can configure a maximum of eight trusted DHCP servers on the switch.
If you configure one or more trusted ports, the switch assumes that all DHCP server packets on the trusted port are valid.
Configuring Trusted DHCP Ports
Before you configure trusted ports, you must enable DHCP snooping on the switch. To enable DHCP snooping, use the following command:
enable ip-security dhcp-snooping vlan <vlan_name> ports [all | <port_list>] violation-action [drop-packet {[block-mac | block-port] [duration <duration_in_seconds> | permanently] | none]}] {snmp-trap}
Trusted ports do not block traffic; rather, the switch forwards any DHCP server packets that appear on trusted ports. Depending on your DHCP snooping configuration, the switch drops packets and can disable the port temporarily, disable the port permanently, blackhole the MAC address temporarily, blackhole the MAC address permanently, and so on.
To enable trusted ports on the switch, use the following command:
configure trusted-ports [<port_list> | all] trust-for dhcp-server
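Putting the documentation quoted above together for the topology in the original post, as an added example (not code from the thread or from the EXOS documentation): snooping goes on the four client VLANs only, the two bootprelay targets are the only trusted server addresses, and the uplinks are trusted ports so relayed replies from the SVR and PXE VLANs are not dropped. The port numbers (1-44 access, 49-50 uplinks) and the 300-second block duration are assumptions for a single 48-port switch; adjust them to the real wiring.

```text
# Assumed layout: ports 1-44 face users/engineers, ports 49-50 are uplinks or ISLs.
# Snoop the client VLANs. Rogue OFFER/ACK/NAK packets are dropped, the offending
# MAC (not the whole port) is blocked for 5 minutes, and an SNMP trap is raised so
# tech support can find the engineer instead of the engineer finding tech support.
enable ip-security dhcp-snooping vlan OFC ports 1-44 violation-action drop-packet block-mac duration 300 snmp-trap
enable ip-security dhcp-snooping vlan MFG ports 1-44 violation-action drop-packet block-mac duration 300 snmp-trap
enable ip-security dhcp-snooping vlan ENG ports 1-44 violation-action drop-packet block-mac duration 300 snmp-trap
enable ip-security dhcp-snooping vlan SUP ports 1-44 violation-action drop-packet block-mac duration 300 snmp-trap

# Only the two bootprelay targets may answer clients (limit is eight trusted servers per switch).
configure trusted-servers vlan OFC add server 172.16.5.50  trust-for dhcp-server
configure trusted-servers vlan OFC add server 172.16.55.50 trust-for dhcp-server
configure trusted-servers vlan MFG add server 172.16.5.50  trust-for dhcp-server
configure trusted-servers vlan MFG add server 172.16.55.50 trust-for dhcp-server
configure trusted-servers vlan ENG add server 172.16.5.50  trust-for dhcp-server
configure trusted-servers vlan ENG add server 172.16.55.50 trust-for dhcp-server
configure trusted-servers vlan SUP add server 172.16.5.50  trust-for dhcp-server
configure trusted-servers vlan SUP add server 172.16.55.50 trust-for dhcp-server

# Uplinks carry the relayed replies from the SVR and PXE VLANs; trust them.
# Any server packet arriving on a trusted port is forwarded without inspection,
# so do NOT include user-facing ports here.
configure trusted-ports 49-50 trust-for dhcp-server

# Checks: confirm snooping is enabled with the intended ports and action,
# then look at the violation and binding tables after a test client has booted.
show ip-security dhcp-snooping vlan OFC
show ip-security dhcp-snooping violations vlan OFC
show ip-security dhcp-snooping entries vlan OFC
```

Two caveats worth keeping in mind. First, block-port would shut the port the engineer plugged into, which turns one support ticket into two; block-mac with a duration only silences the rogue server's MAC and clears itself. Second, the SVR and PXE VLANs are deliberately left un-snooped here because the legitimate servers live on them; if those servers hang directly off the same switch, their ports must also be trusted ports, otherwise their OFFER/ACK/NAK packets would be treated as violations.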
‎03-30-2016 01:21 AM
The documentation is a little thin, but what I'm gathering is that I would enable DHCP snooping on the office, mfg, engineering and support vlans and that would block rogue dhcp servers but allow the clients to still request addresses and image from the PXE server?
‎03-30-2016 12:58 AM
Hey, don't use ACLs for this; use DHCP snooping, it's what it was designed for:
http://documentation.extremenetworks.com/exos_commands/EXOS_All/EXOS_Commands_All/r_enable-ipsecurit...
http://documentation.extremenetworks.com/exos_commands/EXOS_All/EXOS_Commands_All/r_enable-ipsecurit...
