10-04-2007 02:28 AM - edited 03-05-2019 06:52 PM
Hello All,
I need to make sure that on one trunk port all DHCP requests/responses will not pass. In the documentation for the 3750 they say that an extended IP ACL can be assigned to an L2 port as an input ACL; if the port is a trunk then traffic for all VLANs will be filtered. To prove it I created the following IP extended ACL:
permit udp any eq bootps any
permit ip any any
and I assigned it as ip access-group ACL on L2 trunk port.
However, I cannot see any match, and also the permit ip any any hits are far away from the incoming packets counter on that interface. Am I missing something?
Thanks and Regards,
Daniel
10-04-2007 02:39 AM
Daniel,
I suspect that the counters are not reliable because most of the processing is being done in the ASIC. I know, for example, that if you put a service policy on an interface and do a show policy-map interface, the counters are rubbish.
I don't know how you would get round this. Perhaps do a service policy with a drop on DHCP class, and then use the QoS accounting tools to view the counters.
Kevin Dorrell
Luxembourg
10-04-2007 02:44 AM
Hello,
Thanks, but I do not really care about the counters; I just need confirmation that assigning an IP ACL to an L2 trunk interface with the right deny (deny udp any bootps any bootpc) will filter DHCP responses from a server on that port.
D.
11-02-2007 02:40 PM
I've had success blocking NetBIOS like this on Catalyst 2940, 2960, and 3560 switches.
Another option specific to DHCP might be to turn on DHCP snooping and make the specific port untrusted (thus allowing DHCP requests to come from the port, but not DHCP assignments). Hopefully I'm understanding your scenario correctly.
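Putting the two approaches from this thread into configuration, as an added example that is not from any of the posters; the interface names, the ACL name and the VLAN list are assumptions:

```text
! Added example (not from the thread): DHCP filtering on a Catalyst 3750 trunk
! port, written against Daniel's scenario. Interface names, ACL name and VLAN
! list are assumptions.
!
! Option 1: port ACL on the L2 trunk. A port ACL is applied inbound only and,
! on a trunk, is evaluated for every VLAN carried on it. Daniel's original ACL
! used only "permit" lines, which at best count; the deny below is what drops
! server replies (UDP 67 -> 68) arriving from the port.
ip access-list extended NO-DHCP-SERVER
 remark drop DHCP offers/acks sourced from behind this trunk
 deny   udp any eq bootps any eq bootpc
 permit ip any any
!
interface GigabitEthernet1/0/24
 description uplink that must not hand out addresses
 switchport mode trunk
 ip access-group NO-DHCP-SERVER in
!
! Caveat: the 3750 applies port ACLs in hardware and does not count those
! matches in "show access-lists", so an empty hit counter does not mean the
! ACL is idle. Verify with a test client behind the port instead.
!
! Option 2: DHCP snooping, as the last reply suggests. Ports are untrusted by
! default, so client DISCOVER/REQUEST messages from the port are forwarded
! while OFFER/ACK messages from a server on that port are dropped. Trust only
! the port that faces the legitimate DHCP server.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Snooping inserts option 82 by default; disable it if the real server or
! relay rejects client packets that carry it.
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/24
 no ip dhcp snooping trust
!
interface GigabitEthernet1/0/1
 description port toward the legitimate DHCP server
 ip dhcp snooping trust
!
! Check: "show ip dhcp snooping" lists the snooped VLANs and trusted ports;
! "show ip dhcp snooping binding" shows leases learned from legitimate replies.
```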