Stop DHCP traffic from passing across interfaces

Unanswered Question

I'm having an issue with DHCP traffic passing across my Cisco ASA 5510 interfaces.

Example of setup:

Company 1, connected to interface 1, has its own DHCP server.

Company 2, connected to interface 2, has its own DHCP server.

Some users are getting their IP address from the other company's DHCP server. The 2 companies should pass traffic to each other, but not DHCP.

Is there any way to stop DHCP traffic from crossing interfaces?

Collin Clark Wed, 04/30/2008 - 14:26

Firewalls usually have to permit DHCP traffic explicitly. The specification of the DHCP client-server protocol describes several cases when packets must have the source address of 0x00000000 or the destination address of 0xffffffff. Anti-spoofing policy rules and tight inclusive firewalls often stop such packets. Multi-homed DHCP servers require special consideration and further complicate configuration.

To allow DHCP, network administrators need to allow several types of packets through the server-side firewall. All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side firewall should allow the following types of packets:

* Incoming packets from or dhcp-pool to dhcp-ip

* Incoming packets from any address to

* Outgoing packets from dhcp-ip to dhcp-pool or

where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients.

An example in an ASA would be similar to the following.

For blocking client:

access-list TEST extended deny udp any any eq bootpc

For blocking server:

access-list TEST extended deny udp any any eq bootps

Hope that helps.
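Added example (not part of Collin's reply or any Cisco tool): a small Python model of how the ASA evaluates the two deny lines above against DHCP packets. It parses the page's ACL syntax, classifies packets by the UDP 67/68 port pair described earlier, and applies first-match-wins with the ASA's implicit deny. The trailing "permit ip any any" line and the sample packets are constructed for the demonstration.

```python
from collections import namedtuple

# Port keywords accepted after 'eq'; bootps/bootpc are the two used on this page.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}
Packet = namedtuple("Packet", "src dst proto sport dport")  # src 0.0.0.0 / dst 255.255.255.255 on DHCP broadcasts

def parse_acl(lines):
    """Parse the subset of ASA extended-ACL syntax used on this page:
    access-list NAME extended {permit|deny} PROTO any any [eq PORT]."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[5:7] != ["any", "any"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        dport = None
        if len(t) >= 9 and t[7] == "eq":
            dport = PORT_NAMES.get(t[8]) or int(t[8])  # keyword or numeric port
        rules.append((t[3], t[4], dport))             # (action, protocol, dest port)
    return rules

def acl_permits(rules, pkt):
    """Evaluate like the ASA: first matching entry wins, implicit deny at the end."""
    for action, proto, dport in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False

def is_dhcp(pkt):
    """DHCP as characterised above: UDP between client port 68 and server port 67."""
    return pkt.proto == "udp" and {pkt.sport, pkt.dport} == {67, 68}

# Constructed ACL: the page's two deny lines plus an assumed permit so other traffic passes.
ACL = [
    "access-list TEST extended deny udp any any eq bootps",
    "access-list TEST extended deny udp any any eq bootpc",
    "access-list TEST extended permit ip any any",
]
# Constructed packets: a DHCPDISCOVER, a DHCPOFFER, and an ordinary DNS query.
SAMPLES = [
    Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    Packet("10.1.0.1", "255.255.255.255", "udp", 67, 68),
    Packet("10.1.0.50", "10.2.0.5", "udp", 40000, 53),
]

def evaluate(acl_lines=ACL, packets=SAMPLES):
    """Return (is_dhcp, permitted) per packet; every DHCP packet should be (True, False)."""
    rules = parse_acl(acl_lines)
    return [(is_dhcp(p), acl_permits(rules, p)) for p in packets]
```

Both DHCP samples come out as (True, False) while the DNS query is permitted, which is the behaviour wanted on each interface: inter-company traffic passes, DHCP does not.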
