Stop DHCP traffic from passing across interfaces

I'm having an issue with dhcp traffic passing across my cisco ASA 5510 interfaces.


Example of setup

Company 1 connected to interface 1 has its own dhcp server


Company 2 connected to interface 2 has its own dhcp server.


Some users are getting their IP address from the other company's DHCP server. The 2 companies should pass traffic to each other but not DHCP.


Is there any way to stop DHCP traffic from crossing interfaces?


Shane

Collin Clark Wed, 04/30/2008 - 14:26

Firewalls usually have to permit DHCP traffic explicitly. The specification of the DHCP client-server protocol describes several cases in which packets must have the source address 0.0.0.0 (0x00000000) or the destination address 255.255.255.255 (0xffffffff). Anti-spoofing policy rules and tight inclusive firewalls often stop such packets. Multi-homed DHCP servers require special consideration and further complicate configuration.


To allow DHCP, network administrators need to allow several types of packets through the server-side firewall. All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side firewall should allow the following types of packets:


* Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip

* Incoming packets from any address to 255.255.255.255

* Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255


where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients.


An example on an ASA would be similar to the following.


For blocking client:

access-list TEST extended deny udp any any eq bootpc


For blocking server:

access-list TEST extended deny udp any any eq bootps


Hope that helps.
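A fuller ASA configuration for the scenario in the question, added here as an example and not part of the original answer. It denies DHCP in both directions (bootps, port 67, for client-to-server; bootpc, port 68, for server-to-client) on the access list of each company-facing interface, then permits everything else so the two companies can still reach each other. The interface names company1 and company2 and the access-list names are assumptions; in a real deployment the two deny lines would be merged into whatever access list is already applied to those interfaces rather than replacing it with a blanket permit.

```cisco
! Added example (not from the original post). Interface names
! "company1" and "company2" and the ACL names are assumptions.
!
! DHCP rides on UDP: clients send to bootps (67), servers reply to
! bootpc (68). Deny both so neither a request nor a reply crosses.
access-list COMPANY1_IN extended deny udp any any eq bootps
access-list COMPANY1_IN extended deny udp any any eq bootpc
! Everything else between the companies stays open (assumption: no
! existing policy on this interface; otherwise merge the deny lines
! into the ACL that is already applied).
access-list COMPANY1_IN extended permit ip any any
!
access-list COMPANY2_IN extended deny udp any any eq bootps
access-list COMPANY2_IN extended deny udp any any eq bootpc
access-list COMPANY2_IN extended permit ip any any
!
! Apply inbound on each interface so DHCP from either side is dropped
! as it enters the ASA.
access-group COMPANY1_IN in interface company1
access-group COMPANY2_IN in interface company2
!
! Verification: after a client on either side tries to renew or
! discover, the hit counts on the deny entries should increase.
show access-list COMPANY1_IN
show access-list COMPANY2_IN
```

Two checks worth making before relying on the access lists. First, the ASA does not forward limited broadcasts (255.255.255.255) between interfaces on its own, so broadcast DHCP discovery only crosses if DHCP relay is configured; `show running-config dhcprelay` shows whether `dhcprelay server` or `dhcprelay enable` is set for either interface, and removing that is the direct fix if it is. Second, if clients are still obtaining leases from the wrong server after both changes, the two companies most likely share a Layer 2 segment somewhere that bypasses the ASA, and no firewall rule will help until that is separated.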
