Stop DHCP traffic from passing across interfaces

sbohannan
Level 1

I'm having an issue with DHCP traffic passing across my Cisco ASA 5510 interfaces.

Example of setup:

Company 1, connected to interface 1, has its own DHCP server.

Company 2, connected to interface 2, has its own DHCP server.

Some users are getting their IP address from the other company's DHCP server. The 2 companies should pass traffic to each other, but not DHCP.

Is there any way to stop DHCP traffic from crossing interfaces?

Shane

1 Reply

Collin Clark
VIP Alumni

usually have to permit DHCP traffic explicitly. Specification of the DHCP client-server protocol describes several cases when packets must have the source address of 0x00000000 or the destination address of 0xffffffff. Anti-spoofing policy rules and tight inclusive firewalls often stop such packets. Multi-homed DHCP servers require special consideration and further complicate configuration.

To allow DHCP, network administrators need to allow several types of packets through the server-side firewall. All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side firewall should allow the following types of packets:

* Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip

* Incoming packets from any address to 255.255.255.255

* Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255

where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients.

An example on an ASA would be similar to the following.

For blocking the client:

access-list TEST extended deny udp any any eq bootpc

For blocking the server:

access-list TEST extended deny udp any any eq bootps

Hope that helps.
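As an added illustration (not from the thread or from Cisco): the Python below models the reply's rules, first-match ASA extended ACL evaluation over a constructed subset of the ACE syntax used above, plus the client/server port classification, so the two deny lines can be checked against sample DHCP and non-DHCP packets. The packet dicts, the ACE grammar subset and the closing permit line are assumptions for this example.

```python
import re
# DHCP port keywords as the ASA accepts them in an ACE: bootps = server (67), bootpc = client (68)
PORT_NAMES = {"bootps": 67, "bootpc": 68}
# Constructed subset of the ASA extended ACE syntax seen in the reply (not Cisco's parser):
#   access-list NAME extended {permit|deny} {ip|udp|tcp} SRC DST [eq PORT]   SRC/DST: any | one IPv4
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(ip|udp|tcp)"
                    r"\s+(\S+)\s+(\S+)(?:\s+eq\s+(\S+))?$")
def port_number(token):
    """Resolve a numeric port or one of the ASA keywords above."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES[token]  # KeyError for keywords outside this subset
def parse_ace(line):
    """Parse one ACE into a dict; raises ValueError for syntax outside the subset."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    name, action, proto, src, dst, port = m.groups()
    return {"name": name, "action": action, "proto": proto, "src": src,
            "dst": dst, "dport": None if port is None else port_number(port)}

def ace_matches(ace, pkt):
    """An ACE matches when every field it constrains agrees with the packet."""
    return ((ace["proto"] == "ip" or ace["proto"] == pkt["proto"])
            and ace["src"] in ("any", pkt["src"])
            and ace["dst"] in ("any", pkt["dst"])
            and (ace["dport"] is None or ace["dport"] == pkt["dport"]))

def evaluate(acl, pkt):
    """First matching ACE decides; an ASA ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

def dhcp_role(pkt):
    """Client 68->67, server 67->68, UDP only, as the reply's port rule states."""
    roles = {(68, 67): "client", (67, 68): "server"}
    return roles.get((pkt["sport"], pkt["dport"])) if pkt["proto"] == "udp" else None

# Constructed sample packets: a DHCPDISCOVER, a DHCPOFFER and ordinary web traffic
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "sport": 68, "dport": 67}
OFFER = {"proto": "udp", "src": "10.1.1.1", "dst": "255.255.255.255", "sport": 67, "dport": 68}
WEB = {"proto": "tcp", "src": "10.1.1.50", "dst": "10.2.2.80", "sport": 51000, "dport": 80}
# The two deny ACEs from the reply, followed by an explicit permit for everything else
ACL = [parse_ace(l) for l in (
    "access-list TEST extended deny udp any any eq bootpc",
    "access-list TEST extended deny udp any any eq bootps",
    "access-list TEST extended permit ip any any",
)]
```

Evaluating `DISCOVER` and `OFFER` against `ACL` shows which of the two deny lines each direction of the exchange hits, while `WEB` falls through to the permit.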