IOS Bridging Config & DHCP ACL/MAC Filtering

peskettc
Level 1

I have a configuration question regarding Bridging in IOS and would welcome feedback on how I can approach this.

Scenario:

Two Ethernet interfaces on 1 physical router, both in the same bridge group and bridging is enabled.

We then have two physical segments, i.e. e1 and e2

We have a windows workstation and dhcp server on e1 segment

The workstation will broadcast for the DHCP server, and the server will respond as normal.

Goal:

To deny all DHCP packets/frames from entering the e2 segment, by denying through a MAC or ACL filter.

Question:

Is it possible to deny broadcast packets when bridging is enabled?

And if so:

Would you use an extended IP ACL or a MAC filter?

(Would IOS allow this as it seems to me to break bridging logic?).

Thanks in advance,

Craig.

I.e.

Packet DHCPDISCOVER

Client IP Address 0.0.0.0

Server IP Address 0.0.0.0

GI Address 0.0.0.0

Packet Source MAC Address 0005.DCC9.C640

Packet Source IP Address 0.0.0.0

Client UDP Source Port 68

Packet Destination MAC Address ffff.ffff.ffff (broadcast)

Packet Destination IP Address 255.255.255.255

Client UDP Dest Port 67

1 Reply

rsissons
Level 5

I am not clear from your question whether you are bridging or routing your IP traffic.

If you are routing it, the default, then the MAC level filter will not apply and you will need to use an extended IP filter. However, by default, broadcast traffic, i.e. dest address 255.255.255.255, is not forwarded anyway. You have to explicitly configure the router to do this, 'ip forward-protocol' etc.

If you are bridging the IP traffic, 'no ip routing' global command specified, and NOT recommended, then you would need to use a MAC level filter since IP access lists no longer apply.
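The point the reply makes (an extended IP ACL can match the UDP ports of the DHCP exchange, while a bridge-level MAC filter sees only Ethernet addresses) can be made concrete with a small model. The following Python is an added example, not code from this thread or from Cisco IOS: it builds the DHCPDISCOVER frame from the field values listed in the question, builds a second ordinary UDP frame from the same client (server MAC and IP addresses are constructed sample values), and runs both through two deliberately simplified filter models. The `mac_address_filter` and `extended_ip_acl` functions are assumptions about what each filter type can match on, not a reimplementation of IOS behaviour.

```python
import struct

# Constructed sample traffic; the client MAC, IPs and ports come from the question's packet listing.
CLIENT_MAC = "0005.dcc9.c640"
BROADCAST_MAC = "ffff.ffff.ffff"


def mac_bytes(dotted):
    """Convert IOS dotted-hex notation ('0005.dcc9.c640') to raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b"\x01" * 16):
    """Build a minimal Ethernet II / IPv4 / UDP frame (checksums left zero, dummy payload)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + udp


# The DHCPDISCOVER from the question: 0.0.0.0:68 -> 255.255.255.255:67, broadcast destination MAC.
DHCP_DISCOVER = build_udp_frame(CLIENT_MAC, BROADCAST_MAC, "0.0.0.0", "255.255.255.255", 68, 67)
# A constructed unicast DNS query from the same workstation (server MAC/IPs are sample values).
DNS_QUERY = build_udp_frame(CLIENT_MAC, "0005.dcc9.0001", "192.0.2.10", "192.0.2.53", 40000, 53)


def parse_frame(frame):
    """Extract the header fields that a MAC filter or an extended IP ACL could match on."""
    info = {"dst_mac": frame[0:6].hex(), "src_mac": frame[6:12].hex(),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] == 0x0800:                       # IPv4
        ihl = (frame[14] & 0x0F) * 4
        info["proto"] = frame[23]                         # IP protocol number
        info["src_ip"] = ".".join(str(b) for b in frame[26:30])
        info["dst_ip"] = ".".join(str(b) for b in frame[30:34])
        if info["proto"] == 17:                           # UDP
            off = 14 + ihl
            info["sport"], info["dport"] = struct.unpack("!HH", frame[off:off + 4])
    return info


# Simplified filter models (assumptions, not IOS code).
def mac_address_filter(frame, denied_src_macs):
    """Bridge-level address list: decisions use only the source MAC, never IP/UDP fields."""
    denied = {mac_bytes(m).hex() for m in denied_src_macs}
    return "deny" if parse_frame(frame)["src_mac"] in denied else "permit"


def extended_ip_acl(frame, entries):
    """Entries are (action, ip_proto, sport, dport); None matches anything; implicit deny at the end."""
    info = parse_frame(frame)
    if info["ethertype"] != 0x0800:
        return "not-ip"                                   # non-IP frames are outside an IP ACL's scope
    for action, proto, sport, dport in entries:
        if proto is not None and proto != info.get("proto"):
            continue
        if sport is not None and sport != info.get("sport"):
            continue
        if dport is not None and dport != info.get("dport"):
            continue
        return action
    return "deny"


# Drop client->server DHCP (UDP bootpc 68 -> bootps 67), permit everything else.
DHCP_BLOCK_ACL = [("deny", 17, 68, 67), ("permit", None, None, None)]


def demo():
    """Compare the two filter types on the two sample frames."""
    return {
        "acl_dhcp": extended_ip_acl(DHCP_DISCOVER, DHCP_BLOCK_ACL),   # selectively dropped
        "acl_dns": extended_ip_acl(DNS_QUERY, DHCP_BLOCK_ACL),        # still permitted
        "mac_dhcp": mac_address_filter(DHCP_DISCOVER, [CLIENT_MAC]),  # dropped ...
        "mac_dns": mac_address_filter(DNS_QUERY, [CLIENT_MAC]),       # ... along with all other traffic
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The result shows the trade-off behind the reply: the port-aware ACL drops only the DHCPDISCOVER and leaves the workstation's other traffic alone, whereas a filter that can only see MAC addresses has to deny the whole host (or every broadcast frame) to achieve the same goal, which is why routing with an extended IP ACL is the more precise tool when it is available.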