
Stop DHCP traffic from passing across interfaces

I'm having an issue with DHCP traffic passing across my Cisco ASA 5510 interfaces.

Example of setup

Company 1, connected to interface 1, has its own DHCP server.

Company 2, connected to interface 2, has its own DHCP server.

Some users are getting their IP address from the other company's DHCP server. The two companies should pass traffic to each other, but not DHCP.

Is there any way to stop DHCP traffic from crossing interfaces?

Shane

1 REPLY

Re: Stop DHCP traffic from passing across interfaces

usually have to permit DHCP traffic explicitly. Specification of the DHCP client-server protocol describes several cases when packets must have the source address of 0x00000000 or the destination address of 0xffffffff. Anti-spoofing policy rules and tight inclusive firewalls often stop such packets. Multi-homed DHCP servers require special consideration and further complicate configuration.

To allow DHCP, network administrators need to allow several types of packets through the server-side firewall. All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side firewall should allow the following types of packets:

* Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip

* Incoming packets from any address to 255.255.255.255

* Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255

where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients.

An example on an ASA would be similar to the following.

For blocking client:

access-list TEST extended deny udp any any eq bootpc

For blocking server:

access-list TEST extended deny udp any any eq bootps

Hope that helps.

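The following is an added example, not code from the thread or from Cisco: a small Python evaluator for the subset of ASA extended ACL syntax used in the reply, run over a few constructed DHCP and non-DHCP packets. It shows what each of the two deny lines actually matches (on an ASA, an `eq` operator placed after the destination address matches the destination port, so `eq bootpc` catches server-to-client packets to UDP 68 and `eq bootps` catches client-to-server packets to UDP 67), and why the deny lines have to sit above the `permit ip any any` that lets ordinary inter-company traffic through. The ACL name TEST comes from the reply; the addresses, interface roles and the `permit ip any any` line are assumptions made for the illustration.

```python
"""
Added example (not from the thread or from Cisco): first-match evaluation
of ASA-style extended ACL lines against constructed packets, to show how
the "deny udp any any eq bootpc" / "eq bootps" lines block DHCP while a
later "permit ip any any" still passes normal traffic. All addresses are
documentation ranges chosen for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords the ASA accepts in ACLs; only the two DHCP ones are needed here.
PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp" or "ip"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "udp", "tcp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl_line(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' (subset)."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2] != "extended":
        raise ValueError(f"unsupported ACL line: {line}")
    name, action, proto = t[1], t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        # An operator after the destination address matches the destination port.
        p = t[i + 1]
        dport = PORT_NAMES.get(p) or int(p)
    return name, Rule(action, proto, src, dst, dport)


def build_acl(lines):
    """Turn ACL lines into an ordered rule list (order is the match order)."""
    return [parse_acl_line(line)[1] for line in lines]


def evaluate(rules, pkt):
    """First match wins, as on the ASA; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"


# The two deny lines from the reply, followed by an assumed catch-all permit
# so that non-DHCP traffic between the two companies still passes.
ACL_LINES = [
    "access-list TEST extended deny udp any any eq bootpc",   # to UDP 68: server -> client
    "access-list TEST extended deny udp any any eq bootps",   # to UDP 67: client -> server
    "access-list TEST extended permit ip any any",
]

# Constructed sample packets (documentation address ranges, not real hosts).
SAMPLE_PACKETS = {
    "discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),       # client broadcast
    "offer": Packet("udp", "192.0.2.10", "255.255.255.255", 67, 68),       # server reply
    "unicast_renew": Packet("udp", "198.51.100.20", "192.0.2.10", 68, 67), # client renewal
    "https": Packet("tcp", "198.51.100.20", "192.0.2.80", 51000, 443),     # ordinary traffic
}


def decisions(lines=ACL_LINES):
    """Evaluate every sample packet against the ACL; returns name -> action."""
    rules = build_acl(lines)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name:14s} {action}")
    # With the permit placed first, the deny lines are never reached.
    print("reversed order, discover:", decisions(ACL_LINES[::-1])["discover"])
```

Running it shows all three DHCP packets denied and the HTTPS flow permitted; reversing the line order makes the DHCP discover pass, which is the usual mistake when these deny entries are appended to an ACL that already ends in a broad permit.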