Cisco Support Community
Community Member

WAN Interface with DHCP - How to secure?

Hi

I have a wan interface that needs to obtain an IP address via DHCP from the ISP. The DHCP server IP address may change.

The interface is in a separate VRF on the router from the LAN interface.

I would like some advice on how I should secure this interface.

I was thinking about an ACL like this applied inbound on the wan interface.

deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
.....
<allow permitted traffic>
.....
permit udp any eq 67 any eq 68     ! for DHCP
deny ip any any log

I would also have uRPF enabled on the WAN interface with an ACL such as this.

permit udp any eq 67 any eq 68
deny ip any any log

What other specific measures could I take to secure the DHCP?

Thanks

1 REPLY
Community Member

I think that's a good configuration.

If I configure the WAN via SDM I get something like what you have.

access-list 108 deny   ip 10.0.0.0 0.255.255.255 any
access-list 108 deny   ip 172.16.0.0 0.15.255.255 any
access-list 108 deny   ip 192.168.0.0 0.0.255.255 any
access-list 108 deny   ip 127.0.0.0 0.255.255.255 any
access-list 108 deny   ip host 255.255.255.255 any
access-list 108 deny   ip host 0.0.0.0 any
access-list 108 deny   ip any any log

I should add too:

interface fastEthernet0/0
 no cdp enable
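
An added check, not part of either post: a small Python model of first-match ACL evaluation, run over the entries from the question. It shows that if the ISP's DHCP server answers from an RFC 1918 address (an assumption; 10.20.30.1 and 198.51.100.1 are constructed values), the private-range deny matches before the DHCP permit, while putting the DHCP permit first lets the reply through. `DHCP_FIRST`, `offer` and the other names are hypothetical.

```python
import ipaddress

_ip = lambda s: int(ipaddress.IPv4Address(s))
def _take_addr(tok):
    # Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard mask).
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    return (_ip(tok.pop(0)), 0) if first == "host" else (_ip(first), _ip(tok.pop(0)))

def _take_port(tok):
    if tok[:1] != ["eq"]:          # port match is optional
        return None
    del tok[0]
    return int(tok.pop(0))

def parse_ace(line):
    text = " ".join(line.split("!")[0].split())   # drop trailing '! comment'
    tok = text.split()
    ace = {"text": text, "action": tok.pop(0), "proto": tok.pop(0)}
    ace["src"], ace["sport"] = _take_addr(tok), _take_port(tok)
    ace["dst"], ace["dport"] = _take_addr(tok), _take_port(tok)
    return ace                                    # trailing 'log' is ignored

def _match(addr, rule):
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    return ((_ip(addr) ^ rule[0]) & ~rule[1] & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, sport, dst, dport):
    # IOS semantics: the first matching entry decides; no match is an implicit deny.
    for ace in map(parse_ace, acl):
        if (ace["proto"] in ("ip", proto)
                and _match(src, ace["src"]) and _match(dst, ace["dst"])
                and ace["sport"] in (None, sport) and ace["dport"] in (None, dport)):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"

# Entries as posted in the question (the elided "....." lines are omitted).
POSTED = """deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit udp any eq 67 any eq 68     ! for DHCP
deny ip any any log""".splitlines()
DHCP_FIRST = [POSTED[6]] + POSTED[:6] + POSTED[7:]   # same entries, DHCP permit moved to the top

def offer(server):   # constructed DHCP server reply sent to broadcast
    return ("udp", server, 67, "255.255.255.255", 68)
```

`evaluate(POSTED, *offer("10.20.30.1"))` returns the deny entry that matched, which is the line to look for in the router's ACL hit counters if the lease never arrives.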
