How Somebody Helped Kill dhcpd on Our Network
Bob Franklin
r.c.franklin at reading.ac.uk
Mon Jul 31 15:28:02 UTC 2006
On Mon, 31 Jul 2006, Martin McCormick wrote:
> Thanks for the good information. Cisco is where we are going but
> unfortunately we haven't replaced everything yet.
For reference, we do this on our Extreme edge switches:
create access-mask dhcp-mask ip-protocol dest-l4port source-l4port ports
create access-list dhcp-rogue access-mask dhcp-mask ip-protocol udp
dest-l4port 68 source-l4port 67 ports 1-48 deny
This works at layer 2 and blocks based on the ingress port 1-48; we don't
have to specify any IPs and only need to unblock if there is a need for
a DHCP server at the edge somewhere (which we don't generally allow).
- Bob
--
Bob Franklin <r.c.franklin at reading.ac.uk> +44 (0)118 378 7147
Systems and Communications, IT Services, The University of Reading, UK
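As an added illustration (not part of the original thread or of Extreme's software), the match decision of the access-list Bob posted, rewritten as a Python filter over constructed IPv4/UDP frames: the edge port range 1-48 and the UDP 67 -> 68 direction come from the post; the frame builder, the sample frames and the function names are my own constructions.

```python
import struct

EDGE_PORTS = range(1, 49)  # "ports 1-48" from the posted access-list
IPPROTO_UDP = 17

def parse_ipv4_udp(pkt: bytes):
    """Return (src_port, dst_port, udp_payload) for an IPv4/UDP packet, else None."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_UDP or len(pkt) < ihl + 8:
        return None
    src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src_port, dst_port, pkt[ihl + 8:]

def dhcp_rogue_deny(ingress_port: int, pkt: bytes) -> bool:
    """Same decision as the posted ACL: deny UDP 67 -> 68 (server -> client) entering on an edge port."""
    if ingress_port not in EDGE_PORTS:
        return False            # uplink/server ports are not covered by the rule
    parsed = parse_ipv4_udp(pkt)
    if parsed is None:
        return False            # non-UDP traffic is never matched
    src_port, dst_port, _ = parsed
    return src_port == 67 and dst_port == 68

def build_ipv4_udp(src_port: int, dst_port: int, payload: bytes, proto: int = IPPROTO_UDP) -> bytes:
    """Constructed test frame (IPv4 header + UDP header + payload, checksums zeroed)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, proto, 0,
                     bytes([192, 168, 1, 50]), bytes([255, 255, 255, 255]))
    return ip + udp

# Constructed samples: a BOOTREPLY (op=2) and a BOOTREQUEST (op=1), 240-byte fixed header
BOOTREPLY = bytes([2]) + bytes(239)
BOOTREQUEST = bytes([1]) + bytes(239)

SAMPLES = {
    "rogue offer on edge port 7": (7, build_ipv4_udp(67, 68, BOOTREPLY)),
    "client discover on edge port 7": (7, build_ipv4_udp(68, 67, BOOTREQUEST)),
    "real offer on uplink port 49": (49, build_ipv4_udp(67, 68, BOOTREPLY)),
    "tcp on edge port 7": (7, build_ipv4_udp(67, 68, b"", proto=6)),
}

def evaluate_samples() -> dict:
    return {name: dhcp_rogue_deny(port, pkt) for name, (port, pkt) in SAMPLES.items()}

if __name__ == "__main__":
    for name, denied in evaluate_samples().items():
        print(f"{name}: {'deny' if denied else 'permit'}")
```

The samples show what the rule does and does not cover: client requests (68 -> 67) and offers arriving on a port outside 1-48 pass, so the uplink to the real server must not sit in the edge range.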