Block DHCP from ip helper...

[wansolutions]

G'day Guys (and girls),
I want to prevent DHCP requests being propagated through the network via the ip helper x.x.x.x command. I still want to have ip helper enabled, I just don't want to get ip address' from anywhere other than the local segment.

Can someone confirm that if I enter the commands;

ip helper x.x.x.x
....
....
no ip forward-protocol udp 67
....
....

That I will only block DHCP requests from exiting the local segment?
Will this do the trick?
Thanks in advance.

Cheers, Kirby.

 

[ADB100]

If you only want DHCP to operate on a local segment then don't enable andy IP Helpers. IP Helpers are only used if your DHCP server is on a different IP Network (or subnet) from the DHCP Clients; if the Server & Clients are on the same network then the broadcasts from the clients will reach the server without any extra 'help'.

When you enable an IP Helper to a unicast address the packets are not flooded throughout the network anyway; they are simply encapsulated (modified) in a unicast packet and sent direct to the IP address specified in the IP Helper command. If the IP Helper is a broadcast address then the packets are still encapsulated (modified) but broadcast on the relevent network.

Good luck

Andy

 

[PalmTest]

Hi WANSolution,

In addition to ADB100, I protect my network from 'accidential' DHCP installations.

My Core switch has the following acl:
(substituted my IP with 10.10.10.x)
set security acl ip dhcpprod permit udp host 10.10.10.1 any eq 68
set security acl ip dhcpprod permit udp host 10.10.10.2 any eq 68
set security acl ip dhcpprod permit udp host 10.10.10.3 any eq 68
set security acl ip dhcpprod deny udp any any eq 68
set security acl ip dhcpprod permit ip any any

This way I block all dhcp repies from unknown servers, and allow my 3 servers to reply.
All traffic has to go through my Cisco6000 Core switch.

I know it its not the exact answer to your question but perhaps it can help you.