
Help with ACL (x450)


JayNEC (IS-IT--Management, US), Jun 5, 2002
To block rogue DHCP servers, I would like to block DHCP traffic to any server but two (for different VLANs).
Trying to figure out the ACL methodology, but I could use a hand with this.

E.g. I have a student network that appears to have rogue DHCP servers running. I would like to kill them and only allow the two legitimate DHCP servers to operate. I also have DHCP forwarding enabled on the IP interfaces.
 
Hi,

I have never tried this on Extreme, but I think it will work.

First rule: add a permit from 0.0.0.0 to DHCPServer@IP, UDP source port 67, UDP destination port 68.
Second rule: block UDP traffic with source port 67 and destination port 68 from 0.0.0.0 to 0.0.0.0.
Or you can just use the second rule applied to all ports except the port where you have the DHCP server connected.

I hope this will help you.
 
The only problem is that these ACLs will only work if the DHCP requests are passing through the switch with the ACLs. Are you going to place ACLs on the edge switches as well? If not, this won't work. You need to have ACLs where the clients patch in, because that's where the rogue DHCP server will most likely be patched in.
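The ACL methodology from the two replies above, as an added example that is not code from the thread: a Python model of a first-match ACL that permits UDP 67 -> 68 from the two legitimate servers and denies it from anyone else, run against constructed DHCP messages, plus a check of the DHCP server identifier (option 54) that a layer-3 ACL alone cannot do. The server addresses 10.1.0.10 and 10.2.0.10, the switch port numbers and the packet contents are assumptions.

```python
"""Added example, not code from the Tek-Tips thread: a first-match model of the
DHCP-guard ACL sketched in the replies above, run against constructed DHCP
packets. Server addresses, switch port numbers and packet contents are assumed."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address as IPv4
from typing import Optional

LEGIT_DHCP_SERVERS = frozenset({IPv4("10.1.0.10"), IPv4("10.2.0.10")})  # assumed
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # 236-byte fixed part
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

@dataclass(frozen=True)
class Packet:
    ingress_port: int      # switch port the frame arrived on
    src_ip: IPv4
    src_port: int
    dst_port: int
    payload: bytes         # UDP payload, i.e. the DHCP message

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "permit" or "deny"
    src_ips: Optional[frozenset] = None  # None = any source address
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src_ips is None or p.src_ip in self.src_ips)
                and (self.src_port is None or p.src_port == self.src_port)
                and (self.dst_port is None or p.dst_port == self.dst_port))

# The two rules from the first reply, first match wins: permit server->client DHCP
# (UDP 67 -> 68) from known servers, deny it from anyone else; 68 -> 67 falls through.
DHCP_GUARD = [
    Rule("permit_known_dhcp_servers", "permit", LEGIT_DHCP_SERVERS, 67, 68),
    Rule("deny_other_dhcp_servers", "deny", None, 67, 68),
]

def evaluate(acl, packet):
    for rule in acl:
        if rule.matches(packet):
            return rule.action, rule.name
    return "permit", "implicit_permit"

def build_dhcp(op, msg_type, yiaddr="0.0.0.0", server_id=None):
    """Build a minimal BOOTP/DHCP message (constructed test input)."""
    fixed = BOOTP_HDR.pack(op, 1, 6, 0, 0x3903F326, 0, 0x8000, b"\0" * 4,
                           IPv4(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                           b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])                      # option 53: message type
    if server_id is not None:
        opts += bytes([54, 4]) + IPv4(server_id).packed  # option 54: server identifier
    return fixed + MAGIC_COOKIE + opts + b"\xff"         # 255 = end of options

def parse_dhcp(payload):
    """Return (message type name, server identifier or None)."""
    msg_type, server_id, i = None, None, BOOTP_HDR.size + len(MAGIC_COOKIE)
    if len(payload) < i or payload[BOOTP_HDR.size:i] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = MSG_TYPES.get(value[0], f"type{value[0]}")
        elif code == 54 and length == 4:
            server_id = IPv4(value)
        i += 2 + length
    return msg_type, server_id

def audit(packets, acl=DHCP_GUARD):
    """Apply the ACL; for 67 -> 68 traffic also check option 54 against the known servers."""
    report = []
    for p in packets:
        action, rule = evaluate(acl, p)
        note = ""
        if p.src_port == 67 and p.dst_port == 68:
            msg, sid = parse_dhcp(p.payload)
            if sid not in LEGIT_DHCP_SERVERS:   # rogue even if the source IP is spoofed
                note = f"{msg} with unknown server-id {sid}"
        report.append((p.ingress_port, action, rule, note))
    return report

SAMPLE_PACKETS = [  # constructed ingress traffic on four switch ports
    Packet(5, IPv4("0.0.0.0"), 68, 67, build_dhcp(1, 1)),       # client DISCOVER
    Packet(48, IPv4("10.1.0.10"), 67, 68,
           build_dhcp(2, 2, "10.1.0.50", "10.1.0.10")),         # real server OFFER
    Packet(7, IPv4("10.1.0.99"), 67, 68,
           build_dhcp(2, 2, "10.1.0.200", "10.1.0.99")),        # rogue server OFFER
    Packet(9, IPv4("10.1.0.10"), 67, 68,
           build_dhcp(2, 2, "10.1.0.201", "10.1.0.99")),        # rogue spoofing the real server's IP
]

if __name__ == "__main__":
    for port, action, rule, note in audit(SAMPLE_PACKETS):
        print(f"port {port:>2}: {action:<6} {rule} {note}")
```

Two practical points the model makes visible. First, placement: with DHCP forwarding (relay) enabled, the legitimate servers in other VLANs answer the relay agent on UDP 67, and the switch itself then builds the 67 -> 68 reply toward the client, so on the ingress side of a client-facing port the only 67 -> 68 traffic that can ever arrive comes from a device plugged into that port. That is why the second reply's shorter variant (just the deny rule, applied ingress on every edge port except uplinks and the ports where the real servers connect) is enough, and why, as the third reply says, it has to live on the edge switch the rogue is patched into. Second, the fourth sample packet: a rogue that spoofs the real server's source address sails through a source-IP match, which is why the audit also compares the server identifier option; on the switch itself that check is not available in a plain ACL and needs a DHCP snooping or trusted-port feature instead.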
 