
blocking dhcp broadcasts coming in and out

Discussion in 'Other Cisco Equipment' started by no_logo_f_kansas, Dec 7, 2006.

  1. no_logo_f_kansas

    no_logo_f_kansas LI Guru Member

    I need to block DHCP broadcasts coming in and out. I have the following. Just curious if this is right.


    >config t
    >! Extended ACL syntax needs the "host" keyword before a single address
    >access-list 110 deny udp any eq bootpc host <<dhcp server ip address>> eq bootps
    >! Every IOS ACL ends in an implicit "deny any"; permit the rest so only DHCP is dropped
    >access-list 110 permit ip any any
    >access-list 111 deny udp host <<dhcp server ip address>> eq bootps any eq bootpc
    >access-list 111 permit ip any any
    >int s0
    >ip access-group 110 in
    >ip access-group 111 out
     
  2. kspare

    kspare Computer Guy Staff Member Member

    access-list 110 deny udp any any eq bootps
    access-list 110 deny udp any any eq bootpc
    ! without an explicit permit the implicit deny at the end drops all other traffic too
    access-list 110 permit ip any any
    access-list 111 deny udp any any eq bootps
    access-list 111 deny udp any any eq bootpc
    access-list 111 permit ip any any

    That will block traffic from clients and servers from any ip to any ip.
     
  3. no_logo_f_kansas

    no_logo_f_kansas LI Guru Member

    Quick question. If I understand this right, DHCP service is on by default on a Cisco router. Is this correct?

    To stop it?

    >no service dhcp
     
  4. kspare

    kspare Computer Guy Staff Member Member

    You could do that, yup!

    Also remove any DHCP pools and you should be fine.
     
  5. ifican

    ifican Network Guru Member

    First off, all of this is correct, but personally I try to stay as efficient as possible and write/change my configs accordingly:

    1) There is no need to use separate ACLs; the same one can be applied in both directions, but there is no harm in the way it is being done now.

    2) DHCP is on by default - yes, but only on certain platforms and expected implementations, i.e. 800 series, PIX 501, 506 (think so but not sure). This is the case for the simple fact that these devices are designed mostly for SOHO environments and the IOS is structured to make implementation as easy as possible for the end user.
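The two points the replies above turn on, that a "deny udp any any eq bootps/bootpc" list matches DHCP in either direction and that an IOS ACL with nothing but deny entries ends in an implicit deny of everything else, are easy to check offline with a small model of first-match ACL evaluation. The following is an added example, not code from the thread or from Cisco: it parses the simplified access-list syntax used in the posts (any / host, eq with numeric or bootps/bootpc names) and runs constructed sample packets through a deny-only list and through the same list with an explicit permit appended. Addresses, ports and packet contents are made up for the demonstration.

```python
"""Simplified model of Cisco IOS extended ACL evaluation.

Semantics modelled: entries are tried top to bottom, the first match decides,
and a packet matching no entry hits the implicit deny at the end of the list.
Only the subset of syntax used in the forum posts is parsed. ACL text and
sample packets below are constructed for this example.
"""
from dataclasses import dataclass
import ipaddress

# IOS accepts these names in place of numeric UDP ports
PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        port = int(name) if name.isdigit() else PORT_NAMES[name]
        return port, tokens[2:]
    return None, tokens


def parse_acl(lines):
    """Parse 'access-list N {permit|deny} <proto> <src> [eq p] <dst> [eq p]' lines.

    Lines starting with '!' are IOS comments and are skipped.
    """
    entries = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto = tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries, pkt):
    """Return 'permit' or 'deny' for pkt under first-match semantics."""
    src_ip, dst_ip = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src_ip not in src or dst_ip not in dst:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"   # implicit deny at the end of every IOS ACL


# Constructed ACLs: the deny-only list from the thread, and the same list with
# an explicit permit so that non-DHCP traffic is still forwarded.
DENY_ONLY = [
    "access-list 110 deny udp any any eq bootps",
    "access-list 110 deny udp any any eq bootpc",
]
WITH_PERMIT = DENY_ONLY + ["access-list 110 permit ip any any"]

# Constructed sample packets: a client DHCPDISCOVER, a server DHCPOFFER and an
# ordinary web request that has nothing to do with DHCP.
SAMPLE_PACKETS = [
    Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),     # client -> server
    Packet("udp", "192.0.2.1", 67, "255.255.255.255", 68),   # server -> client
    Packet("tcp", "192.0.2.10", 51000, "198.51.100.5", 80),  # unrelated HTTP
]


def verdicts(acl_lines, packets):
    """Evaluate every packet against the parsed ACL and return the verdicts in order."""
    entries = parse_acl(acl_lines)
    return [evaluate(entries, p) for p in packets]


if __name__ == "__main__":
    print("deny-only   :", verdicts(DENY_ONLY, SAMPLE_PACKETS))
    print("with permit :", verdicts(WITH_PERMIT, SAMPLE_PACKETS))
```

Because the entries use "any any" and match on the DHCP ports alone, the same list catches client-to-server and server-to-client DHCP regardless of which interface direction it is applied to, which is the single-ACL point made above. The deny-only list also drops the HTTP packet, which is the implicit-deny behaviour that the trailing permit exists to avoid.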
     
