[c-nsp] dai / dhcp snooping bug

Tarko Tikan tarko at lanparty.ee
Tue Aug 11 07:42:08 EDT 2015


> Another idea would be to see if I could configure the dhcp server to
> just ignore unicast requests (easier than putting ACL's on the the
> switches).

You can configure ACL on the server as well (read: iptables or so).

All relayed packets will use router interface IP as source address (at 
least cisco relay does that, some other platforms use egress interface 
IP but it's usually configurable). This way you can permit your actualy 
interface IPs and deny rest thus blocking unicast renewals directly from 
DHCP clients.

It's not ideal, as you have to keep list of /32s or so in the ACL but at 
least you can keep the ACL in few places and not distribute it to all 
network devices.


More information about the cisco-nsp mailing list