[c-nsp] dai / dhcp snooping bug
Tarko Tikan
tarko at lanparty.ee
Tue Aug 11 07:42:08 EDT 2015
hey,
> Another idea would be to see if I could configure the dhcp server to
> just ignore unicast requests (easier than putting ACL's on the
> switches).
You can configure an ACL on the server as well (read: iptables or so).
All relayed packets will use the router interface IP as source address (at
least the cisco relay does that, some other platforms use the egress interface
IP but it's usually configurable). This way you can permit your actual
interface IPs and deny the rest, thus blocking unicast renewals directly from
DHCP clients.
It's not ideal, as you have to keep a list of /32s or so in the ACL, but at
least you can keep the ACL in a few places and not distribute it to all
network devices.
--
tarko
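An example of the server-side filter described in the reply above, added here and not part of the original post: a POSIX shell script that builds an iptables rule set accepting UDP/67 only from the DHCP relay interface addresses and dropping everything else, plus a small check function that applies the same list to a source address. The relay addresses, the chain name DHCP-IN and the assumption that the server also serves one directly attached segment (hence the 0.0.0.0 to 255.255.255.255 broadcast rule) are constructed for the example; the rules are printed rather than executed so they can be reviewed before being applied.

```shell
#!/bin/sh
# Interface addresses of the relaying routers (constructed example values;
# replace with the real relay interface /32s from your network).
RELAY_IPS="192.0.2.1 192.0.2.129 198.51.100.1"

# Print the iptables commands for a DHCP-IN chain that permits relayed DHCP
# (source = relay interface IP) and drops direct unicast from clients.
dhcp_acl_rules() {
    echo "iptables -N DHCP-IN"
    for ip in $RELAY_IPS; do
        echo "iptables -A DHCP-IN -p udp --dport 67 -s ${ip}/32 -j ACCEPT"
    done
    # Only needed if clients sit directly on the server's own segment: their
    # initial DISCOVER/REQUEST is broadcast from 0.0.0.0 (assumption for this example).
    echo "iptables -A DHCP-IN -p udp --dport 67 -s 0.0.0.0/32 -d 255.255.255.255/32 -j ACCEPT"
    # Everything else aimed at the DHCP server port, including unicast renewals
    # sent straight from clients, is dropped.
    echo "iptables -A DHCP-IN -p udp --dport 67 -j DROP"
    echo "iptables -I INPUT -p udp --dport 67 -j DHCP-IN"
}

# Evaluate one source address against the relay list: prints "permit" or "deny".
# Always returns 0 so it can be used inside command substitution under set -e.
dhcp_acl_check() {
    src="$1"
    for ip in $RELAY_IPS; do
        if [ "$src" = "$ip" ]; then
            echo permit
            return 0
        fi
    done
    echo deny
    return 0
}

# Usage: review the generated rules, then pipe them to sh as root to apply them.
dhcp_acl_rules
```

The check function mirrors the ACL logic so the list can be tested against known relay and client addresses before it is rolled out; the generated rules can be kept in a single file on each DHCP server, which is the "few places" the reply refers to.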