Configuring Cisco Router to prevent assigning DHCP address

Discussion in 'Cisco' started by Rami Rosen, Oct 11, 2004.

  1. Rami Rosen

    Rami Rosen Guest

    Hello,

    I have a C820 Cisco router. As part of it, it has a DHCP server.
    I have a diskless station in my network.
    When this station is powered down and powered up, it gets
    an IP address from this Cisco DHCP server.

    I want to configure this Cisco router so that it will not assign
    an IP address to that station. It should get its IP from a different
    DHCP server on the LAN (I know of course the MAC address of that
    diskless station).

    regards,
    rami
     
    Rami Rosen, Oct 11, 2004
    #1

  2. Rami Rosen

    Ben Guest

    Probably the simplest way is to apply a MAC access-list on the interface
    that allows everything except the MAC range of the diskless workstations.
     
    Ben, Oct 11, 2004
    #2

  3. Rami Rosen

    max Guest

    Can you show any examples of an access list to filter certain MAC addresses?
    I have been wondering about this for a long time.
    Thanks
    Max
     
    max, Oct 11, 2004
    #3
  4. Rami Rosen

    mh Guest

    It is not clear that a MAC address filter will work.

    Blocking all traffic from the particular workstation is NOT what you
    want.

    You want to only block BOOTP packets (which is what DHCP packets are
    carried in).

    You may be able to do this with an extended MAC address filter where you
    configure the extended fields to match the offset and contents of the
    MAC address of the workstation in the actual DHCP packet. You will
    probably need a packet trace to get the offset correct.
     
    mh, Oct 12, 2004
    #4
  5. Rami Rosen

    Rami Rosen Guest

    Hello,
    Thanks.
    Absolutely right. An even more precise term will be "ignore BOOTP packets"
    instead of "block BOOTP packets".
    What is this extended MAC address filter?
    Can you give some reference in the Cisco docs?
    What is the offset of a MAC address?
    Is a sniffer (like Ethereal) capable of doing it?
    In case not - how can I get a packet trace?
    regards,
    rami
     
    Rami Rosen, Oct 13, 2004
    #5
  6. Rami Rosen

    Ana Guest

    The simplest way:
    disable the dhcp server in the router
    --> no service dhcp
     
    Ana, Oct 13, 2004
    #6
  7. Rami Rosen

    mh Guest

    Look up RFC 1541; it will show the format of a DHCP packet.

    Then use an Ethereal trace to figure out the offset of the client hardware
    address (MAC address) in the DHCP packet.
     
    mh, Oct 14, 2004
    #7
  8. Rami Rosen

    Rami Rosen Guest

    Thanks,
    This is not applicable, however; I want to prevent only one
    specific station from getting a DHCP address from the server; since there are other
    DHCP clients which should get IP addresses from that Cisco router, this
    will not solve the problem.

    regards
    rami
     
    Rami Rosen, Oct 17, 2004
    #8
  9. A ha - sounds like you're looking for the "ip dhcp excluded-address"
    command then.

    Aaron

     
    Aaron Leonard, Oct 18, 2004
    #9
  10. Sorry, "ip dhcp excluded-address" was a dumb suggestion - you're
    looking to block a given client from getting an address from the
    DHCP server by *MAC* address I assume.

    Can you tell me what exactly is the goal here ... is the idea that
    this particular client is supposed to get its address from a
    DIFFERENT DHCP server? Or do you just want to keep this client
    from accessing the network in general?

    Aaron

     
    Aaron Leonard, Oct 19, 2004
    #10
  11. Rami Rosen

    Rami Rosen Guest

    Thanks Aaron,

    Well, this particular client is supposed to get its address from a
    DIFFERENT DHCP server, and this client should have access to the
    network in general.

    Currently what I do is stop the Cisco DHCP server, and start my client
    box, so that it will not get an IP from the Cisco DHCP server. I do not
    dare to think of such a solution when deploying it at a customer site.

    I know that this also can be done at the client side, but we are not
    developing the client side ...
    (To be more accurate: we are developing some app which works with a
    hw device (the client we talk about) which we get from a company we
    are working with; this box sends a bootp request after
    reboot. The Cisco router answers with a boot reply and afterwards gives
    it the address, and I want to avoid this. This box is not
    sophisticated enough to reject the address the Cisco DHCP server
    assigns).


    regards,
    rami
     
    Rami Rosen, Oct 22, 2004
    #11
  12. OK ... I pondered this for awhile, and the only thing I could come
    up with is this:

    You could configure a layer 2 filter on the router to block
    incoming BOOTPC packets from this one client's MAC address.
    You can't configure a layer 2 filter on a routed interface
    however, so to do this you'd need to configure IRB and put
    the layer 2 filter on the LAN interface's bridge group.

    Aaron

     
    Aaron Leonard, Oct 22, 2004
    #12
  13. ~ hw device (the client we talk about ) which we get from a company we are

    If this box is really sending a bootp request, see if you have the "ip
    dhcp bootp ignore" command on the router. It does what it says. CCO is
    giving a 404 error at the moment so I can't see where it first appeared.
     
    Martin Gallagher, Oct 23, 2004
    #13
  14. Rami Rosen

    mh Guest

    this feature was introduced in 12.2(8)T
     
    mh, Oct 24, 2004
    #14
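
Added example (not part of any post in this thread): a Python sketch of what posts #7 and #13 turn on, namely where the client hardware address (chaddr) sits in a BOOTP/DHCP request and whether the request is plain BOOTP or DHCP (DHCP requests carry option 53, plain BOOTP requests do not). The frame builder, MAC address and function names are constructed for illustration; untagged Ethernet II over IPv4 is assumed.

```python
import struct

CHADDR_OFF = 28                      # op,htype,hlen,hops,xid,secs,flags + four IPv4 fields
FIXED_LEN = 236                      # fixed BOOTP header through the 'file' field
MAGIC = bytes([99, 130, 83, 99])     # cookie that precedes DHCP options

def has_dhcp_msg_type(opts: bytes) -> bool:
    """Walk the options area looking for option 53 (DHCP message type)."""
    if opts[:4] != MAGIC:
        return False
    i = 4
    while i < len(opts) and opts[i] != 255:        # 255 = end option
        if opts[i] == 0:                           # pad option has no length byte
            i += 1
            continue
        if opts[i] == 53:
            return True
        if i + 1 >= len(opts):                     # truncated option, stop
            break
        i += 2 + opts[i + 1]
    return False

def inspect_frame(frame: bytes):
    """Return (client_mac, chaddr_offset_in_frame, kind) for a client request, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # untagged IPv4 only
        return None
    ihl = (frame[14] & 0x0F) * 4                   # IP options move every later offset
    udp = 14 + ihl
    if frame[23] != 17 or len(frame) < udp + 8 + FIXED_LEN:
        return None
    if struct.unpack("!HH", frame[udp:udp + 4]) != (68, 67):   # client -> server ports
        return None
    bootp = frame[udp + 8:]
    if bootp[0] != 1:                              # op 1 = BOOTREQUEST
        return None
    mac = bootp[CHADDR_OFF:CHADDR_OFF + min(bootp[2], 16)]
    kind = "dhcp" if has_dhcp_msg_type(bootp[FIXED_LEN:]) else "bootp"
    return mac.hex(":"), udp + 8 + CHADDR_OFF, kind

def build_request(mac: bytes, options: bytes = b"") -> bytes:
    """Constructed sample frame (checksums left at zero, not validated above)."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0) + bytes(16)
    bootp += mac.ljust(16, b"\0") + bytes(64 + 128) + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(bootp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + mac + b"\x08\x00" + ip + udp + bootp
```

With a 20-byte IP header the chaddr field starts at byte 70 of the frame (14 + 20 + 8 + 28); a filter that matches on a fixed offset misses it whenever the IP header carries options or the frame is VLAN-tagged.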