Newbie ACL question: Blocking DHCP

  DaveInPNG

    DaveInPNG Guest

    I have two areas of my network joined at this one switch. Both areas
    have a DHCP server to service their area. Problem is one area is
    getting most of the requests and is running out of addresses.

    I'd like to add an ACL on this switch to deny DHCP requests from most
    of my network to a specific IP address. I tried this ACL but I'm not
    sure it is correct. Can someone tell me if this will work like I want
    it to?

    Thanks in advance.


    Extended IP access list 100
    deny udp host eq bootps
    deny udp host eq bootpc
    permit udp any any
    DaveInPNG, Feb 17, 2005
    I doubt this will work: your list as written is denying unicast UDP/IP
    traffic to your DHCP server, where the DHCP request itself is a layer 2
    broadcast. Ask yourself how a client can communicate with the server over IP
    when it is yet to be assigned an IP address!

    Buzz Lightbeer, Feb 17, 2005
  DaveInPNG

    DaveInPNG Guest

    Yeah, I wondered about that myself.

    Any suggestions? Or am I stuck with adding more hardware to filter the


    DaveInPNG, Feb 18, 2005
    Merv Guest

    What is the network topology between the two areas of your network that
    you referred to and the two DHCP servers?

    Please indicate for each device in the path whether it is a layer 2 or
    layer 3 switch.
    Merv, Feb 18, 2005
  DaveInPNG

    DaveInPNG Guest

    The only devices being used are Cisco 2950 switches. Unless I HAVE to
    add something.

    DaveInPNG, Feb 19, 2005
    DB Guest


    DHCP separating can be done with either L3 switches and/or routers.
    The 2950 can not be upgraded to IP routing.
    Different networks could help you redirect DHCP requests to the
    server you want.
    Why don't you use 1 DHCP server and make the DHCP range large enough?
    You could also tune the lease times. Or are there more DHCP clients
    than IP addresses?

    DB, Feb 20, 2005
    Merv Guest

    So here is what is happening.

    DHCP requests from PCs are sent to a broadcast address.

    If a DHCP request passes thru a Cisco router (layer 3 device) then the
    ip helper-address can be used to direct DHCP requests from a
    particular subnet/VLAN to a specific DHCP server. The Cisco router also
    inserts the IP address of the router interface on which the DHCP request
    was received into the DHCP request in a field called GIADDR.
    This can be used by the DHCP server to assign an IP address from the
    proper scope.

    So you have two choices:

    a) enlarge the IP address range scopes on your DHCP server and continue
    to use your 2950 layer 2 switch

    b) add a router to your network and configure a 802.11 trunk between
    the router and the switch, configure VLAN interfaces on the router for
    the subnets in your network and also add ip helper-address commands to
    these interfaces
    Merv, Feb 20, 2005
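As an added illustration of Merv's GIADDR explanation (example code, not from anyone in the thread), a small Python model of the relay step and of the server choosing a scope from it. The fixed header layout is from RFC 2131; the scopes, interface addresses and MAC are constructed.

```python
import ipaddress
import struct

# BOOTP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr. All sample values are constructed.
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
GIADDR_OFFSET = 24  # byte offset of giaddr inside the fixed header

# Constructed scopes on one DHCP server: subnet -> next free address.
SCOPES = {
    ipaddress.ip_network("10.1.0.0/24"): "10.1.0.100",
    ipaddress.ip_network("10.2.0.0/24"): "10.2.0.100",
}
SERVER_SUBNET = ipaddress.ip_network("10.1.0.0/24")  # the server's own LAN

def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """DHCPDISCOVER as a client broadcasts it: ciaddr and giaddr are 0.0.0.0
    because the client has no address yet (the point made in the thread)."""
    zero = bytes(4)
    return HDR.pack(1, 1, 6, 0, xid, 0, 0x8000, zero, zero, zero, zero,
                    mac.ljust(16, b"\0"))

def relay(packet: bytes, helper_interface_ip: str) -> bytes:
    """What a router's ip helper-address does: if giaddr is still zero, stamp
    the receiving interface's IP into it and bump the hops counter, then the
    packet is forwarded as unicast to the configured server."""
    fields = list(HDR.unpack(packet[:HDR.size]))
    if fields[10] == bytes(4):  # only the first relay sets giaddr
        fields[10] = ipaddress.ip_address(helper_interface_ip).packed
    fields[3] += 1  # hops
    return HDR.pack(*fields) + packet[HDR.size:]

def select_scope(packet: bytes) -> str:
    """Server side: pick the scope containing giaddr; a zero giaddr means the
    request arrived directly on the server's own LAN (layer 2 only)."""
    giaddr = ipaddress.ip_address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    if giaddr == ipaddress.ip_address("0.0.0.0"):
        subnet = SERVER_SUBNET
    else:
        subnet = next((net for net in SCOPES if giaddr in net), None)
    if subnet is None:
        raise ValueError(f"no scope configured for relay address {giaddr}")
    return SCOPES[subnet]

if __name__ == "__main__":
    discover = build_discover(b"\x00\x11\x22\x33\x44\x55")
    print("direct on server LAN  :", select_scope(discover))
    print("relayed from 10.2.0.1 :", select_scope(relay(discover, "10.2.0.1")))
```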
