From: Michael Snyder (msnyder@wk.net)
Date: Mon Nov 24 2003 - 00:41:30 GMT-3
What I broke was DHCP.
It seems when a client doesn't have an IP address, it broadcasts to UDP
255.255.255.255 from address 0.0.0.0 asking for an IP address.
I had allowed all normal unicast traffic, but didn't think about DHCP.
After a Google search I added the following statement.
Permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67
The reason I thought of this for a Groupstudy posting is, couldn't you
envision this on the lab?
Have a good restrictive access list on an interface, then much later in the
lab they say to also add DHCP to that router. I know I would just think
easy points and move on.
Just a thought.
----------------------------------------------------------------------------------------
I had a real world experience to share.
Testing out IDS, I found a lot of spoofed traffic on a client's network.
I believe it was one of the newer worms out at the time. I had a tech
tracking down the infected machines.
I noticed that a lot of the traffic was neither sourced nor destined for
the network I was on, and it wasn't on a transit network!
So I figured I could take care of that, and threw a VLAN filter on the
switch.
Where a.b.c.d = client's network.
Permit ip a.b.c.d 0.0.0.255 any
Permit ip any a.b.c.d 0.0.0.255
Get a call the next day. Network is broken.
Can anyone guess what I broke?
Continued on next email.
Michael Snyder
Lead Network Engineer
CCDP, CCSP, MCSE NT/2000
Revolution Computer Systems
(270) 443-7400
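The VLAN filter from the second email and the DHCP permit from the first, checked with a small wildcard-mask ACL evaluator. This is an added example, not code from the posts: 10.1.2.0/24 is a constructed stand-in for a.b.c.d, and the evaluator only understands the address and port forms the posts use (any, host X, A WILDCARD, eq PORT) with Cisco's implicit deny at the end.

```python
import ipaddress

# Constructed stand-in for the client's a.b.c.d network in the post.
NET = "10.1.2.0"

VLAN_FILTER = [
    f"permit ip {NET} 0.0.0.255 any",   # traffic sourced from the client net
    f"permit ip any {NET} 0.0.0.255",   # traffic destined to the client net
]
# The fix from the first email: DHCP DISCOVER is 0.0.0.0:68 -> 255.255.255.255:67,
# which neither line above matches, so it falls to the implicit deny.
FIXED_FILTER = VLAN_FILTER + [
    "permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67",
]

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_endpoint(tokens):
    """Consume 'any' | 'host X' | 'A WILDCARD', then an optional 'eq PORT'.
    Returns ((base, wildcard, port_or_None), remaining_tokens)."""
    if tokens[0] == "any":
        base, wild, rest = 0, 0xFFFFFFFF, tokens[1:]
    elif tokens[0] == "host":
        base, wild, rest = _ip(tokens[1]), 0, tokens[2:]
    else:
        base, wild, rest = _ip(tokens[0]), _ip(tokens[1]), tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = int(rest[1]), rest[2:]
    return (base, wild, port), rest

def parse_acl(lines):
    """Turn ACL text into (action, protocol, src_spec, dst_spec) tuples."""
    acl = []
    for line in lines:
        action, proto, *rest = line.lower().split()
        src, rest = _parse_endpoint(rest)
        dst, rest = _parse_endpoint(rest)
        acl.append((action, proto, src, dst))
    return acl

def _match(spec, addr, port):
    base, wild, want_port = spec
    # A 1 bit in a Cisco wildcard mask means "don't care" for that bit.
    if (_ip(addr) | wild) != (base | wild):
        return False
    return want_port is None or want_port == port

def evaluate(lines, proto, src, sport, dst, dport):
    """First matching entry wins; no match means the implicit deny."""
    for action, aproto, s_spec, d_spec in parse_acl(lines):
        if aproto in ("ip", proto) and _match(s_spec, src, sport) and _match(d_spec, dst, dport):
            return action
    return "deny"
```

Running evaluate over a DHCP DISCOVER shows the original filter denying it and the fixed filter permitting it, while spoofed traffic that is neither from nor to 10.1.2.0/24 stays denied in both.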
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:16 GMT-3