DHCP, IP helper and Security

From: gladston@br.ibm.com
Date: Wed Jun 29 2005 - 14:18:39 GMT-3

• Next message: Scott Morris: "RE: MSDP and MBGP question"
• Previous message: atolstykh@atfam.com: "RE: Tag egress frames on the access port"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Would you agree?

Ip forward-protocol - works if allowing port 68 (bootpc) or port 67(bootps)
           either one works, it is not necessary to permit both

access-list IN (related to dhcp clients) on helper router - must allow packets destinated to port 67 (bootps)

Rack2R6#sh access-list 101
Extended IP access list 101
    permit udp any any eq bootps (11 matches)
    deny ip any any log-input

It seems "ip forward-protocol udp.." checks source or destination on packets when choosing what packets it needs to forward. Do you have other opinion?

Tests using "ip forward-protocol udp bootps":
(R3 is the DHCP server; R6 is the helper agent; R7 is the dhcp client)

Rack2R6(config)#no ip forward-protocol udp bootpc
Rack2R6(config)#no ip forward-protocol udp
Rack2R6(config)#ip forward-protocol udp bootps

R7(config)#int e0
R7(config-if)#sh
R7(config-if)#no sh

Rack2R3#
*Mar 1 05:31:38: DHCPD: DHCPRELEASE message received from client 0100.000c.3bd6.a9 (148.5.46.103).
*Mar 1 05:31:38: DHCPD: DHCPRELEASE message received from client 0100.000c.3bd6.a9 (148.5.46.103).
*Mar 1 05:31:38: DHCPD: DHCPRELEASE message received from client 0100.000c.3bd6.a9 (148.5.46.103).
Rack2R3#
Rack2R3#
Rack2R3#
*Mar 1 05:31:47: DHCPD: DHCPDISCOVER received from client 0100.000c.3bd6.a9 through relay 148.5.46.6.
Rack2R3#
*Mar 1 05:31:49: DHCPD: Sending DHCPOFFER to client 0100.000c.3bd6.a9 (148.5.46.104).
*Mar 1 05:31:49: DHCPD: unicasting BOOTREPLY for client 0000.0c3b.d6a9 to relay 148.5.46.6.
*Mar 1 05:31:49: DHCPD: DHCPREQUEST received from client 0100.000c.3bd6.a9.
*Mar 1 05:31:49: DHCPD: Sending DHCPACK to client 0100.000c.3bd6.a9 (148.5.46.104).
*Mar 1 05:31:49: DHCPD: unicasting BOOTREPLY for client 0000.0c3b.d6a9 to relay 148.5.46.6.
Rack2R3#

Rack2R6#sh access-list 101
Extended IP access list 101
    permit ospf any any
    permit igmp any any
    permit udp any any eq pim-auto-rp
    permit udp any any eq bootps (25 matches)
    deny ip any any log-input

• Next message: Scott Morris: "RE: MSDP and MBGP question"
• Previous message: atolstykh@atfam.com: "RE: Tag egress frames on the access port"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:45 GMT-3