
MAC Access List to Block DHCP Traffic on a Cisco SG500

I need to block DHCP traffic on a single port of a Cisco SG500 52-port switch.
I am of the understanding that I can use a MAC access list to do this but I am unfamiliar with setting up a MAC access list.

How do I set up a MAC access list on a single port to block DHCP traffic on a Cisco SG500?
Asked: wmtrader
1 Solution
 
gheist commented:
A MAC access list will not block a single protocol.
You need a TCP access list with ports, and remember that such a list is not parsed by the ASIC, and it will load the switch CPU.

It would help if you tell us what the problem is and what the normal situation is without the problem.
 
wmtrader (Author) commented:
I have two Windows 2011 SBS DHCP servers, each in its own domain, and they need to be on the same VLAN.
Each server is plugged into its own switch and the switches are connected via a WAN link.
Both are DHCP servers that need to provide IP assignments to their domain clients on the same switch.
All traffic between the two segments needs to flow, but I need to stop the DHCP requests.

I know this can be done on some switches (block a protocol on a single port or on multiple ports), but I do not see this on the SG500.

Each time I have asked different variations of this question I get a lot of people trying to teach me networking, going off on side tracks or just saying "don't do it". Some people ask so many questions that it comes across as if they want justification for my need to do it this way before they answer the question, and usually they don't. I've been in IT for 18 years so I don't need to be taught about DHCP, routing, protocol ports or some other networking subject. I do need help in trying to block DHCP between two switches on the same VLAN; it must be done this way.
 
gheist commented:
Make a separate DHCP server not bound to any domain.
2 DHCP servers cannot co-exist on the same broadcast network.
 
Craig Beck commented:
This is what DHCP snooping is for. Configure DHCP snooping on each switch for the VLAN you want to control, then set the port where the DHCP server is connected on each switch to trusted. That will stop each switch from allowing the remote DHCP server to service the clients on the other switch.

DHCP is UDP so a TCP access-expression won't work.
 
wmtrader (Author) commented:
I tried DHCP snooping on the SG500; it blocks IPv4 DHCP traffic but it won't block IPv6 DHCP traffic.
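Three of the points in this thread (gheist's that a MAC access list cannot single out one protocol, Craig Beck's that DHCP is UDP so a TCP entry will not match it, and the author's that IPv4 DHCP snooping leaves DHCPv6 alone) come down to which header fields a filter can see. The classifier below is an added example, not code from the thread or from Cisco; it walks constructed frames with made-up MAC addresses through a MAC-ACL view, an IP-ACL match and a v4/v6 DHCP classifier.

```python
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_TCP, PROTO_UDP = 6, 17
DHCPV4_PORTS = {67, 68}      # bootps / bootpc
DHCPV6_PORTS = {546, 547}    # dhcpv6-client / dhcpv6-server

def build_frame(ethertype, sport, dport, proto=PROTO_UDP):
    """Constructed sample frame: Ethernet + minimal IPv4/IPv6 header + L4 ports, no payload.
    MAC addresses are made up; only the fields the functions below read are filled in."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("0211223344aa") + struct.pack("!H", ethertype)
    if ethertype == ETH_IPV4:
        ip = bytes([0x45]) + b"\x00" * 8 + bytes([proto]) + b"\x00" * 10   # IHL=5, protocol at byte 9
    else:
        ip = bytes([0x60]) + b"\x00" * 5 + bytes([proto]) + b"\x00" * 33   # next header at byte 6
    return eth + ip + struct.pack("!HH", sport, dport)

def mac_acl_view(frame):
    """All a MAC ACL can match on: destination MAC, source MAC, EtherType."""
    return frame[0:6], frame[6:12], frame[12:14]

def l4_view(frame):
    """(ethertype, ip_proto, sport, dport) for IPv4/IPv6 frames, else None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV4:
        proto, off = frame[23], 14 + (frame[14] & 0x0F) * 4
    elif ethertype == ETH_IPV6:
        proto, off = frame[20], 14 + 40
    else:
        return None
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    return ethertype, proto, sport, dport

def matches_acl(frame, proto, ports):
    """One IP ACL entry: true when the L4 protocol and either port match."""
    v = l4_view(frame)
    return v is not None and v[1] == proto and bool({v[2], v[3]} & ports)

def classify(frame):
    """'dhcpv4', 'dhcpv6' or 'other'; an IPv4-only snooping feature only sees the first."""
    v = l4_view(frame)
    if v is None or v[1] != PROTO_UDP:
        return "other"
    if v[0] == ETH_IPV4 and {v[2], v[3]} & DHCPV4_PORTS:
        return "dhcpv4"
    if v[0] == ETH_IPV6 and {v[2], v[3]} & DHCPV6_PORTS:
        return "dhcpv6"
    return "other"
```

A DHCPv4 DISCOVER and an ordinary IPv4 web request look identical to the MAC-ACL view, a TCP entry never matches either DHCP flavour, and a filter on ports 67/68 is blind to DHCPv6 on 546/547.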
 
Craig Beck commented:
You need to use DHCPv6 Guard for IPv6.
 
wmtrader (Author) commented:
I have not seen anything called DHCPv6 Guard on a Cisco SG500.
How do I enable DHCPv6 Guard on a Cisco SG500?
 
Craig Beck commented:
I've never done it on an SG500, but it is possible. The config guide (p. 428) shows how to configure it.

http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/administration_guide/500_Series_Admin_Guide.pdf
 
wmtrader (Author) commented:
I don't see it on the SG500 I am working with.
I think I need to upgrade the SG500's firmware to get that feature.
I will upgrade to the latest firmware and try that.
Thanks.
 
gheist commented:
DHCPv6 is not the only way to automatically acquire an IPv6 address.
 
Craig Beck commented:
No, but it's the only way to acquire an IPv6 address via DHCP.

SLAAC, etc., isn't DHCP.
 
gheist commented:
Best would be to make an external DHCP server, not in any domain; Linux fits the bill quite well.
 
wmtrader (Author) commented:
I've worked with Windows DHCP servers but I've not worked with Linux DHCP servers.
(I've looked at Linux but I've not used it.)
I will need to set up the Linux DHCP server to support 2 different Windows SBS 2011 domains on the same LAN.

Any advice on which Linux distro?
Any advice on setting up the Linux DHCP to support 2 different Windows SBS 2011 domains on the same LAN?
 
gheist commented:
You can make a desktop VM initially. I would choose openSUSE with YaST, i.e. a local GUI to manage IP reservations.
The other option is Webmin, but that has a very rainy security record.
If you feel courageous, probably Ubuntu, Debian, or CentOS, but then it is editing huge IP reservation files.
 
Craig Beck commented:
Where has external DHCP come from?

DHCP should be dealt with by the SBS servers. It will make life much easier for clients, especially in an SBS domain.

@wmtrader - is there any reason why you want to block DHCPv6?  Are you running it at each site?

Did you do the firmware upgrade on the switches?
 
wmtrader (Author) commented:
"Is there any reason why you want to block DHCPv6?"
The 2008 DHCP server stops if it sees another IPv4 and/or IPv6 DHCP server on the LAN.
The first 2008 DHCP server that is on stays on, and the second server turned on will disable its DHCP service until it no longer sees the first DHCP server.
I then get one domain with a DHCP server and one without a DHCP server, depending on which 2008 DHCP server is active first.
I also get PCs getting the wrong DNS server IP settings. PCs in domain 1 will get the IP of the DNS server in domain 2, or the other way around.

"Did you do the firmware upgrade on the switches?"
No, that switch is supporting everything in the second office, and that office/plant is running from 7 am to 3 am.
I am upgrading a spare switch today and I will swap it out tonight at 4 am and stick around to see the results.
 
wmtrader (Author) commented:
How do I enable DHCPv6 Guard on a Cisco SG500-52P with firmware version 1.4.5.02 (the most current firmware) to block IPv6 DHCP traffic?

I have gone through the Cisco SG500 manual and I am not understanding how to enable this feature.
 
wmtrader (Author) commented:
Still working on enabling DHCPv6 Guard.
 
wmtrader (Author) commented:
I never got DHCPv6 Guard to work. I went through the steps to enable it but had no success in getting it to work. Not sure if it is the wrong solution or if I simply failed to set it up correctly.