Solved

MAC Access List to Block DHCP Traffic on a Cisco SG500

Posted on 2016-10-11
Last Modified: 2016-11-01
I need to block DHCP traffic on a single port of a Cisco SG500 52-port switch.
I am of the understanding that I can use a MAC access list to do this but I am unfamiliar with setting up a MAC access list.

How do I set up a MAC access list on a single port to block DHCP traffic on a Cisco SG500?
Question by:wmtrader
19 Comments
 
Expert Comment

by:gheist
ID: 41840876
A MAC access list will not block a single protocol.
You need a TCP access list with ports, and remember that such a list is not parsed by the ASIC, so it will load the switch CPU.

It would help if you told us what the problem is and what the normal situation without the problem is.
 

Author Comment

by:wmtrader
ID: 41840914
I have two Windows 2011 SBS DHCP servers in their own domains and they need to be on the same VLAN.
Each server is plugged into its own switch and the switches are connected via a WAN link.
Both are DHCP servers that need to provide IP assignments to their domain clients on the same switch.
All traffic between the two segments needs to flow but I need to stop the DHCP requests.

I know this can be done on some switches, blocking a protocol on a single port or multiple ports, but I do not see this on the SG500.

Each time I have asked different variations of this question I get a lot of people trying to teach me networking, going off on side tracks or just saying "don't do it". Some people ask so many questions that it comes across as if they want justification for my need to do it this way before they answer the question, and usually they don't. I've been in IT for 18 years so I don't need to be taught about DHCP, routing, protocol ports or some other networking subject. I do need help in trying to block DHCP between two switches on the same VLAN; it must be done this way.
 
Expert Comment

by:gheist
ID: 41840980
Make a separate DHCP server not bound to any domain.
2 DHCP servers cannot co-exist on the same broadcast network.
 
Expert Comment

by:Craig Beck
ID: 41841056
This is what DHCP snooping is for. Configure DHCP snooping on each switch for the VLAN you want to control then set the port where the DHCP server is connected on each switch to trusted. That will stop each switch from allowing the remote DHCP server to service the clients on the other switch.

DHCP is UDP so a TCP access-expression won't work.
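The DHCP snooping arrangement described in this comment, written out as an SG500 CLI configuration fragment for one of the two switches. This is an added example, not from the thread or from Cisco's documentation; the VLAN number (10), the port holding the local SBS server (gi1/1/1) and the port carrying the link to the other office's switch (gi1/1/52) are assumptions.

```cisco
! Added example (not from the thread or Cisco docs). Assumes VLAN 10, that
! the local SBS DHCP server hangs off gi1/1/1, and that gi1/1/52 is the link
! to the other office's switch. Configure the second switch the same way,
! trusting only ITS local server port.
configure terminal
! Enable DHCP snooping globally, then on the VLAN both offices share.
ip dhcp snooping
ip dhcp snooping vlan 10
! Ports are untrusted by default. Trust only the port facing the local DHCP
! server: DHCP server messages (OFFER/ACK) arriving on any other port of the
! snooped VLAN are dropped by the switch.
interface gi1/1/1
 ip dhcp snooping trust
exit
! Leave the inter-switch link untrusted on purpose. Offers from the remote
! office's SBS server arrive here and are discarded before they reach local
! clients, while client DISCOVER/REQUEST messages and all non-DHCP traffic
! still cross the link normally.
interface gi1/1/52
 no ip dhcp snooping trust
exit
end
! Verification: VLAN 10 should be listed as snooped and only gi1/1/1 as trusted;
! the binding table fills with leases handed out by the local server.
show ip dhcp snooping
show ip dhcp snooping binding
```

DHCP snooping on the Sx500 inspects IPv4 DHCP only, which is the gap the rest of the thread runs into with DHCPv6.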
 

Author Comment

by:wmtrader
ID: 41841070
I tried DHCP snooping on the SG500; it blocks IPv4 DHCP traffic but it won't block IPv6 DHCP traffic.
 
Expert Comment

by:Craig Beck
ID: 41841105
You need to use DHCPv6 Guard for IPv6.
 

Author Comment

by:wmtrader
ID: 41841119
I have not seen anything called DHCPv6 Guard on a Cisco SG500.
How do I enable DHCPv6 Guard on a Cisco SG500?
 
Accepted Solution

by:Craig Beck (earned 500 total points)
ID: 41841129
I've never done it on an SG500, but it is possible. The config guide (p. 428) shows how to configure it.

http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/administration_guide/500_Series_Admin_Guide.pdf
 

Author Comment

by:wmtrader
ID: 41841132
I don't see it on the SG500 I am working with.
I think I need to upgrade the SG500's firmware to get that feature.
I will upgrade to the latest firmware and try that.
Thanks.

 
Expert Comment

by:gheist
ID: 41841377
DHCPv6 is not the only way to automatically acquire an IPv6 address.
 
Expert Comment

by:Craig Beck
ID: 41841415
No, but it's the only way to acquire an IPv6 address via DHCP.

SLAAC, etc., isn't DHCP.
 
Expert Comment

by:gheist
ID: 41842605
Best would be to make an external DHCP server, not in any domain; Linux fits the bill quite well.
 

Author Comment

by:wmtrader
ID: 41842622
I've worked with Windows DHCP servers but I've not worked with Linux DHCP servers.
(I've looked at Linux but I've not used it.)
I will need to set up the Linux DHCP server to support 2 different Windows SBS 2011 domains on the same LAN.

Any advice on which Linux distro?
Any advice on setting up the Linux DHCP server to support 2 different Windows SBS 2011 domains on the same LAN?
 
Expert Comment

by:gheist
ID: 41842632
You can make a desktop VM initially. I would choose openSUSE with YaST, i.e. a local GUI to manage IP reservations.
The other option is Webmin, but that has a very rainy security record.
If you feel courageous, probably Ubuntu, Debian, or CentOS, but then it is editing huge IP reservation files.
 
Expert Comment

by:Craig Beck
ID: 41842712
Where has external DHCP come from?

DHCP should be dealt with by the SBS servers. It will make life much easier for clients, especially in an SBS domain.

@wmtrader - is there any reason why you want to block DHCPv6?  Are you running it at each site?

Did you do the firmware upgrade on the switches?
 

Author Comment

by:wmtrader
ID: 41842766
is there any reason why you want to block DHCPv6?
The 2008 DHCP server stops if it sees another IPv4 and/or IPv6 DHCP server on the LAN.
The first 2008 DHCP server that is on stays on, and the second server turned on will disable its DHCP service until it no longer sees the first DHCP server.
I then get one domain with a DHCP server and one without a DHCP server, depending on which 2008 DHCP server is active first.
I also get PCs getting the wrong DNS server IP settings. PCs in domain 1 will get the IP of the DNS server in domain 2, or the other way around.

Did you do the firmware upgrade on the switches?
No, that switch is supporting everything in the second office, and that office/plant is running from 7 am to 3 am.
I am upgrading a spare switch today and I will swap it out tonight at 4 am and stick around to see the results.
 

Author Comment

by:wmtrader
ID: 41846245
How do I enable DHCPv6 Guard on a Cisco SG500-52P with firmware version 1.4.5.02 (the most current firmware) to block IPv6 DHCP traffic?

I have gone through the Cisco SG500 manual and I am not understanding how to enable this feature.
 

Author Comment

by:wmtrader
ID: 41846280
Still working on enabling DHCPv6 Guard.
 

Author Comment

by:wmtrader
ID: 41850015
I never got DHCPv6 Guard to work. I went through the steps to enable it but had no success in getting it to work. Not sure if it is the wrong solution or if I simply failed to set it up correctly.