wmtrader asked:

MAC Access List to Block DHCP Traffic on a Cisco SG500

I need to block DHCP traffic on a single port of a Cisco SG500 52-port switch.
I am of the understanding that I can use a MAC access list to do this but I am unfamiliar with setting up a MAC access list.

How do I set up a MAC access list on a single port to block DHCP traffic on a Cisco SG500?
gheist

A MAC access list will not block a single protocol.
You need a TCP access list with ports, and remember that such a list is not parsed by the ASIC, and it will load the switch CPU.

It would help if you tell us what the problem is and what the normal situation without the problem is.
wmtrader (ASKER)

I have two Windows 2011 SBS DHCP servers in their own domain and they need to be on the same VLAN.
Each server is plugged into its own switch and the switches are connected via a WAN link.
Both are DHCP servers that need to provide IP assignments to their domain clients on the same switch.
All traffic between the two segments needs to flow but I need to stop the DHCP request.

I know this can be done on some switches, block a protocol on a single or multiple ports, but I do not see this on the SG500.

Each time I have asked different variations of this question I get a lot of people trying to teach me networking, going off on side tracks or just saying "don't do it". Some people ask so many questions that it comes across as if they want justification for my need to do it this way before they answer the question, and usually they don't. I've been in IT for 18 years so I don't need to be taught about DHCP, routing, protocol ports or some other networking subject. I do need help in trying to block DHCP between two switches on the same VLAN; it must be done this way.

gheist

Make a separate DHCP server not bound to any domain.
Two DHCP servers cannot co-exist on the same broadcast network.
Craig Beck
This is what DHCP snooping is for. Configure DHCP snooping on each switch for the VLAN you want to control then set the port where the DHCP server is connected on each switch to trusted. That will stop each switch from allowing the remote DHCP server to service the clients on the other switch.

DHCP is UDP so a TCP access-expression won't work.
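The trusted-port model described in this answer (the server's port trusted, every other port not) can also be checked passively from a mirror port. The script below is an added example, not from this thread or from Cisco: it classifies DHCPv4 OFFER/ACK and DHCPv6 ADVERTISE/REPLY payloads against a constructed allowlist of trusted server MACs (the MAC values are placeholders), so the IPv6 case that DHCP snooping on the SG500 does not cover is caught as well.

```python
from typing import Dict, Optional

# Constructed allowlist: MAC of the SBS DHCP server behind the trusted port (placeholder value).
TRUSTED_SERVER_MACS = {"00:11:22:33:44:55"}
DHCPV4_MAGIC = b"\x63\x82\x53\x63"
V4_SERVER_MSGS = {2: "OFFER", 5: "ACK"}          # DHCPv4 option 53 values sent by servers
V6_SERVER_MSGS = {2: "ADVERTISE", 7: "REPLY"}    # DHCPv6 msg-type values sent by servers


def parse_dhcpv4_options(payload: bytes) -> Dict[int, bytes]:
    """Return {option: value} from a DHCPv4 UDP payload (236-byte BOOTP header, magic cookie, TLV options)."""
    if len(payload) < 240 or payload[236:240] != DHCPV4_MAGIC:
        return {}
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad, carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                    # truncated option header
            break
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify(src_mac: str, udp_dst_port: int, payload: bytes) -> Optional[str]:
    """Alert string if a server-side DHCP message comes from a MAC that is not trusted, else None."""
    if src_mac.lower() in TRUSTED_SERVER_MACS:
        return None
    if udp_dst_port == 68:                                   # DHCPv4 server -> client
        opts = parse_dhcpv4_options(payload)
        name = V4_SERVER_MSGS.get((opts.get(53) or b"\x00")[0])
        if name:
            dns = ".".join(str(b) for b in opts.get(6, b"")[:4]) or "none"
            return f"untrusted DHCPv4 {name} from {src_mac} (offers DNS {dns})"
    elif udp_dst_port == 546 and payload:                    # DHCPv6 server -> client
        name = V6_SERVER_MSGS.get(payload[0])
        if name:
            return f"untrusted DHCPv6 {name} from {src_mac}"
    return None


def build_dhcpv4_offer(dns_ip: bytes) -> bytes:
    """Constructed minimal DHCPv4 OFFER: zeroed BOOTP header, magic cookie, options 53, 6 and end."""
    return bytes(236) + DHCPV4_MAGIC + b"\x35\x01\x02" + b"\x06\x04" + dns_ip + b"\xff"


if __name__ == "__main__":
    offer = build_dhcpv4_offer(bytes([192, 168, 2, 10]))    # constructed sample from a second server
    for mac, port, pkt in [("00:11:22:33:44:55", 68, offer), ("aa:bb:cc:dd:ee:ff", 68, offer),
                           ("aa:bb:cc:dd:ee:ff", 546, b"\x02\x00\x00\x01")]:
        print(classify(mac, port, pkt))
```

Feed it the source MAC, UDP destination port and UDP payload of each frame captured on a mirror port; anything it reports is a server answering clients from a port that should not be trusted.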
I tried DHCP snooping on the SG500; it blocks IPv4 DHCP traffic but it won't block IPv6 DHCP traffic.
You need to use DHCPv6 Guard for IPv6.
I have not seen anything called DHCPv6 Guard on a Cisco SG500.
How do I enable DHCPv6 Guard on a Cisco SG500?
ASKER CERTIFIED SOLUTION
Craig Beck

This solution is only available to members.
I don't see it on the SG500 I am working with.
I think I need to upgrade the SG500's firmware to get that feature.
I will upgrade to the latest firmware and try that.
thanks
DHCPv6 is not the only way to automatically acquire an IPv6 address.
No, but it's the only way to acquire an IPv6 address via DHCP.

SLAAC, etc, isn't DHCP.
Best would be to make an external DHCP server, not in any domain; Linux fits the bill quite well.
I've worked with Windows DHCP servers but I've not worked with Linux DHCP servers.
(I've looked at Linux but I've not used it.)
I will need to set up the Linux DHCP server to support 2 different Windows SBS 2011 domains on the same LAN.

Any advice on which Linux distro?
Any advice on setting up the Linux DHCP to support 2 different Windows SBS 2011 domains on the same LAN?
You can make a desktop VM initially. I would choose openSUSE with YaST, i.e. a local GUI to manage IP reservations.
The other option is webmin, but that has a very rainy security record.
If you feel courageous, probably Ubuntu, Debian, or CentOS, but then it is editing huge IP reservation files.
Where has external DHCP come from?

DHCP should be dealt with by the SBS servers. It will make life much easier for clients, especially in a SBS domain.

@wmtrader - is there any reason why you want to block DHCPv6?  Are you running it at each site?

Did you do the firmware upgrade on the switches?
is there any reason why you want to block DHCPv6?
The 2008 DHCP server stops if it sees another IPv4 and/or IPv6 DHCP server on the LAN.
The first 2008 DHCP server that is on stays on, and the second server turned on will disable its DHCP service until it no longer sees the first DHCP server.
I then get one domain with a DHCP server and one without a DHCP server depending on which 2008 DHCP server is active first.
I also get PCs getting the wrong DNS server IP settings. PCs in domain 1 will get the IP of the DNS server in domain 2 or the other way around.

Did you do the firmware upgrade on the switches?
No, that switch is supporting everything in the second office and that office/plant is running from 7 am to 3 am.
I am upgrading a spare switch today and I will swap it out tonight at 4 am and stick around to see the results.
How do I enable DHCPv6 Guard on a Cisco SG500-52P with firmware version 1.4.5.02 (the most current firmware) to block IPv6 DHCP traffic?

I have gone through the Cisco SG500 manual and I am not understanding how to enable this feature.
Still working on enabling DHCPv6 Guard.
I never got DHCPv6 Guard to work. I went through the steps to enable it but had no success in getting it to work. Not sure if it is the wrong solution or if I simply failed to set it up correctly.