How to Configure ACL to block illegal DHCP server on Zyxel Switches running in cloud mode?
Background
Use an ACL on a Nebula-managed switch to block illegal (rogue) DHCP servers, so that clients receive their DHCP IP address settings only from the trusted server.
Scenario and Topology
This topic introduces how to use an ACL to block illegal DHCP servers. The idea is to match the server-to-client direction of DHCP (UDP source port 67 to destination port 68), allow it only from the trusted server's IP address, and deny it from everyone else.
Configuration
The following steps apply to switches supported on Nebula Control Center. The Nebula-supported switches are listed in the following topic: [NEBULA] What model supports Nebula CC currently? — Zyxel Community
Notice: the GS1350 and GS1915 series do not support ACL in cloud mode.
1 Configure ACL
1.1 Go to “Site-wide > Configure > Switches > ACL” and add the first rule:
“Policy: allow, Protocol: UDP, Source MAC: any, Source IP: 10.214.48.254 (type your own DHCP server IP here), Source Port: 67, Destination MAC: any, Destination IP: any, Destination Port: 68, VLAN: any, and a description of this rule.”
This rule allows the trusted DHCP server to provide DHCP IP settings: DHCP OFFER and ACK packets are sent by the server from UDP port 67 to the client's UDP port 68.
1.2 After setting up the allow rule, add a deny rule that stops all other (illegal) DHCP servers from sending OFFER and ACK packets:
“Policy: deny, Protocol: UDP, Source MAC: any, Source IP: any, Source Port: 67, Destination MAC: any, Destination IP: any, Destination Port: 68, VLAN: any, and a description of this rule.”
Verification
Using a Windows PC as the DHCP client, open cmd and run “ipconfig” to check the IPv4 address it currently holds (“ipconfig /all” also shows which DHCP server issued it).
Then run “ipconfig /release” followed by “ipconfig /renew” so that the client sends a new DHCP DISCOVER.
After the renew completes, the IP settings are the same as before, meaning the client was served by the trusted DHCP server and the ACL blocked the illegal server's OFFER packet. For the test to be meaningful, the illegal DHCP server must be active on the same VLAN while you renew; otherwise the result only proves that the trusted server still works.
Note
1. If you have several DHCP servers in your network, add every one of them to the allow list (one allow rule per server IP), or your clients may not receive DHCP IP settings.
2. Make sure the allow rules for the trusted DHCP servers are placed above the deny rule. The ACL is evaluated from top to bottom and the first matching rule decides, so if the deny rule comes first, all DHCP packets from the trusted servers are denied as well.
3. If clients reach the DHCP server through a DHCP relay (for example, an L3 gateway with a relay or helper address), the OFFER and ACK packets the client sees are sent by the relay from its own interface IP with UDP source port 67, so the relay's address is the one that must appear in the allow rule.
4. These rules match on the source IP address written in the packet and do not verify who actually sent it; a rogue server that spoofs the trusted server's address is not stopped by this ACL.
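To make the first-match behaviour behind Notes 1 and 2 concrete, here is an added example that models the two ACL rules above as an ordered rule list and runs constructed sample DHCP packets through it. It is illustration code written for this article, not Zyxel or Nebula code: the matching logic, the sample MAC and IP addresses, and the implicit allow for traffic that no rule matches are assumptions. A small DHCP option 53 decoder labels each sample packet (DISCOVER, OFFER, ACK) so you can see that the ACL decision depends only on the addresses and ports, and that swapping the rule order denies the trusted server too.

```python
"""Ordered first-match model of the two ACL rules in this article.
Added illustration, not Zyxel/Nebula code: match logic, sample addresses
and the implicit "allow when nothing matches" default are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
import struct

TRUSTED_DHCP_SERVER = "10.214.48.254"  # the server IP used in the article
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    src_port: int
    dst_mac: str
    dst_ip: str
    dst_port: int
    proto: str = "UDP"
    vlan: int = 1
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    """One ACL line; each field is 'any' (wildcard) or an exact value."""
    policy: str
    proto: str = "any"
    src_mac: str = "any"
    src_ip: str = "any"
    src_port: int | str = "any"
    dst_mac: str = "any"
    dst_ip: str = "any"
    dst_port: int | str = "any"
    vlan: int | str = "any"
    description: str = ""

    def matches(self, p: Packet) -> bool:
        pairs = [(self.proto, p.proto), (self.src_mac, p.src_mac),
                 (self.src_ip, p.src_ip), (self.src_port, p.src_port),
                 (self.dst_mac, p.dst_mac), (self.dst_ip, p.dst_ip),
                 (self.dst_port, p.dst_port), (self.vlan, p.vlan)]
        return all(w == "any" or str(w) == str(h) for w, h in pairs)


def evaluate(rules: list[Rule], pkt: Packet, default: str = "allow") -> str:
    """Rules are checked top to bottom; the first match decides the verdict."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.policy
    return default  # assumed implicit allow for traffic no rule covers


def build_dhcp(op: int, msg_type: int) -> bytes:
    """Constructed minimal DHCP payload: 236-byte BOOTP header, cookie, option 53, end."""
    header = struct.pack("!BBBB", op, 1, 6, 0) + bytes(232)
    return header + DHCP_MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def dhcp_message_type(payload: bytes) -> str | None:
    """Decode option 53 (RFC 2132) so sample packets can be labelled OFFER/ACK/..."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        return None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                              # pad option, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:
            return DHCP_MSG_TYPES.get(payload[i + 2], "UNKNOWN")
        i += 2 + length
    return None


# The two rules exactly as the article describes them, in the correct order.
ACL_CORRECT = [
    Rule("allow", proto="UDP", src_ip=TRUSTED_DHCP_SERVER, src_port=67, dst_port=68,
         description="trusted DHCP server"),
    Rule("deny", proto="UDP", src_port=67, dst_port=68,
         description="block every other DHCP server"),
]
ACL_WRONG_ORDER = ACL_CORRECT[::-1]  # deny above allow: the mistake Note 2 warns about

CLIENT = "aa:bb:cc:00:00:01"  # constructed sample addresses, not from the article
SAMPLE_TRAFFIC = {
    "client_discover": Packet(CLIENT, "0.0.0.0", 68, "ff:ff:ff:ff:ff:ff",
                              "255.255.255.255", 67, payload=build_dhcp(1, 1)),
    "trusted_offer": Packet("00:11:22:33:44:55", TRUSTED_DHCP_SERVER, 67, CLIENT,
                            "10.214.48.20", 68, payload=build_dhcp(2, 2)),
    "rogue_offer": Packet("de:ad:be:ef:00:01", "192.168.1.1", 67, CLIENT,
                          "192.168.1.100", 68, payload=build_dhcp(2, 2)),
    "rogue_ack": Packet("de:ad:be:ef:00:01", "192.168.1.1", 67, CLIENT,
                        "192.168.1.100", 68, payload=build_dhcp(2, 5)),
}


def run_acl(rules: list[Rule]) -> dict[str, str]:
    """Verdict per sample packet, e.g. {'rogue_offer': 'deny', ...}."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("allow above deny", ACL_CORRECT), ("deny above allow", ACL_WRONG_ORDER)):
        print(label, run_acl(acl))
```

Running the script prints one verdict map per rule order: with the allow rule on top, the client's DISCOVER (port 68 to 67) matches neither rule and passes, the trusted OFFER is allowed, and the rogue OFFER and ACK are denied; with the deny rule on top, the trusted OFFER is denied as well, which is exactly the failure Note 2 describes. Note that `evaluate` never looks at the decoded message type, mirroring the real ACL, which only sees addresses, ports and VLAN.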
Zyxel Melen