How to Configure ACL to block illegal DHCP servers on Zyxel Switches running in cloud mode?
Use an ACL to block illegal DHCP servers on a Nebula switch so that clients get the correct DHCP IP address settings.
This topic introduces how to use an ACL to block illegal DHCP servers.
The following steps are applicable to switches supported by Nebula Control Center. Nebula-supported switches are listed in the following topic: [NEBULA] What model supports Nebula CC currently? — Zyxel Community
Notice: The GS1350 and GS1915 series do not support ACL in cloud mode.
1 Configure ACL
1.1 Go to “Switch > configure > ACL” to add the first rule:
“Policy: allow, Protocol: UDP, Source MAC: any, Source IP: 10.214.48.254 (enter your own DHCP server IP), Source Port: 67, Destination MAC: any, Destination IP: any, Destination Port: 68, VLAN: any, and the description of this rule.”
This rule allows the trusted DHCP server to provide DHCP IP settings.
1.2 After setting up the allow rule, we need to add a deny rule to deny other illegal DHCP servers from sending OFFER and
“Policy: deny, Protocol: UDP, Source MAC: any, Source IP: any, Source Port: 67, Destination MAC: any, Destination IP: any, Destination Port: 68, VLAN: any, and the description of this rule.”
Using a Windows PC as your DHCP client, open cmd and run the command “ipconfig” to check the IPv4 address.
Then run “ipconfig /release” and “ipconfig /renew” to make the client send a new DHCP discover packet.
After the renew process is done, we can see the IP setting is the same as above. This means the ACL did block the illegal DHCP offer packet.
1. If you have many DHCP servers in your network environment, you need to add all of your DHCP servers to the allow list, or your clients may not receive DHCP IP settings.
2. Make sure the allow rules for trusted DHCP servers are above the deny rule. Otherwise, all DHCP packets from trusted DHCP servers will also be denied.
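The effect of the two notes above, modelled as an added Python example (not Zyxel's code and not part of the original article). It assumes the switch evaluates rules top-down with the first match winning and forwards traffic that matches no rule; the addresses 10.214.48.253 and 192.168.1.1 are constructed.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    # Only the fields the article sets; MAC, destination IP and VLAN are "any" in both rules.
    policy: str      # "allow" or "deny"
    src_ip: str      # an address or ANY
    src_port: int
    dst_port: int
    protocol: str = "UDP"

    def matches(self, pkt):
        return (pkt["protocol"] == self.protocol
                and self.src_ip in (ANY, pkt["src_ip"])
                and pkt["src_port"] == self.src_port
                and pkt["dst_port"] == self.dst_port)

def evaluate(rules, pkt, default="allow"):
    """First matching rule wins, top-down (assumed); unmatched traffic gets `default` (assumed)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.policy
    return default

def server_reply(src_ip):
    # Server-to-client DHCP traffic (OFFER/ACK): UDP 67 -> 68.
    return {"protocol": "UDP", "src_ip": src_ip, "src_port": 67, "dst_port": 68}

def client_request(src_ip="0.0.0.0"):
    # Client-to-server DHCP traffic (DISCOVER/REQUEST): UDP 68 -> 67.
    return {"protocol": "UDP", "src_ip": src_ip, "src_port": 68, "dst_port": 67}

def dropped_servers(rules, trusted_ips):
    """Trusted DHCP servers whose replies this rule list would deny."""
    return [ip for ip in trusted_ips if evaluate(rules, server_reply(ip)) == "deny"]

ALLOW_TRUSTED = Rule("allow", "10.214.48.254", 67, 68)   # rule 1.1 from the article
DENY_OTHERS = Rule("deny", ANY, 67, 68)                  # rule 1.2 from the article
CORRECT_ORDER = [ALLOW_TRUSTED, DENY_OTHERS]
WRONG_ORDER = [DENY_OTHERS, ALLOW_TRUSTED]
TRUSTED = ["10.214.48.254", "10.214.48.253"]  # second server is constructed, not allow-listed
ROGUE = "192.168.1.1"                         # constructed illegal DHCP server

if __name__ == "__main__":
    print("rogue reply:", evaluate(CORRECT_ORDER, server_reply(ROGUE)))
    print("client DISCOVER:", evaluate(CORRECT_ORDER, client_request()))
    print("dropped, correct order:", dropped_servers(CORRECT_ORDER, TRUSTED))
    print("dropped, deny rule first:", dropped_servers(WRONG_ORDER, TRUSTED))
```

Under these assumptions, the correct order drops only the trusted server that was never added to the allow list, while putting the deny rule first drops every trusted server.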