How to Configure ACL to block illegal DHCP server on Zyxel Switches running in cloud mode?

Zyxel_Melen (Zyxel Employee)
edited June 2023 in Network Security

Background

Use an ACL to block illegal (rogue) DHCP servers on a Nebula switch so that clients receive the correct DHCP IP address settings.

Scenario and Topology

Because Nebula does not currently support DHCP snooping, we can use an ACL to allow only the trusted DHCP server IP address to send DHCP packets from UDP port 67 and to deny every other source IP address. This blocks illegal DHCP servers from providing DHCP IP settings to clients.
This topic introduces how to use an ACL to block illegal DHCP servers.

Configuration

The following steps apply to switches supported on Nebula Control Center. The supported switch models are listed in this topic: [NEBULA] What model supports Nebula CC currently? — Zyxel Community

Notice: the GS1350 and GS1915 series do not support ACL in cloud mode.

Configure ACL

1.1 Go to “Site-wide > Configure > Switches > ACL” and add the first rule:
“Policy: allow, Protocol: UDP, Source MAC: any, Source IP: 10.214.48.254 (type your own DHCP server IP), Source Port: 67, Destination MAC: any, Destination IP: any, Destination Port: 68, VLAN: any, and a description for this rule.”
This rule allows the trusted DHCP server to provide DHCP IP settings.

1.2 After setting up the allow rule, add a deny rule so that other (illegal) DHCP servers cannot send OFFER and ACK packets:
“Policy: deny, Protocol: UDP, Source MAC: any, Source IP: any, Source Port: 67, Destination MAC: any, Destination IP: any, Destination Port: 68, VLAN: any, and a description for this rule.”



Verification

Using a Windows PC as the DHCP client, open cmd and run “ipconfig” to check the IPv4 address.

Then run “ipconfig /release” followed by “ipconfig /renew” so that the client sends a new DHCP Discover packet.

After the renew process completes, the IP settings are the same as before. This means the ACL blocked the illegal DHCP Offer packet.

 

Note

1. If you have several DHCP servers in your network, add every one of them to the allow list; otherwise clients may not receive DHCP IP settings.

2. Make sure the allow rules for the trusted DHCP servers are placed above the deny rule. Otherwise, DHCP packets from the trusted DHCP servers will also be denied.
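The following is an added example (not code from the Zyxel post or from Nebula): a small first-match ACL evaluator that models the two rules from the Configure ACL steps and demonstrates Note 2 by evaluating the same packets with the rules in the correct order and with the deny rule placed first. It assumes rules are evaluated top-down with first match winning and that a packet matching no rule is forwarded; the server address 10.214.48.254 comes from the post, the rogue server address and the client packets are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    policy: str              # "allow" or "deny"
    protocol: str            # "udp", "tcp" or "any"
    src_ip: str              # exact IPv4 address or "any"
    src_port: Optional[int]  # None means "any"
    dst_port: Optional[int]  # None means "any"
    description: str = ""

@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet ("any"/None are wildcards)."""
    return (rule.protocol in ("any", pkt.protocol)
            and rule.src_ip in ("any", pkt.src_ip)
            and rule.src_port in (None, pkt.src_port)
            and rule.dst_port in (None, pkt.dst_port))

def decide(rules: List[Rule], pkt: Packet) -> str:
    """Top-down, first-match evaluation; implicit permit is an assumption of this model."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.policy
    return "allow"

# The two rules from steps 1.1 and 1.2 (server-to-client DHCP is UDP 67 -> 68).
ALLOW_TRUSTED = Rule("allow", "udp", "10.214.48.254", 67, 68, "trusted DHCP server")
DENY_OTHERS = Rule("deny", "udp", "any", 67, 68, "block illegal DHCP servers")

# Constructed traffic: an OFFER/ACK from the trusted server, an OFFER from a
# rogue server (address made up for this example), and a client DISCOVER (68 -> 67).
TRAFFIC = {
    "trusted_offer": Packet("udp", "10.214.48.254", 67, 68),
    "rogue_offer": Packet("udp", "10.214.48.10", 67, 68),
    "client_discover": Packet("udp", "0.0.0.0", 68, 67),
}

def evaluate(rules: List[Rule]) -> dict:
    """Map each constructed packet name to the ACL decision under the given rule order."""
    return {name: decide(rules, pkt) for name, pkt in TRAFFIC.items()}

def correct_order() -> dict:
    return evaluate([ALLOW_TRUSTED, DENY_OTHERS])   # allow rule above deny rule (Note 2)

def wrong_order() -> dict:
    return evaluate([DENY_OTHERS, ALLOW_TRUSTED])   # deny rule first: trusted server also blocked
```

With the correct order only the rogue OFFER is denied; with the deny rule on top the trusted server's OFFER is denied as well, which is the failure Note 2 warns about.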