
    How to block a fake DHCP server without enabling DHCP snooping?

    Scenario

    How can a rogue (fake) DHCP server be blocked without enabling DHCP snooping, while still meeting the following requirements?

    1. The trusted DHCP server is connected on port 40.

    2. DHCP server replies entering the switch on any other port must be dropped.

    Step

    Without enabling the DHCP snooping feature, the switch's ACL feature (a classifier that matches the traffic plus a policy rule that acts on it) can meet the requirement above.

    Configure the following classifiers and policy rules on the switch with CLI commands.

    Classifier

    classifier "block DHCP" ethernet-type ip ip-protocol udp source-socket 67 destination-socket 68

    => Matches DHCP server-to-client traffic (IPv4, UDP source port 67 to destination port 68) arriving on any port. This is the traffic a rogue server sends.

    classifier "allow DHCP" ethernet-type ip source-port 40 ip-protocol udp source-socket 67 destination-socket 68

    => Matches the same DHCP server traffic only when it enters the switch on port 40, where the trusted server is connected. Both classifiers match the trusted server's replies, so the policy built on this classifier must take precedence over the blocking policy.

    Policy Rule

    policy allow classifier "allow DHCP" egress-port 1 priority 0 dscp 0 tos 0 bandwidth 0 out-of-profile-dscp 0

    => Applies classifier "allow DHCP". No forward-action drop is given, so the trusted server's replies from port 40 are forwarded normally.

    policy block classifier "block DHCP" egress-port 1 priority 0 dscp 0 tos 0 bandwidth 0 out-of-profile-dscp 0 forward-action drop

    => Applies classifier "block DHCP" with forward-action drop, so DHCP server replies entering on any other port are discarded.

    Verification

    Connect the trusted DHCP server on port 40 and the PC on port 10.

    The PC can receive the IP address successfully.

    If instead another DHCP server is connected to any other port and port 40 is disconnected, the PC on port 10 gets no IP address, because the other server's offers are dropped by the "block DHCP" policy.

    Two caveats to keep in mind: the classifiers match DHCPv4 only (UDP 67 to 68), so DHCPv6 (UDP 547 to 546) is not covered, and a deliberately crafted reply sent from a source port other than 67 is not matched by either classifier (whether a client accepts such a reply depends on the client implementation). This ACL stops a misconfigured or casually plugged-in DHCP server; DHCP snooping remains the more robust control against a hostile host where it is available.
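    The verification step above only says that the PC "can receive an IP address". To see which server actually answered, the following added example (not part of the original post, and not Zyxel code) broadcasts a DHCPDISCOVER from the test PC and reports every DHCPOFFER that comes back with the responder's IP, source port and option 54 (server identifier). Run it as root on the PC on port 10 with the machine's own DHCP client stopped, since it binds UDP/68. The DHCP message formats follow RFC 2131; make_sample_offer() builds a constructed (not captured) offer so the parser can be tried offline.

```python
"""DHCPv4 probe for checking which server answers on a switch port."""
import os
import socket
import struct
import time

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_discover(mac: bytes, xid: int) -> bytes:
    """RFC 2131 fixed header (236 bytes) + magic cookie + options 53, 55, 255."""
    if len(mac) != 6:
        raise ValueError("chaddr must be a 6-byte MAC")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,        # xid, secs, flags: BROADCAST bit set so the offer
                               # goes to 255.255.255.255:68 and our socket sees it
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr sname file
    )
    options = bytes([53, 1, 1]) + bytes([55, 3, 1, 3, 6]) + bytes([255])
    return header + MAGIC_COOKIE + options


def parse_reply(data: bytes, xid: int):
    """Return {'type', 'yiaddr', 'server_id'} for a BOOTREPLY matching xid, else None."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        return None
    op, _htype, _hlen, _hops, reply_xid = struct.unpack("!BBBBI", data[:8])
    if op != 2 or reply_xid != xid:
        return None
    opts = {}
    i = 240
    while i < len(data) and data[i] != 255:      # 255 = end option
        if data[i] == 0:                         # 0 = pad
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = opts.get(53, b"\0")[0]
    server_id = socket.inet_ntoa(opts[54]) if len(opts.get(54, b"")) == 4 else None
    return {
        "type": MSG_TYPES.get(msg_type, str(msg_type)),
        "yiaddr": socket.inet_ntoa(data[16:20]),
        "server_id": server_id,
    }


def make_sample_offer(xid: int, yiaddr: str, server_ip: str) -> bytes:
    """Constructed DHCPOFFER (not a capture) so parse_reply can be tried offline."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,   # op=BOOTREPLY
        b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server_ip), b"\0" * 4,
        b"\0" * 16, b"\0" * 64, b"\0" * 128,
    )
    options = (bytes([53, 1, 2]) + bytes([54, 4]) + socket.inet_aton(server_ip)
               + bytes([51, 4]) + struct.pack("!I", 3600) + bytes([255]))
    return header + MAGIC_COOKIE + options


def probe(timeout: float = 5.0):
    """Broadcast one DISCOVER and collect every OFFER received within the timeout."""
    xid = int.from_bytes(os.urandom(4), "big")
    mac = b"\x02" + os.urandom(5)      # random locally administered test MAC
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", 68))                # DHCP client port; needs root
    sock.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
    offers = []
    deadline = time.monotonic() + timeout
    while (remaining := deadline - time.monotonic()) > 0:
        sock.settimeout(remaining)
        try:
            data, (src_ip, src_port) = sock.recvfrom(2048)
        except socket.timeout:
            break
        reply = parse_reply(data, xid)
        if reply:
            reply["from"] = f"{src_ip}:{src_port}"   # a conforming server sends from 67
            offers.append(reply)
    sock.close()
    return offers


if __name__ == "__main__":
    for offer in probe():
        print(offer)
    # No output means no server answered: the expected result when only a
    # rogue server is connected and port 40 is disconnected.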

    Original source: https://www.cnblogs.com/fklin/p/5753459.html