DHCP VACLs

Not all switch deployments are able to take advantage of DHCP snooping. A lower-tech alternative can be partially achieved with DHCP VACLs. The VACL specifies which source addresses are allowed to send DHCP replies. A reply is a UDP packet from server port 67 to client port 68, sent from the unicast IP address of the DHCP server offering the lease (or, when DHCP relay is in use, of the relay agent that forwards the offer). By filtering these replies on source address, rogue DHCP servers can be blocked. Consider the typical DHCP deployment depicted in Figure 6-9.

Figure 6-9. Common DHCP Deployment

Here, a local LAN is served by a remote DHCP server. The server receives DHCP requests through the DHCP relay configured on the default router. When the default router receives the lease offer back from the DHCP server, it passes it on to the client directly, so the client sees the offer with the router's address as its source. A client renewing an existing lease exchanges unicast DHCP messages with the server directly, so the server's own address must be permitted as well; that is why the VACL below permits two source addresses. Here is a VACL to protect against rogue DHCP servers in this example:

set security acl ip ROGUE-DHCP permit udp host any eq 68
set security acl ip ROGUE-DHCP permit udp host any eq 68
set security acl ip ROGUE-DHCP deny udp any any eq 68
set security acl ip ROGUE-DHCP permit ip any any

Starting from the point at which the user PC requests an initial lease, here is what happens:

1. The user PC boots up and sends a DHCP request (a DHCPDISCOVER) with source address 0.0.0.0 and destination address 255.255.255.255, UDP port 68 to port 67. The VACL's deny line matches only traffic to port 68, so this request is permitted by the final permit ip any any line.

2. Both the default router and the rogue DHCP server see this request.

3. The rogue DHCP server replies, but because the reply's source IP address is not one of the addresses permitted by the VACL, the reply is dropped by the access switch.

4. The default router relays the DHCP request to the real DHCP server, receives the reply, and passes the information on to the client. This reply carries a permitted source address, so the switch forwards it.

5. The client connects and uses the network.


Using VACLs to stop rogue DHCP servers is far from comprehensive protection. A rogue server could still spoof the IP address of the legitimate DHCP server or of the relay router, and the VACL has no way to distinguish such a reply from a genuine one. However, VACLs will stop every accidental DHCP server put on the network and will thwart most common attacks.
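To make the first-match evaluation of this VACL concrete, here is an added Python model, not code from the book, that applies the four rules in order to constructed packets for each step of the walk-through above. It also covers two cases the steps do not spell out: a renewal reply sent directly from the DHCP server, and the spoofing gap described in the previous paragraph. The addresses (router 192.0.2.1, DHCP server 198.51.100.10, rogue server 192.0.2.66, client 192.0.2.50) are placeholders from the RFC 5737 documentation ranges, not the addresses in Figure 6-9, and the rule model covers only the fields this VACL uses (protocol, source and destination host, destination port), not full CatOS semantics.

```python
"""Added example (not from the book): a first-match model of the ROGUE-DHCP
VACL, run over constructed packets that follow the lease walk-through.
All addresses are assumed placeholders, not those of Figure 6-9."""
from dataclasses import dataclass
from typing import Optional

ROUTER = "192.0.2.1"           # assumed: default router / DHCP relay agent
DHCP_SERVER = "198.51.100.10"  # assumed: the remote, legitimate DHCP server
ROGUE = "192.0.2.66"           # assumed: a rogue DHCP server on the local LAN
CLIENT = "192.0.2.50"          # assumed: address held by a renewing client


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "udp", "tcp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One 'set security acl ip ROGUE-DHCP ...' line. proto 'ip' matches any
    protocol; src/dst are 'any' or a single host (the VACL's 'host X');
    dst_port models the trailing 'eq <port>', which is the destination port."""
    action: str
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


# The four VACL lines, in order, with the (assumed) host addresses filled in.
ROGUE_DHCP = [
    Rule("permit", "udp", ROUTER, "any", 68),       # offers relayed by the router
    Rule("permit", "udp", DHCP_SERVER, "any", 68),  # direct unicast renewal replies
    Rule("deny", "udp", "any", "any", 68),          # any other reply to the client port
    Rule("permit", "ip", "any", "any"),             # everything else on the VLAN
]


def _addr_matches(spec: str, ip: str) -> bool:
    return spec == "any" or spec == ip


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_matches(rule.src, pkt.src_ip) and _addr_matches(rule.dst, pkt.dst_ip)):
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is implicitly denied."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def walkthrough() -> dict:
    """Constructed packets for the lease exchange, plus the two cases the text
    does not walk through: a direct renewal reply and a spoofed rogue reply."""
    cases = {
        # step 1: DHCPDISCOVER from a client that has no address yet
        "client_discover": Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
        # step 3: DHCPOFFER from the rogue server, using its own address
        "rogue_offer": Packet(ROGUE, "255.255.255.255", "udp", 67, 68),
        # step 4: the real offer, relayed onto the LAN by the default router
        "relayed_offer": Packet(ROUTER, "255.255.255.255", "udp", 67, 68),
        # renewal: the server answers the client's unicast DHCPREQUEST directly
        "renewal_ack": Packet(DHCP_SERVER, CLIENT, "udp", 67, 68),
        # the caveat: a rogue reply that spoofs the router's source address
        "spoofed_rogue_offer": Packet(ROUTER, "255.255.255.255", "udp", 67, 68),
        # unrelated traffic is untouched by the filter
        "web_request": Packet(CLIENT, "198.51.100.80", "tcp", 40000, 80),
    }
    return {name: evaluate(ROGUE_DHCP, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in walkthrough().items():
        print(f"{name:22s} {verdict}")
```

Running the script shows permit for the client's broadcast, the relayed offer and the direct renewal reply, deny for the rogue offer, and permit for the spoofed offer; that last result is exactly the gap the VACL approach leaves open, because the spoofed packet is indistinguishable from the relayed one at the fields the VACL inspects.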

