Can you block a DHCP server by IP address within Meraki

phelimmc
Here to help


Hi,

Can someone please advise? Can you block a DHCP server by IP address within Meraki? There only seems to be an option to block by MAC address?

Thanks

5 Replies
Brash
Kind of a big deal

Not that I'm aware of.

What is the use case of blocking it based on IP address?

DHCP works on layer 2 and therefore the responses to DHCP requests will be sent via MAC address.

ww
Kind of a big deal

You could use an ACL on the switches.

Or if it's forwarded using an SVI on, for example, the MX, you can block it using the firewall.

RaphaelL
Kind of a big deal

In some cases you can and can't. It depends where the DHCP server is.

If the DHCP server is configured as an IP helper and resides on a different VLAN, there are some nasty hidden firewall rules that will still allow the traffic (e.g. Wireless firewall, GP 'firewall').

I find that very annoying.

Also the MX firewall won't block traffic that has a destination in the autoVPN tunnel; you would need to use the S2S firewall. You can get confused real quick.

BlakeRichardson
Kind of a big deal

If it's a private network, track down whose DHCP server it is and give them a slap on the hand; interfering with a network is a hanging offence in many companies.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Dunky
Head in the Cloud

The best option is to whitelist your known DHCP servers, which will block any others by default regardless of their IP.

Go to Switches > DHCP servers & ARP, and configure as below, entering the MACs of your DHCP servers where I have redacted mine:

[Image: Dunky_0-1660923226697.png]
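For auditing a packet capture against the same allow-list idea, here is an added example (not from the thread and not Meraki's code) that parses DHCP server replies out of raw Ethernet frames and applies an "allowed servers, default block" decision on the source MAC. The MAC and IP addresses, the function names and the sample frames are constructed for illustration; only untagged IPv4 frames are handled.

```python
import struct

# Assumed allow list (constructed MAC), mirroring "allowed servers, default block".
ALLOWED_SERVER_MACS = {"00:11:22:33:44:55"}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options

def dotted(raw):
    return ".".join(map(str, raw))

def parse_server_reply(frame):
    """Return src_mac, src_ip, msg_type, server_id for a DHCP server reply, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # untagged IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ip[9] != 17 or len(ip) < ihl + 8 + 240:  # UDP + fixed BOOTP part
        return None
    sport, _dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    bootp = ip[ihl + 8:]
    if sport != 67 or bootp[0] != 2 or bootp[236:240] != MAGIC:  # op 2 = BOOTREPLY
        return None
    opts, i = {}, 240
    while i + 1 < len(bootp) and bootp[i] != 255:  # 255 = end option
        if bootp[i] == 0:  # pad option has no length byte
            i += 1
            continue
        length = bootp[i + 1]
        opts[bootp[i]] = bootp[i + 2:i + 2 + length]
        i += 2 + length
    return {"src_mac": frame[6:12].hex(":"), "src_ip": dotted(ip[12:16]),
            "msg_type": (opts.get(53) or b"\x00")[0],   # option 53: message type
            "server_id": dotted(opts.get(54, b""))}     # option 54: server identifier

def verdict(frame):
    """'allow' or 'block' for DHCP server replies, None for any other traffic."""
    reply = parse_server_reply(frame)
    if reply is None:
        return None
    return "allow" if reply["src_mac"] in ALLOWED_SERVER_MACS else "block"

def build_offer(src_mac, src_ip):
    """Constructed DHCPOFFER frame for the demo (checksums left at zero)."""
    addr = bytes(map(int, src_ip.split(".")))
    bootp = bytes([2, 1, 6, 0]) + bytes(232) + MAGIC + bytes([53, 1, 2, 54, 4]) + addr + b"\xff"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, addr, b"\xff" * 4)
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip + udp
```

The decision never looks at `src_ip` or `server_id`; they are returned only so an unlisted server can be traced.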

 
