hey,
Another idea would be to see if I could configure the dhcp server to
just ignore unicast requests (easier than putting ACLs on the
switches).
You can configure an ACL on the server as well (read: iptables or so).
All relayed packets will use the router interface IP as source address (at
least the cisco relay does that, some other platforms use the egress interface
IP but it's usually configurable). This way you can permit your actual
interface IPs and deny the rest, thus blocking unicast renewals directly from
DHCP clients.
It's not ideal, as you have to keep a list of /32s or so in the ACL, but at
least you can keep the ACL in a few places and not distribute it to all
network devices.
--
tarko
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
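The server-side ACL described in the reply above, as an added example that is not part of the original post: a small shell script that emits iptables rules accepting UDP/67 only from the relay agents' source addresses and dropping everything else aimed at the DHCP port. The relay IPs, the chain name and the helper function names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): build the /32 permit list
# for DHCP relay agents and a final drop, so unicast renewals sent straight
# from clients never reach dhcpd. Relayed packets keep the relay's interface
# IP as source, so permitting those /32s is enough.
# Constructed placeholder addresses; replace with your routers' helper interfaces.
RELAY_IPS="10.0.1.1 10.0.2.1 10.0.3.1"

# Print the rule set instead of applying it, so it can be reviewed first.
# Pipe the output to sh as root to apply it.
gen_dhcp_acl() {
    chain="$1"   # dedicated chain name, e.g. DHCP-RELAY-ONLY
    printf 'iptables -N %s\n' "$chain"
    for ip in $RELAY_IPS; do
        # one /32 per relay agent; this is the list you have to maintain
        printf 'iptables -A %s -p udp --dport 67 -s %s/32 -j ACCEPT\n' "$chain" "$ip"
    done
    # anything else to the server port, including client unicasts, is dropped
    printf 'iptables -A %s -p udp --dport 67 -j DROP\n' "$chain"
    # hook the chain into INPUT for DHCP server traffic only
    printf 'iptables -I INPUT -p udp --dport 67 -j %s\n' "$chain"
}

# Number of relay /32s the generated rule set permits (handy sanity check
# against the relay inventory before applying).
count_permitted() {
    gen_dhcp_acl "$1" | grep -c -- '-j ACCEPT'
}

gen_dhcp_acl DHCP-RELAY-ONLY
```

Clients whose unicast renewal is dropped fall back to broadcasting at rebinding time, which the relays forward normally. If the server also serves a directly attached segment, add a permit for those broadcast DISCOVERs (source 0.0.0.0) ahead of the drop.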