ZONE-1 and ZONE-2 are at the same security level, and traffic between interfaces at the same security level is enabled.
To understand what really happens at the back end of the DHCP protocol, please go here. That post explains it with Wireshark captures.
According to the packet capture, the Discover and Request packets are sent by the client as a broadcast with a source IP address of 0.0.0.0, a destination IP address of 255.255.255.255, and a destination port of UDP 67 (bootps). This requires an ACL on the ZONE-2 interface.
Also, the Offer and Ack packets have the source IP of the DHCP server and any destination IP, with a destination port of UDP 68 (bootpc). This requires an ACL on the ZONE-1 interface.
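As an added example that is not part of the original post, the Python model below applies the two inbound ACLs described above to the four DHCP messages and to a lease-renewal Request. The interface names are the page's; the DHCP server address, client address and ACL entries are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Dict

BOOTPS, BOOTPC = 67, 68   # UDP ports used by DHCP: server side (67), client side (68)


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on: "ZONE-1" or "ZONE-2"
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry: protocol, source/destination network, destination port."""
    proto: str
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, spec: str) -> bool:
            return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
        return (self.proto == p.proto and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.dport is None or self.dport == p.dport))


DHCP_SERVER = "10.1.1.10"   # constructed: the DHCP server behind ZONE-1

# Inbound ACL per interface, modelled on the two entries the post says are needed
# (roughly: "permit udp host 0.0.0.0 host 255.255.255.255 eq bootps" on ZONE-2 and
#  "permit udp host <server> any eq bootpc" on ZONE-1; names and server are assumed).
ACLS: Dict[str, List[Ace]] = {
    "ZONE-2": [Ace("udp", "0.0.0.0/32", "255.255.255.255/32", BOOTPS)],
    "ZONE-1": [Ace("udp", f"{DHCP_SERVER}/32", "any", BOOTPC)],
}


def evaluate(p: Packet) -> str:
    """Return 'permit' if any ACE on the ingress interface matches, else 'deny' (implicit deny)."""
    return "permit" if any(ace.matches(p) for ace in ACLS.get(p.ingress, [])) else "deny"


# Constructed sample packets taken from the message flow described in the post
DISCOVER = Packet("ZONE-2", "udp", "0.0.0.0", "255.255.255.255", BOOTPS)
OFFER = Packet("ZONE-1", "udp", DHCP_SERVER, "255.255.255.255", BOOTPC)
ACK = Packet("ZONE-1", "udp", DHCP_SERVER, "192.168.2.50", BOOTPC)
RENEW_REQUEST = Packet("ZONE-2", "udp", "192.168.2.50", DHCP_SERVER, BOOTPS)  # unicast at T1
```

The last packet shows a caveat: an entry that only matches a 0.0.0.0 source also drops the unicast Request a client sends to the server when renewing its lease, so a second entry permitting the client subnet to the server on UDP 67 is normally needed as well.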