DHCP Relay: multi-hop, session management and IoT Security

I have a couple of questions about DHCP Relay, multi-hop, sessions and IoT Security.

This is the situation I am dealing with:

[Diagram: DHCP Relay.drawio.png]
Clients are configured for DHCP. Their gateway is a Cisco L3 Switch acting as a DHCP relay.

Red situation: the L3 switch points to the DHCP server. If I do this, I run into trouble: the PAN firewall considers ALL the relayed queries as a single session, between the relay and the server. Also, since the session is UDP, whenever a threat (or a false positive) is seen by the firewall, that single session is dropped without notification to the endpoints (relay and server), and no client gets an IP anymore.

Green situation: as a workaround, I set up a multi-hop configuration, with the PAN firewall acting as a further relay between the two, and reconfigured the L3 switch to point its relay to the closest firewall interface. Now all the DHCP sessions are dealt with individually, and only those with threats are dropped.

In both cases DHCP traffic is configured to be allowed and inspected (L7 policies).

Question 1: is the green configuration OK? Did I miss some guideline/RFC/best practice when I implemented the previous configuration (red)?
Question 2: since now the firewall has full visibility of the DHCP conversation, is there any way I can take advantage of it? Log enrichment and IoT Security / Device-ID come to mind first. My firewall doesn't see any client at L2.
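To illustrate why the red setup collapses every client into one firewall session, and what a firewall that terminates the relay hop can key on instead, here is an added Python example (not from the post, nor Palo Alto Networks or Cisco code). It builds constructed relayed DHCP headers from three made-up clients behind one relay and groups them once by the UDP 5-tuple a stateful firewall matches on, and once by the client hardware address (chaddr) carried in the payload; all addresses and MACs are constructed.

```python
import struct
from collections import defaultdict

RELAY, SERVER = "10.1.1.1", "10.9.9.9"   # constructed relay (giaddr) and DHCP server

def build_dhcp(xid: int, mac: bytes, giaddr: str, hops: int = 1) -> bytes:
    """Constructed relayed BOOTREQUEST (RFC 2131 fixed header, no options)."""
    # op=1 (request), htype=1 (Ethernet), hlen, hops, xid, secs, flags (broadcast bit)
    hdr = struct.pack("!BBBBIHH", 1, 1, len(mac), hops, xid, 0, 0x8000)
    hdr += bytes(12)                                  # ciaddr, yiaddr, siaddr = 0.0.0.0
    hdr += bytes(int(o) for o in giaddr.split("."))   # giaddr: filled in by the relay
    hdr += mac.ljust(16, b"\x00")                     # chaddr: the real client behind it
    hdr += bytes(192) + b"\x63\x82\x53\x63"           # sname, file, DHCP magic cookie
    return hdr

def parse_dhcp(payload: bytes) -> dict:
    """Fields an inspector can log from the fixed header, regardless of options."""
    op, _htype, hlen, hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    giaddr = ".".join(str(b) for b in payload[24:28])
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    return {"op": op, "hops": hops, "xid": xid, "giaddr": giaddr, "chaddr": chaddr}

def relayed_traffic():
    """Three constructed clients, all forwarded by the same relay to the same server."""
    macs = [b"\x00\x11\x22\x33\x44\x01", b"\x00\x11\x22\x33\x44\x02", b"\x00\x11\x22\x33\x44\x03"]
    # Relay-to-server datagrams always look like relay:67 -> server:67, whoever the client is.
    return [(RELAY, 67, SERVER, 67, build_dhcp(0x1000 + i, m, RELAY)) for i, m in enumerate(macs)]

def group_sessions(packets, key: str) -> dict:
    """key='5tuple': what a stateful firewall matches UDP flows on (the red setup:
    one session, so one verdict hits every client).
    key='client': per-client grouping on chaddr, which needs the firewall to
    process each DHCP message itself, as it does when it is the next relay hop."""
    groups = defaultdict(list)
    for src, sport, dst, dport, payload in packets:
        msg = parse_dhcp(payload)
        k = (src, sport, dst, dport, "udp") if key == "5tuple" else msg["chaddr"]
        groups[k].append(msg["xid"])
    return dict(groups)

if __name__ == "__main__":
    pkts = relayed_traffic()
    print("5-tuple sessions:", group_sessions(pkts, "5tuple"))   # one key, three xids
    print("per-client sessions:", group_sessions(pkts, "client"))  # one key per MAC
```

The chaddr and giaddr values the parser extracts are the same ones a relay-aware firewall can attach to its DHCP logs for the device-identification use case in question 2.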
