Cisco DHCP Snooping on Uplink Port??

 
 
abrink
12-02-2005
All -

I have a 3750 stack group that all my users are plugged into as their
core switch, however, I also have a 3524 hanging off this stack group
as well. Recently, someone plugged a rogue DHCP server into the 3524,
causing me all sorts of grief. My question is since my 3750 supports
DHCP Snooping, can I turn this on to solve all my problems?

Thanks,
Andrew

 
Walter Roberson
12-02-2005
abrink wrote:
>I have a 3750 stack group that all my users are plugged into as their
>core switch, however, I also have a 3524 hanging off this stack group
>as well. Recently, someone plugged a rogue DHCP server into the 3524,
>causing me all sorts of grief. My question is since my 3750 supports
>DHCP Snooping, can I turn this on to solve all my problems?


Hmmm, I suspect not -- DHCP snooping is, if I understand correctly,
for the case where you might have to relay a DHCP request over a router.

Would it perhaps work to turn on an ACL on the 3750 to block the
DHCP replies from the 3524 ?
--
"It is important to remember that when it comes to law, computers
never make copies, only human beings make copies. Computers are given
commands, not permission. Only people can be given permission."
-- Brad Templeton
 
anybody43@hotmail.com
12-02-2005
>> Recently, someone plugged a rogue DHCP server into the 3524,
>> causing me all sorts of grief. My question is since my 3750 supports
>> DHCP Snooping, can I turn this on to solve all my problems?


> I understand correctly ... relay a DHCP request over a router


That is DHCP forwarding.

It has cheered me up no end that just
once in a while Walter has missed the target.
It is nice to see that there is a regular fallible
human on the other end of the handle.

I don't like the name Cisco have chosen
for this feature, though; I find it confusing too.


http://www.cisco.com/en/US/products/...080435791.html

Overview of DHCP Snooping
DHCP snooping is a DHCP security feature
that provides network security by filtering
untrusted DHCP messages and by building and
maintaining a DHCP snooping binding database
(also referred to as a DHCP snooping binding table).

DHCP snooping acts like a firewall between
untrusted hosts and DHCP servers. You
can use DHCP snooping to differentiate
between untrusted interfaces connected
to the end user and trusted interfaces
connected to the DHCP server or another switch.


Note: For DHCP snooping to function properly, all
DHCP servers must be connected to the switch
through trusted interfaces.

 
 
Walter Roberson
12-02-2005
anybody43@hotmail.com wrote:
>It has cheered me up no end that just
>once in a while Walter has missed the target.
>It is nice to see that there is a regular fallible
>human on the other end of the handle.




I have an excuse -- hang on, it's right here, I saw it just a few days
ago, it was on my desk in one of these piles... or was it in
the computer room.... lemme see.... oh, I hope I didn't take it home,
because if my spouse borrowed it, I might not get it back for weeks!
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
 
 
Peter
12-02-2005
Hi Andrew,

> I have a 3750 stack group that all my users are plugged into as their
> core switch, however, I also have a 3524 hanging off this stack group
> as well. Recently, someone plugged a rogue DHCP server into the 3524,
> causing me all sorts of grief. My question is since my 3750 supports
> DHCP Snooping, can I turn this on to solve all my problems?


I have to disagree with Walter on this (although he has vastly more
experience than I), about 2 weeks ago I started investigating this
functionality (DHCP Snooping) as well and as near as we can see, DHCP
Snooping does exactly what you (we) want, i.e. when enabled on a Layer
2 ACCESS port it blocks DHCP Server messages arriving FROM that port.

It's not clear from what I have read so far, but I can't see how/why
one would use it on Trunk ports if all your ACCESS ports are covered
correctly. In our case we would be using it on 2950's only.

Cheers................pk.

--
Peter from Auckland.
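
An added illustration, not part of the thread: a small Python model of the filtering described in the Cisco overview quoted above and in Peter's reply, where DHCP server messages (OFFER, ACK, NAK) are dropped when they arrive on an untrusted port. The port names and sample packets are constructed, and the model covers only this one check, not the binding table or the other validations a real switch performs.

```python
# DHCP message types (option 53) that only a server should send.
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def dhcp_message_type(payload):
    """Return the option 53 value from a BOOTP/DHCP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:              # end option
            return None
        if code == 0:                # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):    # truncated option header
            return None
        length = payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return payload[i + 2]
        i += 2 + length
    return None

def snoop(port_trusted, payload):
    """Per-port decision: server messages pass only on trusted ports."""
    if port_trusted:
        return "forward"
    mtype = dhcp_message_type(payload)
    if mtype is None or mtype in SERVER_TYPES:
        return "drop"                # unparseable input is dropped (model choice)
    return "forward"                 # client messages such as DISCOVER/REQUEST

def build(mtype):
    """Constructed sample packet: BOOTP header, cookie, option 53, end."""
    op = 2 if mtype in SERVER_TYPES else 1
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + bytes([53, 1, mtype, 255])

# Hypothetical port roles on the 3750; only the real DHCP server's port is trusted.
PORTS = {"server": True, "link-to-3524": False, "user": False}

def demo():
    events = [("user", 1), ("server", 2), ("link-to-3524", 2), ("link-to-3524", 5)]
    return [(port, mtype, snoop(PORTS[port], build(mtype))) for port, mtype in events]

if __name__ == "__main__":
    print(demo())
```

With the 3750 port facing the 3524 left untrusted, replies from a server behind the 3524 are dropped before they reach hosts on the 3750. Hosts attached to the 3524 itself still see them, because that traffic never crosses the 3750.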

 