Cisco DHCP Snooping on Uplink Port??

Discussion in 'Cisco' started by abrink, Dec 2, 2005.

  1. abrink

    abrink Guest

    All -

    I have a 3750 stack group that all my users are plugged into as their
    core switch, however, I also have a 3524 hanging off this stack group
    as well. Recently, someone plugged a rogue DHCP server into the 3524,
    causing me all sorts of grief. My question is since my 3750 supports
    DHCP Snooping, can I turn this on to solve all my problems?

    Thanks,
    Andrew
    abrink, Dec 2, 2005
    #1

  2. In article <>,
    abrink <> wrote:
    >I have a 3750 stack group that all my users are plugged into as their
    >core switch, however, I also have a 3524 hanging off this stack group
    >as well. Recently, someone plugged a rogue DHCP server into the 3524,
    >causing me all sorts of grief. My question is since my 3750 supports
    >DHCP Snooping, can I turn this on to solve all my problems?


    Hmmm, I suspect not -- DHCP snooping is, if I understand correctly,
    for the case where you might have to relay a DHCP request over a router.

    Would it perhaps work to turn on an ACL on the 3750 to block the
    DHCP replies from the 3524 ?
    --
    "It is important to remember that when it comes to law, computers
    never make copies, only human beings make copies. Computers are given
    commands, not permission. Only people can be given permission."
    -- Brad Templeton
    Walter Roberson, Dec 2, 2005
    #2

  3. abrink

    Guest

    >> Recently, someone plugged a rogue DHCP server into the 3524,
    >> causing me all sorts of grief. My question is since my 3750 supports
    >> DHCP Snooping, can I turn this on to solve all my problems?


    > I understand correctly ... relay a DHCP request over a router


    That is DHCP forwarding.

    It has cheered me up no end that just
    once in a while Walter has missed the target.
    It is nice to see that there is a regular fallible
    human on the other end of the handle.

    I don't like the name Cisco have chosen
    for this feature though:) I find it confusing too.


    http://www.cisco.com/en/US/products...figuration_guide_chapter09186a0080435791.html

    Overview of DHCP Snooping
    DHCP snooping is a DHCP security feature
    that provides network security by filtering
    untrusted DHCP messages and by building and
    maintaining a DHCP snooping binding database
    (also referred to as a DHCP snooping binding table).

    DHCP snooping acts like a firewall between
    untrusted hosts and DHCP servers. You
    can use DHCP snooping to differentiate
    between untrusted interfaces connected
    to the end user and trusted interfaces
    connected to the DHCP server or another switch.

    Note For DHCP snooping to function properly, all
    DHCP servers must be connected to the switch
    through trusted interfaces.
    , Dec 2, 2005
    #3
  4. In article <>,
    <> wrote:
    >It has cheered me up no end that just
    >once in a while Walter has missed the target.
    >It is nice to see that there is a regular fallible
    >human on the other end of the handle.


    ;-)

    I have an excuse -- hang on, it's right here, I saw it just a few days
    ago, it was on my desk in one of these piles... or was it in
    the computer room.... lemme see.... oh, I hope I didn't take it home,
    because if my spouse borrowed it, I might not get it back for weeks!
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
    Walter Roberson, Dec 2, 2005
    #4
  5. abrink

    Peter Guest

    Hi Andrew,

    > I have a 3750 stack group that all my users are plugged into as their
    > core switch, however, I also have a 3524 hanging off this stack group
    > as well. Recently, someone plugged a rogue DHCP server into the 3524,
    > causing me all sorts of grief. My question is since my 3750 supports
    > DHCP Snooping, can I turn this on to solve all my problems?


    I have to disagree with Walter on this (although he has vastly more
    experience than I). About 2 weeks ago I started investigating this
    functionality (DHCP Snooping) as well and, as near as we can see, DHCP
    Snooping does exactly what you (we) want, i.e. when enabled on a Layer
    2 ACCESS port it blocks DHCP Server messages arriving FROM that port.

    It's not clear from what I have read so far, but I can't see how/why
    one would use it on Trunk ports if all your ACCESS ports are covered
    correctly. In our case we would be using it on 2950's only.

    Cheers................pk.

    --
    Peter from Auckland.
    Peter, Dec 2, 2005
    #5
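To make the trusted/untrusted distinction from the Cisco overview quoted in post #3, and Peter's observation in post #5 about access ports, concrete, here is an added example Catalyst 3750 configuration. It is not from the thread or from Cisco's documentation; the VLAN number, interface names and the assignment of which port leads to the real DHCP server and which to the 3524 are assumptions for illustration.

```cisco
! Added example (not from the thread). Assumed topology: Catalyst 3750
! stack, user VLAN 10, legitimate DHCP server reached via Gi1/0/1,
! the Catalyst 3524 hanging off Gi1/0/2, users on Fa1/0/1-48.
! Interface names and the VLAN number are assumptions.
!
! 1. Enable the feature globally, then on the VLAN(s) carrying user traffic.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! The 3750 inserts DHCP option 82 by default once snooping is on; some
! DHCP servers reject such requests, so it is commonly turned off when
! relay information is not needed.
no ip dhcp snooping information option
!
! 2. Trust only the port that leads to the real DHCP server.
!    Server-to-client messages (OFFER, ACK, NAK) are accepted here.
interface GigabitEthernet1/0/1
 description Uplink toward the DHCP server
 ip dhcp snooping trust
!
! 3. User access ports stay untrusted (the default): DHCP server
!    messages arriving on them are dropped, and client requests are
!    rate-limited so a flood cannot exhaust the switch CPU.
interface range FastEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! 4. The port toward the 3524 (which cannot run DHCP snooping itself)
!    is deliberately left untrusted: a rogue server plugged into the
!    3524 then has its OFFER/ACK dropped at the 3750. Clients attached
!    directly to the 3524 are still reachable by that rogue server on
!    the 3524 itself, since filtering only happens on the 3750.
interface GigabitEthernet1/0/2
 description Downlink to the 3524
 switchport mode trunk
 no ip dhcp snooping trust
!
! Verification:
!   show ip dhcp snooping           - per-VLAN status and trusted ports
!   show ip dhcp snooping binding   - client bindings learned from DHCP
```

The decisive setting for the question in the thread is step 4: whether the port toward the 3524 is trusted. Trusting it (as the quoted Cisco note suggests for "another switch") would let any DHCP server behind the 3524 answer clients on the 3750; leaving it untrusted blocks those answers at the 3750 but offers no protection to hosts that sit on the 3524 itself.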
