Cisco DHCP Snooping on Uplink Port??

Discussion in 'Cisco' started by abrink, Dec 2, 2005.

  1. abrink

    abrink Guest

    All -

    I have a 3750 stack group that all my users are plugged into as their
    core switch, however, I also have a 3524 hanging off this stack group
    as well. Recently, someone plugged a rouge DHCP server into the 3524,
    causing me all sorts of grief. My question is since my 3750 supports
    DHCP Snooping, can I turn this on to solve all my problems?

    abrink, Dec 2, 2005
    1. Advertisements

  2. Hmmm, I suspect not -- DHCP snooping is, if I understand correctly,
    for the case where you might have to relay a DHCP request over a router.

    Would it perhaps work to turn on an ACL on the 3750 to block the
    DHCP replies from the 3524 ?
    Walter Roberson, Dec 2, 2005
    1. Advertisements

  3. abrink

    anybody43 Guest

    Recently, someone plugged a rouge DHCP server into the 3524,
    That is DHCP forwarding.

    It has cheered me up no end that just
    once in a while Walter has misssed the target.
    It is nice to see that there is a regular fallible
    human on the other end of the handle.

    I don't like the name Cisco have chosen
    for this feature though:) I find it confusing too.

    Overview of DHCP Snooping
    DHCP snooping is a DHCP security feature
    that provides network security by filtering
    untrusted DHCP messages and by building and
    maintaining a DHCP snooping binding database
    (also referred to as a DHCP snooping binding table).

    DHCP snooping acts like a firewall between
    untrusted hosts and DHCP servers. You
    can use DHCP snooping to differentiate
    between untrusted interfaces connected
    to the end user and trusted interfaces
    connected to the DHCP server or another switch.
    anybody43, Dec 2, 2005
  4. ;-)

    I have an excuse -- hang on, it's right here, I saw it just a few days
    ago, it was on my desk in one of these piles... or was it in
    the computer room.... lemme see.... oh, I hope I didn't take it home,
    because if my spouse borrowed it, I might not get it back for weeks!
    Walter Roberson, Dec 2, 2005
  5. abrink

    Peter Guest

    Hi Andrew,
    I have to disagree with Walter on this (although he has vastly more
    experience than I), about 2 weeks ago I started investigating this
    functionality (DHCP Snooping) as well and as near as we can see, DHCP
    Snooping does exactly what you (we) want., IE when enabled on a Layer
    2 ACCESS port it blocks DHCP Server messages arriving FROM that port.

    Its not clear from what I have read so far, but I can't see how/why
    one would use it on Trunk ports if all your ACCESS ports are covered
    correctly. In our case we would be using it on 2950's only.
    Peter, Dec 2, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.