DHCP-Snooping-MIB on cat3560

Unanswered Question
Apr 23rd, 2007

Hi

We would like to implement DHCP Snooping in the UserAccess-Layer of our LAN. But as our Printers use static IP-Addresses, and our Workplace-Mgmt does not want to mess up with IOS-CLI, we should provide them the possibility to enable and disable IP Source Guard with a Web-Interface which configures the switches via SNMP.

Unfortunately, the Implementation of the DHCP-Snooping-MIB seems to be incomplete on the c3560, some OIDs give answer, but neither cdsIfSrcGuardFilterType (1.3.6.1.4.1.9.9.380.1.6.1.1.2, current) nor cdsIfSrcGuardEnable (1.3.6.1.4.1.9.9.380.1.6.1.1.1, deprecated) give any answers on snmpwalk or react on snmpset.

We use c3560-ipservicesk9-mz.122-25.SEE3.bin, same problem on c3560 and c3560G.

Is there any other way to enable/disable IP Source Guard via SNMP, or is it planned to complete the DHCP-Snooping-MIB in one of the upcoming IOS-Releases for the c3560?

Thanks and greetings from Switzerland

mullzkBern_2 Mon, 04/30/2007 - 02:58

DHCP Snooping does more than that, it also creates a database which is used by IP Source Guard, preventing Man-In-The-Middle-Attacks. If you don't have DHCP Snooping enabled, you would have to allow the MAC-Addresses by manually configuring them for each Interface (ip source binding), which would be a nightmare in operation. That's why IP Source Guard is integrated into DHCP-Snooping-MIB.

So to better declare our problem (I am in the same department as bbo): it is not the DHCP-Snooping which we care about, but controlling IP Source Guard via SNMP.

According to Cisco's SNMP object navigator, this should be included in the DHCP-Snooping-MIB, except that it's not, at least not on Catalyst 3650 with current IOS.
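
Added example, not part of the thread and not Cisco code: a simplified Python model of the behaviour the posts above describe, showing why a statically addressed printer is dropped by IP Source Guard unless it has a manual binding or the guard is turned off on its port. All class and function names, ports, and addresses are hypothetical and constructed for illustration.

```python
# Simplified model of IP Source Guard on an access switch (illustration only).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    source: str  # "dhcp-snooping" or "static" (manual `ip source binding`)

@dataclass
class Port:
    name: str
    source_guard: bool = False
    bindings: set = field(default_factory=set)

def learn_from_dhcp_ack(port, ip, mac, vlan):
    """DHCP snooping records the lease the server handed to this port."""
    port.bindings.add(Binding(ip, mac, vlan, "dhcp-snooping"))

def add_static_binding(port, ip, mac, vlan):
    """Manual entry, needed for hosts that never speak DHCP (e.g. printers)."""
    port.bindings.add(Binding(ip, mac, vlan, "static"))

def permit(port, src_ip, src_mac, vlan, is_dhcp=False, check_mac=False):
    """Return True if the frame would be forwarded under this model."""
    if not port.source_guard or is_dhcp:
        return True  # guard off, or DHCP traffic needed to obtain a lease
    return any(b.ip == src_ip and b.vlan == vlan
               and (not check_mac or b.mac == src_mac) for b in port.bindings)

def demo():
    # Constructed sample hosts and ports.
    pc = Port("Fa0/1", source_guard=True)
    printer = Port("Fa0/2", source_guard=True)
    learn_from_dhcp_ack(pc, "10.0.0.50", "00:11:22:33:44:55", 10)
    results = {
        "pc_leased_ip": permit(pc, "10.0.0.50", "00:11:22:33:44:55", 10),
        "pc_spoofed_ip": permit(pc, "10.0.0.1", "00:11:22:33:44:55", 10),
        "printer_no_binding": permit(printer, "10.0.0.20", "00:aa:bb:cc:dd:ee", 10),
    }
    add_static_binding(printer, "10.0.0.20", "00:aa:bb:cc:dd:ee", 10)
    results["printer_static_binding"] = permit(printer, "10.0.0.20", "00:aa:bb:cc:dd:ee", 10)
    printer.source_guard = False  # the per-port toggle the posters want via SNMP
    results["printer_guard_off"] = permit(printer, "10.0.0.99", "00:aa:bb:cc:dd:ee", 10)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'permit' if ok else 'drop'}")
```

The last case shows the trade-off of disabling the guard on a printer port: any source address is then accepted there, whereas a static binding keeps the filter in place.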
