Lock rogue DHCP server from switch level: best practices

Unanswered Question
Jan 20th, 2009

Please let me know the best practices to prevent a rogue DHCP server inside the network.

Let me know if Cisco has any tools to monitor this from the switch level.

Mohamed Sobair Tue, 01/20/2009 - 01:32

Hi,

You will need to implement DHCP Snooping and trust DHCP on the required uplinks and access ports.

Another way is to check the IP Source Guard feature.

Please have a look at the attached document.

HTH

Mohamed

rajeesh.kumar1@... Tue, 01/20/2009 - 22:04

Thanks Mohamed. Is this feature available on all models?

Our model is the 2600 series at Layer 2.

Giuseppe Larosa Tue, 01/20/2009 - 01:36

Hello Rajeesh,

Several platforms offer security features like Dynamic ARP Inspection (DAI).

On the basis of DAI, IP Source Guard and DHCP snooping are possible, and the latter is the specific tool to use to fight rogue DHCP servers.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swdhcp82.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swdynarp.html

Be aware that if you enable DHCP snooping, the default state for all ports is untrusted, so you need to declare as trusted the access ports where a legitimate DHCP server is connected and the uplinks from which another switch can see the legitimate servers' answers.

Hope to help

Giuseppe
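A worked configuration for the three features named in the two replies above (DHCP snooping, Dynamic ARP Inspection and IP Source Guard), added here as an editorial example; it is not part of the thread, of Mohamed's attachment or of the linked Cisco guides. It assumes a Catalyst 3750 running 12.2 SE (the platform the linked guides cover), user VLAN 10, GigabitEthernet1/0/1 as the uplink, GigabitEthernet1/0/24 as a locally attached legitimate DHCP server and GigabitEthernet1/0/2 to 23 as user ports; the interface numbers, VLAN, MAC and IP addresses are all assumptions. DAI and IP Source Guard filter against the binding table that DHCP snooping builds from observed leases, so snooping is enabled first and the other two are layered on it.

```cisco
! Added example (not from the thread). Assumed topology:
!   VLAN 10             user access VLAN
!   Gi1/0/1             uplink toward distribution (trusted)
!   Gi1/0/24            locally attached legitimate DHCP server (trusted)
!   Gi1/0/2 - Gi1/0/23  user access ports (left untrusted, the default)
!
! --- DHCP snooping: server messages (OFFER/ACK/NAK) are only accepted on
! --- trusted ports, so a rogue server on a user port cannot answer clients.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Option 82 insertion is on by default when snooping is enabled. If the
! upstream relay or server is not configured to accept option 82 from this
! switch, DHCP stops working for every client, so disable insertion unless
! the relay side ("ip dhcp relay information trust-all") is set up for it.
no ip dhcp snooping information option
!
! Persist the binding table so a reload does not leave IPSG/DAI with an
! empty table and blackhole clients that do not renew immediately.
ip dhcp snooping database flash:dhcp-snoop.db
ip dhcp snooping database write-delay 60
!
! --- Dynamic ARP Inspection: ARP replies on untrusted ports must match a
! --- MAC/IP pair in the snooping binding table.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Let ports that were err-disabled by a rate-limit violation recover
! automatically instead of needing a manual shut/no shut.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
!
! --- Trusted ports: uplink and the port facing the legitimate server.
interface GigabitEthernet1/0/1
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/24
 description Legitimate DHCP server
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Untrusted user ports: server messages are dropped, client DHCP and
! --- ARP are rate limited so a flooding host cannot starve the CPU, and
! --- IP Source Guard drops IP traffic whose source was never leased here.
interface range GigabitEthernet1/0/2 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
!
! A host with a static address never appears in the snooping table and
! would be dropped by IPSG/DAI; add a static binding for it (assumed
! MAC/IP/port, for illustration only).
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet1/0/5
!
! --- Verification
! show ip dhcp snooping                       trusted ports, rate limits, option 82 state
! show ip dhcp snooping binding               leases learned; IPSG/DAI filter against this
! show ip arp inspection statistics vlan 10   dropped vs. forwarded ARP per VLAN
! show ip verify source                       per-port IPSG filter currently applied
```

After applying this, move a client to an untrusted port, have it renew, and confirm its lease appears in `show ip dhcp snooping binding`; a DHCPOFFER arriving on an untrusted port is silently dropped and logged by the switch, which is the monitoring signal the original question asks for. The two caveats that most often break a rollout are the ones commented above: option 82 insertion toward a relay that does not expect it, and statically addressed hosts that need explicit bindings once IP Source Guard or DAI is turned on.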
