
switch security

dkblee
Level 1

Hi! I'm trying to block DHCP server setup in our testing lab. If I'm not wrong, I can achieve this by configuring DHCP snooping. I have a few questions that I would like to verify:

1) Do I need to configure DHCP snooping on the L2 switch and the core switch as well? Can I just enable it on the L2 switch, with the trunk (uplink) to the core switch as a trusted port (the legitimate DHCP server is connected to the core switch)? Will this work?

2) What does the snooping rate limit mean? Is it a must to configure this, or is it optional? Thanks.

5 Replies

Roberto Salazar
Level 8

Hi! I'm trying to block DHCP server setup in our testing lab. If I'm not wrong, I can achieve this by configuring DHCP snooping. I have a few questions that I would like to verify:

1) Do I need to configure DHCP snooping on the L2 switch and the core switch as well? Can I just enable it on the L2 switch, with the trunk (uplink) to the core switch as a trusted port (the legitimate DHCP server is connected to the core switch)? Will this work?

>> The switch with DHCP snooping enabled intercepts the DHCP discover/request from the clients. The switch by default will insert option-82 unless it is disabled. I mentioned option-82 because the upstream switch with DHCP snooping enabled will see this packet with option-82, and the default behavior is to drop this packet coming from an untrusted port. If the DHCP server is NOT in the same VLAN as the client and the DHCP snooping switch is not the relay agent, the external agent will drop those packets too unless you tell it to trust those DHCP discover/request packets with option-82. In most implementations I have found, DHCP snooping is done on the access switch.

2) What does the snooping rate limit mean? Is it a must to configure this, or is it optional? Thanks.

>> The DHCP snooping rate limit limits the number of DHCP discover/request packets the switch will accept on the port; once this configured threshold is reached, all the rest of the DHCP packets from the clients will be dropped. It is optional.

Hi! If the legitimate DHCP server is in a different VLAN from the clients connected to the edge switch, do I need to enable DHCP snooping on the server VLAN as well? The option-82 you are referring to... is it the one that issues out the settings such as GW, DNS, DHCP server IP, etc.? For the "snooping trust" command, do I need to do it on both ends, the edge switch uplink and the core switch, or will just the edge switch uplink/trunk port do?

No, you don't have to. DHCP snooping is per-VLAN specific; you can enable it on some VLANs and NOT on others. You just need to enable trust on the relay agent; the relay agent is the default gateway most of the time. The relay agent is "ip helper-address". Or you can disable option-82 insertion on the edge switch, so that the switch does not insert option-82 if it's not needed. Most implementations do not need option-82.

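The two replies above describe one configuration: snooping enabled only on the client VLAN of the IOS edge switch, the uplink to the core trusted, option-82 insertion switched off because the relay (the core) will not trust it, and an optional per-port rate limit. The following is an added example of that configuration for a Catalyst IOS access switch; it is not taken from the thread, and the VLAN number, interface names and rate value are assumptions. Option-82 is the DHCP relay agent information option (circuit-id / remote-id added by the switch), not the option that carries gateway, DNS or server settings to the client.

```cisco
! Added example for an IOS access (edge) switch. VLAN 10, the interface
! names and the rate value are assumed, not taken from the thread.
!
! Snooping is enabled globally AND per VLAN; both lines are required.
! Only VLAN 10 is inspected; the server VLAN on the core is untouched.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Do not insert option-82 into client DHCP packets. With the default
! (insert on), a relay agent that is not told to trust option-82 from
! giaddr 0.0.0.0 drops the client's discover/request.
no ip dhcp snooping information option
!
! Uplink towards the core, where the legitimate server / ip helper-address
! lives: trusted, so DHCP offers and acks arriving from it are forwarded.
interface GigabitEthernet1/0/48
 description uplink to core
 switchport mode trunk
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default): any DHCPOFFER/DHCPACK received
! on them is dropped, which is what blocks a rogue server in the lab.
! The rate limit is optional; 15 packets/s is ample for a single host.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! On IOS, exceeding the limit err-disables the port rather than just
! dropping the excess; let it recover automatically instead of waiting
! for a manual shut / no shut.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
```

The alternative the reply mentions, trusting option-82 on the relay instead of disabling insertion, is `ip dhcp relay information trust-all` on an IOS relay, or `ip dhcp snooping information option allow-untrusted` on an upstream IOS switch that also runs snooping; neither applies when the core runs CatOS, which is why the example disables insertion at the edge.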
Hi! In short, I will need either

1) to configure DHCP trust for the port that's connected to my DHCP server (my ip helper-address)? (On the core switch we are still using an older version of CatOS, which I don't think has a DHCP snooping feature.)

or

2) to disable option-82 at the edge switch?

What's the implication of disabling option-82?

Thanks.

Hi! Since my core is running CatOS (where the DHCP server is connected) and the edge switch is running Cisco IOS, can I just configure a VACL with the command "set security acl ip" on the core switch? Will this stop the rogue DHCP server from assigning IPs to the clients within that VLAN on the edge switch?

Thanks.
