11-10-2009 06:09 AM - edited 03-06-2019 08:32 AM
Hi,
I have 2 locations connected through a VPN link through Cisco 2960 switches. Each location has a LAN and has a DHCP server.
Can I prevent DHCP broadcasts on a switch port from passing to the VPN link?
Thanks in advance
11-10-2009 06:55 AM
You can configure 'DHCP Snooping' and only trust the port where the local DHCP server is connected to.
Regards
Edison.
11-11-2009 02:26 AM
Ok,
but I mean that I want to block DHCP broadcasts from my LAN from going to the WAN link between the two locations. My problem is the traffic through the WAN link.
11-11-2009 07:51 AM
Hi,
Unfortunately, you either block broadcast on a certain level or block all the broadcast traffic on the port.
But you have an option to rate limit the DHCP requests on the untrusted ports as recommended by Cisco to reduce DHCP packet requests.
HTH
Mohamed
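The DHCP snooping and rate-limit suggestions from the two replies above, combined into one configuration. This is an added example, not part of any reply in this thread. VLAN 10, the interface numbers and the 15 packets-per-second limit are assumptions chosen for illustration.

```cisco
! Constructed example. Assumed layout (not from the thread):
!   VLAN 10        - the local LAN
!   Gi0/1          - port facing the local DHCP server
!   Gi0/2 - 23     - client access ports
!   Gi0/24         - uplink toward the VPN/WAN router
!
! Enable snooping globally and for the LAN VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Option 82 insertion is on by default. Some DHCP servers drop
! requests that carry it; if clients stop getting leases after
! snooping is enabled, turn it off with the line below.
no ip dhcp snooping information option
!
! Only the local DHCP server port is trusted, so server replies
! (OFFER/ACK) are accepted from this port alone.
interface GigabitEthernet0/1
 description Local DHCP server
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default) and are rate limited.
! 15 packets per second is an assumed value; size it to the site.
interface range GigabitEthernet0/2 - 23
 ip dhcp snooping limit rate 15
!
! The uplink is left untrusted: DHCP server replies arriving from
! the remote site are dropped here, and client requests are relayed
! toward the trusted port rather than toward this one.
interface GigabitEthernet0/24
 description Uplink toward VPN/WAN router
 no ip dhcp snooping trust
!
end
!
! Verification from privileged EXEC mode.
show ip dhcp snooping
show ip dhcp snooping binding
```

A port that exceeds the configured rate is placed in the error-disabled state, so check `show interfaces status err-disabled` if a client port goes down after this change.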
11-11-2009 10:55 PM
Thank you very much for your help,
but I want to know how to block all broadcast on the port (I want to block broadcast from leaving the port) by command.
11-12-2009 02:11 AM
Hi,
The command is:
Switch port block broadcast
HTH
Mohamed
11-12-2009 03:54 AM
Thank you for your reply, Mohamed.
10-30-2014 10:45 AM
That is not working for me. Tried it as one word or two:
    (config)#int Gi0/6
    (config-if)#switchport block broadcast
    ^
    % Invalid input detected at '^' marker.
    (config-if)#switch port block broadcast
    ^
    % Invalid input detected at '^' marker.
    (config-if)#switchport ?
      access         Set access mode characteristics of the interface
      autostate      Include or exclude this port from vlan link up calculation
      backup         Set backup for the interface
      block          Disable forwarding of unknown uni/multi cast addresses
      host           Set port host
      mode           Set trunking mode of the interface
      nonegotiate    Device will not engage in negotiation protocol on this interface
      port-security  Security related command
      priority       Set appliance 802.1p priority
      private-vlan   Set the private VLAN configuration
      protected      Configure an interface to be a protected port
      trunk          Set trunking characteristics of the interface
      voice          Voice appliance attributes
      <cr>
    (config-if)#switchport block ?
      multicast  Block unknown multicast addresses
      unicast    Block unknown unicast addresses
*Note broadcast is not an option.
11-12-2009 12:10 AM
Which type of VPN are you using now?
11-12-2009 12:36 AM
Site VPN through a local loop, not through the internet, connecting 2 branches.
11-12-2009 01:57 AM
So there's a layer 3 connection between two branches through site-to-site vpn, right?
11-12-2009 02:12 AM
right
11-12-2009 02:24 AM
If these two branches have different networks, then DHCP broadcast packets cannot pass through the VPN link, unless you have enabled broadcast forwarding.
I mean DHCP broadcast should not cross to the other side, should it?