16651 Views | 0 Helpful | 19 Replies

Can I prevent DHCP broadcast from passing through a certain port?

mahmoudyf
Level 1

Hi,

I have 2 locations connected through a VPN link via Cisco 2960 switches; each location has a LAN and has a DHCP server.

Can I prevent the DHCP broadcast on a switch port from passing to the VPN link?

Thanks in Advance

19 Replies

Edison Ortiz
Hall of Fame

You can configure 'DHCP Snooping' and only trust the port where the local DHCP server is connected to.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_50_se/configuration/guide/swdhcp82.html

Regards

Edison.

Ok,

but I mean that I want to block DHCP broadcast from my LAN from going to the WAN link between the two locations; my problem is the traffic through the WAN link.

Mohamed Sobair
Level 7

Hi,

Unfortunately, you either block broadcast at a certain level or block all the broadcast traffic on the port.

But you have an option to rate-limit the DHCP requests on the untrusted ports, as recommended by Cisco, to reduce DHCP packet requests.

HTH

Mohamed
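As an added example (not from any post in this thread), this is the DHCP snooping setup Edison refers to, combined with the per-port rate limit Mohamed mentions. It stops rogue DHCP servers answering on untrusted ports and caps client request floods; it does not stop client DISCOVER broadcasts leaving an uplink, which is what the original poster asked about. Assumed: VLAN 10 is the user VLAN, the local DHCP server is on Gi0/1, and users are on Gi0/2-24.

```cisco
! Added example configuration, not from the thread. Assumed: VLAN 10 is the
! user VLAN, the local DHCP server hangs off Gi0/1, users are on Gi0/2-24.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; requests carrying it with giaddr
! 0.0.0.0 are commonly dropped by DHCP servers, so disable it unless a relay
! downstream relies on it.
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 description Local DHCP server (assumed port)
 switchport mode access
 switchport access vlan 10
 ! Only this port may source DHCP OFFER/ACK/NAK; server messages arriving
 ! on any untrusted port are dropped.
 ip dhcp snooping trust
!
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ! Cap client DHCP messages per second to blunt DHCP starvation floods;
 ! exceeding the limit err-disables the port.
 ip dhcp snooping limit rate 15
!
! Verification:
! show ip dhcp snooping           -> enabled VLANs, trusted ports, rate limits
! show ip dhcp snooping binding   -> MAC/IP/lease/VLAN/port learned from ACKs
```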

Thank you very much for your help,

but I want to know how to block all broadcast on the port (I want to block broadcast from leaving the port) by command.

Hi,

The command is:

Switch port block broadcast

HTH

Mohamed

Thank you for your reply, Mohamed.

That is not working for me. Tried it as one word or two:

(config)#int Gi0/6
(config-if)#switchport block broadcast
                                       ^
% Invalid input detected at '^' marker.

(config-if)#switch port block broadcast
                                  ^
% Invalid input detected at '^' marker.

(config-if)#switchport ?
  access         Set access mode characteristics of the interface
  autostate      Include or exclude this port from vlan link up calculation
  backup         Set backup for the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  host           Set port host
  mode           Set trunking mode of the interface
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  private-vlan   Set the private VLAN configuration
  protected      Configure an interface to be a protected port
  trunk          Set trunking characteristics of the interface
  voice          Voice appliance attributes
  <cr>

(config-if)#switchport block ?
  multicast  Block unknown multicast addresses
  unicast    Block unknown unicast addresses

*Note: broadcast is not an option.

wandering_997
Level 1

Which type of VPN are you using now?

Site VPN through a local loop, not through the internet, connecting 2 branches.

So there's a layer 3 connection between the two branches through the site-to-site VPN, right?

right

If these two branches have different networks, then DHCP broadcast packets cannot pass through the VPN link, unless you have enabled broadcast forwarding.

I mean DHCP broadcast should not cross to the other side, shouldn't it?
