In one of our local networks, we have a DHCP server running on several switchports.
Now I would like to deny any DHCP server replies on all client interfaces.
DHCP snooping would not work, because of a few static IP addresses in this network.
Is there any IOS security feature available to protect my local network from unwanted DHCP services?
I'd like to add a word or two to Jon's reply.
DHCP Snooping works by limiting the DHCP messages that are either accepted or transmitted out a switch interface. Also, DHCP Snooping makes some sanity checks on the contents of the DHCP message. DHCP Snooping indeed builds its DHCP snooping database, but until further mechanisms like IP Source Guard or Dynamic ARP Inspection are used, this database does not further prevent traffic flows, so you do not have to worry about some stations having static IPs while others have their addresses assigned by DHCP.
As you probably know, the DHCP Snooping divides ports on a switch into two categories - trusted and untrusted. The trusted ports are those through which DHCP server(s) can be reached. The untrusted ports are all remaining ports, as they usually lead to end stations.
The DHCP Snooping feature drops the DHCP packets according to the following rules:
- Server messages (OFFER, ACK, NAK, LEASEQUERY) received on an untrusted port
- Client messages in which the chaddr field inside the message does not match the source MAC address of the frame in which the message is encapsulated
- Client messages RELEASE and DECLINE sent by a particular client whose MAC address is, according to the DHCP snooping database, currently associated with a different port than the port through which the message arrived
- Messages received on an untrusted port in which the giaddr field is different from 0.0.0.0 or which contain Option 82
If a message is not dropped according to these rules, it will be forwarded as follows:
- A client message will be forwarded out through trusted ports only
- A server message received on a trusted port will be forwarded back only to the appropriate client (the Option 82 added by the access switch helps in identifying which port the appropriate client is connected to)
As you can see, there are no problems with some stations having static IP addresses - the rules that govern the operation of the DHCP Snooping do not care about static IP assignments. I still believe that the DHCP Snooping is most probably the feature you are looking for.
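As an added illustration that is not part of the answer above, the drop-and-forward rules it lists can be modelled as a small decision function. Port names, MAC addresses, the `snooping_decision` name and the `DhcpMsg` fields are assumptions, and forwarding of server replies is simplified to a lookup in the binding database keyed by client MAC rather than Option 82; the test cases show that a host with no binding (a static-IP station) is never dropped by the binding rule.

```python
from dataclasses import dataclass

# Message types that only a DHCP server should send (first drop rule above).
SERVER_TYPES = {"OFFER", "ACK", "NAK", "LEASEQUERY"}

@dataclass
class DhcpMsg:
    msg_type: str            # e.g. DISCOVER, REQUEST, RELEASE, DECLINE, OFFER, ACK
    frame_src_mac: str       # source MAC of the Ethernet frame
    chaddr: str              # client hardware address field inside the DHCP message
    giaddr: str = "0.0.0.0"  # relay agent address; non-zero means a relay touched it
    has_option82: bool = False

def snooping_decision(msg, in_port, trusted_ports, bindings):
    """Apply the snooping rules to one message (assumed model, not IOS code).

    bindings is the snooping database: client MAC -> port it was learned on.
    Returns ("drop", reason) or ("forward", [egress ports]).
    """
    mac = msg.chaddr.lower()
    if in_port not in trusted_ports:
        # Rule 1: server messages never arrive on untrusted (client) ports.
        if msg.msg_type in SERVER_TYPES:
            return ("drop", "server message on untrusted port")
        # Rule 4: relayed messages and Option 82 only come from trusted ports.
        if msg.giaddr != "0.0.0.0" or msg.has_option82:
            return ("drop", "giaddr set or Option 82 present on untrusted port")
    if msg.msg_type not in SERVER_TYPES:
        # Rule 2: the DHCP chaddr must match the frame's source MAC.
        if mac != msg.frame_src_mac.lower():
            return ("drop", "chaddr does not match frame source MAC")
        # Rule 3: RELEASE/DECLINE must come from the port the binding was learned on.
        # A MAC with no binding (e.g. a statically addressed host) is not affected.
        if msg.msg_type in ("RELEASE", "DECLINE"):
            bound_port = bindings.get(mac)
            if bound_port is not None and bound_port != in_port:
                return ("drop", "RELEASE/DECLINE from a port other than the bound one")
        # Client messages go out trusted ports only.
        return ("forward", sorted(trusted_ports))
    # Server reply on a trusted port: only back to the port of the addressed client
    # (simplified here to a binding lookup by chaddr instead of Option 82).
    client_port = bindings.get(mac)
    return ("forward", [client_port] if client_port else [])
```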