Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

DAI/IPSG question

Hey folks, looking for some insight with this situation. The customer's wireless network is completely separated from their LAN...air gapped, so to speak. Until a careless employee decided to bridge his wireless adapter for whatever reason. This is causing wireless users to get DHCP from the LAN's DHCP server instead of the wireless router.

Is IP source guard with DHCP snooping the answer to their troubles?

My reasoning is something like this. DHCP snooping will stop DHCP going from the wireless to the wired LAN since the bridged laptop would be an untrusted port. IPSG is supposed to ensure that only the IP addressed assigned via DHCP (as seen in the snooping table) is seen coming out of a particular switch port. My only red flag is "does IPSG let through DHCP packets if an address has already been assigned"?

The PC that gets an IP via DHCP is now behaving like a switch, which is sending on more DHCP requests. Port security won't work because that works based on MAC addresses which will always be the MAC of the PC (right?).

Is there an application of any of these technologies that can make this work or am I on the wrong track?

Cheers,

Xavier

2 REPLIES
Hall of Fame Super Silver

DAI/IPSG question

Hello Xavier,

>> The PC that gets an IP via DHCP is now behaving like a switch, which is sending on more DHCP requests. Port security won't work because that works based on MAC addresses which will always be the MAC of the PC (right?)

No, if the PC is bridging between its own wireless NIC and its ethernet NIC the DHCP requests will be sourced by the wireless NICs of the other devices speaking on air, so port security could provide some benefits.

DHCP snooping with IP source guard is also a possible solution to this issue.as you have noted.

Hope to help

Giuseppe

New Member

DAI/IPSG question

Really? I thought that the bridge will change the source MAC address of the frame to it's own when it does the bridging?

So the IPSG won't let through the other DHCP requests thinking that they are legitimate because the source MAC is the original MAC and not a new one.

Sounds good, thanks a lot!

187
Views
5
Helpful
2
Replies
CreatePlease login to create content