DHCP Snooping and IP Source Guard

bardellom
Level 1

Can these two Cisco switch security features effectively prevent a host with a statically assigned IP address from accessing the network?

Thanks

2 Replies

jbrenesj
Level 3

IP Source Guard needs the DHCP snooping database, which is built upon receiving DHCP discoveries from the host. Since the host won't ask for an IP, there is not going to be an entry in the snooping database, so all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PVACL) is installed on the port. Again, no DHCP process is initiated by the host, so all non-DHCP traffic will be blocked.

Switch(config)# ip dhcp snooping
Switch(config)# interface fa6/1
Switch(config-if)# no ip dhcp snooping trust
Switch(config-if)# ip verify source vlan dhcp-snooping

You can also enable ARP inspection (but it is only possible on the whole VLAN) to prevent this host from sending ARP replies, so no one will be able to communicate with it.

Thanks
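As an added illustration of the reply above (this is example code written for this page, not Cisco software output and not the poster's configuration), here is a small Python model of the decision IP Source Guard makes from the DHCP snooping binding table: DHCP always passes, everything else on a guarded port must match a binding learned from a lease or entered by hand. It assumes DHCP snooping is already active on the VLAN, filters on source IP only (the variant without the port-security keyword), and uses constructed port names, addresses and packets.

```python
"""Model of IP Source Guard filtering driven by the DHCP snooping binding table.

Added example for illustration only: the switch, ports, addresses and packets
below are constructed and are not Cisco code or real device output.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

DHCP_UDP_PORTS = (67, 68)  # DHCP server / client ports


@dataclass
class Packet:
    """Only the header fields the filter looks at (constructed sample frame)."""
    port: str
    vlan: int
    src_ip: str
    src_mac: str
    udp_dport: Optional[int] = None  # 67 or 68 marks a DHCP message

    @property
    def is_dhcp(self) -> bool:
        return self.udp_dport in DHCP_UDP_PORTS


@dataclass
class SourceGuardSwitch:
    # DHCP snooping binding table: (port, vlan) -> {(ip, mac), ...}
    bindings: Dict[Tuple[str, int], Set[Tuple[str, str]]] = field(
        default_factory=lambda: defaultdict(set))
    # Ports where 'ip verify source' installed the per-port/VLAN filter (PVACL)
    guarded_ports: Set[str] = field(default_factory=set)

    def enable_source_guard(self, port: str) -> None:
        """Equivalent of 'ip verify source vlan dhcp-snooping' on an untrusted port."""
        self.guarded_ports.add(port)

    def learn_lease(self, port: str, vlan: int, ip: str, mac: str) -> None:
        """Snooping records a binding when it sees the server's DHCPACK for a client."""
        self.bindings[(port, vlan)].add((ip, mac))

    def add_static_binding(self, ip: str, mac: str, vlan: int, port: str) -> None:
        """Equivalent of 'ip source binding <mac> vlan <vlan> <ip> interface <port>'."""
        self.bindings[(port, vlan)].add((ip, mac))

    def permit(self, pkt: Packet) -> bool:
        """Return True if the frame is forwarded, False if the PVACL drops it."""
        if pkt.port not in self.guarded_ports:
            return True  # no filter installed on this port
        if pkt.is_dhcp:
            return True  # DHCP is always let through so a client can obtain a lease
        allowed_ips = {ip for ip, _ in self.bindings.get((pkt.port, pkt.vlan), set())}
        # Without the port-security keyword only the source IP is checked; with it,
        # the MAC would have to match the binding as well.
        return pkt.src_ip in allowed_ips


def simulate() -> Dict[str, bool]:
    """Walk through the scenario from the thread and return each filtering decision."""
    sw = SourceGuardSwitch()
    sw.enable_source_guard("Fa6/1")
    sw.enable_source_guard("Fa6/2")
    # Constructed hosts: one with a static address, one that uses DHCP.
    static_host = dict(port="Fa6/1", vlan=10, src_ip="10.0.10.50", src_mac="00:11:22:33:44:55")
    dhcp_host_mac = "aa:bb:cc:dd:ee:ff"
    results: Dict[str, bool] = {}
    # 1. Static host never sends DHCP, so there is no binding: ordinary IP traffic is dropped.
    results["static_host_before_binding"] = sw.permit(Packet(**static_host))
    # 2. A DHCP client's DISCOVER passes even though it has no binding yet.
    results["dhcp_discover"] = sw.permit(
        Packet("Fa6/2", 10, "0.0.0.0", dhcp_host_mac, udp_dport=67))
    # 3. Snooping sees the ACK, records the lease, and the client's traffic is forwarded.
    sw.learn_lease("Fa6/2", 10, "10.0.10.20", dhcp_host_mac)
    results["dhcp_host_after_lease"] = sw.permit(Packet("Fa6/2", 10, "10.0.10.20", dhcp_host_mac))
    # 4. The same port using an address that is not in its binding is dropped.
    results["dhcp_host_other_ip"] = sw.permit(Packet("Fa6/2", 10, "10.0.10.99", dhcp_host_mac))
    # 5. The administrator adds a static binding for the static host: now it is forwarded.
    sw.add_static_binding("10.0.10.50", "00:11:22:33:44:55", 10, "Fa6/1")
    results["static_host_after_binding"] = sw.permit(Packet(**static_host))
    # 6. A port without 'ip verify source' is not filtered at all.
    results["unguarded_port"] = sw.permit(Packet("Fa6/3", 10, "10.0.10.77", "de:ad:be:ef:00:01"))
    return results


if __name__ == "__main__":
    for name, decision in simulate().items():
        print(f"{name:28s} {'permit' if decision else 'drop'}")
```

The model shows why the answer to the question is "yes, as long as no static binding exists for that host": step 1 drops the static host's traffic, and only the explicit binding in step 5 lets it through, which is the administrative override the reply mentions.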
