New Member

Dhcp snooping

We are facing a problem with DHCP snooping at one of the sites. The problem is that even if we exclude one VLAN from DHCP snooping, the hosts in that particular VLAN are still getting IP addresses from the DHCP server. Following are the configurations we have done for the same:

- We have enabled ip dhcp snooping for the user VLANs.

- We enabled ip dhcp snooping trust on all uplink ports and on the port to which the DHCP server is connected.

- The result is that even though VLAN 10 is not part of DHCP snooping, if we connect our laptop to an access port in VLAN 10 we are getting an IP address from the DHCP server, i.e. DHCP snooping is not working in this scenario.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: Dhcp snooping

Hello Shibi,

DHCP snooping is a security measure that provides protection from some DHCP attacks (rogue DHCP servers for man-in-the-middle, DHCP DoS to fill the scope, and so on).

If you configure DHCP snooping to skip a VLAN, that doesn't imply that users in that VLAN cannot get an IP address from the DHCP server.

In fact, if in interface vlan 10 on your router you have an ip helper-address pointing to the DHCP server's IP address, the PCs will get their IP address if the scope is defined.

In addition, in VLAN 10 you can face a DHCP attack.

If you don't want to provide DHCP support in VLAN 10, remove the ip helper-address command in interface vlan 10.

See the following link about DHCP snooping:

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/snoodhcp.html#wp1097570

Hope to help

Giuseppe
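The configuration Giuseppe describes, written out as an added example (not posted in this thread): user VLANs 20 and 30 are snooped, VLAN 10 is deliberately left out of the snooping list, Gi1/0/1 is the uplink, Gi1/0/2 connects the DHCP server at 192.0.2.10, and VLAN 10 is routed by an SVI on this switch. All interface names, VLAN numbers and addresses are assumptions.

```cisco
! Added example, not the thread's own configuration. Assumed topology:
! VLANs 20/30 snooped, VLAN 10 excluded, Gi1/0/1 uplink, DHCP server
! 192.0.2.10 on Gi1/0/2, VLAN 10 routed by interface Vlan10 on this switch.

ip dhcp snooping
ip dhcp snooping vlan 20,30
! VLAN 10 is not listed: DHCP packets in VLAN 10 are neither inspected
! nor filtered, and no binding entries are built for it.

interface GigabitEthernet1/0/1
 description uplink
 switchport mode trunk
 ip dhcp snooping trust

interface GigabitEthernet1/0/2
 description DHCP server
 switchport mode access
 switchport access vlan 20
 ip dhcp snooping trust

interface GigabitEthernet1/0/10
 description user access port in VLAN 10
 switchport mode access
 switchport access vlan 10
! untrusted by default, but that only matters in a snooped VLAN

interface Vlan10
 ip address 10.10.10.1 255.255.255.0
! This relay statement is what delivers leases to VLAN 10 hosts,
! whether or not VLAN 10 is in the snooping list.
 ip helper-address 192.0.2.10

! To stop VLAN 10 hosts from getting leases (the thread's advice):
interface Vlan10
 no ip helper-address 192.0.2.10

! Verification commands:
! show ip dhcp snooping          -> snooped VLANs and trusted interfaces
! show ip dhcp snooping binding  -> bindings exist only for VLANs 20 and 30
```

The excluded VLAN is the unprotected one, not the one without DHCP: if hosts in VLAN 10 are still supposed to receive leases, the defensive change is to add 10 to the `ip dhcp snooping vlan` list (keeping the uplink and server ports trusted), and `show ip dhcp snooping binding` will then start showing VLAN 10 entries.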

2 REPLIES
New Member

Re: Dhcp snooping

Thanks Giuseppe. It was a small misunderstanding from my side. Thank you once again, it has cleared my doubt.

Regards

Shibi
