
How to prevent 'rogue' DHCP servers on a LAN segment?

Is there a way for me to be able to 'lock down' a VLAN so that DHCP requests are answered by ONLY the specific DHCP server that I have assigned to that VLAN's subnet?

Would this be accomplished by just putting an ip-helper line in the VLAN configuration, that points to the one DHCP server I want serving addresses to that VLAN segment?

4 REPLIES

Re: How to prevent 'rogue' DHCP servers on a LAN segment?

You would need to configure DHCP snooping on your VLAN. It's funny that you ask because I just completed this earlier today with an external database on an SCP server.

To keep it simple though, depending on the equipment that you're working with, you would trust the port that the dhcp server connects to and trust all of your links that connect switches. Then keep all of your edge ports that connect to hosts as untrusted:

ip dhcp snooping
ip dhcp snooping vlan 1

interface fa0/0
 description dhcp server
 ip dhcp snooping trust

As far as your other question, helpers redirect traffic across VLANs for when you have a DHCP server on one VLAN and hosts on another VLAN need to get their addresses from that DHCP server. It won't help protect the DHCP server or stop rogue servers.

Hth,
John


HTH, John *** Please rate all useful posts ***

Re: How to prevent 'rogue' DHCP servers on a LAN segment?

DHCP snooping is an option to prevent rogue DHCP servers on the LAN segment.

Commands:

switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan 100,200,250-252

For trusted servers:

switch(config)# interface fa2/10
switch(config-if)# description DHCP Server
switch(config-if)# ip dhcp snooping trust

For more information read the following link.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_53_se/configuration/guide/swdhcp82.html#wp1078853

Regards,

Ali


I am going to try to configure this on my Switch. 


Am I correct in thinking that, if my ASA provides DHCP and is connected to switch interface fa2/10, I would use these commands?

switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan 1,3
(The switch I am testing uses the default VLAN 1 and VLAN 3 (Guest).)

For trusted servers:

switch(config)# interface fa2/10
switch(config-if)# description DHCP Server
switch(config-if)# ip dhcp snooping trust
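The replies above show the global and server-port commands but describe the rest only in prose (trust the links between switches, leave host ports untrusted). The configuration below is an added example, not from the thread or from Cisco's documentation, that puts those pieces together with the usual verification and a rate limit on edge ports; VLANs 1 and 3 and fa2/10 are taken from the thread, while the uplink port, the edge port range and the SCP host are assumptions.

```cisco-ios
! Global: enable snooping, limit it to the VLANs in use (1 and 3 as in the
! post above), and keep the binding table on an external host so it survives
! a reload (the SCP host and path are placeholders)
ip dhcp snooping
ip dhcp snooping vlan 1,3
ip dhcp snooping database scp://user@198.51.100.10/dhcp-snooping.db
! Snooping inserts option 82 into relayed requests by default. Some DHCP
! servers drop requests that carry it, which then looks like "snooping broke
! DHCP". Disable the insertion unless the server is known to handle it.
no ip dhcp snooping information option
! Ports shut down by the rate limiter below recover on their own
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! The port facing the DHCP server (fa2/10 as in the thread) is trusted:
! DHCPOFFER/ACK/NAK packets are accepted only on trusted ports
interface FastEthernet2/10
 description DHCP Server
 ip dhcp snooping trust
!
! Links to other switches must be trusted as well, otherwise offers that
! reach this switch through a neighbour are dropped (assumed port name)
interface GigabitEthernet1/1
 description Uplink to other switch
 switchport mode trunk
 ip dhcp snooping trust
!
! Host-facing ports stay untrusted (the default). Any server-side DHCP
! message seen here is dropped, so a reset DSL router or a misconfigured AP
! cannot hand out leases. The rate limit (packets per second) stops a single
! host flooding DISCOVERs; the port is err-disabled if it is exceeded.
interface range FastEthernet2/1 - 8
 description Edge ports
 switchport mode access
 ip dhcp snooping limit rate 15
!
end
```

Check the result with "show ip dhcp snooping" (lists the enabled VLANs and which ports are trusted) and "show ip dhcp snooping binding" (the learned MAC/IP/lease entries); a port that tripped the rate limit shows up under "show interfaces status err-disabled".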


I'm looking to do something similar... I have a Cisco 1841 configured as a DHCP server and would like to block any other DHCP servers from the LAN. I recently had a repurposed DSL router that I had configured for use as a wireless AP (disabled DHCP server, WAN interface, etc.). Something (lightning, power surge, or an employee possibly) caused the device to factory reset, which in turn re-enabled the internal DHCP server, which brought down internet access for all clients depending on DHCP. Can DHCP snooping be configured to run on the 1841, which should be the only DHCP server on the LAN, or is this something that can only be handled through a switch config? (We have multiple SLM2024 switches spread across this LAN and I don't see an option to enable this feature, and I don't believe there is a CLI for these switches either.)

Thanks,

Chris
