
How to protect from an unauthorized SOHO router?

Hi

If it's possible, how do you protect/block an unauthorized DHCP SOHO router with NAT from a Cisco 3750?

Thanks

Kasper


rizwanr74 wrote:

First you identify your actual DHCP server port and apply “ip dhcp snooping trust”:

    interface GigabitEthernet1/0/1
     description My DHCP Server
     ip dhcp snooping trust

And then apply this command in global config mode:

    ip dhcp snooping

This should take care of your problem.

thanks

Rizwan Rafeek


I think you should read the thread again; the snooping commands have nothing to do with this issue, because the problem lies on the other side of a hidden object.

RockstarWiFi

So I was recently asked about this and it appears there are not many solid answers to this question, so let me tell you how I see this issue. You have a couple of options. First of all you can statically configure mac-addresses or have them dynamically learned (sticky) for a particular switch or closet. In most corporate networks this would not solve your issue as you're looking to dynamically spot a router which is layer 3. For all intents and purposes it is a host on the network. If this poses a great risk to your organization you can always adopt 802.1x, which can add an additional form of authentication mac+user/pw for any device trying to access the network, and so far as I know not many home routers could support this. You could also opt to use device certificates, TrustSec, etc. but obviously there is a cost to these things.

So to answer your question, there is no way that port security "by itself" can prevent this.
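The contrast described in the reply above, sketched as an added example that is not part of the original thread: an access port with port security only, next to one that also requires 802.1X. The interface numbers, the RADIUS address (192.0.2.10, a documentation address) and the key are placeholders, and the command forms assume a Catalyst 3750 image that supports the `authentication` interface commands.

```cisco
! --- Global: RADIUS-backed 802.1X (server address and key are placeholders) ---
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! --- Port security only ---
! A NAT router forwards all of its clients' traffic from its own WAN MAC,
! so the switch learns exactly one address on this port. The limit of one
! MAC is never exceeded and the router looks like any other host.
interface GigabitEthernet1/0/10
 description User port - port security only
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
!
! --- Port security plus 802.1X ---
! The port stays unauthorized until the attached device completes an
! 802.1X exchange that the RADIUS server accepts, so a device without a
! supplicant and valid credentials gets no access regardless of its MAC.
interface GigabitEthernet1/0/11
 description User port - 802.1X required
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! Older images use "dot1x port-control auto" in place of
! "authentication port-control auto".
```

After applying it, `show port-security interface` and `show dot1x interface` on each port show the learned MAC count and the authorization state, which is where the difference between the two ports becomes visible.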
