01-21-2012 11:43 AM - edited 03-07-2019 04:28 AM
Hi
If it's possible, how do you protect/block an unauthorized DHCP SOHO router with NAT from a Cisco 3750?
Thanks
Kasper
01-25-2012 12:56 PM
rizwanr74 wrote:
First you identify your actual DHCP Server port and apply “ip dhcp snooping trust”
interface GigabitEthernet1/0/1
Description My DHCP Server
ip dhcp snooping trust
And then apply this command on global config mode.
ip dhcp snooping
This should take care of your problem.
thanks
Rizwan Rafeek
I think you should read the thread again, the snooping commands have nothing to do with this issue, because the problem lies on the other side of a hidden object.
01-25-2012 04:52 PM
12-03-2013 07:21 PM
So I was recently asked about this and it appears there are not many solid answers to this question, so let me tell you how I see this issue. You have a couple of options. First of all you can statically configure mac-addresses or have them dynamically learned (sticky) for a particular switch or closet. In most corporate networks this would not solve your issue as you're looking to dynamically spot a router which is layer 3. For all intents and purposes it is a host on the network. If this poses a great risk to your organization you can always adopt 802.1x, which can add an additional form of authentication mac+user/pw for any device trying to access the network, and so far as I know not many home routers could support this. You could also opt to use device certificates, trust-sec, etc. but obviously there is a cost to these things.
So to answer your question, there is no way that port security "by itself" can prevent this.
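The two controls raised in this thread, DHCP snooping and 802.1X, side by side as an added example configuration (not taken from any of the posts above). VLAN 10, the access port number, the RADIUS address and the shared secret are constructed placeholders, and the 802.1X interface syntax assumes an IOS release on the 3750 that uses the `authentication port-control` form.

```cisco
! Constructed example: VLAN, port numbers and RADIUS details are placeholders.
!
! DHCP snooping: DHCP server replies are dropped on untrusted ports.
! This covers a SOHO router attached by one of its LAN ports, where its
! built-in DHCP server would answer clients on the corporate VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet1/0/1
 description My DHCP Server
 ip dhcp snooping trust
!
! 802.1X: an access port passes traffic only after the attached device
! authenticates. This addresses a router attached by its WAN port, which
! behind NAT appears to the switch as one ordinary host and is not
! affected by DHCP snooping.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key <shared-secret>
dot1x system-auth-control
!
interface GigabitEthernet1/0/2
 description User access port
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
```

`show ip dhcp snooping` lists the VLANs with snooping enabled and the trusted ports; `show dot1x all` shows the 802.1X state of each port.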