03-28-2006 03:55 AM - edited 03-03-2019 02:31 AM
ALL
I am now using a 3550 as a DHCP server for all the PCs. But I found a serious problem: if a PC itself is a DHCP server, many of the PCs will obtain their IP from that fake PC. What can I do?
tks
03-28-2006 03:59 AM
Hi Sam,
If you know you have a PC which is working as a DHCP server, and you are not using it, and you are using the 3550 as the DHCP server, why don't you just disable the DHCP service on that PC?
Regards,
Ankur
03-28-2006 04:01 AM
You could apply an access-list to all switch ports connected to PCs that blocks inbound UDP packets with a source port of BOOTPS (udp/67)...
Hope that helps - pls rate the post if it does.
Paresh
03-28-2006 04:05 AM
Hi Paresh,
I didn't understand this part. What will be my source IP in the ACL, since the PC has not yet got an IP from DHCP?
Correct me if I mistook your explanation.
Regards,
Ankur
03-28-2006 04:10 AM
Ankur,
The idea is to block packets *from* the rogue PC which is running a DHCP server. This PC would have a valid IP address, so if you blocked such packets from all ports except the one connected to the real DHCP server, you could prevent the accidental or malicious PC from disrupting DHCP on the network.
I haven't tried this myself but it just seems like something that could work :-)
Paresh
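The port-ACL version of Paresh's suggestion, written out as an added example (this is not configuration from the thread, and the interface range and ACL name are assumed). The filter matches what a DHCP server sends, UDP with source port 67 (bootps), and drops it where it enters a PC-facing port; client traffic (source port 68) is untouched. Port ACLs on the 3550 are applied inbound on Layer 2 switchports and need no routing, so the switch can stay a pure Layer 2 device. In this thread the 3550 itself is the DHCP server, so no access port has to be exempted; if the legitimate server sat behind another switch, its uplink port would have to be left without the ACL.

```cisco
! Added example, not from the original thread. Interface numbers and the ACL name are assumptions.
! Drop anything that looks like a DHCP server reply (UDP source port 67, "bootps")
! arriving from a PC port. DHCP client packets (UDP source port 68, "bootpc") still pass.
ip access-list extended BLOCK-ROGUE-DHCP
 deny   udp any eq bootps any
 permit ip any any
!
! Apply inbound on every port that faces a PC. The 3550 applies port ACLs
! to inbound traffic on Layer 2 switchports, so no routing is required.
interface range FastEthernet0/1 - 24
 switchport mode access
 ip access-group BLOCK-ROGUE-DHCP in
!
! Do NOT apply the ACL on a port behind which the real DHCP server lives
! (for example an uplink to another switch). Here the 3550 is the server,
! so its replies never enter an access port and nothing has to be excluded.
```

To check that the filter is in place and is matching, use `show ip access-lists BLOCK-ROGUE-DHCP` and `show running-config interface FastEthernet0/1`. This stops the rogue server's OFFER/ACK packets, but it does nothing against a PC that simply configures a static address; that is a separate problem.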
03-28-2006 04:10 AM
Hi Paresh,
Sorry, I mistook your explanation. Got it now. You plan to restrict the PC which is running the DHCP server via an ACL.
Regards,
Ankur
03-28-2006 04:08 AM
Hi,
Yes, that's true, the PCs will fetch the DHCP IP from the DHCP server which gets the request first and replies back.
If that is a single PC in your network and you know its IP and so on, then you can use ACLs to block the DHCP traffic to and from the server on the UDP ports.
access-list
access-list
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a00800f0804.shtml
HTH, Please rate if it does.
-amit singh
03-28-2006 12:24 PM
All
I did read some DHCP snooping material, but don't know how to apply it.
In addition, I am using the 3550 as a Layer 2 switch only. Will the ACL still work?
tks
03-28-2006 12:42 PM
Configure the global command "ip dhcp snooping" then the interface command "no ip dhcp snooping trust" on the interface that the rogue DHCP server is attached to.
Hope this helps, please rate helpful posts.
03-28-2006 05:50 PM
Yeah, use DHCP snooping. Upgrade to the latest 12.2 code for the c3550 platform to get this new feature. It works well.
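A complete DHCP snooping configuration for the setup described in the two posts above, as an added example (not configuration from the thread; VLAN 10 and the interface numbers are assumptions). Enabling snooping globally is not enough by itself, it also has to be turned on per VLAN. Every port is untrusted by default, and on an untrusted port the switch drops DHCP server messages (OFFER, ACK, NAK), which is exactly what silences the rogue PC; only ports leading towards a legitimate server are marked trusted. Because the 3550 here is the DHCP server, its own replies are generated by the switch and no access port needs to be trusted; trust is only needed on uplinks to other switches that carry server replies.

```cisco
! Added example, not from the original thread. VLAN and interface numbers are assumptions.
! 1. Enable DHCP snooping globally AND on the client VLAN (both are required).
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. PC ports stay untrusted (the default). DHCP server messages arriving here
!    are dropped, so the rogue PC's offers never reach the other clients.
!    The rate limit bounds how many DHCP packets per second a port may send;
!    a port exceeding it is err-disabled.
interface range FastEthernet0/1 - 24
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping limit rate 15
!
! 3. Trust only ports that lead towards a legitimate server, e.g. an uplink
!    to another switch. Not needed for the 3550's own DHCP server.
interface GigabitEthernet0/1
 description Uplink to core
 switchport mode trunk
 ip dhcp snooping trust
!
! 4. Snooping inserts DHCP option 82 into client requests by default. If the
!    switch's own DHCP server stops handing out leases after snooping is
!    enabled, this insertion is a common cause; turning it off is one fix:
no ip dhcp snooping information option
```

Verify with `show ip dhcp snooping` (global and per-VLAN state, trusted ports, rate limits) and `show ip dhcp snooping binding` (the client MAC/IP/lease table the switch has learned). Snooping only polices DHCP itself; as the later post in the thread points out, a PC with a manually assigned address is not affected by it.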
03-29-2006 01:42 AM
What about manually assigned IP addresses? Have you thought about that? If not, you probably need a spoofing ACL too to protect against this.
Don't know if Cisco has a function that can protect against this automatically.
Martin
DK