dhcp prevention

samuel.lam
Level 1

ALL

I am now using a 3550 as a DHCP server for all the PCs. But I found a serious problem: if a PC itself is a DHCP server, many of the PCs will obtain their IP from that fake PC. What can I do?

tks


ankurbhasin
Level 9

Hi Sam,

If you know you have a PC which is working as a DHCP server, you are not using it, and you are using the 3550 as the DHCP server, why don't you just disable the DHCP service on that PC?

Regards,

Ankur

pkhatri
Level 11

You could apply an access-list to all switch ports connected to PCs that blocks inbound UDP packets with a source port of BOOTPS (udp/67)...

Hope that helps - pls rate the post if it does.

Paresh

Hi Paresh,

I didn't understand this part. What will be my source IP in the ACL, since the PC has not yet got an IP from DHCP?

Correct me if I mistook your explanation.

Regards,

Ankur

Ankur,

The idea is to block packets *from* the rogue PC which is running a DHCP server. This PC would have a valid IP address... so if you blocked such packets from all ports except the one connected to the real DHCP server, you could prevent the accidental or malicious PC from disrupting DHCP on the network.

I haven't tried this myself but it just seems like something that could work :-)

Paresh

Hi Paresh,

Sorry, I mistook your explanation. Got it now. You plan to restrict that PC which is running the DHCP server via an ACL.

Regards,

Ankur

amit-singh
Level 8

Hi,

Yes, that's true, the PCs will fetch the DHCP IP from the DHCP server which gets the request first and replies back.

If that is a single PC in your n/w and you know the IP and all, then you can use ACLs to block the DHCP traffic to and from the server on the UDP ports (the addresses after "host" were lost from the post; <source-ip> and <destination-ip> below are placeholders for them):

access-list <acl-number> deny udp host <source-ip> host <destination-ip> eq 67

access-list <acl-number> deny udp host <source-ip> host <destination-ip> eq 68

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a00800f0804.shtml

HTH, Please rate if it does.

-amit singh

All

I did read some DHCP snooping material, but don't know how to apply it.

In addition, I am using the 3550 as a Layer 2 switch only. Will the ACL still work?

tks

Marvin Rhoads
Hall of Fame

Configure the global command "ip dhcp snooping" then the interface command "no ip dhcp snooping trust" on the interface that the rogue DHCP server is attached to.

See: http://www.cisco.com/en/US/partner/products/hw/switches/ps5206/products_configuration_guide_chapter09186a008039eb9c.html

Hope this helps, please rate helpful posts.
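DHCP snooping's core decision is to accept server replies only from a trusted source and discard the rest. The following is an added example, not from this thread or from Cisco: it parses a raw DHCP message (BOOTP header plus options) and flags OFFER/ACK replies whose server identifier (option 54) is not on an allow-list. The trusted address 192.0.2.1 and the sample packets are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

BOOTP_REPLY = 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
OFFER, ACK = 2, 5

# Hypothetical allow-list: the address of the switch acting as the real DHCP server.
TRUSTED_SERVERS = {IPv4Address("192.0.2.1")}


def parse_dhcp(packet: bytes) -> dict:
    """Parse the 236-byte BOOTP fixed header and the DHCP option TLVs."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack_from("!BBB", packet, 0)
    xid = struct.unpack_from("!I", packet, 4)[0]
    yiaddr = IPv4Address(packet[16:20])          # address being offered to the client
    chaddr = packet[28:28 + hlen]                # client hardware (MAC) address
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": options}


def is_rogue_reply(packet: bytes, trusted=TRUSTED_SERVERS) -> bool:
    """True when the message is an OFFER/ACK whose server identifier is not trusted."""
    msg = parse_dhcp(packet)
    mtype = (msg["options"].get(OPT_MSG_TYPE) or b"\x00")[0]
    if msg["op"] != BOOTP_REPLY or mtype not in (OFFER, ACK):
        return False                             # requests from clients are not server replies
    server_id = msg["options"].get(OPT_SERVER_ID)
    if server_id is None or len(server_id) != 4:
        return True                              # a reply without a usable server identifier is rejected
    return IPv4Address(server_id) not in trusted


def build_reply(server_ip: str, client_ip: str, mtype: int = OFFER) -> bytes:
    """Constructed sample DHCP reply (not a real capture) for exercising the check."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", BOOTP_REPLY, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, IPv4Address(client_ip).packed, b"\0" * 4, b"\0" * 4,
                         b"\xaa\xbb\xcc\xdd\xee\xff", b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, mtype, OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])
```

Run over mirrored or captured DHCP traffic, a True result is the reply the switch's untrusted-port filtering would have dropped; on the 3550 itself the feature does this per port rather than per server address.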

Yeah, use DHCP snooping. Upgrade to the latest 12.2 code for the c3550 platform to get this new feature. It works well.

What about manually assigned IP addresses? Have you thought about that? If not, you probably need a spoofing ACL too to protect against this.

Don't know if Cisco has a function that can protect against this automatically.

Martin

DK
