
dhcp prevention

ALL

I am now using a 3550 as the DHCP server for all the PCs. But I found a serious problem: if a PC itself is a DHCP server, many of the PCs will obtain their IP from that fake PC. What can I do?

tks

10 REPLIES

Re: dhcp prevention

Hi Sam,

If you know you have a PC which is working as a DHCP server and you are not using it, and you are using the 3550 as the DHCP server, why don't you just disable the DHCP service on that PC?

Regards,

Ankur


Re: dhcp prevention

You could apply an access-list to all switch ports connected to PCs that blocks inbound UDP packets with a source port of BOOTPS (udp/67)...

Hope that helps - pls rate the post if it does.

Paresh

Re: dhcp prevention

Hi Paresh,

I didn't understand this part. What will be my source IP in the ACL, since the PC has not yet got an IP from DHCP?

Correct me if I misunderstood your explanation.

Regards,

Ankur


Re: dhcp prevention

Ankur,

The idea is to block packets *from* the rogue PC which is running a DHCP server. This PC would have a valid IP address, so if you blocked such packets on all ports except the one connected to the real DHCP server, you could prevent the accidental or malicious PC from disrupting DHCP on the network.

I haven't tried this myself but it just seems like something that could work :-)

Paresh

Re: dhcp prevention

Hi Paresh,

Sorry, I misunderstood your explanation. Got it now. You plan to restrict the PC that is running the DHCP server via an ACL.

Regards,

Ankur

Re: dhcp prevention

Hi,

Yes, that's true: the PCs will take the DHCP IP from whichever DHCP server gets the request first and replies.

If that is a single PC in your network and you know its IP and so on, then you can use ACLs to block the DHCP traffic to and from that server on the UDP ports:

access-list <number> deny udp host <ip> host <ip> eq 67

access-list <number> deny udp host <ip> host <ip> eq 68

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a00800f0804.shtml

HTH, Please rate if it does.

-amit singh
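A worked port ACL for the approach Paresh and Amit describe above, added here as an example and not taken from the thread. The ACL name, VLAN and interface numbers are assumptions. Matching on the UDP port rather than the rogue PC's address means the filter works before any client has an address and without first identifying the offender: a DHCP server's OFFER/ACK leave from UDP port 67 (bootps) towards port 68 (bootpc), while a client's DISCOVER/REQUEST travel the other way (68 to 67), so client traffic is untouched. On the 3550 a port ACL is applied inbound on a Layer 2 access port with `ip access-group`, so it needs no routing; the uplink or the port facing the legitimate server must not get the ACL, or the real server's replies would be dropped too.

```text
! Assumed names: ACL NO-ROGUE-DHCP, PC ports Fa0/1-23, uplink Fa0/24, VLAN 10.
ip access-list extended NO-ROGUE-DHCP
 remark Drop DHCP server replies entering from a PC port. Matching the
 remark client destination port (bootpc) also catches a rogue that sends
 remark from a non-standard source port; the bootps source match covers
 remark the normal case.
 deny   udp any any eq bootpc
 deny   udp any eq bootps any
 remark Everything else, including the PC's own DISCOVER/REQUEST
 remark (udp 68 -> 67), is still allowed.
 permit ip any any
!
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip access-group NO-ROGUE-DHCP in
!
! The uplink / server-facing port deliberately carries no ACL.
interface FastEthernet0/24
 switchport mode trunk
```

Check the result with `show ip access-lists NO-ROGUE-DHCP` and `show running-config interface FastEthernet0/1`. Port ACLs on this platform filter inbound traffic only, which is exactly the direction a rogue server's offers take when they enter the switch from a PC port.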


Re: dhcp prevention

All

I did read some DHCP snooping material, but I don't know how to apply it.

In addition, I am using the 3550 as a Layer 2 switch only. Will the ACL still work?

tks


Re: dhcp prevention

Configure the global command "ip dhcp snooping" then the interface command "no ip dhcp snooping trust" on the interface that the rogue DHCP server is attached to.

See: http://www.cisco.com/en/US/partner/products/hw/switches/ps5206/products_configuration_guide_chapter09186a008039eb9c.html

Hope this helps, please rate helpful posts.
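A complete DHCP snooping configuration for the situation in the original question (the 3550 is both the access switch and the DHCP server), added as an example and not taken from this post or the linked guide. VLAN 10 and the interface numbers are assumptions. Once snooping is enabled on a VLAN every port in it is untrusted by default, so the switch discards DHCP server messages (OFFER, ACK, NAK) that arrive on any port that has not been explicitly trusted; only a port with a legitimate server or another switch behind it needs `ip dhcp snooping trust`.

```text
! Assumed: client VLAN 10, PC ports Fa0/1-23, uplink Fa0/24.
! Global: turn snooping on, then enable it on the VLAN(s) it should police.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Untrusted is the default once snooping is on. A port is trusted only
! when a legitimate DHCP server or an upstream switch sits behind it.
interface FastEthernet0/24
 description uplink to core / external DHCP server
 ip dhcp snooping trust
!
! PC ports stay untrusted. The rate limit (packets per second) also
! blunts DHCP starvation floods from a single port; the port is
! err-disabled if it is exceeded.
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! Gotcha when the switch itself is the DHCP server: snooping inserts
! option 82 by default, and the IOS DHCP server drops a request that
! carries option 82 with giaddr 0 unless told to trust it. Either line
! below resolves it (the second simply stops inserting the option).
ip dhcp relay information trust-all
! no ip dhcp snooping information option
```

Verify with `show ip dhcp snooping` (which VLANs are enabled and which ports are trusted) and `show ip dhcp snooping binding` (the MAC-to-IP-to-port table learned from legitimate leases). If clients stop getting addresses after enabling snooping, the option 82 line above is the first thing to check.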


Re: dhcp prevention

Yeah, use DHCP snooping. Upgrade to the latest 12.2 code for the c3550 platform to get this new feature. It works well.


Re: dhcp prevention

What about manually assigned IP addresses? Have you thought about that? If not, you probably need a spoofing ACL too to protect against this.

Don't know if Cisco has a function that can protect against this automatically.

Martin

DK
