Cisco Support Community
New Member

illegal dhcp (DHCP Snooping )

Hi,

In my network, where there is DHCP (I use DHCP relay on my layer 3 switch),

someone often connects a PC with a DHCP service active, and this causes a problem.

I read on cisco.com and found the documentation about how to fix this problem.

DHCP Snooping is the solution.

The release on my Cisco 6509 with MSFC2 does not support this feature.

WHAT DO YOU THINK ABOUT IT?

DO YOU HAVE A LINK WITH AN EXAMPLE OF ALTERNATIVE METHODS?

Thanks

FC

2 REPLIES
Silver

Re: illegal dhcp (DHCP Snooping )

It is supported on the 6500 with Sup2/MSFC2 Native starting from release 12.2(18)SXE.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/snoodhcp.htm

In CatOS, it has been supported since the 8.3 release.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_3/confg_gd/dhcp.htm

As far as I know, DHCP snooping is the only technique to prevent rogue DHCP server attacks.

HTH.

Salman Z.

New Member

Re: illegal dhcp (DHCP Snooping )

My versions are:

IOS (tm) MSFC2 Software (C6MSFC2-JSV-M), Version 12.1(11b)E4

In CatOS:

WS-C6509 Software, Version NmpSW: 7.6(8)

Step 1. (Permit DHCP response from host 1.2.3.4). "set security acl ip SERVER permit udp host 1.2.3.4 any eq 68"

Step 2. (Deny DHCP responses from any other host). "set security acl ip SERVER deny udp any any eq 68"

Step 3. (Permit other IP traffic). "set security acl ip SERVER permit any any"

Step 4. (Commit the VACL). "commit security acl SERVER"

Step 5. (Map the VACL to VLAN 10 for example). "set security acl map SERVER 10"

WHAT DO YOU THINK ABOUT MY CONFIGURATION?

Thanks

FC
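
The first-match logic of the VACL in the post above, as an added example that is not part of the original thread: a small Python evaluator (not CatOS code) runs the three entries from Steps 1-3 against constructed packets. Every sample address other than 1.2.3.4, including the relay-interface source 10.0.10.1, is an assumption made for illustration.

```python
import ipaddress

# ACL entries from Steps 1-3 of the post, without the "set security acl ip SERVER" prefix.
ACES = [
    "permit udp host 1.2.3.4 any eq 68",
    "deny udp any any eq 68",
    "permit any any",
]

def parse_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the token list; None means wildcard."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ipaddress.ip_address(tokens.pop(0))
    raise ValueError(f"unsupported address spec: {tok}")

def parse_ace(line):
    """Split one entry into (action, protocol, source, destination, destination port)."""
    tokens = line.split()
    action = tokens.pop(0)
    proto = tokens.pop(0) if tokens[0] == "udp" else None
    src, dst = parse_addr(tokens), parse_addr(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return action, proto, src, dst, dport

def evaluate(pkt, aces=ACES):
    """Return the action of the first entry that matches the packet."""
    for action, proto, src, dst, dport in map(parse_ace, aces):
        if proto is not None and proto != pkt["proto"]:
            continue
        if src is not None and src != ipaddress.ip_address(pkt["src"]):
            continue
        if dst is not None and dst != ipaddress.ip_address(pkt["dst"]):
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action
    return "deny"  # nothing matched; unreachable while the last entry is "permit any any"

# Constructed sample packets; only 1.2.3.4 comes from the post.
BCAST = "255.255.255.255"
PACKETS = {
    "reply from 1.2.3.4": {"proto": "udp", "src": "1.2.3.4", "dst": BCAST, "dport": 68},
    "reply from a PC": {"proto": "udp", "src": "192.168.1.50", "dst": BCAST, "dport": 68},
    "client discover": {"proto": "udp", "src": "0.0.0.0", "dst": BCAST, "dport": 67},
    "reply from relay address": {"proto": "udp", "src": "10.0.10.1", "dst": BCAST, "dport": 68},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:28} {evaluate(pkt)}")
```

The last sample shows that the Step 1 permit only helps when legitimate replies arrive on the VLAN with source address 1.2.3.4; a reply carrying any other source address matches Step 2 and is dropped.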
