DHCP Snooping generate alert?

zhichao
Level 1

Hi

The customer's requirement is that when there is unauthorized DHCP, the switch should block the traffic (or shut down the port), but some alerts (SNMP trap or syslog) should be generated.

We have tried DHCP snooping, but it does not have the alerting feature.

Any other solution? Thanks

7 Replies

bsivasub
Level 4

What do you mean by unauthorized DHCP? Server?

So you want to err-disable the port if an untrusted port is sending DHCP offers?

But I don't know why this is important. The server is blocked anyway. It will never see a DHCP DISCOVER and hence it won't send a DHCP OFFER or DHCP ACK etc. If it is sending a lot of DHCP packets, you can enable the rate-limit feature to shut down the interface. DHCP can log a syslog message when it shuts down a port.

Basically the users want to be alerted when there is an unauthorized DHCP server in the network.

Thanks

But why? The server can not do a thing. It will NEVER see a DHCP DISCOVER packet due to the broadcast isolation provided by DHCP snooping.

Users do not have to worry about the server. The server basically can't do any attack. If some user intentionally wanted to do this, he would be disappointed, as he won't be able to attack the network.

How would we detect it anyway? DHCP offer? But since this server won't see a DHCPDISCOVER, it won't send out a DHCP offer. So this is a moot point.

Hi

It is the same as firewall logging/reporting features. Dropping packets is not enough. It should allow the user to know what happened to their network.

Thanks

To be honest, there is nothing that is dropped. Tell me what we can drop in this scenario.

This is something which can be enhanced, but I don't see anything that will be dropped, as DHCP is a client-initiated feature. If the server never gets a DHCP DISCOVER, it would never send out anything to be dropped.

Do you understand what I am saying? In which scenario would the DHCP server send anything?

I see.

I understand what you are saying. So the DHCP snooping feature blocks the DHCP discover to the trusted interfaces instead of blocking the DHCP reply coming back from untrusted ports. Am I right?

However, the customer's tender requested: prevent and ALERT on unauthorized DHCP servers in the network. Any solution on this?

Thanks

Just to rephrase:

The DHCP snooping feature blocks the DHCP discover to the untrusted interfaces.

This would eliminate any way for an unauthorized DHCP server to operate.

It won't be possible to detect an unauthorized DHCP server, since it won't send any DHCP offers/acks (or server replies), because as I said before DHCP is a client-initiated protocol. If no client contacts the server, then the server is basically as good as not existing.

So I think the client needs to "understand" how DHCP works and how DHCP snooping works.

Once they do, they would drop this request as it is meaningless.

Now you know; go ahead and convince them. It is really a request for a feature which would never be used or be useful.

Good luck
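As an added example (not part of this thread, and not a Cisco feature), here is the kind of check the original poster was asking for: a monitor that parses DHCP server replies seen on untrusted ports and emits an alert when the server identifier (option 54) is not on an allow-list. The allow-list, port names and the sample packets are constructed for illustration.

```python
from ipaddress import IPv4Address
from typing import Dict, Optional

# Constructed allow-list of the DHCP servers the network team operates (assumption).
AUTHORIZED_SERVERS = {"10.0.0.1"}

DHCP_OFFER, DHCP_ACK = 2, 5          # option 53 message types that only a server sends
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Return {option_code: raw_value} from a BOOTP/DHCP payload (UDP body)."""
    # 236 bytes of fixed BOOTP fields, then the 4-byte magic cookie, then TLV options.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # END option
            break
        if code == 0:            # PAD option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return options


def check_server_message(payload: bytes, ingress_port: str) -> Optional[str]:
    """Return an alert line for a server reply from an unauthorized server, else None."""
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(53, b"\x00")[0]
    if msg_type not in (DHCP_OFFER, DHCP_ACK):
        return None                     # client messages (DISCOVER/REQUEST) are not of interest
    server_id = str(IPv4Address(opts[54])) if 54 in opts else "unknown"
    if server_id in AUTHORIZED_SERVERS:
        return None
    kind = "OFFER" if msg_type == DHCP_OFFER else "ACK"
    return f"ALERT rogue DHCP {kind} from server-id {server_id} on {ingress_port}"


def build_dhcp_reply(msg_type: int, server_ip: str) -> bytes:
    """Construct a minimal DHCP reply (op=2) for testing; this is not captured traffic."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 232   # op, htype, hlen, hops + zeroed BOOTP fields
    options = bytes([53, 1, msg_type, 54, 4]) + IPv4Address(server_ip).packed + b"\xff"
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    for pkt, port in ((build_dhcp_reply(DHCP_OFFER, "10.0.0.1"), "Gi1/0/5"),
                      (build_dhcp_reply(DHCP_OFFER, "192.168.1.99"), "Gi1/0/7")):
        print(check_server_message(pkt, port))
```

In practice the payloads would come from a SPAN/mirror feed or a DHCP snooping log export, and the alert line would be handed to syslog or an SNMP trap sender.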
