Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2247
Views
0
Helpful
7
Replies

DHCP Snooping generate alert?

zhichao
Level 1
Level 1

‎06-15-2005 04:26 AM - edited ‎03-02-2019 11:06 PM

Hi

The customer's requirment is when there is unauthorized DHCP, the switch should block the traffic (or shutdown the port), but there should be some alerts (snmp trap or syslog) generated.

We have tried DHCP snooping, but it does not have the alerting feature.

Any other solution? Thanks

Labels:
0 Helpful
7 Replies 7

bsivasub
Level 4
Level 4

‎06-15-2005 08:57 PM

What do you mean by unauhorized DHCP ? Server??

So you want to err-disable to port if untrusted port is sending DHCP offer ???

But I don't know why this is important. The server is blocked anyway. It will never see a DHCP DISCOVER and hence it won't send DHCP OFFER or DHCP ACK etc. If it sending lot of DHCP packets, you can enable rate-limit feature to shut down the interface. DHCP can syslog a message when it is shutdown a port.

0 Helpful

zhichao
Level 1
Level 1
In response to bsivasub

‎06-15-2005 09:43 PM

basically the users want to be alerted when there is unauthorized DHCP server in the network.

thanks

0 Helpful

bsivasub
Level 4
Level 4
In response to zhichao

‎06-15-2005 10:11 PM

But why, the server can not do a thing. It will NEVER see a DHCP DISCOVER packet due to broadcast isolation due to dhcp snooping.

Users does not have to worry abt the server. Server is basically can't do any attack. If some user intentionally wanted to do this, he would be dis-appointed as he won't able to attack the network.

how would we detect it anyway ? DHCP offer..?? But since this server won't see a DHCPDISCOVER he won't send out DHCP offer. So this is a mute point.

0 Helpful

zhichao
Level 1
Level 1
In response to bsivasub

‎06-15-2005 10:21 PM

Hi

It is same as firewall logging/reporting features. Dropping of packets are not enough. It should allow the user to know what happened to their network.

Thanks

0 Helpful

bsivasub
Level 4
Level 4
In response to zhichao

‎06-15-2005 10:35 PM

To be honest, there is nothing that is dropped. Tell me what we can drop in this scenario.

This is something which can be enhanced but I don't see anything that will be dropped as DHCP is client initiated feature. If the server never gets a DHCP DISCOVER, he would never send out anything to be dropped.

Do you understand what I am saying ?? In which scenario, where dhcp server would send anything.

0 Helpful

zhichao
Level 1
Level 1
In response to bsivasub

‎06-15-2005 10:48 PM

I C.

I understand what you are saying. So the dhcp snooping feature is to block the dhcp discover to the trusted interfaces instead of blocking the dhcp reply to come back from untrusted ports. Am I right?

However, the customer's tender requested: prevent and ALERT unauthorized DHCP server in the network. Any solution on this?

thanks

0 Helpful

bsivasub
Level 4
Level 4
In response to zhichao

‎06-15-2005 11:09 PM

just to rephrase

dhcp snooping feature is to block the dhcp discover to the untrusted interfaces.

This would eliminate any way for unauthorized DHCP server to operate.

It won't be possible to detect unauthorized DHCP server since it won't send any DHCP offers/acks (or server replies), since as I said before DHCP is a client initiated protocol. If no client contact server, then server is basically good as not existing.

So I think the client needs to "understand" how DHCP works and how DHCP snooping works.

Once they do, they would drop this request as it is meaningless.

Now you know, go ahead and convince them, it is really a request for a feature which is would ever be used or would be useful.

Good luck

0 Helpful
Customers Also Viewed These Support Documents