02-08-2018 06:53 AM - edited 03-08-2019 01:46 PM
We had an audit performed where the auditing company used a config parser on a switch config. It was a Cisco 3750-X switch. The config parser flagged the switch saying it had the DHCP service running based on the fact that it did not have the command 'no service dhcp' in the config. However, with that audit we turned in a 'show ip socket' command which showed the service was not actively running on the switch.
I have checked and the service is off by default on 3850 switches but I want to know if newer revisions of code for the 3750-X had the service off by default as well. I am running numerous other 3750X switches with older code and the service is running unless you manually turn it off, but the switch in question is updated quarterly if code is available so it is running newer firmware.
Thanks for any input on this.
Charley
02-08-2018 11:21 AM
DHCP is enabled in Cisco IOS software, but it requires configuration. The important part is that the switch responds to DHCP requests only if it is configured as a DHCP server. If it is not configured it does nothing.
Look under "Default DHCP Configuration" section.
Mike
02-08-2018 11:31 AM
I completely understand that it has to be configured to work, but by default in older switches port 67 is an active running service. Even on my older 3750x switches if you run a 'show ip socket' that port is running. Because of standards we have to abide by, we have to justify every running port on that network, whether it is on a server or switch. If we can't justify a use it has to be turned off if it can be. If it can't be turned off we have to document why and show proof.
That is why I was asking. The latest code for the 3750x switches seems to have that service off by default but the older versions do not. Just trying to find any documentation to show when that was changed to default off.
Thanks,
Charley
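The two pieces of evidence discussed in the first post and in the reply above (the auditor's parser looking for an explicit 'no service dhcp' line, and the 'show ip sockets' output showing whether UDP/67 is actually bound) can be cross-checked in one place. The script below is an added example and is not from the thread or from Cisco; the config excerpt and the 'show ip sockets' output are constructed samples whose column layout only approximates real IOS output, and the verdict strings are my own wording, not an audit standard.

```python
"""Cross-check a config-parser DHCP finding against 'show ip sockets' output.

Added example (not from the thread): the static check mirrors what the
auditor's parser did (is 'no service dhcp' present?), the runtime check
mirrors the evidence the switch owner turned in (is UDP/67 bound?), and
assess_dhcp_finding() combines the two the way a reviewer would.
"""
import re

# Constructed sample running-config excerpt (not taken from a real device).
CONFIG_DISABLED = """\
hostname SW-ACCESS-01
!
no service dhcp
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
"""

# Same config with the explicit 'no service dhcp' line removed, i.e. the
# default state the auditor's parser complained about.
CONFIG_DEFAULT = CONFIG_DISABLED.replace("no service dhcp\n", "")

# Constructed 'show ip sockets' output. Column layout approximates IOS;
# addresses and counters are made up. Protocol 17 is UDP.
SOCKETS_WITH_DHCP = """\
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17   0.0.0.0          0  10.1.1.1          67   0   0    1   0
 17   0.0.0.0          0  10.1.1.1         161   0   0    1   0
"""

SOCKETS_WITHOUT_DHCP = """\
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17   0.0.0.0          0  10.1.1.1         161   0   0    1   0
"""

DHCP_SERVER_PORT = 67  # bootps, the port the DHCP server process binds


def dhcp_service_explicitly_disabled(config: str) -> bool:
    """True if the config carries a top-level 'no service dhcp' line."""
    return any(re.fullmatch(r"\s*no service dhcp\s*", line)
               for line in config.splitlines())


def udp_listening_ports(show_ip_sockets: str) -> set[int]:
    """Return the set of local UDP ports listed in 'show ip sockets' text.

    Accepts either the numeric protocol ('17') or the word 'UDP' in the
    first column; the header line and anything malformed are skipped.
    """
    ports: set[int] = set()
    for line in show_ip_sockets.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("17", "UDP"):
            continue
        try:
            ports.add(int(fields[4]))  # fifth column is the local port
        except ValueError:
            continue
    return ports


def assess_dhcp_finding(config: str, show_ip_sockets: str) -> dict:
    """Combine the static (config) and runtime (socket table) evidence."""
    disabled_in_config = dhcp_service_explicitly_disabled(config)
    listening = DHCP_SERVER_PORT in udp_listening_ports(show_ip_sockets)
    if listening:
        verdict = ("UDP/67 is bound: disable with 'no service dhcp' "
                   "or document the justification")
    elif disabled_in_config:
        verdict = "explicitly disabled and not bound: finding closed"
    else:
        verdict = ("not bound although 'no service dhcp' is absent: keep the "
                   "socket output as evidence and add the explicit line so "
                   "a config-only parser stops flagging it")
    return {"no_service_dhcp_present": disabled_in_config,
            "udp67_listening": listening,
            "verdict": verdict}


if __name__ == "__main__":
    cases = [("default config, port bound", CONFIG_DEFAULT, SOCKETS_WITH_DHCP),
             ("default config, port not bound", CONFIG_DEFAULT, SOCKETS_WITHOUT_DHCP),
             ("explicitly disabled", CONFIG_DISABLED, SOCKETS_WITHOUT_DHCP)]
    for name, cfg, socks in cases:
        print(f"{name}: {assess_dhcp_finding(cfg, socks)['verdict']}")
```

The third case is the situation in the thread: a config-only parser cannot see the runtime state, so the socket table is what proves the port is closed, and adding the explicit 'no service dhcp' line makes the config self-documenting regardless of which firmware default applies.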
02-08-2018 11:47 AM
I was checking to see if I could find anything on it but no luck. You could try reaching out to Cisco and see what they recommend. I do know on some audits like that if I could produce documentation on something being on but not able to be used it sometimes allowed the audit to pass, but it depends on the score of the issue.
Mike
02-08-2018 11:49 AM
Another thing that might help is updating them to the latest code so they at least can see that you are current.
Mike
02-08-2018 12:34 PM
I have a case open with Cisco now asking that very question. I am waiting on their response.
We are also required by the same standards to stay up to date. We have to check once a month and if new recommended code exists we have to upgrade or write documentation detailing why we can't upgrade.
Thanks again for any assistance,
Charley
02-08-2018 12:37 PM
Post here what you find....curious.
Mike