1229 Views, 0 Helpful, 8 Replies

Administrative control on L3 switch for DHCP Service

Kuldeep singh
Level 1

Hi Expert,

My network layout is as follows: Firewall (with routing) ------> Cisco 3560 switch (L3) ------> 8 connected Cisco 2960 switches (L2) ----> all users

I have configured 20 VLANs on the Cisco 3560 switch with dynamic pools and static addressing, meaning 5 VLANs are dynamic and the remaining ones are static.

Our company's process provides only internet access to existing clients' computers. The problem is that I configured static VLAN 5

for one of our clients in their separate room, meaning I activated all ports of their room with static VLAN 5. One day they configured their own DHCP server on a Windows 2003 Server with the same subnet (same as VLAN 5) in their room without any notice, and now all their computers/laptops acquire IP addresses dynamically.

If I have configured a static VLAN on those ports, then how do they get a dynamic IP from the same ports? How is it possible? So weird.

How do I restrict another DHCP server/service from being permitted on our premises? I do not want to give clients administrative control to do this kind of thing with the LAN.

Please find the Cisco 3560 switch configuration attached.

Regards

KS

3 Accepted Solutions: the replies from Jeff Van Houten, Chad Spears and Julio Carvajal below.

8 Replies

Jeff Van Houten
Level 5

You need to post some configs, but if you are saying you configured your switch ports as access ports, that has nothing to do with whether or not a client can receive DHCP. If you are looking to disallow untrusted DHCP sources, you need to look into DHCP snooping.

Sent from Cisco Technical Support iPad App

Kuldeep singh
Level 1

What is the best way to apply DHCP snooping for my network?

1. On the Cisco 3560 Layer 3 switch only

                OR

2. On the Cisco 2960 Layer 2 switches only

                OR

3. On a particular VLAN only

                OR

4. On a particular port only

5. All of these (1+2+3+4)

As per my question, I have already mentioned that I am using both dynamic and static VLANs for various company clients. Please remember that in my case VLAN 5 is static. I am confused here about how a port configured in a static VLAN understands dynamic snooping.

Please tell me what to do.

Note: Dynamic VLANs are configured on the Cisco 3560 switch through "ip dhcp pool" only; there is no "ip helper-address" command on it.

Chad Spears
Level 1

If you are running the network for clients, almost like a provider, then give your clients the option. If they want to use an internal DHCP server, then just disable DHCP on your side. If they want you to provide the DHCP server, then enable DHCP. Just ensure that if they configure a server, they set the default gateway to the IP of your switch SVI. Also, as mentioned, you can look at DHCP snooping.

Sent from Cisco Technical Support iPhone App


Julio Carvajal
VIP Alumni

Hello Kuldeep,

DHCP works with broadcast messages from the clients to the server (broadcasts are flooded by a switch to all ports except the one on which the switch received the message). So even though you configure a static IP on that host, if it tries to get an IP it will be able to do so.

Now, a broadcast domain is split by two things: a Layer 3 device or a VLAN. So in your case a broadcast from a client on VLAN 5 will go to all the hosts on VLAN 5 unless you configure something extra (ip helper, etc.).

Now, how to avoid having rogue DHCP servers on your network?

DHCP snooping is the answer:

This feature will allow you to set the ports where the DHCP server is as trusted and the ones not connecting to a DHCP server as untrusted (by default all of them are untrusted). In your case that is how it should behave, as on VLAN 5 there is no DHCP server.

As soon as the switch receives a DHCP Offer from a server, it will place the port in an err-disabled state.

Hope this has been informative, but you can also get more info from the following great blog that I used to understand it:

http://cciesecure.blogspot.com/2010/01/dhcp-snooping-on-cisco-switches.html

Regards,

Julio

Rate the posts that help, for the community this is as good as a thanks

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Jeff Van Houten
Level 5

As I said in the original post, you need to post some configs. The terminology you are using is, in my mind, confusing. Switch ports can be access ports (meaning traffic from only one VLAN can traverse that port) or they can be dynamic, meaning the port can be either an access port or a trunk port depending on what the device attached to that port negotiates. Neither of these configurations has ANYTHING to do with allowing or disallowing DHCP. There is no such thing as a "static" VLAN. There can be SUBNETS that you don't offer DHCP to, and therefore the hosts on that subnet have to have an IP address statically defined.

What you CAN enforce from the switch is which ports have trusted DHCP servers and which don't. That is what DHCP snooping is for (partially). Snooping must be turned on at each switch that is going to participate (e.g., wherever a port exists in a VLAN you want to snoop), and it is also enabled per VLAN.

I'm not sure what the underlying concern is here, so I'm not sure if anything I've written is helpful or not.

Sent from Cisco Technical Support iPad App
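An added example, not a configuration posted in the thread: the DHCP snooping setup that follows from the answer above (enabled globally on every switch that carries the VLAN, then enabled per VLAN, with trust set per port), applied to the layout in the first post. Interface numbers, the port range of the VLAN 5 client room and the description strings are assumptions; only VLAN 5 is listed because the other VLAN IDs are not given in the thread, and they would go on the same `ip dhcp snooping vlan` line. No port on the 3560 is trusted because, in this layout, the 3560's own `ip dhcp pool` servers are the only legitimate source and their replies are generated locally rather than received on a port. What an untrusted port actually does is drop server-side messages (OFFER, ACK, NAK) on ingress while letting client DISCOVER/REQUEST through; a port is err-disabled only when the optional per-port rate limit is exceeded, which the `errdisable recovery` lines handle.

```cisco
! ===== Cisco 3560 (L3 core, runs the "ip dhcp pool" servers) =====
! Assumed: Gi0/1-8 are the trunks down to the eight 2960s. The firewall
! port is not a DHCP source in this layout, so it stays untrusted as well.
ip dhcp snooping
ip dhcp snooping vlan 5
! The local pools do not use option 82 (relay-agent information).
no ip dhcp snooping information option
!
interface range GigabitEthernet0/1 - 8
 description trunk to 2960 access switch (untrusted: client DHCP only)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! ===== Each Cisco 2960 (L2 access), identical on all eight =====
ip dhcp snooping
ip dhcp snooping vlan 5
! Do not insert option 82: the 3560 drops option-82 frames that arrive
! on its untrusted downlinks, which would silently break legitimate leases.
no ip dhcp snooping information option
! Optional: keep the binding table across a reload
ip dhcp snooping database flash:/dhcp-snooping.db
!
interface GigabitEthernet0/1
 description uplink to 3560, the only path to the legitimate DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! Assumed port range for the VLAN 5 client room
interface range FastEthernet0/1 - 8
 description VLAN 5 client room, untrusted (the default)
 switchport mode access
 switchport access vlan 5
 switchport nonegotiate
 ! A rogue server's OFFER/ACK/NAK arriving here is dropped; the rate limit
 ! only err-disables a port that floods DHCP packets.
 ip dhcp snooping limit rate 15
!
! Let a rate-limited port recover on its own after five minutes
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! ===== Checks =====
! Snooping must show as enabled on VLAN 5 with only the uplink trusted:
show ip dhcp snooping
! Bindings appear only for clients served by the legitimate server; on
! VLAN 5 (static addressing) the table should stay empty:
show ip dhcp snooping binding
show interfaces status err-disabled
```

With this in place the Windows 2003 server in the client room can still send its OFFERs, but every 2960 port in that room discards them before they are flooded, so the clients never see a dynamic lease; if the server is later moved behind a port the 2960 trusts, the 3560's untrusted downlinks still drop it.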

Hello,

Based on your explanation, I will apply it just on VLAN 5, and there will not be any trusted port on that VLAN.

Read the document I sent you so you can have a better understanding of how this works, okay?

Remember to rate all the helpful posts, that is why we are here to help

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC