Solved: Block DHCP service for certain interface - Cisco 2960X

lplooh888 · ‎10-17-2016

Hi,

I am a beginner user for Cisco products. I hope someone can advice me about my problem.

My network got use DHCP server (Windows Server 2012 R2) with differences VLAN. I want to block the DHCP server for certain port in Cisco 2960X. That port is connected to a Wireless Router that has own DHCP server. How do i do the configuration about this.

Thank you

Georg Pauwen · ‎10-19-2016

Hello,

the access list would have been the easy way. Since that isn;t working, you could have a look at configuring DHCP snooping, which is kind of overkill, but it might work in your situation. Have a look at the configuration example below:

http://blog.router-switch.com/2012/08/how-to-configure-dhcp-snooping/

View solution in original post

Georg Pauwen · ‎10-17-2016

Hello,

not sure if your IOS and platform support ACLs on interfaces, but you could define an access lists that denies DHCP traffic and apply it to the switch port where the wireless router is connected to (in this example, the wireless router is connected to FastEthernet0/12):

ip access-list extended Deny_DHCP
deny udp any any eq bootpc
deny udp any any eq bootps
permit ip any any

interface FastEthernet0/12
ip access-group Deny_DHCP in

lplooh888 · ‎10-18-2016

Hi,

My IOS and platform cannot support ACL on interface. Once i apply the access list to denies the DHCP, i totally cannot access the VLAN.

Anyone can guard me ??

thank you

Georg Pauwen · ‎10-19-2016

Hello,

the access list would have been the easy way. Since that isn;t working, you could have a look at configuring DHCP snooping, which is kind of overkill, but it might work in your situation. Have a look at the configuration example below:

http://blog.router-switch.com/2012/08/how-to-configure-dhcp-snooping/

lplooh888 · ‎10-20-2016

Dear gpauwen,

Thank you for you reply. i have done the setting and success.

Georg Pauwen · ‎03-29-2017

Hello James,

DHCP snooping should have no effect on inter-Vlan routing. That said, the 2960X has limited Layer 3 functionality.

Try to make the following changes:

2960X#conf t
2960X(config)#sdm prefer lanbase-routing

2960X#conf t
2960X(config)#ip routing

lplooh888 · ‎03-30-2017

Hi Georg,

Sorry ya. no understand about the above statement.

for the sdm prefer lanbase-routing, what should i put to complete the statement?

can you give me some example?

Georg Pauwen · ‎03-30-2017

Hello,

in order to install the template, type:

2960X#conf t
2960X(config)#sdm prefer lanbase-routing
2960X(config)#end
2960X#wr

Then reload the switch,

lplooh888 · ‎03-29-2017

Hi Georg,

How are you ? Sorry for disturb you again.

I facing 1 problem on DHCP snooping.

DHCP snooping command as below :

IP DHCP snooping VLAN 400

IP DHCP snooping

I facing the problem is i cannot access to others vlan. For example as below :

VLAN 400 = 192.168.50.0

VLAN 1 = 168.168.0.0

I cannot ping to vlan 1 from vlan400.

what should i do ? Should i add in any command?

Hope you understand the problem.

thank you

From,

James Looh