Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
352
Views
5
Helpful
2
Replies

DAI/IPSG question

Xavier Lloyd
Level 1
Level 1

‎07-09-2012 02:19 PM - edited ‎03-07-2019 07:41 AM

Hey folks, looking for some insight with this situation. The customer's wireless network is completely separated from their LAN...air gapped, so to speak. Until a careless employee decided to bridge his wireless adapter for whatever reason. This is causing wireless users to get DHCP from the LAN's DHCP server instead of the wireless router.

Is IP source guard with DHCP snooping the answer to their troubles?

My reasoning is something like this. DHCP snooping will stop DHCP going from the wireless to the wired LAN since the bridged laptop would be an untrusted port. IPSG is supposed to ensure that only the IP addressed assigned via DHCP (as seen in the snooping table) is seen coming out of a particular switch port. My only red flag is "does IPSG let through DHCP packets if an address has already been assigned"?

The PC that gets an IP via DHCP is now behaving like a switch, which is sending on more DHCP requests. Port security won't work because that works based on MAC addresses which will always be the MAC of the PC (right?).

Is there an application of any of these technologies that can make this work or am I on the wrong track?

Cheers,

Xavier

Labels:
0 Helpful
2 Replies 2

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎07-10-2012 12:45 AM

Hello Xavier,

>> The PC that gets an IP via DHCP is now behaving like a switch, which is sending on more DHCP requests. Port security won't work because that works based on MAC addresses which will always be the MAC of the PC (right?)

No, if the PC is bridging between its own wireless NIC and its ethernet NIC the DHCP requests will be sourced by the wireless NICs of the other devices speaking on air, so port security could provide some benefits.

DHCP snooping with IP source guard is also a possible solution to this issue.as you have noted.

Hope to help

Giuseppe

Xavier Lloyd
Level 1
Level 1
In response to Giuseppe Larosa

‎07-10-2012 07:36 AM

Really? I thought that the bridge will change the source MAC address of the frame to it's own when it does the bridging?

So the IPSG won't let through the other DHCP requests thinking that they are legitimate because the source MAC is the original MAC and not a new one.

Sounds good, thanks a lot!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card