DHCP Snooping to prevent illegitimate DHCP server

tiwariharish44
Level 1

Dear all,

We have a Cisco 4507 at the distribution layer, where several VLANs are configured. For the past few days we have been observing that users of one VLAN, VLAN 52, are unable to connect to the network. On investigation, we found that the users of VLAN 52 were not getting the IP addresses they were supposed to get (they should have been in the 10.222.52.x range, but instead they were getting 192.168.10.x addresses). On further troubleshooting, we found a rogue Wi-Fi router connected to one of the interfaces in VLAN 52, acting as a DHCP server and handing out IP addresses to the clients of VLAN 52. As soon as we shut that interface, the users started getting proper 10.222.52.x addresses.

But for this we had to shut down each interface belonging to VLAN 52 one by one and then check whether the clients were getting a proper IP address or not.

This process was very time-consuming.

Please help us with how to overcome this problem in the future. Can DHCP snooping be used to overcome such problems or not?

If yes, then how do we configure it?

NOTE: We are not using the 4507 as the DHCP server. The DHCP server is connected at a central position in the network, not on the 4507 chassis itself. We are using the following configuration on interface VLAN 52:

interface Vlan52
 ip address 10.222.52.1 255.255.255.0
 ip helper-address 10.7.10.2
 ! 10.7.10.2 is the actual DHCP server IP address

3 Replies

sarathpa
Level 1

Hi,

Yes, you can configure DHCP snooping to overcome this problem.

It is not necessary to connect the DHCP server directly to the switch. However, you need to know the port through which DHCP traffic will come into the switch.

For example, if DHCP traffic is coming in through switch port Fa0/1, then you need to configure the Fa0/1 interface as a trusted interface. All other interfaces will be considered untrusted.

So DHCP OFFER messages are only allowed on trusted interfaces. If any other DHCP server tries to send a DHCP OFFER on an untrusted port, it will be dropped.

Dear Sarathpa,

We have the DHCP server connected multiple hops away from this 4507: we have routed-port connectivity between this 4507 and a Nexus 7K, then from the Nexus 7K we have a Nexus 5K, after which our DHCP server is connected. So please tell me how I should specify the trusted port. Should I specify the 10 Gig interface that is connected to the Nexus 7K as the trusted port? (I doubt it would take this command, DHCP snooping being an L2 feature.) Please guide further.

Austin Sabio
Level 4

For Layer 3 routed interfaces, configure the DHCP relay agent.

ip dhcp relay information trusted

Keep in mind that DHCP snooping is an access-layer security feature, so you should avoid deploying it at the core level. Typically, all your 4500 uplinks can be trusted, plus trunk links to trusted devices (switches, routers, and servers). Note that the ip dhcp snooping trust statement can only be applied on physical interfaces, not SVIs.

Please see 

http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpre.html

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/31sg/configuration/guide/conf/dhcp.html#wp1073418

Thank you.
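Putting sarathpa's trusted/untrusted explanation and Austin Sabio's point about routed uplinks together, here is an added IOS configuration example for the original poster's 4507. It is not configuration posted in the thread or taken from Cisco documentation. The interface names (a hypothetical L2 trunk Gi1/48 and access ports Gi2/1-48 in VLAN 52) are assumed, as is the decision to disable option 82 insertion rather than trust the relay information; adjust both to the real chassis.

```cisco
! Added example: DHCP snooping on the 4507 for VLAN 52 (not from the thread).
! Interface names below are assumed; adjust to the real chassis layout.
ip dhcp snooping
ip dhcp snooping vlan 52
!
! The 4507 relays VLAN 52 DHCP traffic itself via the Vlan52 SVI (ip helper-address),
! so the server's replies arrive routed over the 10 Gig uplink to the Nexus 7K, not as
! L2 frames inside VLAN 52. "ip dhcp snooping trust" is a switchport command, so the
! routed uplink gets no trust statement and needs none.
!
! Any L2 trunk that legitimately carries DHCP server traffic into VLAN 52 (hypothetical
! Gi1/48 to another switch) must be trusted, otherwise OFFER/ACK from it are dropped.
interface GigabitEthernet1/48
 description Trunk to downstream switch (assumed)
 switchport mode trunk
 ip dhcp snooping trust
!
! Access ports stay untrusted (the default). A rogue DHCP server on any of them, such as
! the Wi-Fi router in the original post, has its OFFER/ACK dropped and the drop is logged
! with the offending source MAC, so the port is found from the log instead of by shutting
! ports one at a time. The rate limit caps DHCP packets per second from a port and
! err-disables a port that exceeds it.
interface range GigabitEthernet2/1 - 48
 description VLAN 52 user ports (assumed)
 switchport mode access
 switchport access vlan 52
 ip dhcp snooping limit rate 15
!
! Let a rate-limited port recover on its own after 5 minutes.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Option 82 insertion is on by default once snooping is enabled. Because the relay agent is
! on this same switch, it sees client packets with option 82 already present and giaddr 0.
! Simplest fix when the central server does not use option 82: do not insert it.
! Alternative (Austin Sabio's reply): keep insertion and add
!   interface Vlan52
!    ip dhcp relay information trusted
no ip dhcp snooping information option
!
! Verification:
!   show ip dhcp snooping          (feature state, snooped VLANs, trusted ports, rate limits)
!   show ip dhcp snooping binding  (client MAC, lease, VLAN and port learned from real leases)
```

After enabling this, the "unable to connect" symptom becomes a set of syslog drops naming the rogue's MAC, and the 192.168.10.x leases stop being handed out because the rogue's OFFER never leaves its untrusted port. Test in a maintenance window: an L2 trunk you forgot to trust will silently drop legitimate leases for everyone behind it.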