DHCP Snooping with IPSourceGuard and DAI on access port

oguarisco
Level 3

Hello to all,

We have an infrastructure where the Access is based on Cat3750G Stacks connected to both Cores using L3 connections.

On the Access Switches the following features are implemented: DHCP Snooping, IP Source Guard and Dynamic ARP Inspection, and all has been working fine for years... the DHCP Servers are on a dedicated stack which acts as a SFarm.

On the Access Switches the port configuration is the following:

  • the Uplink Ports to both of the Cores are configured as TRUST for DHCP Snooping and ARP Inspection
  • the Access Ports, where the end-devices are connected, are UNTRUST for DHCP Snooping and ARP Inspection, with IP Source Guard active

Right now I have to add a new L2 switch on one of the Access Ports and I'm wondering if this is possible, since I have to keep all the security features active on the Stack Access Ports and I also have to implement DHCP Snooping on the new L2 switch to avoid rogue DHCP Servers...

I suppose that the uplink to the L2 switch on the Stack Access Switch should be left as it is, as if an end device were connected... but the uplink port on the L2 switch should be set up as TRUST... isn't it? Keeping in mind that I want to implement DHCP Snooping also on this L2 switch to avoid that Rogue DHCP Servers will impact the end-devices connected to this L2 switch... is this scenario possible??? Or can't I do that, and should I leave DHCP Snooping only on the Access Stack?

Any ideas are appreciated...

Omar G.

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Omar,

You should change the configuration of the port to the new downstream switch to trust DHCP snooping and DAI, as this job will be done on the new downstream switch; otherwise devices connected to the new switch may not be able to get an IP address.

You move DHCP snooping and DAI to the access level close to the end users, so the port in the existing switch is part of your core and not part of the access anymore.

Hope to help

Giuseppe

Hello Giuseppe,

Thanks a lot for the fast answer... you're right, but by moving DHCP Snooping to the L2 switch (since it's an old one - Cat2950G) I'll lose the other security features like DAI and IP Source Guard, since they are not supported on this L2 switch.

On the other hand, if I leave DHCP Snooping, DAI and IP Source Guard for this port (where the L2 switch is connected) on the Access Stack... the end devices connected to the L2 switch are vulnerable to rogue DHCP Server, IP and MAC spoofing attacks, since there will be no security feature implemented there.

To implement your suggestion we should install as L2 platform the 2960S, which supports IP Source Guard and DAI...

so I'm sure that all the L2 security features are still active on the entire Access Layer.

Omar
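As an added illustration (not part of either poster's message), below is the Cisco IOS configuration the two replies converge on: the 3750G stack treats the port facing the new downstream switch as a trusted core-side link and drops IP Source Guard there, while the downstream switch, assumed to be a 2960S-class box that supports DAI and IP Source Guard as Omar notes, runs all three features on its own end-device ports. Interface names, VLAN 10, the trunk settings, the rate-limit values and the description strings are assumptions chosen for the example, not values from the thread.

```cisco
! === Access Stack (Cat3750G) ===
! Added example; interface numbers and VLAN 10 are assumed.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is off so relayed requests are not rewritten twice
no ip dhcp snooping information option
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplinks to both Cores: trusted, as in the existing design
interface GigabitEthernet1/0/49
 description Uplink to Core-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Regular access port with a single end device: untrusted, IPSG on
interface GigabitEthernet1/0/10
 description End device
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
!
! Port towards the new downstream L2 switch: now a core-side link.
! DHCP snooping and DAI are done on the downstream switch, so this
! port is trusted and IP Source Guard must NOT be applied here.
interface GigabitEthernet1/0/20
 description Downlink to new L2 switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
 no ip verify source
!
! === Downstream L2 switch (2960S-class, supports DAI and IPSG) ===
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink towards the access stack: the only path to the DHCP servers,
! so DHCP offers and ARP replies arriving here are trusted
interface GigabitEthernet0/1
 description Uplink to Access Stack
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! End-device ports: untrusted, rate-limited, IP Source Guard on
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
!
! Let ports err-disabled by the rate limiters recover on their own
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
```

The point of the split is that every end-device port in the access layer is still untrusted and guarded by the snooping binding table on the switch it actually hangs off; if the downstream box were the Cat2950G, only the `ip dhcp snooping` and trust lines would apply on it, and the hosts behind it would have no DAI or IP Source Guard protection, which is the gap Omar describes. Check with `show ip dhcp snooping`, `show ip arp inspection interfaces` and `show ip verify source` on both switches that the trust states match the diagram before moving production hosts.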
