12-28-2009 03:09 AM - edited 03-06-2019 09:05 AM
Hi all,
In one of our local networks, we have a DHCP server running on several switchports.
Now I would like to deny any DHCP server replies on all client interfaces.
DHCP snooping would not work, because of a few static IP addresses in this network.
Is there any IOS security feature available to protect my local network from unwanted DHCP services?
12-28-2009 03:56 PM
Hello Dieter,
I'd like to add a word or two to Jon's reply.
The DHCP Snooping works by limiting the DHCP messages that are either accepted or transmitted out a switch interface. Also, the DHCP Snooping makes some sanity checks on the contents of the DHCP message. The DHCP Snooping indeed builds its DHCP snooping database, but until further mechanisms like IP Source Guard or Dynamic ARP Inspection are used, this database does not further prevent traffic flows, so you do not have to worry about some stations having static IPs while others have their addresses assigned by DHCP.
As you probably know, the DHCP Snooping divides ports on a switch into two categories - trusted and untrusted. The trusted ports are those through which DHCP server(s) can be reached. The untrusted ports are all remaining ports, as they usually lead to end stations.
The DHCP Snooping feature drops the DHCP packets according to the following rules:
If a message is not dropped according to these rules, it will be forwarded as follows:
As you can see, there are no problems with some stations having static IP addresses - the rules that govern the operation of the DHCP Snooping do not care about static IP assignments. I still believe that the DHCP Snooping is most probably the feature you are looking for.
Best regards,
Peter
12-28-2009 03:48 AM
Hello Dieter,
Can you please explain in more detail why the DHCP Snooping would not be an option for you? Having some addresses assigned statically should not be a problem with DHCP Snooping.
Best regards,
Peter
12-28-2009 08:04 AM
Hello Peter,
I'm not completely sure.
To my knowledge, for DHCP snooping you need a "DHCP snooping" database.
Only if the HW and IP address is in this database does the switch forward packets via its backplane.
Due to a lot of static entries, I'll have a lot of clients without getting their IP via DHCP, and so these clients will never be included in the DHCP snooping database.
But to be honest, I don't know the exact functionality of DHCP snooping. Maybe I'll find a whitepaper regarding this.
Dieter
12-28-2009 09:32 AM
Dieter.Bez wrote:
Hello Peter,
I'm not completely sure.
To my knowledge, for DHCP snooping you need a "DHCP snooping" database.
Only if the HW and IP address is in this database does the switch forward packets via its backplane.
Due to a lot of static entries, I'll have a lot of clients without getting their IP via DHCP, and so these clients will never be included in the DHCP snooping database.
But to be honest, I don't know the exact functionality of DHCP snooping. Maybe I'll find a whitepaper regarding this.
Dieter
Dieter
You can configure your non-DHCP ports as trusted ports, which would solve this problem.
Jon
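To make Peter's trusted/untrusted explanation and Jon's "trust the server ports" advice concrete, here is an added IOS configuration example. It is not taken from the thread or from any poster; the VLAN number, interface names and the rate limit are assumptions chosen for illustration. The important point for Dieter's case is visible in the comments: client ports stay untrusted, so DHCP server replies arriving there are dropped, while hosts with static addresses on those same ports keep working because DHCP snooping on its own only inspects DHCP packets.

```cisco
! Added example, not from the thread. Assumed topology:
!   VLAN 10      - client VLAN that should be protected
!   Gi1/0/1      - uplink towards the DHCP server
!   Gi1/0/2      - a locally attached DHCP server
!   Gi1/0/3-24   - client ports, a mix of DHCP and static-IP hosts
!
! Enable the feature globally and on the client VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Option 82 insertion is on by default on Catalyst switches. Some DHCP
! servers reject such packets and an upstream snooping switch drops them
! on its untrusted ports, so turn it off unless the server needs it.
no ip dhcp snooping information option
!
! Ports through which legitimate DHCP servers can be reached are trusted:
! server messages (OFFER/ACK/NAK) are allowed in here.
interface GigabitEthernet1/0/1
 description Uplink towards DHCP server
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
 description Locally attached DHCP server
 ip dhcp snooping trust
!
! Client ports keep the default (untrusted). DHCP server replies received
! on these ports are dropped, so a rogue server here cannot answer clients.
! Static-IP hosts are unaffected: only DHCP packets are filtered, not IP
! traffic in general. The limit caps client DHCP messages per second
! (assumed value) so a misbehaving host cannot flood the snooping process.
interface range GigabitEthernet1/0/3 - 24
 description Client ports (DHCP and static-IP hosts)
 ip dhcp snooping limit rate 15
!
! Verification: confirm trusted ports and the VLAN list, look at the
! bindings learned from real DHCP exchanges, and watch drop counters.
show ip dhcp snooping
show ip dhcp snooping binding
show ip dhcp snooping statistics
```

Two points worth keeping in mind when rolling this out. First, the binding table built here only becomes a filter for ordinary traffic once IP Source Guard (`ip verify source` on the interface) or Dynamic ARP Inspection is enabled on top of it, which is exactly the combination Dieter later identifies as the one that conflicts with static hosts; plain DHCP snooping does not need a binding for a static host. Second, trusting the uplink means the switch relies on the upstream side to police DHCP servers there, so the same trust boundary has to be drawn consistently on every switch in the VLAN.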
12-28-2009 12:07 PM
Hello Jon,
Thanks for your feedback.
I'm currently discussing with the local admin of this network the ways to find out all of the statically configured devices.
The relevant network is in Taiwan, and I'm in Germany.
To be honest, I do not exactly know what kind of clients (DHCP or non-DHCP) they are using in the relevant VLAN, and so it's difficult to figure out which ports need to be configured as trusted.
12-29-2009 12:47 AM
Hi Peter,
Thanks for your help, you got it.
The problems I knew of with DHCP snooping and static IPs were combined with "ip verify source".
Now I've configured DHCP snooping on one switch in Taiwan, and based on the experience we get with this, we will roll it out to the complete LAN on 12th of January.
Thanks again, this was very helpful.
Dieter
12-29-2009 01:05 AM
Hi Jon,
Thanks for your help.
Now I've configured DHCP snooping.
Let's see what'll happen.