
How to block all DHCP for a single port on 3750G

Lee Mac
Level 1

The switch in question is the DHCP server for all the devices (VoIP phones) plugged into it, but I also have a connection to another subnet (for maintenance purposes) that also has a DHCP server on it. As you might guess, when I restart a phone it's a race to see which DHCP server gets there first. Oddly, it's usually the wrong one.
I have been leaving the other LAN cable unplugged until I need it, but how do I set a single port on this switch to block any form of DHCP from passing through it?

 

(I posted this same question on a similar thread from 2007, but etiquette normally dictates I start a new thread, and forums differ, so here I am :) )


9 Replies

Francesco Molino
VIP Alumni
Hi

To stop the second DHCP server from serving IPs you can use an ACL or DHCP snooping.
DHCP snooping is the best solution to control who can act as an authorized DHCP server (based on where DHCP requests are passing through) and eliminate all rogue DHCP servers.

Take a look here on Cisco documentation:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/configuration/guide/3750scg/swdhcp82.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I am trying to grasp what I need from that doc. I am uneducated.

This 3750G switch is the ONLY DHCP server I want available on this network.

It consists of a phone server with a dedicated NIC and 15 phones, that's it.

If I simply don't plug another network into it I'm golden, so this is just in case I do and reboot something connected to it. Just making it idiot proof. Well . . . idiot resistant. I do want to plug in a machine on the business LAN to monitor the switch GUI, again because I'm uneducated and can't function as well on the CLI, but I'm trying.

So it appears that the commands

ip dhcp snooping

ip dhcp snooping vlan 1

should be all I need. But it's not quite enough; the other DHCP still gets through. What did I miss?

 

Could you show me the commands I need to do what I need to do? 

 

 

What's your VLAN ID for your phones?
You need to use this VLAN ID in your dhcp snooping vlan command.
If your DHCP server is internal to the switch it doesn't matter: you won't have any trusted interfaces, and all DHCP requests arriving on any interface will be dropped.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
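Editor's note, not part of any poster's reply: the configuration below is an added worked example of what the two accepted answers describe on a 3750G running 12.2(52)SE, where the switch's own IOS DHCP server is the only legitimate server. The VLAN number (1, as in the original poster's attempt) and the interface names are assumptions; the option 82 handling follows the original poster's later report that snooping only started working once option 82 was turned off.

```ios
! Added example: DHCP snooping on a 3750G whose own IOS DHCP server
! serves the phones. VLAN 1 and the interface names are assumptions.
!
! Enable snooping globally and on the VLAN the phones actually use
! (check with "show vlan brief" / "show interfaces switchport").
ip dhcp snooping
ip dhcp snooping vlan 1
!
! The only legitimate server is the switch itself, so every physical
! port keeps its default state of UNTRUSTED. Server messages (OFFER,
! ACK, NAK) that arrive on an untrusted port are dropped; client
! messages (DISCOVER, REQUEST) are still forwarded. Do not add
! "ip dhcp snooping trust" to the maintenance uplink, or the other
! subnet's server becomes an allowed source again.
!
! Optional hardening on the phone ports: cap client DHCP packets per
! second so one misbehaving device cannot flood the CPU. Exceeding the
! limit err-disables the port.
interface range GigabitEthernet1/0/1 - 15
 description VoIP phones
 ip dhcp snooping limit rate 15
!
! Caveat when the DHCP server is the same switch: snooping inserts
! option 82 into client packets by default, and IOS drops DHCP packets
! that carry option 82 with giaddr 0.0.0.0 unless relay-information
! trust is configured. Either stop inserting the option ...
no ip dhcp snooping information option
! ... or keep it and tell the local server/relay to accept such packets:
! ip dhcp relay information trust-all
!
! Verification (exec mode):
! show ip dhcp snooping           -> snooping VLANs, per-port trust, rate limits
! show ip dhcp snooping binding   -> leases learned on untrusted ports
```

With this in place the race the original poster describes cannot happen: an OFFER from the server on the maintenance subnet enters an untrusted port and is discarded before any phone sees it, while the phones' own requests are answered by the internal server as before. The trust setting is per interface, so a trusted port is simply one on which server replies are allowed to arrive, which is why none is needed here.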

Hello,

 

on a side note, you might want to try and suppress all broadcasts on that port with storm control:

 

interface GigabitEthernet0/0

storm-control broadcast level 0.00

Hello

 


@Georg Pauwen wrote:

Hello,

 

on a side note, you might want to try and suppress all broadcasts on that port with storm control:

 

interface GigabitEthernet0/0

storm-control broadcast level 0.00


Just remember doing this will also negate multicast traffic as well.

 

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello


@Lee Mac wrote:

The switch in question is the DHCP server for all the devices (VoIP phones) plugged into it, but I also have a connection to another subnet (for maintenance purposes) that also has a DHCP server on it. As you might guess, when I restart a phone it's a race to see which DHCP server gets there first. Oddly, it's usually the wrong one.
I have been leaving the other LAN cable unplugged until I need it, but how do I set a single port on this switch to block any form of DHCP from passing through it?

 

(I posted this same question on a similar thread from 2007, but etiquette normally dictates I start a new thread, and forums differ, so here I am :) )


It seems that you have dual DHCP servers servicing the same scope; if so, you need to make sure they don't conflict with each other by splitting the scopes over the two servers.

 

Now, to stop one or the other DHCP server from responding to client requests, DHCP snooping is indeed one way to avoid this. However, my understanding is it shouldn't be applied on the same device where the DHCP server is active, and in any case you do still want DHCP to service this port, but from a specific DHCP server, correct? One possible way to negate one of the DHCP servers on a switch could be via a static MAC address so it drops traffic from that server; this can be applied on a per-VLAN basis.

 

mac address-table static xxxx.xxxx.xxxx vlan xx drop

 

res
Paul

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
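Editor's note, not part of any poster's reply: Francesco mentions an ACL as the alternative to snooping, and Paul suggests a per-VLAN static MAC drop, which depends on knowing the other server's MAC address. The block below is an added example of the ACL approach, which answers the literal question in the title: block every DHCP message on the one maintenance port and touch nothing else. The interface name GigabitEthernet1/0/24 and the ACL name are assumptions.

```ios
! Added example: a port ACL that blocks all DHCP on the single
! maintenance port while the 15 phone ports keep working normally.
! Interface name and ACL name are assumptions.
!
! bootps = UDP/67 (server side), bootpc = UDP/68 (client side).
ip access-list extended BLOCK-DHCP-ON-UPLINK
 remark replies (OFFER/ACK/NAK) coming from the other subnet's server
 deny   udp any eq bootps any
 remark requests from clients on the other subnet towards our server
 deny   udp any eq bootpc any
 remark everything else (switch GUI access etc.) still passes
 permit ip any any
!
interface GigabitEthernet1/0/24
 description maintenance link to business LAN
 switchport mode access
 ip access-group BLOCK-DHCP-ON-UPLINK in
!
! Port ACLs on the 3750 are applied inbound only. The phones'
! broadcast DISCOVERs will still leave through this port, but any
! answer from the other server is dropped on its way back in, so the
! phones can only be served by the switch's own DHCP server.
!
! Confirm the ACL is attached (exec mode):
! show ip interface GigabitEthernet1/0/24   -> "Inbound access list is BLOCK-DHCP-ON-UPLINK"
```

The trade-off against DHCP snooping is scope: this ACL protects only the one port it is applied to, so a rogue server plugged into any phone port would still be heard, whereas snooping with all ports left untrusted covers every port in the VLAN at once. The ACL also needs no knowledge of the other server's MAC address, unlike the static `mac address-table ... drop` entry, and does not affect multicast the way a zero-level broadcast storm-control setting would.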

I do have a dual DHCP situation, but I only want the one built into the switch to affect anything connected to the switch, nothing external to the switch. It appears that snooping is looking at interfaces, and an internal one doesn't have an interface.

If your DHCP server is internal to the switch it doesn't matter: you won't have any trusted interfaces, and all DHCP requests arriving on any interface will be dropped.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

What would make me want to "trust" an interface? It sounds as if trust is a bit like a firewall that can be enabled/disabled.

 

BTW, I had to turn off option 82 to stop the rogue DHCP. So an untrusted I/F still passed the rogue DHCP until option 82 was disabled.

 

I don't pretend to understand why. I tried reading up on option 82, but it requires more knowledge just to grasp what the explanation is.