01-25-2014 04:10 PM - edited 03-07-2019 05:47 PM
Is there a way for me to be able to 'lock down' a VLAN so that DHCP requests are answered by ONLY the specific DHCP server that I haev assgined to that VLAN's subnet?
Would this be accomplished by just putting an ip-helper line in the VLAN configuration, that points to the one DHCP server I want serving addresses to that VLAN segment?
01-25-2014 05:09 PM
You would need to configure dhcp snooping on your vlan. It's funny that you ask because I jus completed this earlier today with an external database on an scp server.
To keep it simple though, depending on the equipment that you're working with, you would trust the port that the dhcp server connects to and trust all of your links that connect switches. Then keep all of your edge ports that connect to hosts as untrusted:
Ip dhcp snooping
Ip dhcp snooping vlan 1
Int fa0/0
Description dhcp server
Ip dhcp snooping trust
As far as you other question, helpers redirect traffic across vlans for when you have a dhcp server on one vlan and hosts on another vlan need to get their addresses from that dhcp server. It won't help protect the dhcp server or rogue servers.
Hth,
John
Sent from Cisco Technical Support iPhone App
01-26-2014 01:38 AM
DHCP Snooping is an option to prevent rogue DHCP servers on the Lan segment.
Commands:
switch(config)# Ip dhcp snooping
switch(config)# ip dhcp snooping vlan 100,200,250-252
For trusted servers
switch(config)# Int fa2/10
Description DHCP Server
Ip dhcp snooping trust
For more information read the following link.
Regards,
Ali
02-17-2015 12:09 PM
I am going to try to configure this on my Switch.
Am I correct in the thinking if my ASA provides DHCP and is connected to switch Int fa2/10
I would use the commands?
switch(config)# Ip dhcp snooping
switch(config)# ip dhcp snooping vlan 1,3 (The Switch I am testing uses Default Vlan1 and Vlan3 (Guest)
For trusted servers
switch(config)# Int fa2/10
Description DHCP Server
Ip dhcp snooping trust
04-23-2015 10:15 AM
I'm looking to do something similar...I have a Cisco 1841 configured as a dhcp server and would like to block any other dhcp servers from the lan. I recently had a repurposed dsl router that I had configured for use as a wireless AP(disabled dhcp server, wan interface, etc.) Something(lightning, power surge, or an employee possibly) caused the device to factory reset which in turn re-enabled the internal dhcp server which brought down internet access for all clients depending on dhcp. Can dhcp snooping be configured to run on the 1841 which should be the only dhcp server on the lan or is this something that can only be handled through a switch config(we have multiple SLM2024 switches spread across this lan and I don't see an option to enable this feature and I don't believe there is a CLI for these switches either?)
Thanks,
Chris
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide