How to prevent 'rogue' DHCP servers on a LAN segment?

rgordon-qsc
Level 1

Is there a way for me to be able to 'lock down' a VLAN so that DHCP requests are answered by ONLY the specific DHCP server that I have assigned to that VLAN's subnet?

Would this be accomplished by just putting an ip-helper line in the VLAN configuration, that points to the one DHCP server I want serving addresses to that VLAN segment?

4 Replies

John Blakley
VIP Alumni

You would need to configure dhcp snooping on your vlan. It's funny that you ask because I just completed this earlier today with an external database on an scp server.

To keep it simple though, depending on the equipment that you're working with, you would trust the port that the dhcp server connects to and trust all of your links that connect switches. Then keep all of your edge ports that connect to hosts as untrusted:

ip dhcp snooping
ip dhcp snooping vlan 1

interface fa0/0
 description dhcp server
 ip dhcp snooping trust

As far as your other question, helpers redirect traffic across vlans for when you have a dhcp server on one vlan and hosts on another vlan need to get their addresses from that dhcp server. It won't help protect the dhcp server or rogue servers.

Hth,
John

Sent from Cisco Technical Support iPhone App

HTH, John *** Please rate all useful posts ***

mali786
Level 1

DHCP Snooping is an option to prevent rogue DHCP servers on the LAN segment.

Commands:

switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan 100,200,250-252

For trusted servers:

switch(config)# interface fa2/10
switch(config-if)# description DHCP Server
switch(config-if)# ip dhcp snooping trust

For more information read the following link.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_53_se/configuration/guide/swdhcp82.html#wp1078853

Regards,

Ali
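Once snooping is in place as John and Ali describe, the thing to audit is that the global command and the right VLANs are present and that ONLY the DHCP server port and inter-switch links are trusted (any other trusted port would let a rogue server's offers through). The following script is an added example, not from the thread or from Cisco; it parses a constructed running-config excerpt and compares it against the intended policy, using an IOS-style VLAN list such as 100,200,250-252 as its input.

```python
import re

# Constructed sample running-config excerpt; not taken from any device in the thread.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 1,3,250-252
!
interface FastEthernet2/10
 description DHCP Server
 ip dhcp snooping trust
!
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet2/11
 ip dhcp snooping trust
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,3,250-252' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dhcp_snooping(config, required_vlans, expected_trusted):
    """Compare a config against the intended snooping policy.
    required_vlans: VLAN ids that must be snooped.
    expected_trusted: the only ports allowed to carry 'ip dhcp snooping trust'.
    """
    enabled = re.search(r"^ip dhcp snooping\s*$", config, re.M) is not None
    m = re.search(r"^ip dhcp snooping vlan (\S+)", config, re.M)
    covered = expand_vlans(m.group(1)) if m else set()
    trusted = set()
    # Interface stanzas are separated by lines containing only '!'.
    for stanza in re.split(r"^!\s*$", config, flags=re.M):
        im = re.match(r"\s*interface (\S+)", stanza)
        if im and re.search(r"^\s*ip dhcp snooping trust", stanza, re.M):
            trusted.add(im.group(1))
    return {
        "enabled": enabled,
        "uncovered_vlans": sorted(set(required_vlans) - covered),
        "unexpected_trust": sorted(trusted - set(expected_trusted)),
        "missing_trust": sorted(set(expected_trusted) - trusted),
    }
```

On the sample above, FastEthernet2/11 shows up as an unexpected trusted port and VLAN 100 as uncovered if it is listed as required.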

I am going to try to configure this on my Switch.

Am I correct in thinking that if my ASA provides DHCP and is connected to switch interface fa2/10, I would use these commands?

switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan 1,3 (the switch I am testing uses the default VLAN 1 and VLAN 3 (Guest))

For trusted servers:

switch(config)# interface fa2/10
switch(config-if)# description DHCP Server
switch(config-if)# ip dhcp snooping trust

I'm looking to do something similar... I have a Cisco 1841 configured as a dhcp server and would like to block any other dhcp servers from the lan. I recently had a repurposed dsl router that I had configured for use as a wireless AP (disabled dhcp server, wan interface, etc.). Something (lightning, power surge, or an employee possibly) caused the device to factory reset, which in turn re-enabled the internal dhcp server, which brought down internet access for all clients depending on dhcp.

Can dhcp snooping be configured to run on the 1841, which should be the only dhcp server on the lan, or is this something that can only be handled through a switch config? (We have multiple SLM2024 switches spread across this lan and I don't see an option to enable this feature, and I don't believe there is a CLI for these switches either.)

Thanks,

Chris
