I am working in a environment that is classed as collapssed Layer 3 environment. We have a core 6500 with routed links to 3560's which are access switches.
We have layer 3 vlans on the access switches, one for data one for voice.
On the layer 3 vlans we have ip helper addresses that are used for DHCP. The DHCP servers are located on the 6500.
I recently had a incident where someone plugged a netgear router into a desk point because they thought they could use it for a switch. This router then started to dish out IP addresses to people in the morning for those who came in and docked their laptops. 99% of people weren't affected because they have desktop PC's are their leases hadn't expired.
Now we have bpduguard, bpdufilter to prevent people from plugging in switches that send out BPDU's. However this doesn't prevent the above senario where someone plugs a router or a 'dumb' switch that doesn't send BPDU's.
Because of the above senario I started looking at DHCP Snooping, but I am unsure on a couple of things.
With the topology of our network I understand that I don't need to configure IP DHCP Snooping Trust on the L3 uplinks to our core switch. From what I understand I just need to enable IP DHCP Snooping globaly and then on the VLAN's on the access switch (because of the L3 topology VLAN's are local to the access switches). Only if I had L2 uplinks to the core would I need to configure IP DHCP Snooping Trust on the trunk links.
Can anyone confirm if my understanding is correct, or perhaps provide further info for me. Most examples/configurations I have seen are for L2 configurations only.
To my best understanding, your judgement of the situation is correct. As the trusted DHCP state is configured only on switchports and not on routed ports, you should be fine with simply activating the DHCP Snooping globally and on selected VLANs, but you should not be required to configure any port as trusted port.
Testing out this configuration should be largely easy because after activating the DHCP Snooping, the worst thing that can happen is your clients becoming unable to obtain their IP config via DHCP - but as this operation is performed infrequently, your clients should not notice anything during your testing period if performed swiftly.
Does anyone have or know of any Powershell scripts to collect information from Cisco switches (Nexus, layer 2) and output to csv or Excel? Need to document a number of Cisco switches with port, vlan, routes, ACL information. Thanks
Community Live- Basic Wireshark for Networking Students
(Live event - formerly known as Webcast- Tuesday 14 April, 2020 at 10 am Pacific/ 1 pm Eastern / 7 pm Paris)
This event will have place on Tuesday 14th, April 2020 at 10hrs PDT
Cisco IOS-XE 17.2.1 – Catalyst Switching Updates
Cisco has announced the availability of the latest IOS-XE release - IOS-XE Amsterdam 17.2. This release IOS-XE 17.2 is the next Standard Maintenance Release after 17.1 which also has a sustaining lifetime o...
In this article, we are going to talk about Cisco Umbrella Initial Setup.- The continuity of IT is the basis of today’s business environment. Almost every single decision made by business is either based on an IT data or done using the IT platform. And so...