Hi all. The corp that I work for has a process where all our configurations are analysed against a Cisco benchmark and any security issues are recorded & logged for us to deal with, with the solution given to us. One such security hole that is highlighted to be plugged is that bootp is not disabled, and the solution given to us in this case is listed as 'no ip bootp server'.
I understand that from a certain IOS revision the configuration command changed from:
no ip bootp server
to:
ip dhcp bootp ignore
But on some switches we have (for example 2950's with c2950-i6q4l2-mz.121-22.EA13 IOS) neither option seems to be available to enter against either the general config or an uplink interface. This I don't understand, as the security vulnerability logged is, as mentioned, based upon a Cisco benchmarking process - but as the IOS revision does not permit remediation, so far as I can see, by way of entering a disabling config line, why is it being logged as a security hole to be plugged? Was bootp disabling an afterthought on some IOS, or am I missing something?
On devices that do not support either of these commands, you may want to try using no service dhcp in global configuration mode. Please be aware, however, that this command will completely disable all DHCP/BOOTP functionality on the device, including the DHCP server or relay agent. I am not sure about DHCP Snooping - can anyone fill me in here please?
According to documentation the 2950 does not support DHCP. So I am not sure if no service dhcp is an available command. This may also be the reason why the command is not available.
The 2950 does support DHCP snooping though.
To my best knowledge, 2950 does support DHCP Server or Relay functionality, albeit in a quite limited fashion as there can be at most one SVI active at any time. Regarding the support for DHCP Relay on 2950, I have tested it and described it in this thread:
There is also the no service dhcp command available:
Switch(config)#do sh ver | i IOS
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
Switch(config)#no service dhcp ?
Switch(config)#no service dhcp
I hesitated to post because I did not have a 2950 at my disposal but the documentation was pretty clear so I fired away : )
Documentation states "The DHCP server feature is only available on Catalyst 2955 switches." immediately after it described what a DHCP server is (assigns IP addresses to DHCP clients). It goes on to describe DHCP relay agent and snooping. Snooping commands are found in the command lookup tool and command reference. DHCP server or relay agent commands are not. It does not explicitly state that DHCP relay is not supported and your comments in the previous thread confirm that it is. I also could not find service dhcp but yet again there it is.
At the present moment I am of the belief that if it does not support DHCP server (assigning and managing IP addresses) it should not support bootp. This is all speculation at this point as the documentation is not very clear.
Oh well, I guess I will have to live with the errors being logged against the 2950's! Thanks for all the replies, but I can't knock out DHCP!
Are you using DHCP Server or DHCP Relay functionality on your 2950? I doubt it. Using no service dhcp will not block DHCP messages from flowing through your 2950 - it will just deactivate the internal DHCP services on the 2950 that are obviously unused by you.
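As an added illustration of the benchmark check discussed in this thread (not code from the original posts or from Cisco), the script below audits constructed running-config excerpts for the three global-config lines the thread treats as closing the "bootp not disabled" finding, and flags the case where `no service dhcp` would also stop a configured DHCP pool. The sample configs and hostnames are constructed for the example.

```python
# Constructed sample running-config excerpts (not captured from real devices).
CONFIG_2950 = """\
version 12.1
no service pad
no service dhcp
hostname Switch2950
"""

CONFIG_ROUTER = """\
version 12.4
hostname Router1
ip dhcp bootp ignore
ip dhcp pool LAN
 network 10.0.0.0 255.255.255.0
"""

CONFIG_UNREMEDIATED = """\
version 12.4
hostname Router2
ip dhcp pool LAN
 network 10.0.0.0 255.255.255.0
"""

# Global-config lines from the thread that satisfy the finding:
# the older and newer bootp syntax, plus the blanket DHCP-service disable.
BOOTP_CONTROLS = ("no ip bootp server", "ip dhcp bootp ignore", "no service dhcp")


def global_config_lines(running_config: str) -> set:
    """Return the top-level (non-indented, non-comment) lines of a config."""
    return {line.rstrip() for line in running_config.splitlines()
            if line and not line[0].isspace() and not line.startswith("!")}


def check_bootp(running_config: str) -> dict:
    """Evaluate the 'bootp server not disabled' finding for one config.

    Reports which control matched and whether a DHCP pool is configured,
    since 'no service dhcp' would disable that pool as well.
    """
    lines = global_config_lines(running_config)
    matched = [cmd for cmd in BOOTP_CONTROLS if cmd in lines]
    has_pool = any(line.startswith("ip dhcp pool ") for line in lines)
    if matched:
        hint = None
    elif has_pool:
        hint = "prefer 'no ip bootp server' or 'ip dhcp bootp ignore'; 'no service dhcp' would stop the pool"
    else:
        hint = "use 'no ip bootp server' / 'ip dhcp bootp ignore', or 'no service dhcp' if neither exists"
    return {"compliant": bool(matched), "controls": matched,
            "dhcp_pool_configured": has_pool, "remediation": hint}
```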