01-19-2012 08:46 AM - edited 03-07-2019 04:26 AM
Hi all. The corp that I work for has a process where all our configurations are analysed against a Cisco benchmark and any security issues are recorded & logged for us to deal with, with the solution given to us. One such security hole that is highlighted to be plugged is that bootp is not disabled, and the solution given to us in this case being listed as 'no ip bootp server'.
I understand that from a certain IOS revision the configuration command had changed from:
>no ip bootp server
to
>ip dhcp bootp ignore
But on some switches we have (for example 2950's with c2950-i6q4l2-mz.121-22.EA13 IOS) neither option seems to be available to enter against either the general config or an uplink interface. This I don't understand, as the security vulnerability logged is, as mentioned, based upon a Cisco benchmarking process - but as the IOS revision does not permit remediation, so far as I can see, by way of entering a disabling config line, why is it being logged as a security hole to be plugged? Was bootp disabling an afterthought on some IOS, or am I missing something?
Cheers,
01-19-2012 09:37 AM
Hello,
On devices that do not support either of these commands, you may want to try using the no service dhcp in the global configuration mode. Please be aware, however, that this command will completely disable all DHCP/BOOTP functionality on the device including DHCP server or relay agent. I am not sure about DHCP Snooping - can anyone fill me in here please?
Best regards,
Peter
01-19-2012 09:47 AM
Hello Peter,
According to documentation the 2950 does not support DHCP. So I am not sure if no service dhcp is an available command. This may also be the reason why the command is not available.
The 2950 does support DHCP snooping though.
Regards,
Ryan
01-19-2012 10:13 AM
Hello Ryan,
To my best knowledge, 2950 does support DHCP Server or Relay functionality, albeit in a quite limited fashion as there can be at most one SVI active at any time. Regarding the support for DHCP Relay on 2950, I have tested it and described it in this thread:
https://supportforums.cisco.com/message/3530376#3530376
There is also the no service dhcp command available:
Switch(config)#do sh ver | i IOS
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
Switch(config)#no service dhcp ?
Switch(config)#no service dhcp
Best regards,
Peter
01-19-2012 10:45 AM
I hesitated to post because I did not have a 2950 at my disposal but the documentation was pretty clear so I fired away : )
Documentation states "The DHCP server feature is only available on Catalyst 2955 switches." immediately after it described what a DHCP server is (assigns IP addresses to DHCP clients). It goes on to describe DHCP relay agent and snooping. Snooping commands are found in the command lookup tool and command reference. DHCP server or relay agent commands are not. It does not explicitly state that DHCP relay is not supported and your comments in the previous thread confirm that it is. I also could not find service dhcp but yet again there it is.
At the present moment I am of the belief that if it does not support dhcp server (assigning and managing IP addresses) it should not support bootp. This is all speculation at this point as the documentation is not very clear.
Regards,
Ryan
01-20-2012 05:13 AM
Oh well, I guess I will have to live with the errors being logged against the 2950's! Thanks for all the replies, but I can't knock out DHCP!
01-20-2012 05:15 AM
Hi,
Are you using DHCP Server or DHCP Relay functionality on your 2950? I doubt it. Using the no service dhcp will not block DHCP messages from flowing through your 2950 - it will just deactivate the internal DHCP services on the 2950 that are obviously unused by you.
Best regards,
Peter
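The thread above ends up with three configuration lines that a benchmark check could accept as closing the "BOOTP not disabled" finding: the older 'no ip bootp server', the newer 'ip dhcp bootp ignore', and Peter's fallback 'no service dhcp' for platforms like the 2950 on 12.1 where neither bootp command exists. The following is an added example, not code from any poster or from Cisco's benchmark tooling: a small Python audit that normalises a running-config and reports pass/fail against those three lines, so a compliance process can stop logging the finding once the fallback is applied. The sample configs and hostnames are constructed.

```python
"""Audit Cisco IOS running-configs for the 'BOOTP server enabled' benchmark finding.

Added example (not from the thread or from Cisco). It accepts any of the three
remediation lines discussed in the thread as evidence that the finding is closed.
"""
import re

# Global-config lines that close the finding. The first two are the benchmark's
# own suggestions (older vs. newer IOS syntax); the third is the fallback from
# the thread, which also disables the device's own DHCP server/relay.
ACCEPTED_REMEDIATIONS = {
    "no ip bootp server": "BOOTP server disabled (older IOS syntax)",
    "ip dhcp bootp ignore": "BOOTP requests ignored (newer IOS syntax)",
    "no service dhcp": "all internal DHCP/BOOTP services disabled (fallback)",
}

# Constructed sample configs, not captured from real devices.
SAMPLE_UNREMEDIATED = """\
!
version 12.1
hostname sw-edge-01
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
end
"""

SAMPLE_FALLBACK = """\
!
version 12.1
hostname sw-edge-02
no service dhcp
!
end
"""

SAMPLE_NEW_SYNTAX = """\
!
version 12.2
hostname sw-dist-01
ip dhcp bootp   ignore
!
end
"""


def normalize(config: str) -> list:
    """Drop comment and blank lines and collapse whitespace so matching is exact."""
    out = []
    for raw in config.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if line and not line.startswith("!"):
            out.append(line)
    return out


def audit_bootp(config: str) -> dict:
    """Return a benchmark-style result for one device config.

    status is "pass" when any accepted remediation line is present, otherwise
    "fail" with the remediation options listed for the operator.
    """
    lines = normalize(config)
    matched = [cmd for cmd in ACCEPTED_REMEDIATIONS if cmd in lines]
    hostname = next(
        (l.split(" ", 1)[1] for l in lines if l.startswith("hostname ")),
        "<unknown>",
    )
    result = {
        "host": hostname,
        "status": "pass" if matched else "fail",
        "matched": matched,
    }
    if matched:
        result["evidence"] = [ACCEPTED_REMEDIATIONS[m] for m in matched]
    else:
        result["remediation_options"] = list(ACCEPTED_REMEDIATIONS)
    return result


def audit_all(configs: list) -> list:
    """Audit a batch of configs, e.g. everything pulled by a nightly backup job."""
    return [audit_bootp(c) for c in configs]


if __name__ == "__main__":
    for r in audit_all([SAMPLE_UNREMEDIATED, SAMPLE_FALLBACK, SAMPLE_NEW_SYNTAX]):
        print(f"{r['host']:<12} {r['status']:<5} {r.get('evidence') or r['remediation_options']}")
```

The whitespace collapsing matters in practice: a line pasted as 'ip dhcp bootp   ignore' is the same command to IOS, and a naive string match would report a false failure. Note that, as Peter says, 'no service dhcp' also switches off DHCP relay on the device, so the audit should only treat it as acceptable where relay is not in use.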