Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
381
Views
0
Helpful
5
Replies

Untrusted DHCP

Go to solution
Andy White
Level 3
Level 3

‎01-07-2013 12:34 AM - edited ‎03-07-2019 10:56 AM

Hello,

We had a user put a home router on our network as it had a hub, however the router had DHCP enabled so we started to get users phone up saying they had connectivity issues.  It took me ages to find out there was another DHCP device on the network.  Firstly how can I stop this and secondly how could I of located this issue quicker?

We use 2960s, 3560s and 3750s.

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎01-07-2013 12:38 AM

You need DHCP-Snooping:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swdhcp82.html

With that you mark your uplinks as trusted and only on these links the DHCP-Answers are allowed.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎01-07-2013 12:36 AM

Andy,

DHCP Snooping is your answer, definitely. Are you aware of this feature? See

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/15.0_2_se/configuration/guide/swdhcp82.html

Best regards,

Peter

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎01-07-2013 12:38 AM

You need DHCP-Snooping:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swdhcp82.html

With that you mark your uplinks as trusted and only on these links the DHCP-Answers are allowed.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
Andy White
Level 3
Level 3
In response to Karsten Iwen

‎01-07-2013 12:43 AM

Hello,

I couldn't get that URL to work.

Is this VMPS that I have just noticed coudl be a solution?

Regards

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Andy White

‎01-07-2013 12:52 AM

Hi,

just get rid of the partner subdirectory in the url and it will be functional.

No VMPS is not a solution, this is for dynamic vlan port assignment not for mitigating rogue dhcp servers.

You definitely need the DHCP snooping feature that Peter and Karsten told you about before.

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Andy White

‎01-07-2013 12:54 AM

just removed the "partner" in the link ... I always forget that when posting links ...

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card