My first useful Cisco post (DHCP Snooping)

Well this is something that I ran into a few years back when a dummy connected his linksys router to our network and started serving up IP's. Well not only is this a pain in the ass to track down in a large campus but it can be prevented with this feature.

You can enable it at a global level via ip dhcp snooping or on a vlan via ip dhcp snooping vlan 50. you will then specify which ports belong to a trusted DHCP server:

Int gi 0/24

ip dhcp snooping trust

Verify Traffic:

show ip dhcp snooping binding.

More Info: Catalyst 6500 Release 12.2SX Software Configuration Guide - DHCP Snooping [Cisco Catalyst 6500 Series Switches] - Cisco Systems

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

ciscoman2012

Thanks for the info. FWIW, this is CCNP material that is tested on the SWITCH exam. Doesn't hurt to know for the CCNA either though but is not required.

MichaelPeterman

BPDU guard
Hard coded access ports
And switch port security

Or would that not stop a router?

atorven

@MichaelPeterman - Those features wouldn't stop a router from leasing DHCP addresses.

BobMead

Yea the nature of a broadcast to 255.255.255.255 would allow the DHCP request and reply providing you have layer 1-3 connectivity.