DHCP Snooping and ASA

Hello. We are implementing DHCP Snooping, and everything works fine except for the VLAN that is behind a firewall. With DHCP Snooping disabled, all hosts on the different VLANs receive an IP from the DHCP server, but with this feature enabled the VLAN behind the firewall does not receive an IP from the DHCP server.

Another question would be (according to the graph): which ports must be set as "Trusted"? Port 1 on SW1, where the DHCP server is connected, for sure, but on SW2 for example, should the trunk Port1 be trusted too?

SW: Catalyst 3750 (12.2(35)SE5)
FW: ASA 5520 8.0(4)

Thanks in advance and best regards

Attachment: DHCP Smooping (the diagram referenced in the question)

Asked by: gan_nazer

2 Solutions
 
Istvan Kalmar, Head of IT Security Division, commented:
Hi,

You need to enable DHCP snooping on all VLANs, and you need to enable it on all DHCP servers,
so:

PORT1
PORT3
 
Istvan Kalmar, Head of IT Security Division, commented:
And you need to add a helper address on the firewall VLAN2 interface to the DHCP server!
 
gan_nazer (Author) commented:
Thanks ikalmar, I'll try "trusting" Port3, which was the only one we didn't. What about SW2 Port1, should it be trusted too to assign IPs to hosts on that switch?
 
Istvan Kalmar, Head of IT Security Division, commented:
Yep, on SW1 you need to configure it as a trusted port!
 
gan_nazer (Author) commented:
It doesn't work behind the firewall. Even for VLAN 1, when I change SW1 Port 1 (DHCP server) to untrusted, the host does not receive an IP (I think that is OK), but VLAN 2 (behind the firewall) is still receiving an IP; that does not make sense to me...
 
Istvan Kalmar, Head of IT Security Division, commented:
You need to configure trusted for:
SW1: Port1
SW2: Port1, Port3

Did you configure the helper address on the firewall?
 
gan_nazer (Author) commented:
We will focus just on SW1 for the moment. I configured DHCP Relay on the FW interface connected to VLAN2 with the IP of the DHCP server; it works without the DHCP Snooping feature enabled.
 
Istvan Kalmar, Head of IT Security Division, commented:
You need to enable DHCP snooping for VLAN1 and VLAN2, and you need to make Port1 a trusted port; if it isn't working you need to add Port3.
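The configuration the answers above describe, written out as an added example (not from the original thread or from Cisco's documentation). Interface names, the DHCP server address 10.0.1.10 and the ASA nameifs `vlan1`/`vlan2` are assumed placeholders; the point is that DHCP OFFER/ACK packets enter SW1 on two ports, the DHCP server port and the port facing the ASA's VLAN2 interface (the relay), so both must be trusted while client access ports stay untrusted.

```cisco
! --- Catalyst 3750 (SW1); interface names are assumed ---
ip dhcp snooping
ip dhcp snooping vlan 1,2
! Option 82 insertion is on by default; if the relay or server drops
! DHCP packets carrying option 82 with giaddr 0, this line fixes it.
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/1
 description DHCP server (Port1 in the diagram)
 switchport access vlan 1
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/3
 description ASA VLAN2 interface (Port3): relayed OFFER/ACK arrive here
 switchport access vlan 2
 ip dhcp snooping trust
!
! Client access ports are left untrusted (the default). On SW2, trust only
! the uplink to SW1 (its Port1), because server replies arrive through it.
!
! Verify: "show ip dhcp snooping" lists trusted ports and enabled VLANs,
! "show ip dhcp snooping binding" shows leases learned on untrusted ports.

! --- ASA 5520: relay VLAN2 clients to the server behind vlan1 (assumed nameifs) ---
dhcprelay server 10.0.1.10 vlan1
dhcprelay enable vlan2
dhcprelay setroute vlan2
```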
 
Qlemo, Batchelor, Developer and EE Topic Advisor, commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.