Solved

IP DHCP SNOOPING

Posted on 2011-03-10
Last Modified: 2012-05-11
Do the below commands get used 'AS WELL' as being attached to a Win 2003 server/DHCP, for example?

! Global configuration
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping vlan 100,150
ip arp inspection vlan 100,150
ip arp inspection validate src-mac dst-mac ip

! DHCP server port: trusted, so server replies (OFFER/ACK) are forwarded
int fa0/2
switchport mode access
switchport access vlan 100
ip dhcp snooping trust

! Client port: untrusted, rate-limited, source guard driven by the snooping bindings
int fa0/3
switchport mode access
switchport access vlan 150
switchport port-security
ip verify source vlan dhcp-snooping port-security
ip dhcp snooping limit rate 150
Question by:mikey250
Accepted Solution by: cdowdy (earned 500 total points)
ID: 35102195
Yes, the commands you have listed help to provide security against dhcp pool exhaustion, man-in-the-middle attacks etc. They are used in conjunction with a dhcp server such as a win 2003 server. Keep in mind that uplinks from your switch need to be trusted explicitly for dhcp snooping and DAI. Also remember that any access ports connected to statically IP addressed devices will need to be arp inspection trusted, or a trusted DAI ACL will need to be configured.
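As an added example (not part of the thread, and not cdowdy's or mikey250's configuration), here is the questioner's configuration carried through with the two points raised in the answer above: the uplink trusted for both DHCP snooping and DAI, and a statically addressed host handled with an ARP ACL. Interface names, VLAN numbers, the static host's address/MAC and the ACL name are assumed.

```cisco
! Added example, not from the thread: the questioner's configuration extended with
! the two points cdowdy raises (trusted uplink, statically addressed hosts under DAI).
! Interface names, VLANs, the static host's address/MAC and the ACL name are assumed.
ip dhcp snooping
ip dhcp snooping vlan 100,150
ip dhcp snooping information option
ip arp inspection vlan 100,150
ip arp inspection validate src-mac dst-mac ip
!
! A statically addressed device (assumed: a printer at 10.1.100.50) never gets a
! DHCP binding, so DAI would drop its ARP. An ARP ACL permits it explicitly;
! packets matching no ACL entry still fall through to the snooping binding table.
arp access-list STATIC-HOSTS
 permit ip host 10.1.100.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 100
!
! Uplink toward the rest of the network: trusted for BOTH features, otherwise
! DHCP offers relayed from upstream and ARP from upstream hosts are dropped.
interface GigabitEthernet0/1
 description uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Port of the Windows 2003 DHCP server. The server is itself statically
! addressed, so it needs DAI trust (or an ACL entry) as well as snooping trust.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 100
 ip dhcp snooping trust
 ip arp inspection trust
!
! Ordinary client port: untrusted, rate-limited, source guard from the binding table.
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 150
 switchport port-security
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source vlan dhcp-snooping port-security
end
!
! Checks: the binding table should list each DHCP client; DAI statistics show drops.
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 100
show ip arp inspection statistics
```

If a client port shows DHCP working but no ARP getting through, the usual cause is a missing trust on the uplink or server port rather than the client configuration.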

Author Comment

by:mikey250
ID: 35110101
Hi, thanks for this useful reply. As you suggest, these are the kinds of commands I would add in 'Global config' mode, and the other configurations are specific to those interfaces:

ip dhcp snooping - presumably informing switch that 'dhcp' is taking place
ip dhcp information option - specific to client pc attached that are classed as 'untrusted'
ip dhcp snooping vlan 100,150 - vlans allowed
ip arp inspection vlan 100,150 - Dynamic ARP inspection
ip arp inspection validate src-dst-ip - Validates dhcp bindings

- I'm also aware that the physical DHCP plugged into a specific port is classed as 'Trusted'

Have these commands always been around, but if NOT, what was in place when Win 2003/DHCP was being used?

Author Comment

by:mikey250
ID: 35121753
What if an SBS 2003 is used? Does adding 'ip dhcp snooping' still apply, as in the previous comment from the expert?

Assisted Solution by: cdowdy (earned 500 total points)
ID: 35123023
These commands are useful regardless of the server being used to provide DHCP services. Keep in mind that these commands and their functions are not at all necessary to make DHCP functional on your network. Rather, these provide additional security by leveraging DHCP in order to build a table on the switch and allow or disallow traffic etc. Again, you do not need to employ these features simply to make DHCP function on your network, but they do offer additional security features if used in conjunction with a DHCP server. I would recommend that you read Cisco's documentation for DHCP snooping as well as their documentation on Dynamic ARP Inspection before employing these features, as you will need to have a firm understanding of them in order to support and troubleshoot these features.

Author Comment

by:mikey250
ID: 35146883
Thanks for that extra advice. I have not long completed my CCNP course, but these are the parts that, for whatever dumb reason, I did not ask about due to my assumptions.

Author Comment

by:mikey250
ID: 35255309
Last comment/question: I suppose, with regard to the last expert's comments (although I do understand), that if DHCP was configured on a router instead of a server, then the commands in my MAIN thread could ALSO be ideal to use?

Expert Comment

by:cdowdy
ID: 35256485
Correct.

Author Comment

by:mikey250
ID: 35256521
Perfect!!!