IP DHCP SNOOPING (Solved)

Posted on 2011-03-10 | 873 Views | Last Modified: 2012-05-11
Do the below commands get used AS WELL as being attached to a Win 2003 server/DHCP, for example?

! Global configuration
ip dhcp snooping
! The global Option-82 command is 'ip dhcp snooping information option'
! (it is on by default once snooping is enabled)
ip dhcp snooping information option
ip dhcp snooping vlan 100,150
ip arp inspection vlan 100,150
! DAI validation keywords are src-mac, dst-mac and ip (there is no 'src-dst-ip' keyword)
ip arp inspection validate src-mac dst-mac ip

! Port facing the DHCP server: trusted
! VLAN membership is set with 'switchport access vlan'; 'ip dhcp snooping vlan' is global
int fa0/2
 switchport mode access
 switchport access vlan 100
 ip dhcp snooping trust

! Client port: untrusted (the default), rate-limited, with IP Source Guard
int fa0/3
 switchport mode access
 switchport access vlan 150
 ip verify source vlan dhcp-snooping port-security
 ip dhcp snooping limit rate 150
Question by: mikey250
8 Comments
 
LVL 4

Accepted Solution

by:
cdowdy earned 500 total points
ID: 35102195
Yes, the commands you have listed help to provide security against DHCP pool exhaustion, man-in-the-middle attacks etc. They are used in conjunction with a DHCP server such as a Win 2003 server. Keep in mind that uplinks from your switch need to be trusted explicitly for DHCP snooping and DAI. Also remember that any access ports connected to statically IP addressed devices will need to be ARP inspection trusted, or a trusted DAI ACL will need to be configured.
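The following is an added example, not configuration from the thread or from cdowdy; it shows, in Catalyst IOS syntax, the three points the accepted answer makes (trusted uplink for both snooping and DAI, an ARP ACL for a static-IP host, and untrusted rate-limited client ports) plus the verification commands and the Option-82 relay caveat. It also covers the later question about a router acting as the DHCP server: the port toward that router is simply the trusted uplink. Interface names, VLAN numbers, the 10.1.100.50 host, its MAC and the flash filename are placeholders I chose for the example.

```cisco
! Added example (not from the thread). Interface names, VLANs, addresses,
! MACs and the database filename are placeholders.
!
! --- Global: DHCP snooping and DAI on the user VLANs ---
ip dhcp snooping
ip dhcp snooping vlan 100,150
! Persist the binding table so IP Source Guard / DAI survive a reload
ip dhcp snooping database flash:/dhcp-snoop.db
ip arp inspection vlan 100,150
ip arp inspection validate src-mac dst-mac ip
!
! Caveat: the switch inserts Option 82 with giaddr 0.0.0.0. A Cisco relay
! between this switch and the DHCP server drops such packets unless told
! to trust them, so on the relay router configure:
!   ip dhcp relay information trust-all
! or disable insertion on the switch with:
!   no ip dhcp snooping information option
!
! --- Static-IP host that never sends DHCP: permit its IP/MAC pair in an
!     ARP ACL instead of trusting the whole port ---
arp access-list STATIC-HOSTS
 permit ip host 10.1.100.50 mac host 0011.2233.4455
!
ip arp inspection filter STATIC-HOSTS vlan 100
!
! --- Uplink toward the DHCP server (Windows/SBS server or a router
!     acting as DHCP server): must be trusted for BOTH features ---
interface GigabitEthernet0/1
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Client access ports: untrusted (default), rate-limited, with
!     IP Source Guard filtering on the DHCP snooping binding table ---
interface range FastEthernet0/3 - 24
 switchport mode access
 switchport access vlan 150
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
!
! --- Verification after deployment ---
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 100
! show ip arp inspection statistics vlan 100
! show ip verify source
```

The binding table shown by `show ip dhcp snooping binding` is what both DAI and IP Source Guard consult, so a client that is missing from it (for example, one that booted before snooping was enabled) will have its traffic dropped until it renews its lease; the DAI statistics counters are the first place to look when that happens.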

Author Comment by: mikey250, ID: 35110101
Hi, thanks for this useful reply. As you suggest, these are the kinds of commands I would add in 'Global config' mode, and the other configurations are specific to those interfaces:

ip dhcp snooping - presumably informing switch that 'dhcp' is taking place
ip dhcp information option - specific to client pc attached that are classed as 'untrusted'
ip dhcp snooping vlan 100,150 - vlans allowed
ip arp inspection vlan 100,150 - Dynamic arp inspection
ip arp inspection validate src-dst-ip - Validates dhcp bindings

- I'm also aware that the physical DHCP server plugged into a specific port is classed as 'Trusted'

Have these commands always been around? If NOT, what was in place when Win 2003/DHCP was being used?

Author Comment by: mikey250, ID: 35121753
What if an SBS 2003 is used? Does the expert's previous comment still apply to adding 'ip dhcp snooping'?

Assisted Solution by: cdowdy (LVL 4, earned 500 total points), ID: 35123023
These commands are useful regardless of the server being used to provide DHCP services. Keep in mind that these commands and their functions are not at all necessary to make DHCP functional on your network. Rather, these provide additional security by leveraging DHCP in order to build a table on the switch and allow or disallow traffic etc. Again, you do not need to employ these features simply to make DHCP function on your network, but they do offer additional security features if used in conjunction with a DHCP server. I would recommend that you read Cisco's documentation for DHCP snooping as well as their documentation on Dynamic ARP Inspection before employing these features, as you will need to have a firm understanding of them in order to support and troubleshoot these features.

Author Comment by: mikey250, ID: 35146883
Thanks for that extra advice. I have not long completed my CCNP course, but these are the parts that, for whatever dumb reason, I did not ask about due to my assumptions.

Author Comment by: mikey250, ID: 35255309
Last comment/question: I suppose, with regards to the last expert's comments (although I do understand), that if DHCP was configured on a router instead of a server, then the commands in my MAIN thread could ALSO be ideal to use?

Expert Comment by: cdowdy (LVL 4), ID: 35256485
Correct.

Author Comment by: mikey250, ID: 35256521
Perfect!!!