Solved

IP DHCP SNOOPING

Posted on 2011-03-10
Last Modified: 2012-05-11
Do the below commands get used 'AS WELL' as being attached to a win 2003 server/dhcp for example?

ip dhcp snooping
ip dhcp information option
ip dhcp snooping vlan 100,150
ip arp inspection vlan 100,150
ip arp inspection validate src-dst-ip

int fa0/2
switchport mode access
ip dhcp snooping vlan 100
ip dhcp snooping trust

int fa0/3
switchport mode access
ip dhcp snooping vlan 150
ip verify source vlan dhcp-snooping port-security
ip dhcp snooping limit rate 150
0
Question by:mikey250
 
LVL 4

Accepted Solution

by:
cdowdy earned 2000 total points
ID: 35102195
Yes, the commands you have listed help to provide security against dhcp pool exhaustion, man-in-the-middle attacks etc. They are used in conjunction with a dhcp server such as a win 2003 server. Keep in mind that uplinks from your switch need to be trusted explicitly for dhcp snooping and DAI. Also remember that any access ports connected to statically IP addressed devices will need to be arp inspection trusted, or a trusted DAI ACL will need to be configured.
0
 

Author Comment

by:mikey250
ID: 35110101
hi thanks for this useful reply and as you suggest these are the kinds of commands I would add in 'Global config' mode and the other configurations are specific to those interfaces:

ip dhcp snooping - presumably informing switch that 'dhcp' is taking place
ip dhcp information option - specific to client pc attached that are classed as 'untrusted'
ip dhcp snooping vlan 100,150 - vlans allowed
ip arp inspection vlan 100,150 - Dynamic arp inspection
ip arp inspection validate src-dst-ip - Validates dhcp bindings

- I'm also aware that the physical DHCP plugged into a specific port is classed as 'Trusted'

have these commands always been around but if NOT what was in place when win 2003/dhcp was being used?
0
 

Author Comment

by:mikey250
ID: 35121753
what if an sbs 2003 is used does using 'ip dhcp snooping' being added still apply to previous comment from expert?
0
 
LVL 4

Assisted Solution

by:cdowdy
cdowdy earned 2000 total points
ID: 35123023
These commands are useful regardless of the server being used to provide DHCP services. Keep in mind that these commands and their functions are not at all necessary to make DHCP functional on your network. Rather, these provide additional security by leveraging DHCP in order to build a table on the switch and allow or disallow traffic etc. Again, you do not need to employ these features simply to make DHCP function on your network, but they do offer additional security features if used in conjunction with a DHCP server. I would recommend that you read Cisco's documentation for DHCP snooping as well as their documentation on Dynamic Arp Inspection before employing these features as you will need to have a firm understanding of them in order to support and troubleshoot these features.
0
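The table-building and allow/disallow behaviour described in the two answers above, as an added example that is not part of the original thread and is not Cisco's implementation. It is a simplified model: the Switch class, its method names, and all ports, MACs and IP addresses are hypothetical or constructed.

```python
# Simplified model (added example) of how a switch applies DHCP snooping and
# Dynamic ARP Inspection. Ports, MACs and IPs below are constructed values.
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server should send these

@dataclass
class Switch:
    dhcp_trusted: set                               # "ip dhcp snooping trust" ports
    arp_trusted: set = field(default_factory=set)   # "ip arp inspection trust" ports
    arp_acl: set = field(default_factory=set)       # static (vlan, mac, ip) permits
    bindings: dict = field(default_factory=dict)    # (vlan, mac) -> (ip, port)
    pending: dict = field(default_factory=dict)     # (vlan, mac) -> client port

    def dhcp(self, port, vlan, msg, client_mac, ip=None):
        """Return 'forward' or 'drop' for a DHCP message received on port."""
        key = (vlan, client_mac)
        if msg in SERVER_MSGS:
            if port not in self.dhcp_trusted:
                return "drop"                       # server reply from untrusted port
            if msg == "ACK" and key in self.pending:
                self.bindings[key] = (ip, self.pending.pop(key))  # lease confirmed
            return "forward"
        if port not in self.dhcp_trusted:
            self.pending[key] = port                # remember where the client lives
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Return 'forward' or 'drop' for an ARP packet received on port."""
        if port in self.arp_trusted:
            return "forward"                        # trusted ports are not inspected
        if (vlan, sender_mac, sender_ip) in self.arp_acl:
            return "forward"                        # static host permitted by ARP ACL
        if self.bindings.get((vlan, sender_mac)) == (sender_ip, port):
            return "forward"                        # matches the snooping binding
        return "drop"                               # no binding: treated as spoofed

if __name__ == "__main__":
    sw = Switch(dhcp_trusted={"Gi0/1"})             # Gi0/1: uplink toward DHCP server
    pc = "00:11:22:33:44:55"
    print(sw.dhcp("Fa0/3", 100, "OFFER", pc, "10.0.100.9"))    # drop
    sw.dhcp("Fa0/3", 100, "REQUEST", pc)
    sw.dhcp("Gi0/1", 100, "ACK", pc, "10.0.100.20")
    print(sw.arp("Fa0/3", 100, pc, "10.0.100.20"))             # forward
    print(sw.arp("Fa0/3", 100, pc, "10.0.100.1"))              # drop
    print(sw.arp("Gi0/1", 100, "00:aa:bb:cc:dd:01", "10.0.100.1"))  # drop until trusted
```

The last line shows why the uplink needs trust for DAI as well as for DHCP snooping: a port that is only DHCP-snooping trusted still has its ARP traffic inspected, and a statically addressed host has no binding until it is added to arp_acl.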
 

Author Comment

by:mikey250
ID: 35146883
thanks for that extra advice.  I have not long completed my ccnp course but these are the parts for whatever dumb reason I did not ask due to my assumptions.
0
 

Author Comment

by:mikey250
ID: 35255309
last comment/question - I suppose with regards to the last expert's comments although I do understand.  That if dhcp was configured on a router instead of a server then the commands in my MAIN thread could ALSO be ideal to use?
0
 
LVL 4

Expert Comment

by:cdowdy
ID: 35256485
correct.
0
 

Author Comment

by:mikey250
ID: 35256521
perfect!!!
0
