IP DHCP SNOOPING

Posted on 2011-03-10
Last Modified: 2012-05-11
Do the below commands get used 'AS WELL' as being attached to a Win 2003 server/DHCP, for example?

ip dhcp snooping
ip dhcp information option
ip dhcp snooping vlan 100,150
ip arp inspection vlan 100,150
ip arp inspection validate src-dst-ip

int fa0/2
switchport mode access
ip dhcp snooping vlan 100
ip dhcp snooping trust

int fa0/3
switchport mode access
ip dhcp snooping vlan 150
ip verify source vlan dhcp-snooping port-security
ip dhcp snooping limit rate 150
Question by: mikey250

Accepted Solution

by: cdowdy
ID: 35102195
Yes, the commands you have listed help to provide security against dhcp pool exhaustion, man-in-the-middle attacks etc. They are used in conjunction with a dhcp server such as a win 2003 server. Keep in mind that uplinks from your switch need to be trusted explicitly for dhcp snooping and DAI. Also remember that any access ports connected to statically IP addressed devices will need to be arp inspection trusted, or a trusted DAI ACL will need to be configured.
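Added example, not from the original post or from cdowdy's answer: a Catalyst IOS configuration that puts the answer's points in place, with the VLAN scoping in global config, the uplink trusted for both DHCP snooping and DAI, and an ARP ACL for a statically addressed host. Interface names, the host address 10.100.0.50 and its MAC are constructed placeholders.

```cisco
! Global configuration: enable both features and scope them to the VLANs.
! "ip dhcp snooping vlan" is a global command on Catalyst IOS; it is not
! entered per interface.
ip dhcp snooping
ip dhcp snooping vlan 100,150
ip dhcp snooping information option
ip arp inspection vlan 100,150
ip arp inspection validate src-mac dst-mac ip
!
! DAI ACL for a host with a static IP: no DHCP binding will ever exist for
! it, so without this entry (or a trusted port) its ARP would be dropped.
! Address and MAC below are constructed placeholders.
arp access-list STATIC-HOSTS
 permit ip host 10.100.0.50 mac host 0000.0c12.3456
ip arp inspection filter STATIC-HOSTS vlan 100
!
! Uplink towards the distribution switch and the DHCP server: trusted for
! both features so DHCPOFFER/DHCPACK and ARP from the server side pass.
interface GigabitEthernet0/1
 description Uplink - DHCP server side
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Untrusted access port for a DHCP client: server-type DHCP messages
! arriving here are dropped, ARP is checked against the binding table,
! and IP Source Guard (needs port security on this platform) limits the
! host to its leased address.
interface FastEthernet0/3
 switchport access vlan 150
 switchport mode access
 switchport port-security
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source vlan dhcp-snooping port-security
!
! Access port for the static host: covered by the ARP ACL above.
! Alternative: "ip arp inspection trust" on this port instead of the ACL.
interface FastEthernet0/4
 switchport access vlan 100
 switchport mode access
!
! Bring ports back automatically if a rate limit err-disables them.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
```

After clients renew, `show ip dhcp snooping binding` should list one entry per DHCP client port, and `show ip arp inspection statistics` shows DAI drops if a host's ARP does not match.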

Author Comment

by: mikey250
ID: 35110101
Hi, thanks for this useful reply. As you suggest, these are the kinds of commands I would add in 'Global config' mode, and the other configurations are specific to those interfaces:

ip dhcp snooping - presumably informing switch that 'dhcp' is taking place
ip dhcp information option - specific to client pc attached that are classed as 'untrusted'
ip dhcp snooping vlan 100,150 - vlans allowed
ip arp inspection vlan 100,150 - Dynamic arp inspection
ip arp inspection validate src-dst-ip - Validates dhcp bindings

- I'm also aware that the physical DHCP server plugged into a specific port is classed as 'Trusted'

Have these commands always been around? If NOT, what was in place when Win 2003/DHCP was being used?

Author Comment

by: mikey250
ID: 35121753
What if an SBS 2003 is used? Does adding 'ip dhcp snooping' still apply, as in the previous comment from the expert?

Assisted Solution

by: cdowdy
ID: 35123023
These commands are useful regardless of the server being used to provide DHCP services. Keep in mind that these commands and their functions are not at all necessary to make DHCP functional on your network. Rather, these provide additional security by leveraging DHCP in order to build a table on the switch and allow or disallow traffic etc. Again, you do not need to employ these features simply to make DHCP function on your network, but they do offer additional security features if used in conjunction with a DHCP server. I would recommend that you read Cisco's documentation for DHCP snooping as well as their documentation on Dynamic ARP Inspection before employing these features, as you will need to have a firm understanding of them in order to support and troubleshoot these features.

Author Comment

by: mikey250
ID: 35146883
Thanks for that extra advice. I have not long completed my CCNP course, but these are the parts that, for whatever dumb reason, I did not ask about due to my assumptions.

Author Comment

by: mikey250
ID: 35255309
Last comment/question - I suppose, with regards to the last expert's comments (although I do understand): if DHCP was configured on a router instead of a server, then the commands in my MAIN thread could ALSO be ideal to use?

Expert Comment

by: cdowdy
ID: 35256485
Correct.

Author Comment

by: mikey250
ID: 35256521
Perfect!!!