  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 882

IP DHCP SNOOPING

Do the below commands get used 'AS WELL' as being attached to a Win 2003 server/DHCP, for example?

ip dhcp snooping
ip dhcp information option
ip dhcp snooping vlan 100,150
ip arp inspection vlan 100,150
ip arp inspection validate src-dst-ip

int fa0/2
switchport mode access
ip dhcp snooping vlan 100
ip dhcp snooping trust

int fa0/3
switchport mode access
ip dhcp snooping vlan 150
ip verify source vlan dhcp-snooping port-security
ip dhcp snooping limit rate 150
Asked by: mikey250
 
cdowdy Commented:
Yes, the commands you have listed help to provide security against DHCP pool exhaustion, man-in-the-middle attacks etc. They are used in conjunction with a DHCP server such as a Win 2003 server. Keep in mind that uplinks from your switch need to be trusted explicitly for DHCP snooping and DAI. Also remember that any access ports connected to statically IP addressed devices will need to be ARP inspection trusted, or a trusted DAI ACL will need to be configured.
 
mikey250 (Author) Commented:
Hi, thanks for this useful reply. As you suggest, these are the kinds of commands I would add in 'Global config' mode, and the other configurations are specific to those interfaces:

ip dhcp snooping - presumably informing switch that 'dhcp' is taking place
ip dhcp information option - specific to client PCs attached that are classed as 'untrusted'
ip dhcp snooping vlan 100,150 - VLANs allowed
ip arp inspection vlan 100,150 - Dynamic ARP inspection
ip arp inspection validate src-dst-ip - validates DHCP bindings

- I'm also aware that the physical DHCP plugged into a specific port is classed as 'Trusted'

Have these commands always been around? If NOT, what was in place when Win 2003/DHCP was being used?
 
mikey250 (Author) Commented:
What if an SBS 2003 is used? Does 'ip dhcp snooping' being added still apply to the previous comment from the expert?
 
cdowdy Commented:
These commands are useful regardless of the server being used to provide DHCP services. Keep in mind that these commands and their functions are not at all necessary to make DHCP functional on your network. Rather, these provide additional security by leveraging DHCP in order to build a table on the switch and allow or disallow traffic etc. Again, you do not need to employ these features simply to make DHCP function on your network, but they do offer additional security features if used in conjunction with a DHCP server. I would recommend that you read Cisco's documentation for DHCP snooping as well as their documentation on Dynamic ARP Inspection before employing these features, as you will need to have a firm understanding of them in order to support and troubleshoot these features.
0
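The behaviour described in the two answers above (trusted uplinks, a binding table built from DHCP, and static hosts needing trust or a DAI ACL), as a simplified model added here for illustration; it is not part of the original thread and not Cisco's implementation. The class, port names, MAC addresses and IP addresses are constructed assumptions.

```python
# Simplified model of DHCP snooping + Dynamic ARP Inspection (DAI) on one switch.
# All ports, MACs and IPs are constructed sample values, not taken from the thread.

class Switch:
    def __init__(self, vlans, dhcp_trusted=(), arp_trusted=()):
        self.vlans = set(vlans)                 # VLANs with snooping and DAI enabled
        self.dhcp_trusted = set(dhcp_trusted)   # ports with "ip dhcp snooping trust"
        self.arp_trusted = set(arp_trusted)     # ports with "ip arp inspection trust"
        self.arp_acl = set()                    # static (ip, mac) pairs permitted by a DAI ACL
        self.bindings = {}                      # (vlan, mac) -> (ip, client port)

    def dhcp_ack(self, in_port, vlan, mac, ip, client_port):
        """Server reply (DHCPACK) arriving on in_port for the client on client_port."""
        if vlan in self.vlans:
            if in_port not in self.dhcp_trusted:
                return "drop"                   # server messages only allowed on trusted ports
            self.bindings[(vlan, mac)] = (ip, client_port)
        return "forward"

    def arp(self, in_port, vlan, sender_mac, sender_ip):
        """DAI decision for an ARP packet arriving on in_port."""
        if vlan not in self.vlans or in_port in self.arp_trusted:
            return "forward"                    # not inspected
        if (sender_ip, sender_mac) in self.arp_acl:
            return "forward"                    # static host permitted by ACL
        if self.bindings.get((vlan, sender_mac)) == (sender_ip, in_port):
            return "forward"                    # matches a snooped DHCP lease
        return "drop"

def run_scenario():
    pc, printer = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    sw = Switch({100, 150}, dhcp_trusted={"Gi0/1"}, arp_trusted={"Gi0/1"})
    r = {}
    r["ack_on_untrusted_port"] = sw.dhcp_ack("Fa0/4", 100, pc, "192.0.2.50", "Fa0/3")
    r["ack_on_trusted_uplink"] = sw.dhcp_ack("Gi0/1", 100, pc, "192.0.2.50", "Fa0/3")
    r["arp_leased_address"] = sw.arp("Fa0/3", 100, pc, "192.0.2.50")
    r["arp_claims_other_ip"] = sw.arp("Fa0/3", 100, pc, "192.0.2.1")
    r["arp_static_host_no_acl"] = sw.arp("Fa0/5", 100, printer, "192.0.2.20")
    sw.arp_acl.add(("192.0.2.20", printer))
    r["arp_static_host_with_acl"] = sw.arp("Fa0/5", 100, printer, "192.0.2.20")
    r["arp_uninspected_vlan"] = sw.arp("Fa0/6", 200, printer, "192.0.2.20")
    return r

if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:26} {verdict}")
```

The statically addressed host is dropped until its IP/MAC pair is added to the ACL, which is the troubleshooting case the first answer warns about.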
 
mikey250 (Author) Commented:
Thanks for that extra advice. I have not long completed my CCNP course, but these are the parts that, for whatever dumb reason, I did not ask about due to my assumptions.
 
mikey250 (Author) Commented:
Last comment/question: I suppose, with regards to the last expert's comments (although I do understand), that if DHCP was configured on a router instead of a server then the commands in my MAIN thread could ALSO be ideal to use?
 
cdowdy Commented:
Correct.
 
mikey250 (Author) Commented:
Perfect!!!