Block DHCP completely on a single specific 3750G port

The 3750G (v12) is issuing DHCP to a bunch of VoIP phones.

When I connect another segment into the switch (for a maintenance workstation), that segment's DHCP server competes when a DHCP request comes in. Oddly enough it replies faster than the one on the switch, which itself seems odd, but that's yet another subject.

The question is how can I block DHCP activity both ways on a single port of this switch?
Salad-DodgerInstrumentationAsked:
JustInCaseCommented:
There is no need to block DHCP in both directions. Configure DHCP snooping on the switch for specific VLANs (or all VLANs if that's what you want). Only ports in the direction of your "good DHCP server" should be marked as DHCP snooping trusted ports. That will drop DHCPoffer and DHCPack packets in the inbound direction on untrusted ports. Untrusted ports will forward DHCPdiscover and DHCPrequest packets. If the switch itself is the DHCP server there is no need to mark any ports as DHCP snooping trusted on that particular switch.
Salad-DodgerInstrumentationAuthor Commented:
I read the Cisco doc on snooping; best I could grasp, it appears that all I need to do is

ip dhcp snooping
ip dhcp snooping vlan 1    (tried adding this, no change)
end

That's it.

Since this switch is the ONLY DHCP server I want on this network, the single line should automatically prevent any other DHCP offers.
But that is not enough. The other DHCP server still gets through. What did I miss?
JustInCaseCommented:
ip dhcp snooping vlan 1-4094                          <-- enables DHCP Snooping for all vlans
no ip dhcp snooping information option       <-- removes DHCP Snooping Option-82 Data Insertion
ip dhcp snooping

Verify that DHCP snooping is configured on interfaces with:
show ip dhcp snooping

Salad-DodgerInstrumentationAuthor Commented:
I saw option 82 ..  . what exactly is that?
JustInCaseCommented:
Salad-DodgerInstrumentationAuthor Commented:
oh man, I am far outside my depth :)
JustInCaseCommented:
Just ignore it... it has something to do with security and the way switches and DHCP servers deal with/relay DHCP requests.
:)
Salad-DodgerInstrumentationAuthor Commented:
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-4094
DHCP snooping is operational on following VLANs:
1
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 081f.f34b.7d80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------

look right?
JustInCaseCommented:
If all interfaces are marked as untrusted, then yes.

Additionally, general recommendation is not to use VLAN 1 for anything.

Cisco switches can be configured with a voice VLAN (and some variations of it), portfast should be configured on ports where hosts and phones are attached, etc... but at least configure the switch to use rapid PVST (this should speed up the interface change from down to forwarding from 30 seconds to a few seconds).
spanning-tree mode rapid-pvst
;)
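As an added example (not from the thread or from Cisco), here is a small Python checker that parses the `show ip dhcp snooping` output posted above and flags the conditions discussed in this thread: snooping not operational on the phones' VLAN (configured 1-4094 but only live VLANs count), option 82 insertion left on, and trusted ports present even though the switch itself is the only legitimate DHCP server. The sample output is abridged from the post, and its trusted-port row is constructed; the thread's switch has none.

```python
# Constructed sample: abridged from the 'show ip dhcp snooping' output posted above,
# with one trusted-port row added (the thread's switch has none) to exercise that check.
SAMPLE = """Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-4094
DHCP snooping is operational on following VLANs:
1
Insertion of option 82 is disabled
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/24      yes        yes             unlimited
"""

def expand_vlans(spec):
    vlans = set()                      # '1,10,20-22' -> {1, 10, 20, 21, 22}
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_snooping(text):
    st = {"enabled": False, "option82": False, "configured": set(),
          "operational": set(), "trusted": []}
    section = None
    for s in (line.strip() for line in text.splitlines()):
        if s.startswith(("Switch DHCP snooping is", "Insertion of option 82 is")):
            st["enabled" if s.startswith("Switch") else "option82"] = s.endswith("enabled")
        elif s.startswith("DHCP snooping is") and "following VLANs" in s:
            section = "configured" if "configured" in s else "operational"
        elif s.startswith("Interface"):           # header of the trust/rate table
            section = "table"
        elif section in ("configured", "operational") and s.replace(",", "").replace("-", "").isdigit():
            st[section] |= expand_vlans(s)        # VLAN list may span several lines
        elif section == "table" and s and not s.startswith("-"):
            name, trusted = s.split()[:2]         # e.g. GigabitEthernet1/0/24  yes ...
            if trusted == "yes":
                st["trusted"].append(name)
    return st

def audit(st, phone_vlan, switch_is_dhcp_server=True):
    findings = []                      # assumption: the switch is the only legitimate server
    if not st["enabled"]:
        findings.append("DHCP snooping is globally disabled")
    if phone_vlan not in st["operational"]:      # configured 1-4094, but only live VLANs count
        findings.append(f"snooping not operational on VLAN {phone_vlan} (configured: {phone_vlan in st['configured']})")
    if st["option82"]:
        findings.append("option 82 insertion is enabled; disable it as advised above")
    if switch_is_dhcp_server and st["trusted"]:
        findings.append("trusted ports let an outside DHCP server answer: " + ", ".join(st["trusted"]))
    return findings
```

The parser also copes with the full output (the verification and L3-interface lines are simply ignored), so it can be pointed at a pasted `show ip dhcp snooping` from the real switch.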
Salad-DodgerInstrumentationAuthor Commented:
I didn't specifically mark any ports trusted or untrusted. It's just how they are by default. The switch is behind a locked door so rogue plug-ins are unlikely.

I thought VLAN 1 was the default for "include everybody", which in this case is fine... but upon a moment's reflection a couple of contradicting thoughts surface...

1. Had I not used VLAN 1 for this, I may never have seen this alternate DHCP server issue in the first place, would I?

2. But then I have to tag all the clients and there is no way to do that without tagging each one by hand, i.e. DHCP can't issue a VLAN tag to a device, right?

Any reason to entertain "storm control" on a port? That was suggested elsewhere but seemed unrelated.

I will add the pvst line tonight.
JustInCaseCommented:
1. Had I not used VLAN 1 for this, I may never have seen this alternate DHCP server issue in the first place, would I?
It might not change anything, but most likely in your case it would. Be careful to have all the necessary routes if you configure a different VLAN, so traffic doesn't get blackholed (if the voice server is not directly connected to the same VLAN).
2. But then I have to tag all the clients and there is no way to do that without tagging each one by hand, i.e. DHCP can't issue a VLAN tag to a device, right?
A different VLAN does not mean tagging: if traffic is not tagged now, then it does not need to be tagged in a different VLAN either. You can create VLAN 10 on the switch and assign ports to VLAN 10.

You can check whether port traffic is currently tagged by issuing (x is the port with a phone attached to it):
show interface gi1/0/x switchport

If traffic is untagged then you can issue:

vlan 10
name VoIP
!
interface vlan 10
 ip address 172.16.0.1 255.255.255.0
!
interface range gi1/0/1-24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast

However, bear in mind that the switch by default overwrites DSCP markings to zero on data ports, so trust, or conditional trust, should be configured for end devices.

Also, you can implement storm control if you want to.
Craig BeckCommented:
You need to configure DHCP trust on the port where your DHCP server is connected, or any trunks that lead towards the switch where it is connected.

As Predrag said, disable option 82 and never worry about it.  It will cause you no end of headaches if it is enabled.
JustInCaseCommented:
The point is that the devices are connected directly to the switch that is the DHCP server (from previous questions). Other devices should be blocked, so, from that perspective, there should be no trusted DHCP ports on the device; only this device should assign IP addresses (at least, that's how I understood the issue).
Craig BeckCommented:
Yes, you are right @Predrag. If the switch is the DHCP server there's nothing else to do.
Salad-DodgerInstrumentationAuthor Commented:
Once again I'm in your debt.
Thank you.
JustInCaseCommented:
You're welcome.