Cisco DHCP Snooping on Uplink Port??

All -

I have a 3750 stack group that all my users are plugged into as their core switch; however, I also have a 3524 hanging off this stack group as well. Recently, someone plugged a rogue DHCP server into the 3524, causing me all sorts of grief. My question is: since my 3750 supports DHCP Snooping, can I turn this on to solve all my problems?

Thanks, Andrew

Reply to
abrink

Hmmm, I suspect not -- DHCP snooping is, if I understand correctly, for the case where you might have to relay a DHCP request over a router.

Would it perhaps work to turn on an ACL on the 3750 to block the DHCP replies from the 3524 ?

Reply to
Walter Roberson

That is DHCP forwarding.

It has cheered me up no end that just once in a while Walter has missed the target. It is nice to see that there is a regular fallible human on the other end of the handle.

I don't like the name Cisco have chosen for this feature though:) I find it confusing too.

Overview of DHCP Snooping

DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database (also referred to as a DHCP snooping binding table).

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You can use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch.

--------------------------------------------------------------------------------

Note: For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces.

Reply to
anybody43

;-)

I have an excuse -- hang on, it's right here, I saw it just a few days ago, it was on my desk in one of these piles... or was it in the computer room.... lemme see.... oh, I hope I didn't take it home, because if my spouse borrowed it, I might not get it back for weeks!

Reply to
Walter Roberson

Hi Andrew,

I have to disagree with Walter on this (although he has vastly more experience than I). About 2 weeks ago I started investigating this functionality (DHCP Snooping) as well, and as near as we can see, DHCP Snooping does exactly what you (we) want, i.e. when enabled on a Layer 2 ACCESS port it blocks DHCP Server messages arriving FROM that port.

It's not clear from what I have read so far, but I can't see how/why one would use it on Trunk ports if all your ACCESS ports are covered correctly. In our case we would be using it on 2950's only.

Cheers................pk.

Reply to
Peter
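As an added example (not posted by anyone in this thread), here is what the feature described in the quoted Cisco documentation and in Peter's reply looks like on a 3750 in Andrew's topology: snooping is enabled for the user VLAN, the uplink towards the legitimate DHCP server is trusted, and the port facing the 3524 is deliberately left untrusted so that DHCP server replies (OFFER/ACK) arriving from it are dropped. The VLAN number, interface names and descriptions are assumptions; substitute your own.

```cisco
! Added example, not from the original thread. Assumed layout:
!   VLAN 10        = user VLAN
!   Gi1/0/1        = uplink to the router / legitimate DHCP server
!   Gi1/0/2        = link to the 3524
!   Gi1/0/3 - 24   = user access ports
!
! Enable snooping globally and on the VLAN(s) carrying DHCP clients.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! The 3750 inserts DHCP option 82 by default once snooping is on; many
! DHCP servers/relays discard such packets, so disable insertion unless
! your server is configured to accept it.
no ip dhcp snooping information option
!
! Only the port that actually leads to the real DHCP server is trusted.
interface GigabitEthernet1/0/1
 description Uplink to router / legitimate DHCP server (trusted)
 switchport mode trunk
 ip dhcp snooping trust
!
! The 3524 link stays untrusted (the default): server-side DHCP messages
! received on this port are dropped, client requests still pass.
interface GigabitEthernet1/0/2
 description Link to 3524 - untrusted on purpose, do NOT add "ip dhcp snooping trust"
!
! User ports are untrusted by default; a rate limit guards against a
! host flooding DHCP requests (port goes err-disabled if exceeded).
interface range GigabitEthernet1/0/3 - 24
 description User access ports (untrusted)
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
end
!
! Verification:
!   show ip dhcp snooping            - VLANs, trusted ports, option 82 state
!   show ip dhcp snooping binding    - MAC/IP/lease/VLAN/port learned from traffic
```

Two caveats for this particular topology. First, trust the uplink before (or in the same session as) enabling snooping on the VLAN; with no trusted port, the 3750 drops the legitimate server's replies too and every client on the stack loses DHCP. Second, snooping on the 3750 only filters frames that cross the 3750: a rogue server plugged into the 3524 can still answer clients that are plugged into the same 3524, because the 3524 switches those frames locally. If the 3524 cannot run DHCP snooping itself, the 3750 configuration protects the stack's own users but not the 3524's.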
