Block Rogue DHCP Servers on Cisco Equipment
Network loops are not the only issue you may face in a simple or complex LAN setup; you may also run into a client-installed (rogue) DHCP server handing out addresses to your users.
Such an issue can be overcome by implementing one of the following two approaches:
- By enabling DHCP snooping, as below:
  - Enable the feature globally with the ip dhcp snooping global configuration command.
  - Enable the feature for individual VLANs with the ip dhcp snooping vlan <vlan-id> global configuration command.
  - Configure the trusted interfaces (the uplink toward the legitimate DHCP server) with the ip dhcp snooping trust interface configuration command; all other ports stay untrusted and DHCP server messages arriving on them are dropped.
  - Rate-limit DHCP on untrusted interfaces with the ip dhcp snooping limit rate <pps> interface configuration command.
- By applying an ACL that blocks DHCP server traffic. DHCP offers and acknowledgments are sent from the DHCP server to UDP port 68 (bootpc) on the client, so you can apply an inbound extended ACL on the interface facing the would-be rogue servers. This is the relevant configuration (numbered extended ACL syntax; bootpc is the IOS keyword for UDP port 68):
  access-list 100 deny udp any any eq bootpc
  access-list 100 permit ip any any
  interface [interface facing the would-be rogue]
   ip access-group 100 in
That will block any DHCP server sending an offer or an acknowledgment into that interface, but it will not block a client sending a discover or a request into the interface, since those go to UDP port 67 and are permitted by the second line.
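The two approaches above put together as a complete, added example for a Catalyst access switch (not configuration from the original post). It assumes client VLAN 10, the uplink toward the legitimate DHCP server on GigabitEthernet1/0/1, and client access ports GigabitEthernet1/0/2 through 1/0/24.

```cisco
! --- Approach 1: DHCP snooping (preferred; also builds a binding table) ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is enabled by default with snooping; disable it unless
! your DHCP server/relay is set up to accept it, or clients may get no offers.
no ip dhcp snooping information option
! Recover ports automatically if the rate limit puts them in err-disable.
errdisable recovery cause dhcp-rate-limit
!
interface GigabitEthernet1/0/1
 description Uplink toward legitimate DHCP server
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/2 - 24
 description Client access ports (untrusted by default)
 ip dhcp snooping limit rate 10
!
! --- Approach 2: ACL on client ports (no binding table, no rate limiting) ---
! Matching both ports (67 -> 68) is slightly stricter than "any any eq 68".
access-list 100 remark Drop DHCP server replies arriving from client ports
access-list 100 deny   udp any eq bootps any eq bootpc
access-list 100 permit ip any any
!
interface range GigabitEthernet1/0/2 - 24
 ip access-group 100 in
!
! --- Verification ---
show ip dhcp snooping
show ip dhcp snooping binding
show access-lists 100
```

The deny counter in show access-lists 100, or DHCP_SNOOPING syslog messages, tells you a rogue server is present on a client port rather than silently failing clients.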