[c-nsp] DHCP Snooping with 3560 switches as DHCP server

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Thu Jan 25 09:14:04 EST 2007


Hi,
> I have recently implemented a few 3560 switches and 1 2960G and am running
> the DHCP servers for the vlan on the 3560 switches. I am facing a problem
> because someone will always plug in their SOHO Linksys WRT54G and start
> leasing out unauthorized IP.
> 
> Now how do I configure DHCP snooping? I have narrowed the rogue Linksys
> wireless router to be on the 2960G on a specific vlan. Do I configure all
> access ports on that switch as untrust and trust only the trunk uplinks to
> my core switch?

On the 2950, do the following:


ip dhcp snooping vlan XXX
! where XXX is the trusted vlan list
ip dhcp snooping

Then, on the interface which is the uplink to your 3560, enable trust,
as that's where the DHCP can come FROM.

e.g.

int gi0/x
ip dhcp snooping trust


This will cause the 2950 to block any ingress DHCP responses from all its other
ports and only allow DHCP to leak through that uplink, which is where your trusted
DHCP server (aka switch) lives.

alan
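
Added example, not part of the original post: a small Python audit that checks a saved running-config against the advice above (snooping on globally and for the VLAN, trust only on the uplink). The sample config, interface names, VLAN numbers and the function names are constructed for illustration, and the VLAN list is assumed to use the comma/range form.

```python
import re

# Constructed running-config for an access switch; names and VLANs are sample values.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10,20-22
!
interface GigabitEthernet0/1
 description uplink to 3560
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport access vlan 20
!
interface GigabitEthernet0/3
 switchport access vlan 20
 ip dhcp snooping trust
"""

def snooped_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dhcp_snooping(config, vlan, uplinks):
    """Return findings; an empty list means the config matches the advice above."""
    findings, vlans, trusted, iface = [], set(), set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a global-level line ends any interface block
            iface = None
        if m := re.fullmatch(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.fullmatch(r"ip dhcp snooping vlan (\S+)", line):
            vlans |= snooped_vlans(m.group(1))
        elif line == "ip dhcp snooping trust" and iface:
            trusted.add(iface)
    if not re.search(r"^ip dhcp snooping$", config, re.M):
        findings.append("global 'ip dhcp snooping' is missing, so nothing is filtered")
    if vlan not in vlans:
        findings.append(f"VLAN {vlan} is not in 'ip dhcp snooping vlan'")
    findings += [f"{i} is trusted but is not an uplink" for i in sorted(trusted - set(uplinks))]
    findings += [f"uplink {u} is not trusted, server replies will be dropped"
                 for u in sorted(set(uplinks) - trusted)]
    return findings
```

On the sample config, `audit_dhcp_snooping(SAMPLE_CONFIG, 20, ["GigabitEthernet0/1"])` reports the missing global command and the trusted access port GigabitEthernet0/3.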

