1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

DHCP Snooping - Does it Error disable port ?

Discussion in 'Routing & Switching' started by diesel, May 26, 2011.

  1. diesel

    diesel Bit Poster

    24
    2
    3
    Was watching the CBT Nuggets Switch series today and Jeremy states that when DHCP snooping is enabled it will error disable a port on which it detects a rogue DHCP Server. When doing his config he also doesn't define which VLANs it should be applied on. He doesn't actually go on to test the config.

    Correct me if I'm wrong but I am sure this is incorrect.

    I'm sure all it will do is stop DHCP packets travelling through that port but still allow other traffic through. The only time the port is err-disabled is when it exceeds the DHCP rate limit if you set it ? You also need to define which VLAN is being used.

    e.g.
    #ip dhcp snooping
    #ip dhcp snooping vlan 1
    [config-if]#ip dhcp snooping trust

    looking at the results of #show errdisable detect shows the following:
    Switch> show errdisable detect
    ErrDisable Reason Detection Mode
    ----------------- --------- ----
    arp-inspection Enabled
    bpduguard Enabled
    channel-misconfig Enabled
    community-limit Enabled
    dhcp-rate-limit Enabled
    dtp-flap Enabled
    link-flap Enabled
    loopback Enabled
    lsgroup Enabled
    pagp-flap Enabled
    psecure-violation Enabled
    security-violatio Enabled
    storm-control Enabled
    udld Enabled
    vmps Enabled
     
    Last edited: May 26, 2011
  2. cisco lab rat

    cisco lab rat Megabyte Poster

    660
    62
    116
    Nope, snooping will silently drop "offers" on the port, the port will not go into err-disable, rate limit is to prevent a client from demanding multiple ip addresses from the DHCP server and therefore depleting the scope.

    I demostrate DHCP snooping in the class and never has a port ever gone into err-disable even when I have set err-disable to "detect all"

    On our videos we demostrate everything, we show you it all in action, warts and all.

    The CBT videos are ok as a primer but not enough detail to really get to grips with the topics.

    The cisco press manuals are also guilty of this.

    (Unless JC is using a special IOS)
     
    Last edited: May 26, 2011
    Certifications: Yes I pretty much am!!
    WIP: Fizzicks Degree
  3. diesel

    diesel Bit Poster

    24
    2
    3
    Thanks Joe, as I suspected. I thought it was a bit funny that he didn't test the config.
     
  4. cisco lab rat

    cisco lab rat Megabyte Poster

    660
    62
    116
    No worries, remember that the command "ip dhcp snooping" is the command to turn it all on, I always forget and go straight for the "ip dhcp snooping vlan "

    Wait till you get to ip source guard and DAI, see if he demos that with a proper Man in the Middle attack.
     
    Last edited: May 26, 2011
    Certifications: Yes I pretty much am!!
    WIP: Fizzicks Degree

Share This Page

Loading...