Cincinnerdi Tech Stuff

A mind-numbing read if ever there was one

Pretty severe penalty for excessive DHCP-ing


Cisco allows you to monitor any switchport to limit the rate of DHCP client activity. Presumably, someone flooding a network with spurious DISCOVER packets could give a DHCP server headaches.

I figured extra packets would just be dropped, but was in for somewhat of a shock when the port was placed into a permanent ERR-DISABLE status. That means a SysAdmin would need to reset the port manually, unless other provisions were made.

So what’s a reasonable number of packets per minute? Maybe 3? I set it to 2 to see what the result would be. Pretty drastic!

The IOS:

interface range fa0/2 - 5
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip dhcp snooping limit rate 5
 no ip address
 spanning-tree portfast
 no shutdown
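The "other provisions" mentioned above are the errdisable recovery settings. The following is an added configuration example, not taken from the original post: it turns DHCP snooping on, lets a port that tripped the DHCP rate limit come back on its own after a timer, and marks the uplink toward the DHCP server as trusted so server replies are not dropped. VLAN 10, GigabitEthernet0/1 as the uplink, the 100 packets-per-second uplink limit and the 300-second recovery interval are assumptions chosen for illustration. Note that IOS reads the argument of "ip dhcp snooping limit rate" as packets per second.

```cisco
! Added example (not from the original post). VLAN 10, Gi0/1 as the
! uplink, 100 pps on the uplink and a 300 s recovery timer are assumptions.
!
! DHCP snooping does nothing until it is enabled globally and per VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Without these two lines a port that exceeds its DHCP rate limit stays
! err-disabled until someone does shutdown / no shutdown on it by hand.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Uplink toward the DHCP server: trusted, so OFFER/ACK from the server are
! forwarded, and with a much higher rate limit than an access port.
interface GigabitEthernet0/1
 description uplink toward DHCP server (assumed)
 ip dhcp snooping trust
 ip dhcp snooping limit rate 100
!
! Client access ports: untrusted (the default) and rate-limited. The value
! is packets per second, so 5 means five DHCP packets per second; a burst
! above that err-disables the port, which then auto-recovers after 300 s.
interface range FastEthernet0/2 - 5
 switchport mode access
 ip dhcp snooping limit rate 5
 spanning-tree portfast
!
! Verification from exec mode:
!   show ip dhcp snooping                 -> snooping state, trusted ports, rate limits
!   show interfaces status err-disabled   -> ports currently shut down by a violation
!   show errdisable recovery              -> causes that auto-recover and the timer
```

Recovery only re-enables the port; if the host behind it keeps flooding DISCOVER packets it will be err-disabled again at the next interval, which makes "show interfaces status err-disabled" and the resulting syslog messages a useful place to spot a misbehaving or malicious client.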


Written by scottledyard

2007, April 11th at 9:28 am

One Response


  1. I didn’t even know this feature existed! I must say, Cisco’s documentation is a bit confusing on the subject of what DHCP snooping is actually *for*. They say something to the effect that it is for protection from DHCP packets originating from outside your network – something that seems unlikely since most people would have a firewall in place, you’d have thought.

    I’d have thought that DHCP snooping is just another part of port security – can you set port security to “notify” or something, and then do “snmp-server enable traps port-security”?


    2007, June 7th at 5:43 am
