Jeffrey D Sessler wrote:

> Do you have a modern Cisco driven network? If so, the following will help.
> We use Cisco 3750 edge devices that have two important features for stopping
> "bad stuff" like a rogue DHCP server.
> First, there is DHCP snooping which allows you to define the "trusted" DHCP
> server. Once you define your trusted DHCP servers, all other servers are
> blocked preventing a rogue from causing a problem.

Well, as you see from the delay of this answer, budgeting sometimes takes very
loooong... ;-)

The DHCP snooping works perfectly. Just one thing surprises me:

We have two stacked pairs of Cisco 3570/3570G switches. They are in different
buildings, connected with a 2xGbit fiber link, configured as a channel.

For VLAN1, DHCP snooping is enabled.
On the switch stack the DHCP server is attached to, that port is DHCP trusted.

The thing I didn't expect is that the channel between the switches has to be
"dhcp trusted" in both directions. I expected that this would only be necessary
on the side of the switch stack the DHCP server is *NOT* attached to directly. For
the switch the DHCP server *IS* attached to directly, I expected that this
would *NOT* be necessary, as there is no dhcp server /behind/ that channel --
it's attached directly to a "dhcp trusted" port. Amazing.

> Second, the Cisco devices support VLAN-filters. These filters work between
> ports in the same switch.

Does this also work for all ports of all Cisco switches that belong to the same

> One application is to use it to block all DHCP server
> activity except from your "trusted" DHCP server thus preventing

Can you perhaps post a copy/paste example from your Cisco's "sh ru" that does that?

> a rogue DHCP
> server from communicating on the network. We use this feature for rogue DHCP,
> blocking of Microsoft's Universal plug-n-play, etc.

Thanks for your help,


IT-Beratung Rudolf Thilo
Schweinfurter Str. 131
97464 Niederwerrn
t: +49 (0)9721/6464840
f: +49 (0)9721/6464841
m: +49(0)171/685 9 685
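A sample Cisco IOS configuration for the two-stack layout described in this thread, added here as an illustration and not taken from the thread or from either poster's switches; the interface names, the channel number and the rate limit are assumed.

```cisco
! ===== Stack A: the stack the DHCP server is attached to (assumed names) =====
ip dhcp snooping
ip dhcp snooping vlan 1
!
interface GigabitEthernet1/0/1
 description DHCP server
 switchport access vlan 1
 ip dhcp snooping trust
!
interface Port-channel1
 description 2xGbit fiber link to Stack B
 switchport mode trunk
 ! Must be trusted on THIS side as well: Stack B inserts option 82 into client
 ! requests by default (ip dhcp snooping information option) with giaddr 0.0.0.0,
 ! and Stack A drops such packets when they arrive on an untrusted port.
 ! Alternatives: "ip dhcp snooping information option allow-untrusted" on
 ! Stack A, or "no ip dhcp snooping information option" on Stack B.
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/2 - 48
 description client ports: untrusted (default), DHCP rate-limited
 ip dhcp snooping limit rate 15
!
! ===== Stack B: the remote stack, no DHCP server attached =====
ip dhcp snooping
ip dhcp snooping vlan 1
!
interface Port-channel1
 description 2xGbit fiber link to Stack A
 switchport mode trunk
 ! Trusted so OFFER/ACK from the server on Stack A are forwarded to clients here.
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/1 - 48
 description client ports: untrusted (default), DHCP rate-limited
 ip dhcp snooping limit rate 15
!
! Verification on either stack:
!   show ip dhcp snooping           (trusted ports, VLANs, option-82 setting)
!   show ip dhcp snooping binding   (learned client MAC/IP/port bindings)
```

Client ports that exceed the rate limit are err-disabled, so set the limit with the number of hosts behind each port in mind.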