dhcp snooping question (for 2900 series switches)

aung.naingoo
Level 1

Is it possible to implement dhcp snooping on the following switch series?

2940-8TT-S
2950-12
2950-24
2950G-24E
2950-8-LRE
2950-24-LRE
2960-24TC
2960-48TC
2960G-48TC
3550-24PWR
3560G-24TS
3750G-24TS-E

6 Replies

glen.grant
VIP Alumni

Yes, those are all newer-type switches and should support DHCP snooping.

No, it wasn't when I tested on the 2940 and 2960. That's why I'm concerned about whether it is supported on all models or not.

Below are the IOS images that I used on 2940 and 2960:

c2940-i6k2l2q4-mz.121-22.EA10b.bin

c2960-lanbasek9-mz.122-40.SE.bin

Not sure what you mean by it's not supported. It is right in the config guides for both models. You can go to the main cisco.com page and search on something like "2940 dhcp snooping" and this will bring up the config guides, and the how-to-configure is right in there. You can check all your models this way. This is out of a 2940 12.1.22ea7 config guide. If there is a conflict between their documentation and what the switch actually supports, I don't know.

http://cisco.com/en/US/partner/docs/switches/lan/catalyst2940/software/release/12.1_22_ea7/configuration/guide/swdhcp82.html#wp1058259

It looks like DHCP snooping is supported on all of those models. Maybe my understanding of the concept is wrong.

I just want to block rogue DHCP servers in the campus in case somebody (un)intentionally plugs in a device/workstation with DHCP running on it. All of my infrastructure servers are located in the server farm connected to the core, and I want to implement DHCP snooping on all the access switches.

I tested the configuration in the lab by configuring "ip dhcp snooping" (global command) and allowing "ip dhcp snooping trust" on the trunk port only. After that, I put the rogue DHCP server on an untrusted port. A test workstation trying to get a DHCP IP is still receiving one from the rogue DHCP server. The switch port where the rogue DHCP server is connected isn't configured for "ip dhcp snooping trust", it didn't go into "err-disable", nor did I see anything in "ip dhcp snooping binding".

Below is the sample config on the access switch in the lab:

!
ip dhcp snooping
!
interface GigabitEthernet0/1
 description UPLINK to Distribution
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/3
 description User Workstation
 switchport mode access
!
interface FastEthernet0/5
 description Rogue DHCP Server !
 switchport mode access
!

When the user workstation requests an IP, the rogue DHCP server successfully assigns the IP address without its interface going into the "err-disable" state. Am I misunderstanding the concept, or am I missing something?

I haven't done a lot of work with this myself, but from what I have read your interpretation sounds correct. Did you add this step?

Step 3

ip dhcp snooping vlan vlan-range

Enable DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4094.

You can enter a single VLAN ID identified by VLAN ID number, a series of VLAN IDs separated by commas, a range of VLAN IDs separated by hyphens, or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space.

What Glen described is correct. There are three steps to enabling DHCP snooping:

1. Enable DHCP snooping for the VLANs you require it on in global configuration:

ip dhcp snooping vlan [vlan-range]

2. Trust the layer-2 uplinks towards where your DHCP servers are located (note: physical layer-3 interfaces are inherently trusted, so there is no additional configuration needed on these):

interface GigabitEthernet0/1
 description Uplink to Distribution Layer
 switchport mode trunk
 ip dhcp snooping trust

3. Enable DHCP snooping in global configuration:

ip dhcp snooping

Additionally, if you are using a Windows DHCP server you must disable option 82 insertion, as it will not understand option 82:

no ip dhcp snooping information option

You should also rate-limit the DHCP requests on client interfaces to minimise any DoS attacks on your DHCP server:

interface FastEthernet0/1
 ip dhcp snooping limit rate 100

HTH

Andy
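As an added example (not part of the thread, and not Cisco's own tooling), the following Python script audits a saved IOS access-switch configuration for the three steps above plus the rate limit. Run against the lab config from this thread (embedded below as a constructed sample, with the description spelling corrected) it flags exactly the defect the original poster hit: the global "ip dhcp snooping" is present, but no "ip dhcp snooping vlan" line ever activates snooping, so untrusted ports are never filtered.

```python
import re

# Constructed sample: the lab config posted in this thread. It enables DHCP
# snooping globally but never activates it on any VLAN, so it does nothing.
LAB_CONFIG = """\
!
ip dhcp snooping
!
interface GigabitEthernet0/1
 description UPLINK to Distribution
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/3
 description User Workstation
 switchport mode access
!
interface FastEthernet0/5
 description Rogue DHCP Server
 switchport mode access
!
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for each stanza."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line == "!":
            current = None          # '!' terminates the current stanza
        elif current is not None:
            ifaces[current].append(line)
    return ifaces

def audit_dhcp_snooping(config):
    """Return a list of findings; an empty list means all steps are present."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    if "ip dhcp snooping" not in lines:
        findings.append("global: 'ip dhcp snooping' is missing")
    if not any(re.match(r"ip dhcp snooping vlan \S+", ln) for ln in lines):
        findings.append("global: no 'ip dhcp snooping vlan <range>' line, "
                        "so snooping is not active on any VLAN")
    for name, body in parse_interfaces(config).items():
        trunk = "switchport mode trunk" in body
        trusted = "ip dhcp snooping trust" in body
        limited = any(ln.startswith("ip dhcp snooping limit rate") for ln in body)
        if trunk and not trusted:
            findings.append(f"{name}: trunk uplink is not trusted")
        if not trunk and trusted:
            findings.append(f"{name}: access port is trusted (rogue server would pass)")
        if not trunk and not limited:
            findings.append(f"{name}: access port has no DHCP rate limit")
    return findings
```

Feed it the output of "show running-config" saved to a file; once the VLAN line and the per-port rate limits are added, the audit returns an empty list.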
