dhcp snooping

gcdudley
Level 1

I'm having trouble determining where/how to implement DHCP snooping on our campus.

The core for our campus is a pair of 6506's etherchanneled to each other and 3750 stacks which serve as the distribution layer. The 3750's are trunked to our access layer switches (3560Gs, 3550s and some 3500XLs). The 6506s have MSFCs configured with the SVIs for each of 50+ end-to-end VLANs and run HSRP. DHCP is enabled on a few nets/vlans currently. Those nets/vlans have the ip-helper address configured. In addition, the supervisors on the 6506s serve as VTP servers and are the only CatOS on campus. We're trying to test dhcp snooping but haven't had much success.

Our DHCP server is located near the core. DHCP snooping is enabled on most of the 3560Gs globally and only the uplinks are trusted. All of our access switches are in a stacked configuration similar to... core -> bldg1 dist -> bldg1a -> bldg1b -> bldg1c... It didn't make sense to trust offers from downstream. My understanding of trust relates to where offers are originating. Is this correct or is there more information exchanged that requires bidirectional trust?

The VLAN SVIs don't seem to allow for snooping configuration. Should I be looking at the dist. or access levels? The access level seems like it would be an administrative nightmare in a large VTP domain!

Thanks for any advice.

Chris Dudley

4 Replies

richf
Level 1

You want to do it at the access layer since that is where your clients are. If you have your DHCP servers at the core then it shouldn't be too much of an administrative nightmare, but I am not familiar with your network so I don't really know. Make sure you trust your uplinks.

-Rich

My global config says nothing more than "ip dhcp snooping" and the uplink port is configured with "ip dhcp snooping trust". Should I also configure "ip dhcp snooping vlan 10" if vlan 10 is assigned to an access port on the switch (and also do that for each switch that has a port configured for vlan 10), and likewise for each additional vlan assigned on the switch? Sorry - I know that sounded rambling...

Yes, you enable snooping first globally (like you already did) and then per-vlan that you want protection on.

After you enable snooping, you might want to look into IP Source Guard and Dynamic ARP Inspection too. These are additional security features you can utilize once you have a working snooping setup. Please do take care that you understand what these features do before turning them on, or you'll be scrambling to fix a mess.
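An added example, not from this thread or from Cisco: a small Python audit that reads an access-switch running-config and reports where it departs from the model in these replies (snooping on globally, on every VLAN that has user ports, trust on the uplinks only). The sample config, interface names and VLAN numbers below are constructed for the example.

```python
import re

# Constructed sample running-config for one access switch, modelled on the thread's
# commands (global enable, per-VLAN enable, trust on the uplink); names/VLANs assumed.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport access vlan 20
 ip dhcp snooping trust
"""
UPLINKS = {"GigabitEthernet0/1"}  # assumed: the trunk toward the distribution layer

def expand_vlans(spec):
    """'10,20-22' -> {10, 20, 21, 22}; IOS accepts lists and ranges in this command."""
    parts = [p.partition("-") for p in spec.split(",")]
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def audit_dhcp_snooping(config, uplinks):
    """Sorted findings; empty means: snooping on globally and on every access VLAN, trust on uplinks only."""
    findings, snooped, ports, current = [], set(), {}, None
    for line in config.splitlines():
        if line.startswith("interface "):        # start of an interface stanza
            current = line.split(None, 1)[1]
            ports[current] = set()
        elif line.startswith(" ") and current:   # indented line belongs to that stanza
            ports[current].add(line.strip())
        else:                                    # back at global config level
            current = None
            m = re.fullmatch(r"ip dhcp snooping vlan ([\d,\-]+)", line.strip())
            if m:
                snooped |= expand_vlans(m.group(1))
    if "ip dhcp snooping" not in config.splitlines():
        findings.append("global: 'ip dhcp snooping' is missing")
    for name, lines in ports.items():
        trusted = "ip dhcp snooping trust" in lines
        vlan = next((int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan ")), None)
        if name in uplinks and not trusted:
            findings.append(f"{name}: uplink untrusted, DHCP offers from the server will be dropped")
        elif name not in uplinks and trusted:
            findings.append(f"{name}: access port trusted, a rogue DHCP server there would be accepted")
        if vlan is not None and vlan not in snooped:
            findings.append(f"{name}: VLAN {vlan} not snooped, clients on it are unprotected")
    return sorted(findings)
```

Run against `SAMPLE_CONFIG` it flags GigabitEthernet0/3 twice (trusted access port, VLAN 20 never enabled); adding `ip dhcp snooping vlan 10,20` and removing the trust line clears it.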

schmij01
Level 1

Yeah, snooping should be enabled at the access layer. That is kind of the point of the feature. It then prevents users from running rogue DHCP servers. Yes, it is quite the job to implement on a large network with lots of vlans, but it can be done.