IP DHCP Snooping Feature

Apr 14th, 2008

Hi NetPro,


Just to confirm: is the DHCP configuration below correct?

thanks.


Core-Switch
-----------

interface Vlan312
 description Vlan
 ip address x.x.x.x 255.255.255.0
 ip helper-address x.x.x.x
 no ip igmp snooping explicit-tracking
 ip ospf message-digest-key 5 md5 7 xxx
 no ipv6 mld snooping explicit-tracking
 no ipv6 mld snooping
 standby 112 ip x.x.x.x
 standby 112 timers 2 4
 standby 112 preempt delay minimum 15

ip dhcp snooping vlan 312
no ip dhcp snooping information option
ip dhcp snooping


Access Switch:
--------------

interface FastEthernet6/41
 description user
 switchport access vlan 312
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping trust


your reply will be highly appreciated.


thanks


Regards,

jack


Istvan_Rabai Tue, 04/15/2008 - 12:26

Hi Jack,


ip dhcp snooping information option is enabled by default. Is there any reason why you disabled it?


Otherwise, your config is alright if the DHCP server is located on FastEthernet6/41.


Cheers:

Istvan


andrew.butterworth Tue, 04/15/2008 - 13:04

Not all DHCP servers support Option 82 insertion and leaving it enabled prevents DHCP from working. Windows 2000 & 2003 don't support it and as most of the world uses these as DHCP servers it generally gets disabled....


HTH


Andy

ney25 Tue, 04/15/2008 - 19:26
Hi Andy,


Thanks for your information, it really helps me a lot.


Which means putting "no ip dhcp snooping information option" is correct?


And one more thing I need to confirm.


interface FastEthernet6/41 --> to DHCP server or to DHCP client
 switchport access vlan 312
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping trust


So, are the 3 command lines below configured on the Access Switch or the Core switch?


ip dhcp snooping vlan 312
no ip dhcp snooping information option
ip dhcp snooping


Your reply will be very much appreciated.


thanks a lot.


regards,

Jack

Istvan_Rabai Tue, 04/15/2008 - 19:38

Hi Jack,


The interface where you configure "ip dhcp snooping trust" should not be a DHCP client port.


Client ports should remain untrusted, otherwise dhcp snooping will lose its function.


The

ip dhcp snooping vlan 312
no ip dhcp snooping information option
ip dhcp snooping

lines should be entered on all access layer switches.


interface FastEthernet6/41 is the interface where your dhcp server is located, or the path where the dhcp replies arrive back from the dhcp server located somewhere else.


Cheers:

Istvan

ney25 Tue, 04/15/2008 - 20:27

Hi Istvan


Your reply really helps me a lot.

But I am curious about the "ip dhcp snooping VLAN-ID". Does this VLAN-ID mean the DHCP server VLAN? Because, as you know, the DHCP server pools many VLANs for clients. So does that mean I don't have to pool for all individual VLANs? Say VLAN 312 (Server Farm), VLAN 3 (Admin Office user), VLAN 4 (Printer). So when I put "ip dhcp snooping vlan 312", will it cover all of them?


Thanks man :)


Your reply will be highly appreciated.


Regards,

Jack

Correct Answer
Istvan_Rabai Tue, 04/15/2008 - 21:11

Hi Jack,


In the "ip dhcp snooping" command the option vlan is actually a vlan-list.


You should select the vlans where you want to enable dhcp snooping.


Example:

ip dhcp snooping
ip dhcp snooping vlan 1,2-5,20


This will enable dhcp snooping on vlans 1, 2 to 5 and 20.


Cheers:

Istvan

ney25 Tue, 04/15/2008 - 21:15

Hi Istvan,


Thanks for your answer.


You've answered my doubt.


thanks a lot.


have a nice day :)


Regards,

Jack

Istvan_Rabai Tue, 04/15/2008 - 21:19

You're always welcome Jack!


Thank you very much for the ratings.


Istvan

Correct Answer
andrew.butterworth Wed, 04/16/2008 - 01:53

Hi, apologies for not replying to your earlier message regarding option 82 insertion - I had gone to bed... However it looks like your query was answered anyway.


With DHCP snooping it is also recommended to rate limit the DHCP requests on the access ports using the command:


interface FastEthernet0/1
 ip dhcp snooping limit rate 100


In the campus design presentation from Networkers, 100 pps is recommended; however, it may be worth tuning this down even further. On the DHCP server port or Layer-2 uplinks you can also enable rate limiting of DHCP requests, but these are aggregation points so the rates will probably need to be higher.


Be aware though that if the limit is exceeded the port is err-disabled, the idea being this is a DoS attack mitigation technique. This can be automatically recovered with the global command:


errdisable recovery cause dhcp-rate-limit


HTH


Andy
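As an added example (not from the thread or from Cisco), a small Python audit that applies the advice in this thread to a constructed access-switch config: it expands the vlan-list syntax Istvan describes, checks that each access port's VLAN is actually covered, and flags untrusted client ports that have no DHCP rate limit, as Andy recommends. The sample config, function names and finding messages are my own assumptions.

```python
import re

# Constructed sample config (not the thread's): one trusted server-facing port, two client ports.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 1,2-5,20,312
no ip dhcp snooping information option
interface FastEthernet6/41
 switchport access vlan 312
 ip dhcp snooping trust
interface FastEthernet0/1
 switchport access vlan 3
 ip dhcp snooping limit rate 100
interface FastEthernet0/2
 switchport access vlan 7
"""

def parse_vlan_list(spec):
    """Expand an IOS vlan-list such as '1,2-5,20' into a set of VLAN ids."""
    ranges = (part.strip().partition("-") for part in spec.split(","))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def parse_interfaces(config):
    stanzas, current = {}, None  # {interface name: [indented sub-commands]}
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas

def audit_dhcp_snooping(config):
    """Return (snooped VLAN ids, findings) for an access-switch config."""
    findings = []
    if not re.search(r"^ip dhcp snooping$", config, re.M):
        findings.append("global 'ip dhcp snooping' missing: per-VLAN lines are inactive")
    m = re.search(r"^ip dhcp snooping vlan (\S+)$", config, re.M)
    snooped = parse_vlan_list(m.group(1)) if m else set()
    for name, cmds in parse_interfaces(config).items():
        vlan = next((int(c.split()[-1]) for c in cmds
                     if c.startswith("switchport access vlan ")), None)
        if vlan is not None and vlan not in snooped:
            findings.append(f"{name}: VLAN {vlan} is not in the snooping vlan-list")
        if "ip dhcp snooping trust" not in cmds and not any(
                c.startswith("ip dhcp snooping limit rate ") for c in cmds):
            findings.append(f"{name}: untrusted client port has no DHCP rate limit")
    return sorted(snooped), findings
```

Running `audit_dhcp_snooping(SAMPLE_CONFIG)` reports only FastEthernet0/2, whose VLAN 7 is outside the vlan-list and which has no rate limit; the trusted server port and the rate-limited client port pass.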
