04-14-2008 06:45 PM - edited 03-05-2019 10:23 PM
Hi NetPro,
Just to confirm with the DHCP configuration, is that correct?
thanks.
Core-Switch
-----------
interface Vlan312
description Vlan
ip address x.x.x.x 255.255.255.0
ip helper-address x.x.x.x
no ip igmp snooping explicit-tracking
ip ospf message-digest-key 5 md5 7 xxx
no ipv6 mld snooping explicit-tracking
no ipv6 mld snooping
standby 112 ip x.x.x.x
standby 112 timers 2 4
standby 112 preempt delay minimum 15
ip dhcp snooping vlan 312
no ip dhcp snooping information option
ip dhcp snooping
Access Switch:
--------------
interface FastEthernet6/41
description user
switchport access vlan 312
switchport mode access
spanning-tree portfast
ip dhcp snooping trust
your reply will be highly appreciated.
thanks
Regards,
jack
04-15-2008 12:26 PM
Hi Jack,
ip dhcp snooping information option is enabled by default. Is there any reason why you disabled it?
Otherwise, your config is alright if the DHCP server is located on FastEthernet 6/41.
Cheers:
Istvan
04-15-2008 01:04 PM
Not all DHCP servers support Option 82 insertion and leaving it enabled prevents DHCP from working. Windows 2000 & 2003 don't support it and as most of the world uses these as DHCP servers it generally gets disabled....
HTH
Andy
04-15-2008 07:26 PM
Hi Andy,
Thanks for your information, it really helps me a lot.
Which means that putting "no ip dhcp snooping information option" is correct?
And one more thing I need to confirm.
interface FastEthernet6/41 --> to DHCP server or to DHCP client
switchport access vlan 312
switchport mode access
spanning-tree portfast
ip dhcp snooping trust
So, are the 3 command lines below configured at the Access Switch or the Core-Switch?
ip dhcp snooping vlan 312
no ip dhcp snooping information option
ip dhcp snooping
your reply will be very appreciated.
thanks a lot.
regards,
Jack
04-15-2008 07:38 PM
Hi Jack,
The interface where you configure "ip dhcp snooping trust" should not be a DHCP client port.
Client ports should remain untrusted, otherwise dhcp snooping will lose its function.
The
ip dhcp snooping vlan 312
no ip dhcp snooping information option
ip dhcp snooping
lines should be entered on all access layer switches.
interface FastEthernet6/41 is the interface where your dhcp server is located, or the path where the dhcp replies arrive back from the dhcp server located somewhere else.
Cheers:
Istvan
04-15-2008 08:27 PM
Hi Istvan
Your reply really helps me a lot.
But I am curious about the "ip dhcp snooping VLAN-ID". Does this VLAN-ID mean the DHCP server VLAN? Coz, as you know, the DHCP server pools many VLANs for clients. So, does that mean I don't have to pool for all individual VLANs? Say VLAN 312 (Server Farm), VLAN 3 (Admin Office user), VLAN 4 (Printer). So, when I put "ip dhcp snooping vlan 312", will it cover them all?
thanks man :)
Your reply will be highly appreciated.
Regards,
Jack
04-15-2008 09:11 PM
Hi Jack,
In the "ip dhcp snooping" command the option vlan is actually a vlan-list.
You should select the vlans where you want to enable dhcp snooping.
Example:
ip dhcp snooping
ip dhcp snooping vlan 1,2-5,20
This will enable dhcp snooping on vlans 1, 2 to 5 and 20.
Cheers:
Istvan
04-15-2008 09:15 PM
Hi Istvan,
Thanks for your answer.
you've answered my doubt.
thanks a lot.
have a nice day :)
Regards,
Jack
04-15-2008 09:19 PM
You're always welcome Jack!
Thank you very much for the ratings.
Istvan
04-16-2008 01:53 AM
Hi, apologies for not replying to your earlier message regarding option 82 insertion - I had gone to bed... However it looks like your query was answered anyway.
With DHCP snooping it is also recommended to rate limit the DHCP requests on the access ports using the command:
interface FastEthernet0/1
ip dhcp snooping limit rate 100
In the campus design presentation from Networkers 100-pps is recommended, however it may be worth tuning this down even further. On the DHCP server port or Layer-2 uplinks you can also enable rate limiting of DHCP requests however these are aggregation points so the rates will probably need to be higher.
Be aware though that if the limit is exceeded the port is err-disabled, the idea being this is a DoS attack mitigation technique. This can be automatically recovered with the global command:
errdisable recovery dhcp-rate-limit
HTH
Andy
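Added example, not part of any post in this thread: a small Python audit that applies the three checks discussed above to a switch configuration (access VLANs covered by the snooping vlan-list, trust only on server-facing ports, a rate limit on untrusted ports). The function names and the sample configuration are constructed for illustration; only commands quoted in the thread are parsed.

```python
import re

SAMPLE = """\
ip dhcp snooping
ip dhcp snooping vlan 3-4,312
interface FastEthernet6/41
 switchport access vlan 312
 ip dhcp snooping trust
interface FastEthernet6/42
 switchport access vlan 5
interface FastEthernet6/43
 switchport access vlan 3
 ip dhcp snooping limit rate 100
"""  # constructed sample for a hypothetical switch, not taken from the thread

def expand_vlan_list(spec):
    """Expand an IOS vlan-list such as '1,2-5,20' into a set of VLAN IDs."""
    bounds = (part.strip().partition("-") for part in spec.split(","))
    return {v for lo, _, hi in bounds for v in range(int(lo), int(hi or lo) + 1)}

def audit_dhcp_snooping(config):
    """Return (scope, finding) pairs for one switch's configuration text."""
    enabled, snooped, ports, port = False, set(), {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            port = ports.setdefault(line.split(None, 1)[1], {})
        elif line == "ip dhcp snooping":
            enabled = True  # global switch; the vlan-list alone is not enough
        elif m := re.fullmatch(r"ip dhcp snooping vlan ([\d,\- ]+)", line):
            snooped |= expand_vlan_list(m.group(1))
        elif port is not None:
            if m := re.fullmatch(r"switchport access vlan (\d+)", line):
                port["vlan"] = int(m.group(1))
            elif line == "ip dhcp snooping trust":
                port["trust"] = True
            elif line.startswith("ip dhcp snooping limit rate "):
                port["rate"] = int(line.split()[-1])
    findings = [] if enabled else [("global", "ip dhcp snooping is not enabled")]
    for name, p in ports.items():
        if "vlan" not in p:
            continue  # only access ports are checked here
        if p["vlan"] not in snooped:
            findings.append((name, f"VLAN {p['vlan']} is not in the snooping vlan-list"))
        if p.get("trust"):
            findings.append((name, "trusted access port: confirm it faces the DHCP server"))
        elif "rate" not in p:
            findings.append((name, "untrusted port has no DHCP rate limit"))
    return findings
```

Calling audit_dhcp_snooping(SAMPLE) reports the trusted port FastEthernet6/41 for review and flags FastEthernet6/42 twice: its VLAN 5 is outside the vlan-list and it has no rate limit.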