dhcp snooping

May 14th, 2008

I am trying to set up dhcp snooping and was just wondering if the commands below are what I should be using for COS and IOS. Also, how would I do a test to see if the switch disables the port if it detects a DHCP server? I was thinking I could use ICS on a windows computer but I don't know if that would work.



set security acl ip dhcpsnoop permit dhcp-snooping

set security acl ip dhcpsnoop permit ip any any

commit security acl dhcpsnoop

set security acl map dhcpsnoop 1

set dhcp-snooping information host-tracking enable

set port dhcp-snooping 1/1 trust enable

Step 1

Configure the port as port based.

set port security-acl (port) port-based

Step 2

Enable IP source guard.

set port dhcp-snooping (port) source-guard enable

Step 3

Enable DHCP snooping.

set security acl ip dhcpsnoop permit dhcp-snooping

Step 4

Allow the port to forward other traffic.

set security acl ip dhcpsnoop permit ip any any

Step 5

Save the ACL configuration.

commit security acl dhcpsnoop

Step 6

Enable the ACL on the VLAN.

set security acl map dhcpsnoop 1

Step 7

Enable DHCP-snooping trust on a port.

set port dhcp-snooping (port) trust enable



conf t

ip dhcp snooping

ip dhcp snooping vlan 1

ip dhcp snooping information option

interface (mod/port)

ip dhcp snooping trust

ip verify source vlan dhcp-snooping port-security
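The IOS commands above are easy to get partly right: the per-VLAN line without the global `ip dhcp snooping`, or no trusted port at all, leaves a switch that either snoops nothing or drops the real server's replies. The following audit script is an added example, not code from this thread or from Cisco. It parses a `show running-config` text (the sample config is constructed) and reports the items the IOS steps configure: global enable, snooped VLAN list, Option 82 insertion, trusted interfaces, IP source guard, and trunks left untrusted.

```python
"""Audit a Cisco IOS running-config for DHCP snooping completeness.

Added example; assumes plain 'show running-config' text as input.
The CONSTRUCTED_CONFIG below is invented for the demonstration.
"""
import re
from dataclasses import dataclass, field

CONSTRUCTED_CONFIG = """\
!
ip dhcp snooping vlan 1,10-12
ip dhcp snooping information option
ip dhcp snooping
!
interface GigabitEthernet1/1
 description uplink to DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/2
 description user port
 switchport access vlan 10
 ip verify source vlan dhcp-snooping port-security
!
interface GigabitEthernet1/3
 description second uplink
 switchport mode trunk
!
"""


@dataclass
class SnoopingAudit:
    enabled: bool = False                      # global 'ip dhcp snooping'
    vlans: set = field(default_factory=set)    # VLANs being snooped
    option82: bool = False                     # 'information option' present
    trusted: list = field(default_factory=list)
    source_guard: list = field(default_factory=list)
    untrusted_trunks: list = field(default_factory=list)
    access_vlan_not_snooped: list = field(default_factory=list)


def expand_vlans(spec: str) -> set:
    """Expand an IOS VLAN list such as '1,10-12' into {1, 10, 11, 12}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit_config(config: str) -> SnoopingAudit:
    """Walk the config once: global lines at column 0, interface lines indented."""
    result = SnoopingAudit()
    current = None          # interface name while inside an interface stanza
    iface_cfg = {}
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            iface_cfg[current] = []
            continue
        if not line.startswith(" "):
            current = None  # any column-0 line ends the stanza
            if line == "ip dhcp snooping":
                result.enabled = True
            elif line.startswith("ip dhcp snooping vlan "):
                result.vlans |= expand_vlans(line.split()[-1])
            elif line == "ip dhcp snooping information option":
                result.option82 = True
            continue
        if current:
            iface_cfg[current].append(line.strip())

    for name, lines in iface_cfg.items():
        trusted = "ip dhcp snooping trust" in lines
        if trusted:
            result.trusted.append(name)
        if any(l.startswith("ip verify source") for l in lines):
            result.source_guard.append(name)
        if "switchport mode trunk" in lines and not trusted:
            result.untrusted_trunks.append(name)
        for l in lines:
            m = re.match(r"switchport access vlan (\d+)$", l)
            if m and int(m.group(1)) not in result.vlans:
                result.access_vlan_not_snooped.append(name)
    return result


def findings(audit: SnoopingAudit) -> list:
    """Turn the parsed state into human-readable findings."""
    out = []
    if not audit.enabled:
        out.append("global 'ip dhcp snooping' missing: per-VLAN lines are inert")
    if not audit.vlans:
        out.append("no VLAN enabled for snooping")
    if not audit.trusted:
        out.append("no trusted port: legitimate DHCP replies will be dropped")
    for name in audit.untrusted_trunks:
        out.append(f"{name}: trunk left untrusted; confirm no DHCP server is "
                   "behind it, otherwise its OFFER/ACK replies are dropped")
    for name in audit.access_vlan_not_snooped:
        out.append(f"{name}: access VLAN is not in the snooping VLAN list")
    return out


if __name__ == "__main__":
    for line in findings(audit_config(CONSTRUCTED_CONFIG)):
        print(line)
```

Feed it the real config with `audit_config(open("running-config.txt").read())`; the untrusted-trunk finding is informational, since untrusted is the safe default for anything that is not the path to the DHCP server.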

bvsnarayana03 Wed, 05/14/2008 - 10:56

Config looks ok for IOS.

Try this command for output:

sh ip dhcp snooping binding

Istvan_Rabai Wed, 05/14/2008 - 20:18

Hi Matthew,

You can test if dhcp snooping works by connecting another switch or router configured as DHCP server to any untrusted port and making the hosts send dhcp discover messages.

Of course, you'd better test the dhcp snooping trusted ports as well, to see that these ports do not block rightful dhcp packets.



MZydorczyk2 Thu, 05/15/2008 - 06:33

So hook a switch to the switch with dhcp snooping and then hook a computer to that switch?

Istvan_Rabai Fri, 05/16/2008 - 23:19

Hi Matthew,

On the port that is configured as "trusted" in dhcp snooping, the switch will allow dhcp packets from a dhcp server.

On all other ports, dhcp packets will be rejected and the port will be put in errdisable state if dhcp replies are detected.

So it doesn't matter where your dhcp server is located: it may be another switch hooked to the switch directly or it may be several hops away.

But you need to enable the port as "trusted" where the dhcp reply packets from the trusted dhcp server are expected to come in.
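The trusted/untrusted decision Istvan describes is the whole of DHCP snooping's filtering logic, plus a few checks on untrusted ports that the thread does not mention: client messages whose frame source MAC differs from the DHCP client hardware address are dropped, Option 82 arriving on an untrusted port is dropped, and a RELEASE or DECLINE is dropped if the binding table shows that MAC on a different port. The model below is an added example, not Cisco code or anything posted in the thread; the switch, ports and MAC addresses are constructed. It runs the scenario from the question: a client on an untrusted port, the real server behind the trusted port, and a second DHCP server answering on an untrusted port.

```python
"""Model of per-port DHCP snooping decisions on a switch.

Added example; the switch state, port names and MAC addresses are
constructed for the demonstration and are not real device output.
"""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only legitimate from a trusted port


@dataclass
class DhcpMsg:
    kind: str                 # DHCP message type, e.g. DISCOVER, OFFER, ACK
    src_mac: str              # Ethernet source address of the frame
    chaddr: str               # client hardware address in the DHCP payload
    yiaddr: str = ""          # address assigned by the server (OFFER/ACK)
    has_option82: bool = False


@dataclass
class SnoopingSwitch:
    trusted: set                                   # trusted port names
    bindings: dict = field(default_factory=dict)   # chaddr -> (ip, port)
    log: list = field(default_factory=list)        # drop reasons, in order

    def ingress(self, port: str, msg: DhcpMsg) -> bool:
        """Return True if a DHCP message received on `port` is forwarded."""
        if port in self.trusted:
            return True      # trusted ports are not inspected at all
        if msg.kind in SERVER_MSGS:
            self.log.append(f"{port}: dropped {msg.kind}, server message on untrusted port")
            return False
        if msg.src_mac.lower() != msg.chaddr.lower():
            self.log.append(f"{port}: dropped {msg.kind}, source MAC {msg.src_mac} "
                            f"!= chaddr {msg.chaddr}")
            return False
        if msg.has_option82:
            self.log.append(f"{port}: dropped {msg.kind}, Option 82 on untrusted port")
            return False
        bound = self.bindings.get(msg.chaddr.lower())
        if msg.kind in {"RELEASE", "DECLINE"} and bound and bound[1] != port:
            self.log.append(f"{port}: dropped {msg.kind}, binding for {msg.chaddr} "
                            f"is on {bound[1]}")
            return False
        return True

    def egress(self, port: str, msg: DhcpMsg) -> None:
        """Learn a binding when a server ACK is delivered to an untrusted port."""
        if port not in self.trusted and msg.kind == "ACK" and msg.yiaddr:
            self.bindings[msg.chaddr.lower()] = (msg.yiaddr, port)


def run_scenario():
    """Client on Gi1/2, real server behind trusted Gi1/1, second server on Gi1/3."""
    sw = SnoopingSwitch(trusted={"Gi1/1"})
    client = "00:11:22:33:44:55"        # constructed client MAC
    server = "00:de:ad:be:ef:01"        # constructed server MAC
    other = "00:aa:bb:cc:dd:ee"         # constructed MAC of the untrusted server
    results = {}
    results["discover"] = sw.ingress("Gi1/2", DhcpMsg("DISCOVER", client, client))
    results["untrusted_offer"] = sw.ingress("Gi1/3", DhcpMsg("OFFER", other, client, "10.1.1.50"))
    results["trusted_offer"] = sw.ingress("Gi1/1", DhcpMsg("OFFER", server, client, "10.1.1.20"))
    results["request"] = sw.ingress("Gi1/2", DhcpMsg("REQUEST", client, client))
    ack = DhcpMsg("ACK", server, client, "10.1.1.20")
    results["trusted_ack"] = sw.ingress("Gi1/1", ack)
    sw.egress("Gi1/2", ack)             # binding learned toward the client port
    results["release_other_port"] = sw.ingress("Gi1/4", DhcpMsg("RELEASE", client, client))
    results["mac_mismatch"] = sw.ingress("Gi1/2", DhcpMsg("DISCOVER", "00:99:99:99:99:99", client))
    return sw, results


if __name__ == "__main__":
    switch, outcome = run_scenario()
    for name, forwarded in outcome.items():
        print(f"{name:20s} {'forwarded' if forwarded else 'dropped'}")
    print("bindings:", switch.bindings)
    print("\n".join(switch.log))
```

The model also shows why the trusted port matters in both directions: the ACK is only inspected and turned into a binding because it exits toward an untrusted port, and that binding is what IP source guard (the `ip verify source` step in the question) later enforces.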



