dhcp snooping

MZydorczyk2
Level 1

I am trying to set up dhcp snooping and was just wondering if the commands below are what I should be using for COS and IOS. Also, how would I do a test to see if the switch disables the port if it detects a DHCP server? I was thinking I could use ICS on a Windows computer but I don't know if that would work.

COS

Code:

set security acl ip dhcpsnoop permit dhcp-snooping
set security acl ip dhcpsnoop permit ip any any
commit security acl dhcpsnoop
set security acl map dhcpsnoop 1
set dhcp-snooping information host-tracking enable
set port dhcp-snooping 1/1 trust enable

Step 1

Configure the port as port based.

set port security-acl (port) port-based

Step 2

Enable IP source guard.

set port dhcp-snooping (port) source-guard enable

Step 3

Enable DHCP snooping.

set security acl ip dhcpsnoop permit dhcp-snooping

Step 4

Allow the port to forward other traffic.

set security acl ip dhcpsnoop permit ip any any

Step 5

Save the ACL configuration.

commit security acl dhcpsnoop

Step 6

Enable the ACL on the VLAN.

set security acl map dhcpsnoop 1

Step 7

Enable DHCP-snooping trust on a port.

set port dhcp-snooping (port) trust enable

IOS

Code:

conf t
ip dhcp snooping
ip dhcp snooping vlan 1
ip dhcp snooping information option
interface (mod/port)
ip dhcp snooping trust
ip verify source vlan dhcp-snooping port-security


bvsnarayana03
Level 5

Config looks OK for IOS.

Try this command for output:

sh ip dhcp snooping binding

Are ACLs not needed for snooping to work?

Istvan_Rabai
Level 7

Hi Matthew,

You can test if dhcp snooping works by connecting another switch or router configured as DHCP server to any untrusted port and making the hosts send dhcp discover messages.

Of course, you'd better test the dhcp snooping trusted ports as well to see these ports do not block rightful dhcp packets.

Cheers:

Istvan

So hook a switch to the switch with dhcp snooping and then hook a computer to that switch?

Hi Matthew,

On the port that is configured as "trusted" in dhcp snooping, the switch will allow dhcp packets from a dhcp server.

On all other ports, dhcp packets will be rejected and the port will be put in errdisable state if dhcp replies are detected.

So it doesn't matter where your dhcp server is located: it may be another switch hooked to the switch directly or it may be several hops away.

But you need to enable the port as "trusted" where the dhcp reply packets from the trusted dhcp server are expected to come in.

Cheers:

Istvan
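An added model of the trust rule described in the replies, written for this thread rather than taken from Cisco's implementation: server-type DHCP messages (and packets carrying relay-agent option 82) are dropped on untrusted ports, while replies on the trusted port are forwarded and turned into binding-table entries. Port names, MAC addresses and IP addresses are constructed; the rate-limit errdisable behaviour is not modelled.

```python
import struct

# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}               # only a DHCP server sends these

def build_dhcp(msg_type, mac, yiaddr="0.0.0.0", relay_info=None):
    """Constructed BOOTP/DHCP payload: 240-byte fixed header + options."""
    op = 2 if msg_type in SERVER_MSGS else 1  # BOOTREPLY vs BOOTREQUEST
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)
    hdr += bytes(4) + bytes(int(o) for o in yiaddr.split(".")) + bytes(8)
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(10) + bytes(192)
    opts = b"\x63\x82\x53\x63" + bytes([53, 1, msg_type])  # cookie + type
    if relay_info is not None:                # option 82, relay agent info
        opts += bytes([82, len(relay_info)]) + relay_info
    return hdr + opts + b"\xff"

def parse_dhcp(pkt):
    """Return (op, client MAC, yiaddr, {option code: value}) from a payload."""
    mac = ":".join(f"{b:02x}" for b in pkt[28:34])
    yiaddr = ".".join(str(b) for b in pkt[16:20])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return pkt[0], mac, yiaddr, opts

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # MAC -> untrusted port a client request was seen on
        self.bindings = {}   # MAC -> (ip, port), like 'sh ip dhcp snooping binding'
    def ingress(self, port, pkt):
        """Return 'forward' or 'drop' for a DHCP payload arriving on port."""
        op, mac, yiaddr, opts = parse_dhcp(pkt)
        msg_type = opts.get(53, b"\x00")[0]
        if port in self.trusted:
            if msg_type == ACK and mac in self.pending:   # lease granted
                self.bindings[mac] = (yiaddr, self.pending.pop(mac))
            return "forward"
        # untrusted port: reply-type packets and relay-agent option are dropped
        if op == 2 or msg_type in SERVER_MSGS or 82 in opts:
            return "drop"
        if msg_type in (DISCOVER, REQUEST):
            self.pending[mac] = port
        return "forward"
```

With the trusted port set to the uplink, an OFFER injected on any other port returns "drop", which is the behaviour the test described above should show.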
