On a LAN I have a CAT3750 in ip routing mode that connects to a 2821 router configured for OSPF routing to jump across a wireless link to another site. The 3750 has two vlans: 1 and 2. All ports on the 3750 are in trunking mode. Also, the 3750 is configured as a dhcp server on vlan 2. Connected to the 3750 are cat 2960TC's. All but one of the 2960s is configured as follows:
The gig ports of the 2960 are all in trunking mode, the fast ethernet ports are all in vlan 2. Cascaded to these 2960TC's using the gig ports are 1 or 2 2960TT's. (TC-gig fiber & gig ethernet, TT-gig ethernet only). Everything was working fine until one day, I found out that clients in vlan 2 were getting dhcp info from outside the vlan 2 ip subnet. The dhcp scope for vlan 2 is 172.17.0.0/16. Somehow, the clients were getting dhcp info 192.168.10.0/24 from 192.168.10.1. I traced this beast across the wireless link to the other site. As indicated above, the other site is a trusted network connected via 2821 routers with OSPF configured. To stop the DHCP info from traveling over the wireless link, I put in an ACL on the corresponding 3750 dropping the 192.168.10.0 traffic. However, I also want to prevent rogue dhcp servers from answering dhcp requests on the local LAN.
Would this work?
On the 3750:
ip dhcp snooping
ip dhcp snooping vlan 2
no ip dhcp snooping information option
On the gig ports on the 2960TCs that connect to the 3750:
ip dhcp snooping trust
and on the fast ethernet ports of the 2960TCs:
no ip dhcp snooping trust.
On the gig0/2 of the 2960TC that cascades to the 2960, I don't configure any snooping option.
However, on the 2960TT all fast ethernet ports have the no ip dhcp snooping trust. But, the gig port that connects to the 2960TC would have the ip dhcp snooping trust configuration.
As well, do I have to configure the snooping binding database and ntp server or are they optional?
As per Cisco docs, "Each entry is 72 bytes, followed by a space and then the checksum value" in the database.
You can approximate the number of entries that you can fit on your flash.
You can also distribute the load by having snooping only on the 2960s that have the hosts directly connected to them :)
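The layout described in the question, written out as IOS config for all three switch roles. This is an added example, not the poster's or Cisco's own configuration; interface numbers and the rate-limit value are assumed. It goes slightly beyond the question by disabling option 82 on the 2960s as well (otherwise their DHCP packets are dropped on the untrusted cascade port) and by showing the optional binding database.

```cisco
! Added example, not the poster's configuration; interface numbers and the
! rate limit are assumed. Global commands come first, then the interfaces.
! --- 3750: routes VLAN 2 and is its only legitimate DHCP server ---
ip dhcp snooping
ip dhcp snooping vlan 2
! Do not insert option 82 here or on the 2960s: packets that carry option 82
! are dropped when they arrive on an untrusted port (the 2960TC cascade port).
no ip dhcp snooping information option
! Optional: keep bindings across reloads; needed later for DAI / IP source guard.
ip dhcp snooping database flash:/dhcp-snooping.db
! The only DHCP server is the 3750 itself, so its downlinks can stay untrusted
! (the default); only a port toward an external server or relay needs trust.
!
! --- 2960TC: uplink trusted, host ports and cascade untrusted ---
ip dhcp snooping
ip dhcp snooping vlan 2
no ip dhcp snooping information option
errdisable recovery cause dhcp-rate-limit
interface GigabitEthernet0/1
 description Uplink to 3750 (legitimate DHCP replies arrive here)
 switchport mode trunk
 ip dhcp snooping trust
interface GigabitEthernet0/2
 description Cascade to 2960TT; no server behind it, so leave untrusted
 switchport mode trunk
 no ip dhcp snooping trust
interface range FastEthernet0/1 - 24
 description Host ports: DHCPOFFER/ACK arriving here is dropped
 switchport mode access
 switchport access vlan 2
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 15
!
! --- 2960TT: same pattern, trust only the port toward the 2960TC ---
ip dhcp snooping
ip dhcp snooping vlan 2
no ip dhcp snooping information option
interface GigabitEthernet0/1
 description Uplink to 2960TC (toward the 3750)
 switchport mode trunk
 ip dhcp snooping trust
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 2
 ip dhcp snooping limit rate 15
!
! Verify on each switch:
! show ip dhcp snooping          (trusted ports, option-82 state)
! show ip dhcp snooping binding  (clients learned on untrusted ports)
```

The binding database and NTP are optional for snooping itself; without the database the bindings are rebuilt as clients renew after a reload, and NTP only matters for the timestamps written into it.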