DHCP Snooping

Nov 13th, 2008

I would like to enable DHCP snooping on our network. We just had someone plug in a rogue DHCP server which assigned invalid IP addresses to a bunch of client machines.


How would we go about configuring DHCP snooping?


Our network setup consists of 2 6500 core switches that have trunk ports to our 3750 stacks. One of our DHCP servers (physical server) is plugged directly into one of the 6500 switches. The other DHCP server is a VMware client. The ESX host is also plugged into the 6500 switch.


Note we also have a trunk between the 6500 switches, all 3750 switch stacks have redundant links back to each 6500 switch.


andrew.butterworth Thu, 11/13/2008 - 13:09

I'll refrain from making comments about the infrastructure - however you might want to have a read of some of the Campus Switching documents at the SRND site:


http://www.cisco.com/go/srnd


Anyway that aside, DHCP snooping is pretty easy to implement. You need to enable DHCP snooping on the access switches where your DHCP clients are for each VLAN using the global command:


ip dhcp snooping vlan 10,20,30,40


If you are using Windows 2000/2003 as the DHCP server then you need to disable Option 82 insertion as they won't understand it and DHCP will fail.


no ip dhcp snooping information option


Then enable DHCP snooping globally:


ip dhcp snooping


On your uplinks (trunks or access ports) you need to enable DHCP snooping trust:


interface GigabitEthernet1/0/1
 ip dhcp snooping trust


Additionally if your DHCP servers are attached to switches with DHCP snooping enabled you need to trust these access ports as well using the same command.


Optionally (though recommended) you can rate-limit DHCP requests on client access ports to mitigate DHCP DoS attacks:


interface FastEthernet1/0/1
 ip dhcp snooping limit rate 100


HTH


Andy

brianwagerer Thu, 11/13/2008 - 13:34

Do we need to do "ip dhcp snooping trust" on the ports at the core and access side?

John Blakley Thu, 11/13/2008 - 13:43

By default, all ports are untrusted. You'll need to configure the ports that have DHCP servers connected to them as trusted ports.


--John

andrew.butterworth Thu, 11/13/2008 - 14:41

If you enable DHCP snooping on the core switch then you will need to enable trust on any layer-2 uplinks (as well as the ports where the DHCP servers are connected).


Andy
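Putting Andy's two replies together, here is the full configuration for one 3750 access stack and for the 6500 core in the topology the question describes. This is an added example, not a configuration from the thread; the VLAN list is taken from the first reply, while the interface numbers, the binding-database file and the err-disable recovery settings are assumptions for illustration.

```ios
! --- 3750 access stack (interface numbers assumed) ---
! 1. Snoop the client VLANs, drop Option 82 insertion so Windows
!    2000/2003 DHCP servers keep working, then enable the feature globally.
ip dhcp snooping vlan 10,20,30,40
no ip dhcp snooping information option
ip dhcp snooping
! Persist the binding table so it survives a reload (assumed filename).
ip dhcp snooping database flash:/dhcp-snooping.db
!
! 2. Trust only the uplinks towards the 6500 cores. DHCP OFFER/ACK
!    arriving on any untrusted port is dropped, which stops the rogue server.
interface range GigabitEthernet1/0/1 - 2
 description Uplink to 6500 core
 ip dhcp snooping trust
!
! 3. Client ports stay untrusted and are rate-limited against DHCP floods.
interface range FastEthernet1/0/1 - 48
 ip dhcp snooping limit rate 100
!
! A port that exceeds the limit is err-disabled; recover it automatically
! after 5 minutes rather than leaving it down until someone notices.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! --- 6500 core, only if DHCP snooping is enabled there as well ---
! Trust the layer-2 trunks to the 3750 stacks and the ports where the
! physical DHCP server and the ESX host (carrying the DHCP VM) connect.
ip dhcp snooping vlan 10,20,30,40
no ip dhcp snooping information option
ip dhcp snooping
interface range GigabitEthernet2/1 - 2
 description Trunks to 3750 stacks (assumed ports)
 ip dhcp snooping trust
interface GigabitEthernet3/1
 description Physical DHCP server (assumed port)
 ip dhcp snooping trust
interface GigabitEthernet3/2
 description ESX host with DHCP server VM (assumed port)
 ip dhcp snooping trust
!
! --- Verification on either switch ---
! Lists snooped VLANs, Option 82 state and the trusted/rate-limited ports.
show ip dhcp snooping
! Shows the MAC/IP/lease/VLAN/port bindings learned from real DHCP traffic.
show ip dhcp snooping binding
```

If a legitimate server ever ends up behind an untrusted port, clients on that VLAN stop getting leases, so check `show ip dhcp snooping` against the physical cabling before rolling this out.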
