dhcp snooping

Jan 19th, 2009

Hi all, after a rogue ADSL router nearly brought my clients to a halt over the weekend, I am going to look into implementing DHCP snooping.

Firstly, can anyone tell me where we do this? Do we do it on all switches, or do only layer 3 switches support this? Also, how does it work in a simple way? I believe you simply set the port for DHCP to trusted and the others to non-trusted, is this right? And can it cause any issues?


cheers


Carl

John Blakley Mon, 01/19/2009 - 06:36

Carl,


You would add dhcp snooping on all of the switches that interconnect. When you enable dhcp snooping globally, I believe (others can correct me) ALL ports are untrusted, and you have to enable the trusted port (the port that you KNOW a valid DHCP server is on) manually. You can run DHCP snooping on 2950 (L2) switches, but I can't speak for, say the Cisco Express 500 series.


Here's a link for more reading:


http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/swdhcp82.html


HTH,


John

carl_townshend Mon, 01/19/2009 - 08:34

I have been reading some docs. It says I should have my uplink ports to other switches as trusted. Does this sound about right?

John Blakley Mon, 01/19/2009 - 09:21

Yes. If you have switches connected to multiple switches, then the connected trunk ports should be trusted. If you have an untrusted trunk port and it sees a dhcp packet come across it, it will shut the port down in an err-disabled state (I believe).


HTH,


John
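
The trusted/untrusted port logic discussed in this thread, as a simplified Python model added here as an example (not posted by either participant and not any vendor's implementation). The port names, MAC addresses and the `build`, `parse`, `snoop` and `demo` helpers are assumptions, and the model goes slightly beyond the thread by also showing the binding table and the MAC and port consistency checks applied on untrusted ports.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # only a DHCP server sends these
TRUSTED_PORTS = {"Gi0/1", "Gi0/24"}              # assumed: server port and uplink trunk

def build(msg_type, chaddr, yiaddr="0.0.0.0"):   # constructed sample input
    op = 2 if msg_type in SERVER_TYPES else 1
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), bytes(map(int, yiaddr.split("."))),
                      bytes(4), bytes(4), chaddr, b"", b"")
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

def parse(payload):
    """Return (message type, client MAC, offered IP) from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    msg_type, i = None, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 53 and payload[i + 1] == 1 and i + 2 < len(payload):
            msg_type = payload[i + 2]                   # option 53 = message type
        i += 1 if payload[i] == 0 else 2 + payload[i + 1]  # 0 = pad, no length
    return msg_type, payload[28:34], ".".join(map(str, payload[16:20]))

def snoop(port, src_mac, payload, state):
    """Forward/drop decision for a DHCP message received on `port`."""
    msg_type, chaddr, yiaddr = parse(payload)
    if port in TRUSTED_PORTS:
        if msg_type == 5 and chaddr in state["seen"]:   # ACK: record the lease
            state["bindings"][chaddr] = (yiaddr, state["seen"][chaddr])
        return "forward"
    if msg_type in SERVER_TYPES:
        return "drop: server message on untrusted port"
    if src_mac != chaddr:
        return "drop: source MAC does not match chaddr"
    bound = state["bindings"].get(chaddr)
    if msg_type in (4, 7) and bound and bound[1] != port:  # DECLINE / RELEASE
        return "drop: release/decline from wrong port"
    state["seen"][chaddr] = port                        # remember the client's port
    return "forward"

def demo():
    state = {"seen": {}, "bindings": {}}
    pc, rogue = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
    results = [snoop("Fa0/5", pc, build(1, pc), state),                     # client DISCOVER
               snoop("Fa0/9", rogue, build(2, pc, "192.168.1.50"), state),  # OFFER on access port
               snoop("Gi0/1", b"", build(5, pc, "10.0.0.20"), state),       # ACK from real server
               snoop("Fa0/9", pc, build(7, pc), state)]                     # RELEASE from wrong port
    return results, state["bindings"]
```

Calling `demo()` returns the four decisions and the resulting binding table, showing that only the reply arriving on a trusted port creates a lease entry.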
