dhcp snooping

Unanswered Question
Jan 19th, 2009

Hi all, after a rogue ADSL router nearly brought my clients to a halt over the weekend, I am going to look into implementing DHCP snooping.

Firstly, can anyone tell me where we do this? Do we do it on all switches, or do only layer 3 switches support this? Also, how does it work, in a simple way? I believe you simply set the port for DHCP to trusted and the others to non-trusted, is this right? And can it cause any issues?

cheers

Carl

John Blakley Mon, 01/19/2009 - 06:36

Carl,

You would add dhcp snooping on all of the switches that interconnect. When you enable dhcp snooping globally, I believe (others can correct me) ALL ports are untrusted, and you have to enable the trusted port (the port that you KNOW a valid DHCP server is on) manually. You can run DHCP snooping on 2950 (L2) switches, but I can't speak for, say the Cisco Express 500 series.

Here's a link for more reading:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/swdhcp82.html

HTH,

John

carl_townshend Mon, 01/19/2009 - 08:34

I have been reading some docs; it says I should have my uplink ports to other switches as trusted. Does this sound about right?

John Blakley Mon, 01/19/2009 - 09:21

Yes. If you have switches connected to multiple switches, then the connected trunk ports should be trusted. If you have an untrusted trunk port and it sees a dhcp packet come across it, it will shut the port down in an err-disabled state (I believe).

HTH,

John

griffijo@elizab... Tue, 01/20/2009 - 06:50

I just wanted to add one comment, because it is a mistake I have made in the past. If you have Etherchannel trunks between your switches, you have to trust both your physical ports that belong to the channel-group and the logical interface, i.e. "interface Port-channel1".
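Putting the three replies together (global enable, trust only the server port and the inter-switch trunks, trust both the members and the logical Port-channel), here is an added Catalyst IOS configuration example that is not from the thread. It assumes user VLANs 10 and 20, the DHCP server on Gi1/0/1, an uplink trunk on Gi1/0/24 and an EtherChannel of Gi1/0/22-23 as Port-channel1; the port numbers and VLAN ids are placeholders.

```cisco
! Added example; interface numbers and VLANs are assumed, not from the thread.
! Enable snooping globally, then per VLAN. Every port starts untrusted.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion is on by default and an upstream relay may drop packets
! that carry it; disable it unless the relay is configured to trust it.
no ip dhcp snooping information option
!
! The one access port where the legitimate DHCP server sits
interface GigabitEthernet1/0/1
 description DHCP server
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
!
! Uplink trunk to another switch that also runs snooping: trust it, otherwise
! the OFFER/ACK replies coming back through it are dropped.
interface GigabitEthernet1/0/24
 description Uplink to core
 switchport mode trunk
 ip dhcp snooping trust
!
! EtherChannel: trust the physical members AND the logical interface
interface range GigabitEthernet1/0/22 - 23
 switchport mode trunk
 channel-group 1 mode active
 ip dhcp snooping trust
interface Port-channel1
 switchport mode trunk
 ip dhcp snooping trust
!
! Client access ports stay untrusted: server messages (OFFER/ACK/NAK) arriving
! here are dropped. The rate limit bounds client-side floods; exceeding it
! err-disables the port, so allow automatic recovery.
interface range GigabitEthernet1/0/2 - 21
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
errdisable recovery cause dhcp-rate-limit
!
! Verification:
!   show ip dhcp snooping          -> trust state and rate limit per interface
!   show ip dhcp snooping binding  -> MAC/IP/lease/VLAN/port table built from ACKs
```

Check `show ip dhcp snooping` after applying it: every inter-switch link (including Port-channel1 and its members) should show as trusted, and every client port as untrusted.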
