DHCP snooping in 2960 switch

Apr 20th, 2009

Hi all,


If I have two new 2960 switches (Sw1, Sw2) connected together via G0/1, and the real DHCP server is connected to Sw1 port 1 while an unauthorized DHCP server is connected to Sw2 port 1:

What command do I need to use to turn on DHCP snooping so that the unauthorized DHCP server (Sw2, port 1) is prevented from allocating IP addresses to the other DHCP clients?

Also, how can the DHCP clients get an IP address from the authorized DHCP server (Sw1 port 1)?


Thanks for your help


thotsaphon Tue, 04/21/2009 - 00:11

Hi Jack IP, Are you IPv4 or IPv6? (grin)

Let's assume you are using VLAN_1 for servers and clients.



Switch1:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 1
Switch(config)# ip dhcp snooping information option

--FOR THE DHCP SERVER--
Switch(config)#int f0/1
Switch(config-if)#ip dhcp snooping trust

--FOR THE UPLINK(TRUNK) PORT--
Switch(config)#int g0/1
Switch(config-if)#ip dhcp snooping trust

Switch2:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 1
Switch(config)# ip dhcp snooping information option

--FOR THE UPLINK(TRUNK) PORT--
Switch(config)#int g0/1
Switch(config-if)#ip dhcp snooping trust



Let's check this link for more information.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swdhcp82.html


HTH,

Toshi

andrew.butterworth Tue, 04/21/2009 - 01:22

Not many DHCP servers support the insertion of Option 82 information so you will probably want to disable this feature:


no ip dhcp snooping information option


Certainly if the servers are Windows 2003 or earlier then they definitely won't work if this is enabled. Other than that Toshi's reply is sound - trusting needs to be on the layer-2 uplinks and the port where the actual server is connected.


Andy

thotsaphon Tue, 04/21/2009 - 02:02

Andrew,

I thought that option would be used for DHCP relay agent packets. In this case it's not. I'm not sure why Cisco puts this on by default.

However, thanks for raising this issue.


5P! Andy

Toshi

andrew.butterworth Tue, 04/21/2009 - 03:49

Option 82 insertion is where the switch inserts the physical interface information into the DHCP request along with the source MAC address. I think it is more useful in a cable/broadband network where you want to know more information regarding your subscribers.

Reasonable explanation here:


http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/dhcp.html#wp1128786


I am not sure whether Cisco DHCP servers understand it, but as for MS, only Server 2008 supports it; however, I have never configured it.


Andy
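Pulling the thread together, here is an added example (written for this page, not code from any of the posters or from Cisco): a small Python model of the filtering that Toshi's `ip dhcp snooping trust` configuration turns on, plus the Option 82 insertion Andy describes. Port names, MAC addresses and the simplified packet layout are constructed for illustration; the remote-id is a switch MAC on real hardware and the switch name stands in for it here.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}                   # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}

@dataclass
class DhcpPacket:
    msg_type: str
    src_mac: str
    options: dict = field(default_factory=dict)         # option number -> value

@dataclass
class Switch:
    name: str
    trusted: set                                        # ports with 'ip dhcp snooping trust'
    info_option: bool = True                            # 'ip dhcp snooping information option' (on by default)

    def inspect(self, port: str, pkt: DhcpPacket):
        """Return (verdict, packet as forwarded). Trusted ports pass everything
        untouched. On untrusted ports, server messages are dropped (a rogue server),
        packets that already carry Option 82 are dropped, and, when the information
        option is enabled, Option 82 is inserted into client messages."""
        if port in self.trusted:
            return "forward", pkt
        if pkt.msg_type in SERVER_MSGS or 82 in pkt.options:
            return "drop", None
        fwd = DhcpPacket(pkt.msg_type, pkt.src_mac, dict(pkt.options))
        if self.info_option and pkt.msg_type in CLIENT_MSGS:
            fwd.options[82] = {"circuit_id": port, "remote_id": self.name}
        return "forward", fwd

def scenario(info_option: bool = True):
    """The poster's topology (constructed): real server on Sw1 f0/1, rogue server
    on Sw2 f0/1, a client on Sw2 f0/2, the switches joined by trunk g0/1."""
    sw1 = Switch("Sw1", trusted={"f0/1", "g0/1"}, info_option=info_option)
    sw2 = Switch("Sw2", trusted={"g0/1"}, info_option=info_option)
    # 1. client DISCOVER enters Sw2 on untrusted f0/2 and crosses the trunk into Sw1
    v1, d = sw2.inspect("f0/2", DhcpPacket("DISCOVER", "00:11:22:33:44:55"))
    v2, d = sw1.inspect("g0/1", d)
    # 2. the rogue server on Sw2 f0/1 answers; its OFFER arrives on an untrusted port
    rogue, _ = sw2.inspect("f0/1", DhcpPacket("OFFER", "aa:bb:cc:dd:ee:01"))
    # 3. the real server on Sw1 f0/1 answers; its OFFER returns over the trusted trunk
    _, o = sw1.inspect("f0/1", DhcpPacket("OFFER", "aa:bb:cc:dd:ee:02"))
    legit, _ = sw2.inspect("g0/1", o)
    return {"discover": (v1, v2), "rogue_offer": rogue,
            "legit_offer": legit, "option82": d.options.get(82)}
```

Running `scenario(info_option=False)` models Andy's advice of `no ip dhcp snooping information option`: the trust filtering is unchanged, but the client's request reaches the server without Option 82.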
