DHCP snooping with local DHCP server on router

Answered Question
Aug 14th, 2009

Hello.

I use the IOS built-in DHCP server feature to provide DHCP services for all my VLANs.

Now, I want to configure DHCP Snooping for those VLANs. I read the documentation about DHCP snooping and, as far as I understand it, the use of "ip dhcp snooping trust" is a mandatory command.

But I don't have a trusted interface that is connected to a DHCP server -> because I use the built-in DHCP server in the router.

So the question is:

Which interface is the "trusted interface" when I use the build-in DHCP server?

Or can I just ignore that command (even if it seems to be mandatory)?

Does anyone have experience with that scenario?

Is there a (Windows) tool I could use to test if it is working as expected?

Thanks

Frank

Peter Paluch Fri, 08/14/2009 - 02:31

Hello Frank,

The DHCP Snooping feature is intended to be used on switches or multilayer switches but not on routers. On what device do you run your DHCP server and where do you want to deploy the DHCP Snooping?

Best regards,

Peter

fherlan Fri, 08/14/2009 - 03:05

Hi Peter.

Sorry for not being clear enough. I have Cat4506 running as multilayer switches.

Regards

Frank

fherlan Fri, 08/14/2009 - 03:17

>I have Cat4506 running as multilayer switches.

I have the DHCP server(s) running on the 4506 and I want to deploy DHCP snooping on them.

Regards

Frank

Peter Paluch Fri, 08/14/2009 - 04:22

Hello,

The command "ip dhcp snooping trust" is for physical switchports only. You do not need to enter any special command on the VLAN interfaces. Simply turn on the DHCP Snooping using the commands:

ip dhcp snooping

ip dhcp snooping vlan X

for every VLAN X and you should be up and going.

Best regards,

Peter

fherlan Fri, 08/14/2009 - 04:39

Hello Peter.

What you said is exactly what I thought.

Nevertheless I wasn't able to find any document on CCO that would describe this situation.

(any Cisco guys reading this -> this would be a suggestion for improvement ;-))

One last point - do you know a (Windows) tool that I could use to prove my DHCP snooping works as expected?

Regards

Frank

Correct Answer
Peter Paluch Fri, 08/14/2009 - 04:54

Hello Frank,

First, proving that the DHCP Snooping works should begin by using the various commands under show ip dhcp snooping. There are various possibilities to see if the snooping is really in place and what MAC/IP mappings the snooping has recorded on your switch.

Further, you can use the Wireshark packet sniffer on a PC to see that, if another workstation on a different switchport broadcasts a DHCP Discover or Request message, you will not receive that DHCP message. Also, you will not receive any DHCP Offers or Acks even if they are broadcast.

Also, you can connect an external DHCP server to one of your untrusted switchports and prove that it does not receive any requests and that it does not assign any addresses.

I don't know of a complex tool for testing that the DHCP Snooping is working, but you can always test the individual behavior patterns.

Best regards,

Peter
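Pulling together the configuration from Peter's earlier reply and the checks from this answer, as an added example that is not part of the original thread. The VLAN numbers, interface range, address pool and database location are assumptions chosen for illustration; adjust them to the real Cat4506 layout. One caveat the thread does not mention: DHCP snooping inserts option 82 into client requests whose giaddr is 0.0.0.0, and the IOS DHCP server drops such requests unless told to accept them, so a local DHCP server can stop handing out leases the moment snooping is enabled. The example shows both ways to deal with that.

```cisco
! Added example, not taken from the thread. VLANs 10 and 20, the interface
! range, the pool and the database URL are assumptions.

! The built-in DHCP server (assumed to be in place already, shown for context)
ip dhcp excluded-address 10.10.10.1 10.10.10.9
ip dhcp pool VLAN10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1

! 1. DHCP snooping, globally and per VLAN (the two commands from Peter's reply)
ip dhcp snooping
ip dhcp snooping vlan 10,20

! 2. Keep the local server answering once snooping is on. Snooping adds
!    option 82 to client requests that carry giaddr 0.0.0.0, and the IOS
!    DHCP server drops such requests by default. Either accept them ...
ip dhcp relay information trust-all
!    ... or stop inserting option 82 at all (choose one, not both):
! no ip dhcp snooping information option

! 3. Keep the binding table across a reload instead of re-learning it
ip dhcp snooping database bootflash:dhcp-snooping.db

! 4. No port gets "ip dhcp snooping trust": the server is the switch itself,
!    so every physical port stays untrusted (the default) and DHCP server
!    messages from any of them are dropped. Rate-limit client ports so a
!    DISCOVER flood cannot exhaust the pool or the CPU.
interface range GigabitEthernet2/1 - 48
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! Only if DHCP server traffic ever had to arrive from another switch over an
! uplink would that uplink need "ip dhcp snooping trust". It does not here.

! 5. Verification (the checks described in this answer)
! show ip dhcp snooping           -> snooping enabled on VLANs 10,20,
!                                    no interface listed as trusted
! show ip dhcp snooping binding   -> one MAC / IP / lease / VLAN / port
!                                    entry per client that obtained a lease
! show ip dhcp binding            -> leases issued by the local server;
!                                    the two tables should agree
```

For the behavioural tests from the answer, plug a second DHCP server (or a PC running Wireshark) into one of the untrusted ports: the binding table above should keep growing only with leases issued by the switch, and the rogue server's interface should see neither client DISCOVERs nor its own OFFERs reaching any client.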
