Many thanks for your reply Guiseppe.

We are using Supervisor 720-3B in our 6500's on software 12.2(18)SXF8, and will be upgrading to 12.2(33)SXH very soon. I have tested some dhcp snooping config by setting interswitch links, and ports that connect to DHCP servers as trusted, followed by the two global config commands "ip dhcp snooping" and "ip dhcp snooping vlan x", and it appears to work fine.

I am a little confused about your last statement, "DHCP snooping should be deployed at access layer only if possible".

We do employ a strict hierachical design where access layer Vlans terminate on access layer switches, aggregated by dual distribution layer switches, which are all in turn connected via 2 6509 core switches. A similar dual distribution layer aggregates a number of access layer switches providing connectivity to our server farm.

In order to rollout dhcp snooping across the campus (using Vlan 10 as an example), I would expect to deploy the following:

Access Layer

------------

1) Enable "ip dhcp snooping trust" on the two uplinks to the distribution layer.

2) Disable option 82 with "no ip dhcp snooping information option"

3) Enable dhcp snooping with "ip dhcp snooping" and "ip dhcp snooping vlan 10"

Distribution Layer

------------------

1) Enable "ip dhcp snooping trust" on all links to every access switch, the etherchannel connecting to the other resilient distribution switch and the links to the core.

2) Disable option 82 with "no ip dhcp snooping information option"

3) Enable "ip dhcp snooping" and "ip dhcp snooping vlan 10"

Core Layer

----------

1) Enable "ip dhcp snooping trust" on all links to every distribution switch (including that which aggregates the server access layer), and also on the link to the other core switch.

2) Disable option 82 with "no ip dhcp snooping information option"

3) Enable "ip dhcp snooping" and "ip dhcp snooping vlan 10"

In addition to this I would also then configure "ip dhcp snooping trust" on the server switch port that connects to our DHCP Servers and also on the uplinks to its distribution switch block.

Apologies for the long post.

Hello Chris,

>> I am a little confused about your last statement, "DHCP snooping should be deployed at access layer only if possible".

look at your action plan:

you are going to enable IP DHCP snooping on your distribution and core switches with all interesting ports trusted.

for this reason I would consider to enable it only at access layer.

if no end users are on core switches you don't need it.

if no end users ports are on distribution switches again you don't need it.

Hope to help

Giuseppe

Thanks again Giuseppe.

Thinking about it this makes perfect sense. I just need to enable DHCP snooping on the DHCP server ports (in line with enabling dhcp snooping on access switches as discussed), and trust the uplinks, leaving the core / distribution alone.

Hi all,

Just did a lab where I have a use vlan 30 on another switch block and a dhcp server in vlan 10(a router ) on another switch block.  The switch blocks communicate via the 2 core routers.

I have also the trouble of finding out where to enable the dhcp snooping feature.  With hit and miss configs, what I did was enable this 3 global commands on the access switch on the user side or vlan 30 (it's an L3 switch because I need to enable the L0 interface for management).

ip dhcp snooping vlan 30
no ip dhcp snooping information option
ip dhcp snooping

and then enable ip dhcp snooping trust on the uplink port to the distribution switch.

interface Ethernet2/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust

From there, I would just remove ip add dhcp and again add ip add dhcp on the interface of my router that emulates as the pc of the user in vlan 30.

The router successfully acquire the IP address.

Is this the proper steps to implement this?  No need to put ip dhcp snooping or ip dhcp snooping trust on the ports that connect to the DHCP server?.

Cheers,