LAN dhcp snooping configuration

Answered Question
Oct 25th, 2009

Hi,

We have a Windows DHCP server running on the existing LAN setup consisting of many L2 and L3 switches. Switches are connected to each other by trunks. We are planning to configure a DHCP server on each switch separately. I need to make sure that once a switch is configured as a DHCP server, all hosts connected to that switch will get an IP address only from that switch. Even if by some chance any host gets an IP from the Windows DHCP server, it will be in a different subnet and it will not be able to communicate with any other device. For that I need to configure DHCP snooping on the trunk port in such a way that it will "NOT accept" any DHCP replies, in our case replies from the Windows DHCP server. In the normal case DHCP replies are accepted only from trunk ports, but in our case it is exactly the opposite.

Please share the experience.

Any link on cisco.com would be highly appreciated.

Thanks in advance.

Subodh

Correct Answer by Giuseppe Larosa, Mon, 10/26/2009 - 00:59
User Badges: Super Silver (17500 points or more); Hall of Fame, Founding Member

Hello Subodh,



>> We are planning to configure DHCP server on each switch separately


Well, let me say this is quite uncommon, centralized DHCP servers have their advantages.

I guess you are in the middle of an address plan migration.

I would consider using ip address secondary on the default gateways and resizing the current DHCP scopes.


However, if you enable DHCP snooping it is enough to leave the trunk port untrusted (which is the default) to block DHCP server activity arriving over it.


see

    ! requires global: ip dhcp snooping / ip dhcp snooping vlan <list>
    interface range GigabitEthernet 1/1 - 2
     switchport trunk encapsulation dot1q
     switchport mode trunk
     ! untrusted is the default; server replies over this trunk are dropped
     no ip dhcp snooping trust




Hope to help

Giuseppe


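To make the trust decision Giuseppe relies on concrete, here is a small Python model of the DHCP snooping filter: server messages (OFFER, ACK, NAK, identified by option 53) are dropped when they arrive on an untrusted port, while client messages are forwarded from any port. This is an added example, not code from the thread or from Cisco IOS; the port names, the trust table and the DHCP payloads are constructed for illustration. It shows both the normal deployment (trunk trusted, so the central Windows server is allowed) and Subodh's inverted case (trunk untrusted, so the Windows server's OFFER is dropped at the trunk).

```python
"""Model of the DHCP snooping trust decision.

Added example for this thread; not Cisco IOS code. Port names, the trust
table and the sample DHCP payloads are constructed for illustration.
"""
import struct
from typing import Optional, Set, Tuple

# DHCP message types carried in option 53 (RFC 2132)
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {DHCPOFFER, DHCPACK, DHCPNAK}   # only a server sends these
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HEADER_LEN = 236                            # fixed BOOTP fields before the cookie


def build_dhcp(msg_type: int, xid: int = 0x1234) -> bytes:
    """Build a minimal BOOTP/DHCP payload carrying option 53 (constructed sample)."""
    op = 1 if msg_type in (DHCPDISCOVER, DHCPREQUEST) else 2  # BOOTREQUEST / BOOTREPLY
    # op, htype(ethernet), hlen, hops, xid, secs, flags
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    header += b"\x00" * (BOOTP_HEADER_LEN - len(header))      # ciaddr..file left zero
    options = bytes([53, 1, msg_type, 255])                    # option 53, len 1, value, END
    return header + MAGIC_COOKIE + options


def dhcp_message_type(payload: bytes) -> Optional[int]:
    """Walk the option list and return the value of option 53, or None if absent/malformed."""
    if len(payload) < BOOTP_HEADER_LEN + 4:
        return None
    if payload[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        return None
    i = BOOTP_HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # END option
            break
        if code == 0:                   # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None


def snooping_verdict(ingress_port: str, payload: bytes,
                     trusted_ports: Set[str]) -> Tuple[str, str]:
    """Apply the snooping rule: server messages are only accepted on trusted ports."""
    mtype = dhcp_message_type(payload)
    if mtype is None:
        return "drop", "malformed DHCP payload (no option 53)"
    if mtype in SERVER_MESSAGES and ingress_port not in trusted_ports:
        return "drop", f"server message type {mtype} on untrusted port {ingress_port}"
    return "forward", f"message type {mtype} on {ingress_port}"


def demo() -> dict:
    """Run the two deployments from the thread on constructed traffic."""
    trunk, access = "Gi1/1", "Fa0/5"                 # hypothetical port names
    windows_offer = build_dhcp(DHCPOFFER)            # central server reply over the trunk
    client_discover = build_dhcp(DHCPDISCOVER)       # host on an access port
    # Normal deployment: the uplink carrying the central server is trusted.
    normal = {trunk}
    # Subodh's case: the trunk stays untrusted so central replies never reach hosts.
    inverted: Set[str] = set()
    return {
        "normal_offer_on_trunk": snooping_verdict(trunk, windows_offer, normal)[0],
        "inverted_offer_on_trunk": snooping_verdict(trunk, windows_offer, inverted)[0],
        "client_discover_on_access": snooping_verdict(access, client_discover, inverted)[0],
        "rogue_offer_on_access": snooping_verdict(access, windows_offer, normal)[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The model deliberately stops at the trust check; a real switch also builds a binding table from the forwarded exchanges and rate-limits untrusted ports, neither of which the thread discusses.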