DHCP Snooping on the LAN

Mar 25th, 2010

Dear all,

I have a question about DHCP snooping; I want to enable this feature on our LAN. Below is our LAN infrastructure:

2x 6500 as core switches L2/L3

2x 6500 as access switches for server farms L2

50x 3750 as access switches for users

All access switches are connected to both 6500 core switches with redundant links.

As I understand it, I first have to enable ip dhcp snooping on all those switches, even on the core switches, and on all access switches (6500 and 3750).

After that I have to enable ip dhcp snooping trust on every uplink.

And finally I have to enable ip dhcp snooping on the specific VLANs where I want this feature.

So my question is:

Why do I have to enable ip dhcp snooping on the four 6500 switches? If I enable ip dhcp snooping only on the 3750 access switches for users and trust all uplinks to the core switches, why doesn't this feature work?

I probably missed something, but I cannot find the answer on the Cisco site.

So thanks in advance for your help.

Giuseppe Larosa Thu, 03/25/2010 - 10:19
Hello Belal,

Your understanding is correct.

>> Why do I have to enable ip dhcp snooping on the four 6500 switches? If I enable ip dhcp snooping only on the 3750 access switches for users and trust all uplinks to the core switches, why doesn't this feature work?

If DHCP is enabled only on the VLANs used on the access layer C3750, you can and you should enable DHCP snooping only at the access layer.

Likely VLANs used in server farms don't use DHCP services (I would expect IP addresses to be statically configured on servers).

The risk is wasting CPU resources on devices that likely will never process DHCP requests of PCs directly connected to their ports.

There are some older threads about a similar scenario.


Hope to help

Giuseppe
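
Added example, not part of the original thread or of any poster's configuration: an access-layer Catalyst 3750 setup following the steps discussed above (global enable, per-VLAN enable, trusted uplinks). VLAN IDs 10 and 20, the interface ranges and the rate limit value are assumptions.

```cisco
! Access switch (Catalyst 3750). VLAN IDs and interface numbers are assumed.
!
! 1. Enable DHCP snooping globally, then on the user VLANs only.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! 2. Option 82 insertion is enabled by default with snooping. A Cisco IOS
!    relay agent upstream (an SVI with ip helper-address on the core) drops
!    DHCP packets that carry option 82 with giaddr 0.0.0.0 unless it is told
!    to trust them. Either disable insertion here ...
no ip dhcp snooping information option
!    ... or leave it on and configure the core with:
!        ip dhcp relay information trust-all
!
! 3. Trust only the uplinks toward the core switches.
interface range GigabitEthernet1/0/49 - 50
 description Uplinks to core 6500s
 ip dhcp snooping trust
!
! 4. User ports stay untrusted (the default). Rate-limit DHCP packets so a
!    flooding host puts its own port into errdisable.
interface range GigabitEthernet1/0/1 - 48
 description User access ports
 ip dhcp snooping limit rate 15
!
! Verification (exec mode):
!   show ip dhcp snooping           -> enabled VLANs, trusted ports, option 82 state
!   show ip dhcp snooping binding   -> MAC / IP / VLAN / port learned from leases
```

If clients stop getting leases right after snooping is enabled, check the option 82 handling in step 2 first; an empty binding table with working DHCP usually means the VLAN was not included in step 1.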

belal.sadozai Tue, 03/30/2010 - 05:45

Hello giuslar,

Thanks for your answer, but I don't really understand your explanation. All my 3750 access switches are L2, so there is no VLAN on those switches; all VLAN SVIs are on the core 6500 switches, and the two other 6500s are also L2 only, for the server farm. So my question is: in this case, why do I have to enable snooping on all the 6500s? If I enable ip dhcp snooping on all my 3750 access switches and trust the uplinks to both cores, this should work according to the Cisco docs?

See attached file.

Thanks
