Implementing DHCP snooping in a production network

Apr 26th, 2010
Hi Friends,


I have a production network environment where I want to implement DHCP snooping and DAI. My setup is as below:

I have 35xx series switches at the edge and 2 x 65xx series switches at the core. All edge switches have 2 uplinks to the 2 core switches. STP is running in the network; core switch 1 is configured as the primary root for all the VLANs and core switch 2 as the secondary root. An EtherChannel is running between the 2 core switches. Below are the STP commands I run in both the edge and core switches (uplinkfast is not running in the core switches):


spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree uplinkfast
!
interface FastEthernet0/1
 description *** User-Vlan-01 ***
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security aging time 300
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable


Below are my queries:


1) Do I need to run any other STP-related commands on the edge as well as the core switches in a typical production network?



Now I need to enable DHCP snooping and ARP inspection in my network. One point to mention is that there is a FWSM module in the core switch and the network setup is FWSM > MSFC > Router. All the VLANs (User VLAN and Server VLAN) are layer 3 interfaces of the FWSM. The outside of the FWSM connects to the MSFC.

My queries are:

2) What are the things I should take care of before I implement DHCP snooping and DAI in a typical production LAN?

3) Do I need to do anything on the FWSM? If YES, what are the things I should do?


Appreciate your valuable inputs ASAP.


Thanks and regards,

JCB

Hitesh Vinzoda Fri, 05/07/2010 - 05:40

You don't have to do anything on the FWSM.


Enable DHCP snooping based on the VLAN, define the ports where hosts are connected as untrusted and the uplink ports as trusted. There are other features with DHCP snooping which you may use.


Hope this link will help:


http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html#wp1073418


Regards


Hitesh Vinzoda
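Worked configuration for what the answer above describes (DHCP snooping per VLAN, untrusted host ports, trusted uplinks) together with the DAI part of the question, added here as an example and not taken from the original thread or from Cisco's documentation. VLAN 10 and FastEthernet0/1 come from the original post; the uplink interface names GigabitEthernet0/1-2 and the binding database filename are assumptions.

```cisco
! Added example: DHCP snooping + DAI on a Catalyst 35xx edge switch.
! Assumed: Gi0/1 and Gi0/2 are the two uplinks to the core switches.
!
! --- DHCP snooping (enable globally, then per VLAN) ---
ip dhcp snooping
ip dhcp snooping vlan 10
! The edge switch inserts option 82 by default; an upstream relay that
! does not trust option 82 from a non-relay will drop the DISCOVER, so
! disable insertion here unless the relay is configured to trust it.
no ip dhcp snooping information option
! Persist the binding table so DAI still has state after a reload
! (filename is an assumption)
ip dhcp snooping database flash:dhcp-snoop.db
!
! --- Dynamic ARP Inspection (validates ARP against the binding table) ---
! Turn this on only after the binding table has filled (clients renew
! their leases), otherwise hosts with existing leases are dropped.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! Let a port that exceeded the ARP rate limit recover on its own
errdisable recovery cause arp-inspection
!
! --- Uplinks to the two core switches: trusted for both features ---
interface range GigabitEthernet0/1 - 2
 description *** Uplink to core ***
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- User port: untrusted (the default), rate-limited to protect the CPU ---
interface FastEthernet0/1
 description *** User-Vlan-01 ***
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! --- Verification ---
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection interfaces
```

Hosts in VLAN 10 that use static addresses (printers, management cards) never appear in the snooping binding table, so DAI will drop their ARP traffic unless they are covered by an `arp access-list` applied with `ip arp inspection filter`; inventory them before enabling DAI.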
