Enterprise : DHCP Snooping

Answered Question
Oct 31st, 2013

Hi Guys,


I am planning to implement DHCP snooping in my enterprise network, so I would like to take your advice before starting with it.


Here is my network setup:

user PC --- access switch --- dist switch --- core switch --- server farm core switch --- server farm --- Windows DHCP server


Some users get their DHCP IP address from the Windows DHCP server (e.g. VLAN 100).

Some users get their DHCP IP address from the DHCP server configured on the distribution switch, say VLAN 200.

DHCP snooping should be implemented end to end.



Question 1

1. Does the ip dhcp snooping command need to be applied on all switches (access switch, dist switch, core switch, server farm core switch, server farm)?

2. Which ports are to be configured as DHCP trust ports?

3. FYI, DHCP relay is used on the distribution switch, say for VLAN 100.


Thanks

John Blakley Thu, 10/31/2013 - 09:18
User Badges:
  • Purple, 4500 points or more

You would configure snooping on all of your access switches. Trust the switch uplinks and the port that the dhcp servers connect to.



HTH,
John

*** Please rate all useful posts ***

cisconell Thu, 10/31/2013 - 09:26

Thanks John

1. You mean configure the ip dhcp snooping command only on the access switches, but not on the dist/core/server core/server farm switches?

2. And only trust the port connecting from the server farm switch to the server farm core?

In that case my whole config will be:


Access switch

ip dhcp snooping
ip dhcp snooping vlan 100,200

Server farm switch

Trust the DHCP-server-connected port
Trust the uplink port

Did I miss something more?

John Blakley Thu, 10/31/2013 - 10:06
User Badges:
  • Purple, 4500 points or more

Personally, I would enable it everywhere, but you're generally only worried about the access switches because a user can bring a wireless router from home to give themselves extra switchports or wireless where they may not have it, and they'll keep the dhcp server enabled. Once they connect it to the network, it can start handing out addresses. Of course, there are other malicious things users can do with dhcp, but the previous example is more common, at least in my environment.


The only ports that you should trust are all of the interswitch links (uplink ports) and the port that your dhcp server connects to.



HTH,
John

*** Please rate all useful posts ***

cisconell Thu, 10/31/2013 - 10:22

You are right, it's required only on the access switch.

Now my next query: for the interface command ip dhcp snooping trust to be effective, do I need to apply the global command ip dhcp snooping on the switch, for example the dist switch?

I would require more clarity on the interswitch links (uplink ports).

Does that mean all the trunks starting from the user side to the DHCP server side?

For example, trust both the ports on the distribution switch, one towards the user side and the other towards the DHCP server side?

Thanks again

John Blakley Thu, 10/31/2013 - 10:44
User Badges:
  • Purple, 4500 points or more

Suppose you have the following:


PC --- (f0/1) Access SWA (f0/2) ----- (f0/2) Access SWB (f0/3) ----- (f0/3) Distribution (f0/4) ---- (f0/4) Core (f0/5) ----- Server


PC connects to fa0/1

Access SWA fa0/2 connects to SWB on fa0/2

Access SWB fa0/3 connects to Distribution on fa0/3

Distribution fa0/4 connects to Core on fa0/4


Server connects to Core on fa0/5



Run "ip dhcp snooping" on all of the switches.


On SWA, trust fa0/2

SWB trust fa0/2 and fa0/3

Distribution trust fa0/3 and fa0/4

Core trust fa0/4 and fa0/5


To trust, go under the interface:


int fa0/5

ip dhcp snooping trust


You need to have ip dhcp snooping global to enable snooping.


HTH,
John

*** Please rate all useful posts ***
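The procedure John lays out above, written out as a complete per-switch configuration for his sample topology. This is an added example, not configuration posted in the thread; interface numbers follow his diagram, the VLAN list 100,200 comes from the original question, and the per-port rate limit and interface descriptions are my own additions.

```cisco
! Added example config for John's topology (not from the original thread).
! Only Access SWA has a user-facing port; everything else is an inter-switch link
! or the DHCP server port, and those are the only ports that get "trust".

!----- Access SWA: PC on fa0/1 (untrusted), uplink to SWB on fa0/2 (trusted)
ip dhcp snooping
ip dhcp snooping vlan 100,200
!
interface FastEthernet0/1
 description User PC
 switchport mode access
 switchport access vlan 100
 ! no "trust" here: DHCPOFFER/DHCPACK arriving inbound on this port are dropped
 ip dhcp snooping limit rate 10      ! optional: cap DHCP packets/sec from the client side
!
interface FastEthernet0/2
 description Uplink to SWB
 switchport mode trunk
 ip dhcp snooping trust

!----- Access SWB: fa0/2 from SWA, fa0/3 to Distribution (both inter-switch links)
ip dhcp snooping
ip dhcp snooping vlan 100,200
!
interface FastEthernet0/2
 ip dhcp snooping trust
interface FastEthernet0/3
 ip dhcp snooping trust

!----- Distribution: fa0/3 from SWB, fa0/4 to Core
ip dhcp snooping
ip dhcp snooping vlan 100,200
!
interface FastEthernet0/3
 ip dhcp snooping trust
interface FastEthernet0/4
 ip dhcp snooping trust

!----- Core: fa0/4 from Distribution, fa0/5 to the DHCP server
ip dhcp snooping
ip dhcp snooping vlan 100,200
!
interface FastEthernet0/4
 ip dhcp snooping trust
interface FastEthernet0/5
 description DHCP server
 ip dhcp snooping trust

!----- Verification, run on each switch after enabling
! show ip dhcp snooping           -> snooping VLANs and the list of trusted interfaces
! show ip dhcp snooping binding   -> MAC / IP / lease / VLAN / port table built from snooped leases
```

The global ip dhcp snooping and ip dhcp snooping vlan lines are what actually switch the feature on; the interface-level trust on its own does nothing, which answers the question about whether the global command is needed on the distribution switch. After rollout, a client that appears in show ip dhcp snooping binding on its access switch is the quickest sign that offers are reaching it through the trusted path.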

cisconell Thu, 10/31/2013 - 12:49
Thanks again. I will try to implement accordingly. Anything specific if I have DHCP relay on the dist switch?

John Blakley Thu, 10/31/2013 - 13:01
User Badges:
  • Purple, 4500 points or more

DHCP relays shouldn't be affected as long as you have the appropriate ports trusted. Just remember that it needs to be trusted if it leads to a dhcp server.



HTH,
John

*** Please rate all useful posts ***
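The relay case from the question (distribution switch relaying VLAN 100 to the Windows DHCP server), as an added example that is not from the thread. It assumes the relay SVI is interface Vlan100, uses placeholder addresses (10.100.0.1 for the SVI, 10.0.0.10 for the DHCP server), and takes the server-side uplink to be FastEthernet0/4 as in John's diagram. The option 82 note at the end is a general Cisco IOS behaviour, added here because it is the usual reason a relay stops working once snooping is enabled in front of it.

```cisco
! Added example (not from the thread): distribution switch as DHCP relay for VLAN 100.
! Addresses are placeholders; interface names follow John's diagram.

interface Vlan100
 ip address 10.100.0.1 255.255.255.0     ! placeholder SVI addressing
 ip helper-address 10.0.0.10             ! relay toward the Windows DHCP server (placeholder)
!
! The server-side port must be trusted: the relayed OFFER/ACK come back inbound
! on it (John's rule above: trust whatever leads to a DHCP server).
interface FastEthernet0/4
 ip dhcp snooping trust
!
! Caveat when snooping runs on an access switch in front of a relay: Cisco
! snooping inserts DHCP option 82 by default, and a relay that receives option 82
! with giaddr 0.0.0.0 drops the packet unless told to trust it. Use ONE of:
ip dhcp relay information trust-all     ! on the relay (distribution switch)
! -- or, on each access switch --
! no ip dhcp snooping information option
!
! Check: forwarded/dropped counters on the relay-facing switches, and the client
! appearing in the access switch's binding table once it has a lease.
! show ip dhcp snooping statistics
! show ip dhcp snooping binding
```

VLAN 200 in the question is served by a DHCP server on the distribution switch itself, so no helper-address is needed there; the snooping VLAN list and trusted uplinks are the same as for VLAN 100.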

cisconell Fri, 11/01/2013 - 12:53
Alright, anyway I am going to try this implementation next week.

I have another query: do I need to apply ip dhcp snooping vlan 100,200 on all switches? On the access switches for sure, but how about on the dist, core and server access switches?


Thanks in advance

Correct Answer
John Blakley Fri, 11/01/2013 - 14:59
User Badges:
  • Purple, 4500 points or more

If you're going to enable it, I would enable it across all of your switches as I stated in my previous posts. You should enable it on the same vlans across all switches since you'll need to pass that information across all of your switches.



HTH,
John

*** Please rate all useful posts ***

Elton Babcock Fri, 11/01/2013 - 20:14
User Badges:
  • Bronze, 100 points or more

DHCP snooping only needs to be trusted on ports that will receive a DHCP offer inbound on the interface.

Sent from Cisco Technical Support iPhone App

cisconell Sun, 11/03/2013 - 10:38
There are many discussions I could find on this topic. Thanks a lot John for sharing your knowledge.

Elton, does that mean I need to care about only the uplink port of the access switch, and nothing needs to be done with the core and dist switch ports?

I could also find many details in some of the previous discussions.

May help others as well:


https://supportforums.cisco.com/thread/2097580

Elton Babcock Sun, 11/03/2013 - 16:45
User Badges:
  • Bronze, 100 points or more

I would say it depends on where your DHCP server sits on your network. We are doing DHCP snooping on all of the downstream paths from the core where the DHCP server sits.

Sent from Cisco Technical Support iPhone App
