DHCP rogue server

prakadeesh
Level 1

I am trying to find a rogue DHCP server on a 3750. I suspect that the device is connected to a couple of switch stacks. I tried to use the DHCP snooping option, but I can't see the table being built. I don't run a DHCP pool on the switches; I use ip helper with the DHCP server IP address on the cores. I have enabled DHCP only on the access switches. The following are the commands used:

conf t

ip dhcp snooping

ip dhcp snooping vlan X

Please let me know if I am missing anything here. I have an IP Base image on the 3750s; is that the problem?

13 Replies

Giuseppe Larosa
Hall of Fame

Hello Prakadeesh,

If there are user PCs affected, ask them to open a shell and then have them perform

ipconfig /all

arp -g

Then look for the MAC address of the fake GW in the CAM tables of your switches; it has to be on the same VLAN as the affected user.

Be aware that there are also some viruses/worms that turn an infected PC into a rogue DHCP server passing wrong information.

Hope to help

Giuseppe

Prakadeesh,

You need to add "ip dhcp snooping trust" on the interfaces that DHCP server packets come in on. In your case you have to add this command on the uplinks to the core switch (the ip helper is there).

Please check out this link : http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swdhcp82.html#wp1058243

Hope I correctly understood your question.

Toshi

Giuseppe, will have to remember that arp -g trick on a machine that is having a problem. Learn something new every day :-)

Edison Ortiz
Hall of Fame

You are missing some other guidelines:

• If a switch port is connected to a DHCP server or to another switch or router, configure the port as trusted by entering the ip dhcp snooping trust interface configuration command.

• If a switch port is connected to a DHCP client, configure the port as untrusted by entering the no ip dhcp snooping trust interface configuration command.

HTH,

__

Edison.

Hello all,

Thanks for the reply and guidance. I was about to check the ARP table on the machines, but someone tried an IP renew and the PC picked up a proper DHCP address. The problem also seems very intermittent too. I will try out your guidelines. Just a quick question: is DHCP snooping only present in the Enhanced feature set, or in IP Base too?

Prakadeesh,

IP Base is fine for DHCP snooping.

Here you go: http://www.cisco.com/go/fn

HTH,

Toshi

Hello Folks,

I have managed to find the rogue DHCP server and removed it. Thanks for all your support. I am planning to implement DHCP snooping trusted and untrusted ports on all our edge switches (C3750), but I am a bit concerned about the CPU utilisation on the switch stack. Please let me know your thoughts: will it do more good or bad?

Thanks,

Prakadeesh

The process runs completely in hardware and it will not affect your CPU.

__

Edison.

Thanks Edison,

That's a relief. I am planning to configure DHCP snooping on all the edge switches, with the end-user ports as untrusted and the uplink trunk ports to the core switch as trusted. The DHCP servers are connected to the core switches. Now I have a couple of queries; please help with these:

1. Should the downstream links on the cores that connect to these access switches be configured as trusted too? Does that mean DHCP snooping should be globally enabled on the cores as well?

2. Is a database agent absolutely needed on the access switch? I understand that the agent helps in rebuilding the database after a reload. But if the agent is not present, does that mean that none of the edge ports will be able to get DHCP again?

Please help with this,

Thanks,

1. Yes and Yes.

2. The snooping database is dynamically created when DHCP snooping is enabled, and it captures all the untrusted interface information. You can't have snooping enabled without the binding database.

__

Edison.

Thanks again Edison,

Since I don't want the cores to build up any database, I will just configure DHCP snooping globally and configure the downstream links as trusted. But on the access switches, I will enable DHCP snooping globally, and snooping for all the VLANs, as well as the trusted and untrusted ports. Hope my understanding is clear.

thanks,

Prakadeesh

Your understanding is not correct.

Enabling DHCP snooping globally will automatically set all switchports to untrusted mode, hence creating the database to maintain state for those switchports.

I don't understand the angst about the database; it does not cause any CPU issue.

Thanks Edison,

The only issue I had with the database was that we can't use the NVRAM for it (because we may overrun the free space), so you will have to point the database somewhere else, like a TFTP server. In that case, when the switch reloads, the database is reloaded from the TFTP server, as the NVRAM database could be lost (I assume).

-thanks

deesh
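Putting the guidance in this thread together, here is an added configuration example for one C3750 access stack (not posted by anyone in the thread): snooping enabled globally and per VLAN, the uplinks to the core trusted, user ports left untrusted and rate-limited, and the optional database agent pointed at a TFTP server so flash/NVRAM is not used. The interface names, VLAN 10 and the TFTP address 192.0.2.10 are assumptions.

```ios
! Added example, not from the thread. Assumed: VLAN 10 carries users,
! Gi1/0/1-48 and Gi2/0/1-48 are user ports on stack members 1 and 2,
! Gi1/1/1 and Gi2/1/1 are the uplinks to the core, 192.0.2.10 is a TFTP server.
configure terminal
 ! Global enable: every port becomes untrusted until told otherwise
 ip dhcp snooping
 ip dhcp snooping vlan 10
 ! Option 82 insertion is on by default; disable it if the DHCP server
 ! behind the core's ip helper rejects requests carrying the relay option
 no ip dhcp snooping information option
 ! Optional agent: persist the binding table off-box instead of in flash,
 ! so the bindings survive a reload without consuming local storage
 ip dhcp snooping database tftp://192.0.2.10/stack1-dhcp-snoop.db
 !
 ! Uplinks toward the core, where the real DHCP server's OFFER/ACK arrive:
 ! trusted, so server-side messages are forwarded
 interface range GigabitEthernet1/1/1 , GigabitEthernet2/1/1
  ip dhcp snooping trust
 !
 ! User ports: untrusted (server messages arriving here are dropped),
 ! plus a rate limit so a flood of DISCOVERs err-disables the port
 interface range GigabitEthernet1/0/1 - 48 , GigabitEthernet2/0/1 - 48
  no ip dhcp snooping trust
  ip dhcp snooping limit rate 15
 end
!
! Verification: trusted ports and VLANs, the learned bindings, and agent status
show ip dhcp snooping
show ip dhcp snooping binding
show ip dhcp snooping database
```

On the cores, as Edison notes above, repeat the global enable and trust the downstream links toward the access stacks together with the ports facing the DHCP servers; a rogue OFFER arriving on an untrusted user port is simply dropped and counted in the `show ip dhcp snooping` statistics.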
