I am trying to find a DHCP rogue server on a 3750. I suspect that the device is connected to a couple of switch stacks. I tried to use the DHCP snooping option, but I can't see the table being built. I don't run a DHCP pool on the switches; I use an ip helper with the DHCP server IP address on the cores. I have enabled DHCP only on the access switches. The following are the commands used:
ip dhcp snooping
ip dhcp snooping vlan X
Please let me know if I am missing anything here. I have an IP Base image on the 3750s. Is that the problem?
If there are users' PCs affected, ask them to open a shell and then have them perform
Then look for the MAC address of the fake GW in the CAM tables of your switches; it has to be on the same VLAN as the affected user.
Be aware that there are also some virus worms that turn an infected PC into a DHCP rogue server passing wrong information.
Hope to help
You need to add "ip dhcp snooping trust" on the interfaces where DHCP server packets come in. In your case you have to add this command on the uplinks to the core switch (the ip helper is there).
Hope I correctly understood your question.
You are missing some other guidelines:
• If a switch port is connected to a DHCP server or to another switch/router, configure the port as trusted by entering the ip dhcp snooping trust interface configuration command.
• If a switch port is connected to a DHCP client, configure the port as untrusted by entering the no ip dhcp snooping trust interface configuration command.
Thanks for the reply and guidance. I was about to check the ARP table on the machines, but someone tried an IP renew and the PC picked up a proper DHCP lease. The problem also seems very intermittent too. I will try out your guidelines. Just a quick question: is DHCP snooping only present in the Enhanced feature set, or also in IP Base?
I have managed to find the DHCP rogue and removed it. Thanks for all your support. I am planning to implement IP DHCP snooping trusted and untrusted ports on all our edge switches (C3750), but I am a bit concerned about the CPU utilisation on the switch stack. Please let me know your thoughts on whether it will do more good or bad.
That's a relief. I am planning to configure DHCP snooping on all the edge switch end-user ports as untrusted and the uplink trunk ports to the core switch as trusted. The DHCP servers are connected to the core switches. Now I have a couple of queries; please help with these:
1. Should the downstream links on the cores that connect to these access switches be configured as trusted too? Does that mean DHCP snooping should be globally enabled on the cores as well?
2. Is a database agent absolutely needed on the access switch? I understand that the agent helps in rebuilding the database after a reload. But if the agent is not present, does that mean that none of the edge ports will be able to get DHCP again?
Please help with this.
1. Yes and Yes.
2. The snooping database is dynamically created when DHCP snooping is enabled, and it captures all the untrusted interface information. You can't have snooping enabled without the binding database.
Thanks again Edison.
Since I don't want the cores to build up any database, I will just configure DHCP snooping globally and configure the downstream links as trusted. But on the access switches, I will enable DHCP snooping globally, and snooping for all the VLANs, as well as the trusted and untrusted ports. Hope my understanding is clear.
Your understanding is not correct.
Enabling DHCP snooping globally will automatically set all switchports to untrusted mode, hence creating the database to maintain a state for those switchports.
I don't understand the angst about the database; it does not cause any CPU issue.
The only issue I had with the database was that we can't use the NVRAM for it (because we may overrun the free space), so you will have to point the database somewhere else, like a TFTP server or similar. In that case, when the switch reloads, the database is reloaded from the TFTP server, as the NVRAM database could be lost (I assume).
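The configuration the thread converges on (snooping enabled globally and per VLAN, user ports untrusted, uplinks and server-facing ports trusted, binding database kept off NVRAM), written out as an added example; it is not from any of the posters, and the VLAN ids, interface numbers and TFTP address are placeholders:

```cisco
! --- Access switch (C3750 stack) ---
! Enable snooping globally and only on the user VLANs (ids are placeholders)
ip dhcp snooping
ip dhcp snooping vlan 10,20
! The 3750 inserts option 82 by default; a relay (ip helper-address) on the
! core drops such packets unless it is told to trust them. Either turn the
! option off here or configure "ip dhcp relay information trust-all" on the core.
no ip dhcp snooping information option
!
! User-facing ports: untrusted (the default once snooping is on) plus a
! rate limit so one host cannot flood the CPU with DHCP; a port that
! exceeds the limit is err-disabled, so plan errdisable recovery if wanted
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 15
!
! Uplink trunk toward the core, where the real DHCP servers are reached: trusted
interface GigabitEthernet1/0/25
 switchport mode trunk
 ip dhcp snooping trust
!
! Binding database agent pointed at a TFTP server instead of NVRAM/flash
! (server address and file name are placeholders)
ip dhcp snooping database tftp://192.0.2.10/3750-access1-snoop.db
ip dhcp snooping database write-delay 60
!
! --- Core switch ---
! Per Edison's answer, snooping is enabled globally here too; the ports
! facing the DHCP servers and the downlinks to the access stacks are trusted
ip dhcp snooping
ip dhcp snooping vlan 10,20
interface range GigabitEthernet1/0/1 - 2
 description downlink to access stack / DHCP server ports
 ip dhcp snooping trust
!
! Verification from exec mode: trust state per port, learned bindings,
! and whether the database agent is writing successfully
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip dhcp snooping database
```

A rogue server on an untrusted port then shows up as dropped DHCPOFFER/DHCPACK packets in the snooping counters rather than as bad leases on user PCs.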