09-11-2008 01:26 PM - edited 03-06-2019 01:19 AM
On a LAN I have a CAT3750 in ip routing mode that connects to a 2821 router configured for OSPF routing to jump across a wireless link to another site. The 3750 has two vlans: 1 and 2. All ports on the 3750 are in trunking mode. Also, the 3750 is configured as a dhcp server on vlan 2. Connected to the 3750 are cat 2960TC's. All but one of the 2960s is configured as follows:
The gig ports of the 2960 are all in trunking mode, the fast ethernet ports are all in vlan 2. Cascaded to these 2960TC's using the gig ports are 1 or 2 2960TT's. (TC-gig fiber & gig ethernet, TT-gig ethernet only). Everything was working fine until one day, I found out that clients in vlan 2 were getting dhcp info from outside the vlan 2 ip subnet. The dhcp scope for vlan 2 is 172.17.0.0/16. Somehow, the clients were getting dhcp info 192.168.10.0/24 from 192.168.10.1. I traced this beast across the wireless link to the other site. As indicated above, the other site is a trusted network connected via 2821 routers with OSPF configured. To stop the DHCP info from traveling over the wireless link, I put in an ACL on the corresponding 3750 dropping the 192.168.10.0 traffic. However, I also want to prevent rogue dhcp servers from answering dhcp requests on the local LAN.
Would this work?
----------------
On the 3750:
ip dhcp snooping
ip dhcp snooping vlan 2
no ip dhcp snooping information option
On the gig ports on the 2960TCs that connect to the 3750:
int gig0/1
ip dhcp snooping trust
and on the fast ethernet ports of the 2960TCs:
int fa0/X
no ip dhcp snooping trust
On the gig0/2 of the 2960TC that cascades to the 2960, I don't configure any snooping option.
However, on the 2960TT all fast ethernet ports have the no ip dhcp snooping trust. But, the gig port that connects to the 2960TC would have the ip dhcp snooping trust configuration.
---------
As well, do I have to configure the snooping binding database and ntp server or are they optional?
09-18-2008 10:32 AM
As per Cisco docs,"Each entry is 72 bytes, followed by a space and then the checksum value." in the database
You can approx. the number of entries that you can fit in on your flash.
You can also distribute the load by having snooping only on the 2960s that have the hosts directly connected to them :)
09-17-2008 08:31 PM
You have it nailed down right. The above configuration will work.
By default, after enabling DHCP snooping, the ports will be placed in untrusted state.
You need trust on only those ports through which the DHCP offer and DHCP ack messages are allowed to come in.
For the database, it is optional since the switch can maintain the database on its own memory. However, if there will be a large number of hosts, it would be advisable to store it on a TFTP server.
HTH,
Nirav
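As an added example (not from this thread, nor Cisco's own documentation), the configuration discussed above pulled together per tier, with the binding database and NTP that the last question asks about. The TFTP and NTP addresses are placeholders, a 24-port 2960 is assumed, and option 82 insertion is also disabled on the 2960s, because the 3750 would otherwise drop those client packets on its untrusted trunks.

```cisco
! --- 3750 (VLAN 2 SVI, DHCP server for VLAN 2) ---
ip dhcp snooping
ip dhcp snooping vlan 2
no ip dhcp snooping information option
! keep bindings across reloads; TFTP-SERVER-IP is a placeholder
ip dhcp snooping database tftp://TFTP-SERVER-IP/3750-snoop.db
ip dhcp snooping database write-delay 30
! lease timestamps in the binding table are only meaningful with a sane clock
ntp server NTP-SERVER-IP
! the trunks toward the 2960s stay untrusted: no DHCP server lives behind them
!
! --- 2960TC (Gi0/1 uplink to the 3750, Gi0/2 cascade to a 2960TT) ---
ip dhcp snooping
ip dhcp snooping vlan 2
! edge switches insert option 82 by default; the 3750 would drop such
! packets on its untrusted trunks, so turn insertion off here as well
no ip dhcp snooping information option
ip dhcp snooping database flash:snoop.db
!
interface GigabitEthernet0/1
 description uplink to 3750 (DHCP OFFER/ACK arrive from here)
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 description cascade to 2960TT (no DHCP server behind it)
 switchport mode trunk
 ! untrusted: a server reply coming up from the cascade is dropped
!
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 2
 ! untrusted by default; cap DISCOVER/REQUEST rate per port so one host
 ! cannot flood the snooping process (port err-disables when exceeded)
 ip dhcp snooping limit rate 15
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! --- 2960TT: identical to the 2960TC, trusting only Gi0/1 (toward the TC) ---
!
! verification on each switch:
!   show ip dhcp snooping          (VLAN 2 enabled, trust and rate per port)
!   show ip dhcp snooping binding  (MAC/IP/lease/VLAN/port learned from ACKs)
```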
09-18-2008 06:38 AM
Thank you, Nirav, for responding. I am curious about the "large number of hosts". The site that I am trying to configure is a hotel/work camp. Currently, there are about 2500 guests, but that will grow to around 4000 within the next year. At the most, I would think that 1/4 of guests would have laptops. So, let's say we have 1000 connections max. Would a 3750 be able to handle that number of DHCP leases?