Hi, I have this scenario:
I want to implement DHCP snooping in one site. Let's say I have a single Cat 6509 switch that acts as both Core and Access switch, and it's also acting as a DHCP server.
All the devices in the infrastructure are connected to this switch.
How can I implement DHCP snooping, and what are the "trusted" ports?
Thanks for your help.
I'm assuming you have either a single SVI or multiple SVIs on this 6509? I'm guessing you would put 'ip dhcp snooping trust' on the SVIs. Just a guess, I'll try and do some research if no one else answers your question in a little bit.
The trusted port(s) would be those that connect to the DHCP servers.
Note that if you had PCs etc. with static IPs you should also make the ports trusted, although a better and more commonly used solution is to use DAI (Dynamic ARP Inspection), which uses the DHCP snooping database, and then enter static IP-to-MAC bindings in that database to allow those static IPs.
I have multiple SVIs on the 6509. This is production, so until a scheduled downtime I cannot experiment with putting ip dhcp snooping trust.
I don't understand your last post. You asked which ports to trust and I told you.
What do you mean by you cannot experiment, as I am not asking you to experiment?
The trusted ports would be the DHCP servers and any devices with static IPs such as routers/firewall/servers etc.
See this link for full details -
Edit - DAI would be used for end devices with static IPs but switches/routers/firewalls etc. should be trusted ports.
Sorry for the misunderstanding; as I specified in the initial post there are no DHCP servers, the switch itself is acting as the DHCP server.
He doesn't necessarily have a DHCP server off of another switch port; his 6509 is acting as both core/access layers, and is providing DHCP from itself. So if he were to trust every single port, it would kinda negate the purpose of DHCP Snooping, unless you want to use the database for other reasons other than DHCP Snooping.
Apologies, that will teach me to read the question more carefully as John obviously did.
I would have thought that all ports would be untrusted except for trusted devices such as routers/firewalls etc because the actual DHCP server is not tied to any physical port.
I'm going to do some more research after coffee. This question is actually rather interesting. But I guess you would have all ports untrusted, which from my understanding, if you have a DHCP Discover hit an untrusted port, it will only be forwarded out of trusted ports. So you could have all ports untrusted, except your SVIs which would be trusted? But that's just a guess.
Thank you for your quick answers, I've also done some research but I have not reached a conclusion yet. We have to admit, this is not a very unlikely scenario, having 6500 or 4500 as Cores and also providing DHCP services. Enjoy your coffee.
Adrian, I am right now.
So, I was thinking Adrian... You can enable dhcp snooping for a specific vlan as well. So what you could do is enable dhcp snooping and then enable it for a test vlan. Get a laptop, or computer if you know where it's connected to on the 6509, and test that out. This shouldn't have any downtime involved. Most people will already have their DHCP IP addresses anyway.
Would be interested to hear what you find out, but I can't see how applying trust to the SVI is going to do anything. The SVI only comes into it for L3 switched traffic and the DHCP broadcast would be within the actual vlan. Add to that the SVI is not a physical port and I can't see why it would be needed.
Still, I may well be wrong; wouldn't be the first time.
To be completely honest with you, I don't think doing it on the SVI will work either to an extent... Obviously an SVI is L3, I think everyone agrees on that.
I've just never heard of anyone wanting to run DHCP Snooping on a switch that is also providing DHCP, so I'm trying to cover all angles...
I would just enable dhcp snooping on a test vlan, and start by doing the following.
1. Configure 'ip dhcp snooping trust' on that port and see if you can get a DHCP IP address from a test pool.
2. You may have to configure 'ip dhcp snooping information option' to prevent adding Option 82.
3. Try configuring the port as untrusted, and see if you can get a DHCP IP.
4. Try configuring the port as untrusted, and configure 'ip dhcp snooping trust' on the SVI if you can.
Just like to add some information regarding my understanding of dhcp snooping.
1) Requires to be activated via the ip dhcp snooping command and also on the given vlan you wish to snoop:
ip dhcp snooping
ip dhcp snooping vlan xx
2) If applied to just one switch with uplink switches, then the uplink switch will require snooping enabled also and its trunk links trusted ONLY if the dhcp server is originating from the uplink switch.
3) If the dhcp server is attached to the same switch as the snooping database, then just trust the interface where the server is situated.
4) If the dhcp server is originating on the switch, then there is no need to apply the trusted command.
5) DHCP snooping will do nothing on all trusted ports. It just listens on all the untrusted ports and snoops IPs & MACs relating to those ports via DHCP DORAs.
6) The snooping database WILL NOT be populated with existing clients; it will only be populated the next time dhcp clients renew or release.
And lastly, on its own this snooping DB does nothing without enabling DAI or IP source guard.
Please don't forget to rate any posts that have been helpful.
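To put the test plan (enable on one test VLAN, try the port trusted and untrusted, deal with Option 82) and the summary above into one concrete configuration, here is an added IOS configuration example. It is not from any poster in this thread; VLAN 10, the pool addresses, the interface names, the static host's MAC/IP and the TFTP host are all constructed for illustration. It follows point 4 above: because the 6509's own DHCP server is internal to the switch, no access port has to be trusted for local clients to get a lease; only the uplink to the firewall/router is trusted, as suggested earlier in the thread.

```cisco
! Added example, not the thread's own config. Single Catalyst 6509 acting as core,
! access and local DHCP server; snooping enabled on one test VLAN (10) first.
! Addresses, interface names, MACs and the TFTP host below are constructed.
!
! --- The DHCP server lives on the switch itself (no physical port hosts it)
ip dhcp excluded-address 192.168.10.1 192.168.10.20
ip dhcp pool TEST-VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
!
! --- DHCP snooping: global enable, then only the test VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default once snooping is enabled. If test clients
! fail to get a lease (step 2 of the test plan), this is the "no" form that stops it.
no ip dhcp snooping information option
! Persist the binding table so a reload does not empty it (DAI/IPSG rely on it)
ip dhcp snooping database tftp://192.0.2.10/c6509-dhcp-snoop.db
!
! --- Access port for the test client: left UNTRUSTED (the default).
! The local server answers internally, so no trust is needed here (point 4 above).
interface GigabitEthernet2/1
 description test client, VLAN 10
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! --- Uplink to the firewall/router: trusted, so DHCP/ARP it legitimately
! sources is not dropped as rogue (routers/firewalls trusted, per the thread).
interface GigabitEthernet1/1
 description uplink to firewall
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Optional: DAI and IP Source Guard consume the snooping bindings
ip arp inspection vlan 10
! A static-IP host on VLAN 10 that never uses DHCP: add its binding by hand
! (constructed MAC and IP, hypothetical port)
ip source binding 0011.2233.4455 vlan 10 192.168.10.50 interface GigabitEthernet2/5
! IPSG on the test port; on the 6500 the keyword form is "vlan dhcp-snooping"
interface GigabitEthernet2/1
 ip verify source vlan dhcp-snooping
!
! --- Verification after a test client renews its lease
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
```

Apply it to the single test VLAN only, have a client on GigabitEthernet2/1 release/renew, and confirm the lease appears in `show ip dhcp snooping binding` before enabling snooping (and then DAI/IPSG) on production VLANs; existing clients will not show up in the binding table until they renew, as point 6 above notes.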
This sounds interesting, it may be the answer that I'm looking for:
4) if the dhcp server is originating on the switch then no need to apply the trusted command.
That makes sense. I'm assuming that, since if an untrusted port on a switch with DHCP Snooping enabled, and enabled for that specific vlan, has a DHCP Broadcast hit that port, it will forward it out all trusted ports, but in theory, since there aren't really any trusted ports, since the DHCP Server is on the switch itself, then the port would just need to be untrusted.
Hello John (there are a lot of Johns/Jons on this forum, don't you think?)
All ports are untrusted by default when DHCP snooping is enabled, as you are aware, and because DHCP DORAs are not originating from any of them, there is no need to trust any.
That's how I remember it from testing Snooping/DAI/IPSG in the past.