Cisco Support Community

New Member

DHCP snooping on 6509

Hi , I have this scenario :

I want to implement DHCP snooping in one site. Let`say I have a single Cat 6509 switch , that acts as a both Core and Access switch and it`s acting also as a DHCP server.

All the devices in the infrastructure are connected to this switch.

How can I implement DHCP snooping , what are the "trusted" ports ?

Thanks for your help.

18 REPLIES

Re: DHCP snooping on 6509

I'm assuming you have either a single SVI or multiple SVIs on this 6509? I'm guessing you would put 'ip dhcp snooping trust' on the SVIs. Just a guess, I'll try and do some research if no one else answers your question in a little bit.

Hall of Fame Super Blue

Re: DHCP snooping on 6509

The trusted port(s) would be those that connect to the DHCP servers.

Note that if you had PCs etc. with static IPs you should also make the ports trusted, although a better and more commonly used solution is to use DAI (Dynamic ARP Inspection), which uses the DHCP snooping database, and then enter static IP-to-MAC bindings in that database to allow those static IPs.

Jon

New Member

Re: DHCP snooping on 6509

I have multiple SVIs on the 6509. This is production, so until a scheduled downtime I cannot experiment with putting ip dhcp snooping trust anywhere.

Hall of Fame Super Blue

Re: DHCP snooping on 6509

I don't understand your last post. You asked which ports to trust and I told you.

What do you mean by you cannot experiment, as I am not asking you to experiment?

The trusted ports would be the DHCP servers and any devices with static IPs such as routers/firewall/servers etc.

See this link for full details -

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html#wp1114389

Edit - DAI would be used for end devices with static IPs but switches/routers/firewalls etc. should be trusted ports.

Jon

New Member

DHCP snooping on 6509

Jon ,

Sorry for the misunderstanding; as I specified in the initial post, there are no DHCP servers, the switch itself is acting as the DHCP server.

DHCP snooping on 6509

Jon,

He doesn't necessarily have a DHCP server off another switch port; his 6509 is acting as both core/access layers and is providing DHCP from itself. So if he were to trust every single port, it would kind of negate the purpose of DHCP snooping, unless you want to use the database for reasons other than DHCP snooping.

Hall of Fame Super Blue

Re: DHCP snooping on 6509

Adrian

Apologies, that will teach me to read the question more carefully, as John obviously did.

I would have thought that all ports would be untrusted except for trusted devices such as routers/firewalls etc., because the actual DHCP server is not tied to any physical port.

Jon

Re: DHCP snooping on 6509

Jon,

I'm going to do some more research after coffee. This question is actually rather interesting. But I'm guessing you would have all ports untrusted, which, from my understanding, means that if you have a DHCP Discover hit an untrusted port, it will only be forwarded out of trusted ports. So you could have all ports untrusted, except your SVIs which would be trusted? But that's just a guess.

New Member

Re: DHCP snooping on 6509

Thank you for your quick answers. I've also done some research but I have not reached a conclusion yet. We have to admit, this is not a very unlikely scenario, having 6500s or 4500s as cores and also providing DHCP services. Enjoy your coffee.

Re: DHCP snooping on 6509

Adrian, I am right now.

So, I was thinking, Adrian... You can enable DHCP snooping for a specific VLAN as well. So what you could do is enable DHCP snooping and then enable it for a test VLAN. Get a laptop or computer, if you know where it's connected to on the 6509, and test that out. This shouldn't have any downtime involved. Most people will already have their DHCP IP addresses anyway.

Hall of Fame Super Blue

DHCP snooping on 6509

John

Would be interested to hear what you find out, but I can't see how applying trust to the SVI is going to do anything. The SVI only comes into it for L3 switched traffic, and the DHCP broadcast would be within the actual VLAN. Add to that the SVI is not a physical port, and I can't see why it would be needed.

Still, I may well be wrong, wouldn't be the first time.

Jon

Re: DHCP snooping on 6509

Jon,

To be completely honest with you, I don't think doing it on the SVI will work either, to an extent... Obviously an SVI is L3, I think everyone agrees on that.

I've just never heard of anyone wanting to run DHCP snooping on a switch that is also providing DHCP, so I'm trying to cover all angles...

Re: DHCP snooping on 6509

Adrian,

I would just enable DHCP snooping on a test VLAN, and start by doing the following.

1. Configure 'ip dhcp snooping trust' on that port and see if you can get a DHCP IP address from a test pool.

2. You may have to configure 'ip dhcp snooping information option' to prevent adding Option 82.

3. Try configuring the port as untrusted, and see if you can get a DHCP IP.

4. Try configuring the port as untrusted, and configure 'ip dhcp snooping trust' on the SVI if you can.

Re: DHCP snooping on 6509

Hello

Just like to add some information regarding my understanding of DHCP snooping.

1) It needs to be activated via the ip dhcp snooping command, and also for the given VLAN you wish to snoop:

ip dhcp snooping

ip dhcp snooping vlan xx

2) If applied to just one switch with uplink switches, then the uplink switch will require snooping enabled also, and its trunk links trusted, ONLY if the DHCP server is originating from the uplink switch.

3) If the DHCP server is attached to the same switch as the snooping database, then just trust the interface where the server is situated.

4) If the DHCP server is originating on the switch, then there is no need to apply the trusted command.

5) DHCP snooping will do nothing on trusted ports. It just listens on all the untrusted ports and snoops the IPs and MACs relating to those ports via the DHCP DORAs.

6) The snooping database WILL NOT be populated with existing clients; it will only be populated the next time DHCP clients renew/release.

And lastly, on its own this snooping DB does nothing without enabling DAI or IP Source Guard.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

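To put Paul's six points and John's test plan into one piece of configuration for the scenario in this thread (a single 6509 that is core, access and DHCP server at once), here is an added illustration. It is not configuration posted by any participant, and the interface numbers, VLAN IDs, addresses and the TFTP host are assumed values, not anything from the original post.

```cisco
! --- Paul's step 1: enable snooping globally, then per user VLAN
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Option 82 insertion is on by default. When the DHCP server is the
! switch itself, requests tagged by snooping arrive at the local server
! with giaddr 0.0.0.0, which the IOS DHCP server rejects unless told to
! trust them. Simplest fix (John's step 2) is to not insert the option.
no ip dhcp snooping information option
! (alternative if option 82 is wanted for other reasons:
!  ip dhcp relay information trust-all)
!
! Persist the binding table so DAI/IPSG keep working after a reload
! (Paul's point 6: existing leases are only learned at renew/release).
! TFTP host 10.0.0.5 is an assumed address.
ip dhcp snooping database tftp://10.0.0.5/6509-snoop.db
!
! --- The local DHCP server (Paul's point 4: no server port to trust)
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp pool VLAN10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.0.0.10
!
interface Vlan10
 description SVI for users; trust is NOT applied here (it is not an L2 port)
 ip address 10.10.10.1 255.255.255.0
!
! --- Only infrastructure ports are trusted (Jon's point): a firewall,
! a router, or a trunk to another switch that may legitimately carry
! OFFER/ACK. The DHCP server itself needs no trusted port.
interface GigabitEthernet1/1
 description Firewall inside (assumed)
 switchport
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Access ports stay untrusted (the default, Paul's point 5):
! client DISCOVER/REQUEST are forwarded and recorded in the binding
! table; any OFFER/ACK that arrives on these ports is dropped as rogue.
interface range GigabitEthernet2/1 - 48
 switchport
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip verify source vlan dhcp-snooping
!
! --- DAI validates ARP against the snooping bindings (Jon's suggestion)
ip arp inspection vlan 10,20
!
! --- A host with a static IP on an access port gets a manual binding
! instead of a trusted port (MAC/IP/port are assumed values)
ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface GigabitEthernet2/10
```

To run John's test with a laptop on an untrusted port in the test VLAN, release and renew the lease and then check `show ip dhcp snooping` (global and per-VLAN state, which ports are trusted), `show ip dhcp snooping binding` (the laptop's MAC/IP/VLAN/port should appear after the ACK), `show ip arp inspection vlan 10` and `show ip verify source`. If the lease fails only when the port is untrusted and option 82 insertion is still enabled, the `no ip dhcp snooping information option` line above is the first thing to verify.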
New Member

Re: DHCP snooping on 6509

This sounds interesting, it may be the answer that I'm looking for:

4) If the DHCP server is originating on the switch, then there is no need to apply the trusted command.

Re: DHCP snooping on 6509

Pdriver,

That makes sense. I"m assuming that since if an untrusted port on a switch with DHCP Snooping enabled, and enabled for that specific vlan, has a DHCP Broadcast hit that port, it will forward it out all trusted ports, but in theory, since they're arent really any trusted ports, since the DHCP Server is on the switch itself, then the port would just need to be untrusted.

Hall of Fame Super Blue

DHCP snooping on 6509

That makes sense.

So it makes sense when someone else says it, just not me.

Jon

DHCP snooping on 6509

Hello John (there are a lot of Johns / Jons on this forum, don't you think?)

All ports are untrusted by default when DHCP snooping is enabled, as you are aware, and because DHCP DORAs are not originating from any of them, there is no need to trust any.

That's how I remember it from testing Snooping/DAI/IPSG in the past.

res

Paul
