dhcp snooping when a switch acts as the dhcp server

Brian Cartledge
Level 1

I have a question about enabling DHCP snooping on a switch that is also configured as a DHCP server. Where would you configure the ip dhcp snooping trust command?

e.g.

ip dhcp pool desktop
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
!
interface g0/1
 switchport access vlan 2
 switchport mode access
!
int vlan 2
 description desktop
 ip address 192.168.0.1 255.255.255.0

TIA

4 Replies

cadet alain
VIP Alumni

Hi,

Why configure DHCP snooping on the DHCP server? It makes no sense.

This feature is meant to prevent rogue DHCP servers and DHCP starvation attacks, and it should be configured on access switches to prevent users from installing rogue DHCP servers and using them for MiTM attacks.

Alain.

Don't forget to rate helpful posts.

Thanks for the response.

I understand what you are getting at. What about a situation, though, with a remote branch office with 1 switch and no servers to run DHCP? Is DHCP snooping a good option to use here to stop users from connecting rogue servers?

Hi,

Then I would leave all ports as untrusted which is the default.

Alain.

Don't forget to rate helpful posts.

I just tested this and, as you say, just leave everything untrusted. I thought it might be necessary to use the ip dhcp snooping trust command on the SVI interface, but that's not the case.
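
One way to check a branch switch's configuration against the outcome of this thread, as an added example that is not part of any poster's reply: the script reports when snooping is off, when an access VLAN is not snooped, or when an access port has been marked trusted. The sample config is constructed from the question's config with snooping enabled for VLAN 2, and the function names and the `show running-config` style indentation are assumptions of the example.

```python
import re
# Constructed sample: the asker's branch-switch config plus DHCP snooping
# enabled for VLAN 2, with no port trusted (the outcome of the thread).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 2
ip dhcp pool desktop
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
interface GigabitEthernet0/1
 switchport access vlan 2
 switchport mode access
interface Vlan2
 description desktop
 ip address 192.168.0.1 255.255.255.0
"""

def expand_vlans(spec):
    """Turn a VLAN list such as '2,10-12' into {2, 10, 11, 12}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dhcp_snooping(config):
    """Return findings, assuming the switch itself is the only DHCP server."""
    enabled, snooped, access, trusted, iface = False, set(), {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # global-level command
            iface = None
            if line == "ip dhcp snooping":
                enabled = True
            elif m := re.fullmatch(r"ip dhcp snooping vlan ([\d,\-]+)", line):
                snooped |= expand_vlans(m.group(1))
            elif m := re.fullmatch(r"interface (\S+)", line):
                iface = m.group(1)
        elif iface and (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
            access[iface] = int(m.group(1))
        elif iface and line == "ip dhcp snooping trust":
            trusted.add(iface)
    findings = [] if enabled else ["DHCP snooping is not enabled globally"]
    for name, vlan in sorted(access.items()):
        if vlan not in snooped:
            findings.append(f"{name}: access VLAN {vlan} is not snooped")
        if name in trusted:
            findings.append(f"{name}: access port is trusted")
    return findings
```

An empty list means the config matches the thread's conclusion; on the switch itself, `show ip dhcp snooping` and `show ip dhcp snooping binding` show the live state.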
