08-14-2009 01:30 AM - edited 03-06-2019 07:14 AM
Hello.
I use the IOS build-in DHCP server feature to provide DHCP services for all my VLANs.
Now I want to configure DHCP Snooping for those VLANs. I read the documentation about DHCP snooping and, as far as I understand it, the use of "ip dhcp snooping trust" is a mandatory command.
But I don't have a trusted interface that is connected to a DHCP server -> because I use the built-in DHCP server in the router.
So the question is:
Which interface is the "trusted interface" when I use the build-in DHCP server?
Or can I just ignore that command (even if it seems to be mandatory)?
Does anyone have experience with that scenario?
Is there a (Windows) tool I could use to test if it is working as expected?
Thanks
Frank
08-14-2009 04:54 AM
Hello Frank,
First, proving that the DHCP Snooping works should begin by using the various commands under show ip dhcp snooping. There are various possibilities to see if the snooping is really in place and what MAC/IP mappings the snooping has recorded on your switch.
Further, you can use the Wireshark packet sniffer on a PC to see that, if another workstation on a different switchport broadcasts a DHCP Discover or Request message, you will not receive that DHCP message. Also, you will not receive any DHCP Offer or ACKs even if they are broadcast.
Also, you can connect an external DHCP server to one of your untrusted switchports and prove that it does not receive any requests and that it does not assign any addresses.
I don't know of a complex tool to test that the DHCP Snooping is working, but you can always test the individual behavior patterns.
Best regards,
Peter
08-14-2009 02:31 AM
Hello Frank,
The DHCP Snooping feature is intended to be used on switches or multilayer switches but not on routers. On what device do you run your DHCP server and where do you want to deploy the DHCP Snooping?
Best regards,
Peter
08-14-2009 03:05 AM
Hi Peter.
Sorry for not being clear enough. I have Cat4506 running as multilayer switches.
Regards
Frank
08-14-2009 03:17 AM
>I have Cat4506 running as multilayer switches.
I have the DHCP server(s) running on the 4506 and I want to deploy DHCP snooping on them.
Regards
Frank
08-14-2009 04:22 AM
Hello,
The command "ip dhcp snooping trust" is for physical switchports only. You do not need to enter any special command on the VLAN interfaces. Simply turn on the DHCP Snooping using the commands:
ip dhcp snooping
ip dhcp snooping vlan X
for every VLAN X and you should be up and going.
Best regards,
Peter
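As an added illustration (not from this thread and not Cisco's code): a small Python model of the two untrusted-port checks that Peter's replies rely on, showing why the built-in server needs no trusted port (its Offer/ACK never arrives on an untrusted switchport) and why a rogue server's Offer on an untrusted port is dropped. Message-type values follow RFC 2132; the packets and MAC addresses are constructed inline.

```python
# Added example: a model of DHCP snooping's untrusted-port filtering, not switch code.
# Packets and MAC addresses below are constructed for illustration.
import struct

# DHCP message types (option 53) per RFC 2132
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_TYPES = {OFFER, ACK, NAK}          # only legitimate when arriving on trusted ports
MAGIC = b"\x63\x82\x53\x63"               # DHCP magic cookie

def build_dhcp(msg_type, chaddr):
    """Build a minimal BOOTP/DHCP payload carrying only option 53 (constructed)."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2        # BOOTREQUEST / BOOTREPLY
    hdr = struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 8   # op,htype,hlen,hops,xid,secs,flags
    hdr += b"\x00" * 16                                     # ciaddr,yiaddr,siaddr,giaddr
    hdr += chaddr + b"\x00" * 10 + b"\x00" * 192            # chaddr(16), sname(64)+file(128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])      # option 53, then end option

def parse_dhcp(payload):
    """Return (message type, 6-byte client hardware address) from a DHCP payload."""
    chaddr = payload[28:34]
    opts = payload[240:]                                    # options start after the cookie
    i = 0
    while i < len(opts) and opts[i] != 255:
        code, length = opts[i], opts[i + 1]
        if code == 53:
            return opts[i + 2], chaddr
        i += 2 + length
    raise ValueError("no DHCP message type option")

def snooping_verdict(payload, src_mac, port_trusted):
    """Model the two checks: server messages are dropped on untrusted ports, and
    (MAC verification, on by default) the frame's source MAC must match chaddr.
    Returns 'forward' or a drop reason."""
    msg_type, chaddr = parse_dhcp(payload)
    if port_trusted:
        return "forward"
    if msg_type in SERVER_TYPES:
        return "drop: server message on untrusted port"
    if src_mac != chaddr:
        return "drop: source MAC does not match chaddr"
    return "forward"

if __name__ == "__main__":
    client = bytes.fromhex("001122334455")                  # constructed client MAC
    print(snooping_verdict(build_dhcp(DISCOVER, client), client, False))
    print(snooping_verdict(build_dhcp(OFFER, client), bytes(6), False))  # rogue server
```

The built-in server's replies are generated by the switch itself, so they never pass through an untrusted access port and the server-message check never touches them.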
08-14-2009 04:39 AM
Hello Peter.
What you said is exactly what I thought.
Nevertheless I wasn't able to find any document on CCO that would describe this situation.
(any Cisco guys reading this -> this would be a suggestion for improvement ;-))
One last point - do you know a (Windows) tool that I could use to prove my DHCP snooping works as expected?
Regards
Frank