
DHCP snooping with local DHCP server on router

fherlan
Level 1

Hello.

I use the IOS built-in DHCP server feature to provide DHCP services for all my VLANs.

Now, I want to configure DHCP Snooping for those VLANs. I read the documentation about DHCP snooping and as far as I understand it, the use of "ip dhcp snooping trust" is a mandatory command.

But I don't have a trusted interface that is connected to a DHCP server -> because I use the built-in DHCP server in the router.

So the question is:

Which interface is the "trusted interface" when I use the built-in DHCP server?

Or can I just ignore that command (even if it seems to be mandatory)?

Does anyone have experience with that scenario?

Is there a (Windows) tool I could use to test if it is working as expected?

Thanks

Frank


Peter Paluch
Cisco Employee

Hello Frank,

The DHCP Snooping feature is intended to be used on switches or multilayer switches but not on routers. On what device do you run your DHCP server and where do you want to deploy the DHCP Snooping?

Best regards,

Peter

Hi Peter.

Sorry for not being clear enough. I have Cat4506 running as multilayer switches.

Regards

Frank

>I have Cat4506 running as multilayer switches.

I have the DHCP server(s) running on the 4506 and I want to deploy DHCP snooping on them.

Regards

Frank

Hello,

The command "ip dhcp snooping trust" is for physical switchports only. You do not need to enter any special command on the VLAN interfaces. Simply turn on the DHCP Snooping using the commands:

ip dhcp snooping

ip dhcp snooping vlan X

for every VLAN X and you should be up and going.

Best regards,

Peter

Hello Peter.

What you said is exactly what I thought.

Nevertheless I wasn't able to find any document on CCO that would describe this situation.

(any Cisco guys reading this -> this would be a suggestion for improvement ;-))

One last point - do you know a (Windows) tool that I could use to prove my DHCP snooping works as expected?

Regards

Frank

Hello Frank,

First, proving that the DHCP Snooping works should begin by using the various commands under show ip dhcp snooping. There are various possibilities to see if the snooping is really in place and what MAC/IP mappings the snooping has recorded on your switch.

Further, you can use the Wireshark packet sniffer on a PC to see that if another workstation on a different switchport broadcasts a DHCP Discover or Request message, you will not receive that DHCP message. Also, you will not receive any DHCP Offer or Acks even if they are broadcast.

Also, you can connect an external DHCP server to one of your untrusted switchports and prove that it does not receive any requests and that it does not assign any addresses.

I don't know of a complex tool to test that the DHCP Snooping is working, but you can always test the individual behavior patterns.

Best regards,

Peter
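
Added example, not part of the original thread: a Python sketch of the Wireshark check Peter describes, which parses DHCP payloads captured on a PC attached to an untrusted port and lists any DHCP messages that belong to other clients. The function names, MAC addresses and sample payloads are constructed for illustration; it assumes the UDP payloads have already been exported from the capture.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie, RFC 2131
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}  # option 53, RFC 2132

def parse_dhcp(payload):
    """Return (client MAC, message type) from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)                      # hardware address length
    mac = payload[28:28 + hlen].hex(":")            # chaddr field
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == 53 and length == 1:
            return mac, MSG_TYPES.get(value[0], f"UNKNOWN({value[0]})")
        i += 2 + length
    raise ValueError("no DHCP message type option")

def foreign_dhcp(payloads, own_mac):
    """List DHCP messages in the capture that belong to other clients."""
    seen = [parse_dhcp(p) for p in payloads]
    return [(mac, kind) for mac, kind in seen if mac != own_mac.lower()]

def sample(op, mac, msg_type):
    """Build a constructed DHCP payload (test data, not a real capture)."""
    hdr = struct.pack("!4BIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0,
                      0x8000, b"", b"", b"", b"",
                      bytes.fromhex(mac.replace(":", "")), b"", b"")
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

OWN = "00:11:22:33:44:55"      # constructed MAC of the capturing PC
OTHER = "00:aa:bb:cc:dd:ee"    # constructed MAC of another workstation
CLEAN = [sample(1, OWN, 1), sample(2, OWN, 2), sample(1, OWN, 3), sample(2, OWN, 5)]
LEAKY = CLEAN + [sample(1, OTHER, 1), sample(2, OTHER, 5)]

if __name__ == "__main__":
    print("clean capture:", foreign_dhcp(CLEAN, OWN))
    print("leaky capture:", foreign_dhcp(LEAKY, OWN))
```

An empty list matches the behaviour described in the post above; any entry is another client's DHCP traffic reaching the untrusted port and is worth checking against the show ip dhcp snooping output.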
