Cisco Support Community

New Member

DHCP snooping with local DHCP server on router

Hello.

I use the IOS built-in DHCP server feature to provide DHCP services for all my VLANs.

Now, I want to configure DHCP Snooping for those VLANs. I read the documentation about DHCP snooping and, as far as I understand it, the use of "ip dhcp snooping trust" is a mandatory command.

But I don't have a trusted interface that is connected to a DHCP server, because I use the built-in DHCP server in the router.

So the question is:

Which interface is the "trusted interface" when I use the build-in DHCP server?

Or can I just ignore that command (even if it seems to be mandatory)?

Does anyone have experience with that scenario?

Is there a (Windows) tool I could use to test if it is working as expected?

Thanks

Frank

  • LAN Switching and Routing
Accepted Solution
Cisco Employee

Re: DHCP snooping with local DHCP server on router

Hello Frank,

First, proving that the DHCP Snooping works should begin by using the various commands under show ip dhcp snooping. There are various possibilities to see if the snooping is really in place and what MAC/IP mappings the snooping has recorded on your switch.

Further, you can use the Wireshark packet sniffer on a PC to see that if another workstation on a different switchport broadcasts a DHCP Discover or Request message, you will not receive that DHCP message. Also, you will not receive any DHCP Offer or Acks even if they are broadcast.

Also, you can connect an external DHCP server to one of your untrusted switchports and prove that it does not receive any requests and that it does not assign any addresses.

I don't know of a complex tool for testing that the DHCP Snooping is working, but you can always test the individual behavior patterns.

Best regards,

Peter

6 REPLIES
Cisco Employee

Re: DHCP snooping with local DHCP server on router

Hello Frank,

The DHCP Snooping feature is intended to be used on switches or multilayer switches but not on routers. On what device do you run your DHCP server and where do you want to deploy the DHCP Snooping?

Best regards,

Peter

New Member

Re: DHCP snooping with local DHCP server on router

Hi Peter.

Sorry for not being clear enough. I have Cat4506s running as multilayer switches.

Regards

Frank

New Member

Re: DHCP snooping with local DHCP server on router

> I have Cat4506s running as multilayer switches.

I have the DHCP server(s) running on the 4506 and I want to deploy DHCP snooping on them.

Regards

Frank

Cisco Employee

Re: DHCP snooping with local DHCP server on router

Hello,

The command "ip dhcp snooping trust" is for physical switchports only. You do not need to enter any special command on the VLAN interfaces. Simply turn on the DHCP Snooping using the commands:

ip dhcp snooping

ip dhcp snooping vlan X

for every VLAN X and you should be up and going.

Best regards,

Peter
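The configuration the two answers above describe, written out as an added example (not taken from the thread or from Cisco documentation): a Catalyst multilayer switch that is both the DHCP server for its VLANs and the DHCP snooping switch. VLAN numbers, pool addresses, and interface names are assumed. It also carries the one caveat a practitioner hits in this exact scenario: once snooping is on, the switch inserts option 82 with a zero giaddr into client requests, and by default the IOS DHCP server discards such requests, so the local server must be told to trust them (or option 82 insertion must be turned off).

```cisco
! Added example, not the thread author's configuration.
! Assumed: VLANs 10 and 20, pool addresses, interface names.
!
! The built-in DHCP server that the original poster already runs.
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp pool VLAN10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
!
! Caveat for a local DHCP server: snooping adds option 82 with giaddr
! 0.0.0.0 to client requests, and the IOS DHCP server drops those by
! default. Accept them globally (or use: no ip dhcp snooping information option).
ip dhcp relay information trust-all
!
! Enable snooping globally and on each served VLAN (Peter's two commands).
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Client-facing access ports stay untrusted (the default): DHCP Offer/Ack
! arriving here is dropped, and the source MAC must match the DHCP chaddr.
! The rate limit caps Discover/Request floods from a single port.
interface range GigabitEthernet1/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! No "ip dhcp snooping trust" is needed for the local server: it is not
! behind any switchport. Trust only inter-switch trunks (if any) that can
! legitimately carry DHCP server traffic back into this switch.
interface TenGigabitEthernet6/1
 switchport mode trunk
 ip dhcp snooping trust
!
! Verification from the CLI (the checks the accepted answer refers to):
!   show ip dhcp snooping          -> feature state, snooped VLANs, trusted ports
!   show ip dhcp snooping binding  -> MAC/IP/VLAN/port entries learned from leases
```

If clients stop getting leases right after snooping is enabled, the binding table will stay empty while `show ip dhcp snooping` still reports the feature as active; that pattern points at the option 82 caveat above rather than at the trust command.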

New Member

Re: DHCP snooping with local DHCP server on router

Hello Peter.

What you said is exactly what I thought.

Nevertheless I wasn't able to find any document on CCO that would describe this situation.

(any Cisco guys reading this -> this would be a suggestion for improvement ;-))

One last point - do you know a (Windows) tool that I could use to prove my DHCP snooping works as expected?

Regards

Frank
