Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
416
Views
0
Helpful
4
Replies

DHCP Snooping

brianwagerer
Level 1
Level 1

‎11-13-2008 12:57 PM - edited ‎03-06-2019 02:28 AM

I would like to enable DHCP snooping on our network. We just had someone plug in an rogue DHCP server which assigned invalid IP Addresses to a bunch of client machines.

How would we go about configuring DHCP snooping?

Out network setup consists of 2 6500 core switches that have trunk ports to our 3750 stacks. One of our DHCP servers (physical server) is plugged directly into one of the 6500 switches. The other DHCP server is a VMware client. The ESX host is also plugged into the 6500 switch.

Note we also have a trunk between the 6500 switches, all 3750 switch stacks have redundant links back to each 6500 switch.

Labels:
0 Helpful
4 Replies 4

andrew.butterworth
Level 7
Level 7

‎11-13-2008 01:09 PM

I'll refrain from making comments about the infrastructure - however you might want to have a read of some of the Campus Switching documents at the SRND site:

http://www.cisco.com/go/srnd

Anyway that aside, DHCP snooping is pretty easy to implement. You need to enable DHCP snooping on the access switches where your DHCP clients are for each VLAN using the global command:

ip dhcp snooping vlan 10,20,30,40

If you are using Windows 2000/2003 as the DHCP server then you need to disable Option 82 insertion as they won't understand it and DHCP will fail.

no ip dhcp snooping information option

Then enable DHCP snooping globally:

ip dhcp snooping

On your uplinks (trunks or access ports) you need to enable DHCP snooping trust:

interface GigabitEthernet1/0/1

ip dhcp snooping trust

Additionally if your DHCP servers are attached to switches with DHCP snooping enabled you need to trust these access ports as well using the same command.

Optionally (though recommended) you can rate-limit DHCP requests on client access ports to mitigate DHCP DoS attacks:

interface FastEthernet1/0/1

ip dhcp snooping limit rate 100

HTH

Andy

0 Helpful

brianwagerer
Level 1
Level 1
In response to andrew.butterworth

‎11-13-2008 01:34 PM

Do we need to do "ip dhcp snooping trust" on the ports at the core and access side?

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to brianwagerer

‎11-13-2008 01:43 PM

By default, all ports are untrusted. You'll need to configure the ports that have DHCP servers connected to them as trusted ports.

--John

HTH, John *** Please rate all useful posts ***
0 Helpful

andrew.butterworth
Level 7
Level 7
In response to brianwagerer

‎11-13-2008 02:41 PM

If you enable DHCP snooping on the core switch then you will need to enable trust on any layer-2 uplinks (as well as the ports where the DHCP servers are connected).

Andy

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card