DHCP Snooping

I would like to enable DHCP snooping on our network. We just had someone plug in a rogue DHCP server which assigned invalid IP Addresses to a bunch of client machines.

How would we go about configuring DHCP snooping?

Our network setup consists of 2 6500 core switches that have trunk ports to our 3750 stacks. One of our DHCP servers (physical server) is plugged directly into one of the 6500 switches. The other DHCP server is a VMware client. The ESX host is also plugged into the 6500 switch.

Note we also have a trunk between the 6500 switches, all 3750 switch stacks have redundant links back to each 6500 switch.

4 REPLIES

Re: DHCP Snooping

I'll refrain from making comments about the infrastructure - however you might want to have a read of some of the Campus Switching documents at the SRND site:

http://www.cisco.com/go/srnd

Anyway that aside, DHCP snooping is pretty easy to implement. You need to enable DHCP snooping on the access switches where your DHCP clients are for each VLAN using the global command:

ip dhcp snooping vlan 10,20,30,40

If you are using Windows 2000/2003 as the DHCP server then you need to disable Option 82 insertion as they won't understand it and DHCP will fail.

no ip dhcp snooping information option

Then enable DHCP snooping globally:

ip dhcp snooping

On your uplinks (trunks or access ports) you need to enable DHCP snooping trust:

interface GigabitEthernet1/0/1
 ip dhcp snooping trust

Additionally if your DHCP servers are attached to switches with DHCP snooping enabled you need to trust these access ports as well using the same command.

Optionally (though recommended) you can rate-limit DHCP requests on client access ports to mitigate DHCP DoS attacks:

interface FastEthernet1/0/1
 ip dhcp snooping limit rate 100

HTH

Andy


Re: DHCP Snooping

Do we need to do "ip dhcp snooping trust" on the ports at the core and access side?

Re: DHCP Snooping

By default, all ports are untrusted. You'll need to configure the ports that have DHCP servers connected to them as trusted ports.

--John

HTH, John *** Please rate all useful posts ***

Re: DHCP Snooping

If you enable DHCP snooping on the core switch then you will need to enable trust on any layer-2 uplinks (as well as the ports where the DHCP servers are connected).

Andy
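As an added example (not code from the thread or from Cisco), here is a small Python audit that parses an IOS-style running-config and reports the gaps the replies warn about: snooping not enabled globally or with no VLAN list, Option 82 insertion left on, a trunk uplink left untrusted, and a client access port with no rate limit. The running-config it checks is constructed for the example.

```python
# Constructed sample running-config (not from the thread): an access switch set up
# per Andy's steps, except one uplink was left untrusted and one client port unlimited.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10,20,30,40
no ip dhcp snooping information option
ip dhcp snooping
interface GigabitEthernet1/0/1
 switchport mode trunk
 ip dhcp snooping trust
interface GigabitEthernet1/0/2
 switchport mode trunk
interface FastEthernet1/0/1
 switchport mode access
 ip dhcp snooping limit rate 100
interface FastEthernet1/0/2
 switchport mode access
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def audit_dhcp_snooping(config: str) -> list[str]:
    """Check a config against the thread's advice; return the gaps found."""
    findings = []
    glob = {ln.strip() for ln in config.splitlines() if not ln.startswith(" ")}
    if "ip dhcp snooping" not in glob:
        findings.append("global: 'ip dhcp snooping' is not enabled")
    if not any(g.startswith("ip dhcp snooping vlan ") for g in glob):
        findings.append("global: no VLANs listed under 'ip dhcp snooping vlan'")
    if "no ip dhcp snooping information option" not in glob:
        findings.append("global: Option 82 insertion still on (Windows 2000/2003 DHCP fails)")
    for name, cmds in parse_interfaces(config).items():
        trunk = "switchport mode trunk" in cmds
        trusted = "ip dhcp snooping trust" in cmds
        limited = any(c.startswith("ip dhcp snooping limit rate ") for c in cmds)
        if trunk and not trusted:
            findings.append(f"{name}: uplink is untrusted, server replies through it are dropped")
        if not trunk and not trusted and not limited:
            findings.append(f"{name}: client port has no 'ip dhcp snooping limit rate'")
    return findings
```

Run it against `show running-config` output from each access switch (and from the 6500s if snooping is enabled there) to catch the untrusted-uplink case John and Andy describe.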
