We had to put "no ip dhcp snooping information option" in because it was causing our DHCP servers grief.
DHCP snooping is local to the switch, you don't have to run it on intervening switches at all. It's very useful on the 35xx chassis with "ip verify source" as long as you know nobody is supposed to be hooking up minihubs. The 2960s don't support that, but they still keep spoofs off the network.
Do note you also have to put a trust statement on the ports connected to your DHCP servers, not just uplinks. :-)
Just as long as any switch that is running DHCP snooping is trusting any ports that replies from the DHCP server come in on, no other switch needs to be configured in any way.
I think the option 82 stuff still happens in the relay agent -- it is just that whatever DHCP snooping does additionally to option 82 seems to bollox things up on some servers. I may be wrong there, but I don't think you have to turn off option 82 anywhere but in the dhcp snooping config on switches running dhcp snooping, and depending on your servers, you may not even have to do that.
Just if you decide to use SCP for your switch database there are a few nuances -- you have to start with a tftp file and get it working, then switch to SCP to get a successful first write, then everything works normally.
For anything SSH related, I recommend 46SE or 50SE, a lot of the previous builds had memory issues in the SSH code.
Anyone know if the core switch configured as a relay with ip helper needs to be configured with IP snooping?
We have this issue where our DHCP server had a connection in every VLAN. Now we just moved to a DHCP server in a secured zone with dhcp relays and ip helper on the layer 3 core switch, but it's not working. Right now dhcp snooping is only enabled on the access switches and I'm starting to think it needs to be enabled on the core as well. This is confusing.
DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted DHCP message is a message that is received from outside the network or firewall causing denial of service attacks.
Option 82 is the Relay Agent Information Option as described in RFC 3046 to insert circuit specific information into a request that is being forwarded to a DHCP server. In its default configuration, the DHCP Relay Agent Information Option passes along port and agent information to a central DHCP server. It is useful in statistical analysis, as well as indicating where an assigned IP address physically connects to the network.
The first step to configure DHCP Snooping is to turn on DHCP snooping in all Cisco Switches using the “ip dhcp snooping” command:
All Cisco Switches (config)#ip dhcp snooping
Second step is to configure the trusted interfaces on trunk ports also to reach DHCP server.
An interface not explicitly configured as a trust interface is treated as an untrusted interface.
ciscoswitch(config)# interface fa0/0
ciscoswitch(config-if)# ip dhcp snooping trust