I have a question about DHCP snooping. I want to enable this feature on two 6509 Catalyst switches that are doing Layer 3 Etherchannel towards the DHCP server and relaying DHCP requests by using the ip helper-address command. Here's the topology: http://img442.imageshack.us/img442/6159/dhcpsnoop.jpg
After reading a few articles, I'm still not sure where to put some of the commands to enable that feature and I don't feel like experimenting on a live production network (unfortunately I can't lab it up). I was planning on issuing the following commands:
1) ip dhcp snooping information option (global conf mode) ---- to enable DHCP option-82 data insertion
2) ip dhcp snooping vlan 10 (global conf mode) ---- enables DHCP snooping on a VLAN
3) Then I need to configure DHCP trust state on the appropriate interfaces, but I can't apply the "ip dhcp snooping trust" command to the Port-Channel interfaces because there's no such command. So I figured I'd apply this command to the interfaces that compose the EtherChannel, but I can't do that either for the same reason. Do I really need to apply that command in my case?
4*) Some people say that I also need to apply the "ip dhcp relay information trusted" command to the SVI interface, but Cisco says the opposite -
"When DHCP snooping is enabled, these Cisco IOS DHCP commands are not available on the switch:
- ip dhcp relay information trusted interface configuration command
If you enter these commands, the switch returns an error message, and the configuration is not applied."
5) And, of course, I enable it by issuing the "ip dhcp snooping" command.
If anybody has any suggestions on how to enable DHCP snooping in my case or have the same setup up and running, your help will be greatly appreciated. Thanks.
1) On switches I had experience with, the "ip dhcp snooping information option" is already active. However, entering it should not do any harm.
3) Interesting. I am looking at my 3560G running 12.2(52)SE and the command "ip dhcp snooping trust" is available on Port-channel interfaces. I would personally think that this command is necessary and cannot be omitted; however, you are suggesting that the command is not available on the Port-channel nor on the member interfaces. That is strange. What exact IOS version are you running?
4) The command "ip dhcp relay information trusted" is necessary for the following reason: When a DHCP request is forwarded by a switch running the DHCP snooping feature, the Option 82 (the so-called relay information option) will be added to the request by the switch. However, the IP address of the relay agent in the DHCP request (the GIADDR) will remain set to 0.0.0.0 because the switch is not a real DHCP relay; it just added the Option 82 for its own DHCP snooping purposes. If the DHCP server is running on a different switch than the one doing the DHCP snooping, it will reject this DHCP packet because it will contain the Option 82, yet the IP address of the relay agent in the request will be set to 0.0.0.0, which is illogical to the DHCP server (if there is no relay agent, how come the request contains the relay agent information option?). In this case, the problem can be corrected by the command "ip dhcp relay information trusted", which allows the DHCP server to process DHCP requests with the relay IP address set to 0.0.0.0.
In short: use that command if the DHCP server is on another switch than the one doing the DHCP snooping.
5) Correct, this command is necessary.
Clearly, there is something strange regarding the "ip dhcp snooping trust" command in your case. Let's first see what your exact IOS version is and then look up some details in the configuration guides for that version.
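The packet-level situation described in point 4 of the answer above, as an added example that is not part of the original thread: a constructed DHCPDISCOVER, the Option 82 insertion a snooping switch performs without touching giaddr, the giaddr fill-in a real relay agent (ip helper-address) performs, and the check a downstream relay or server applies to a packet that carries Option 82 while giaddr is still 0.0.0.0, with a boolean standing in for "ip dhcp relay information trusted". The MAC address, circuit-id, remote-id and relay IP are made up; the option codes and BOOTP field layout are the standard ones.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, Tuple

# Constructed example, not from the original thread: models why a packet that
# carries Option 82 but has giaddr 0.0.0.0 is dropped by the next relay or the
# server, and what "ip dhcp relay information trusted" changes. All addresses
# and identifiers below are made up.

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53        # DHCP message type option
OPT_RELAY_AGENT = 82     # relay agent information option (RFC 3046)
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
BOOTP_HEADER_LEN = 236
GIADDR_OFFSET = 24       # after op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr


def build_discover(chaddr: bytes, xid: int = 0x1234ABCD) -> bytes:
    """A client's DHCPDISCOVER: BOOTREQUEST with giaddr 0.0.0.0 and no Option 82."""
    zero4 = b"\x00" * 4
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                # xid, secs, flags (broadcast bit set)
        zero4, zero4, zero4, zero4,    # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,
    )
    options = bytes([OPT_MSG_TYPE, 1, 1, OPT_END])   # message type 1 = DISCOVER
    return header + MAGIC_COOKIE + options


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Return {code: value} for the options that follow the magic cookie."""
    if packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, BOOTP_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def giaddr(packet: bytes) -> IPv4Address:
    """The relay agent IP address field of the BOOTP header."""
    return IPv4Address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])


def snooping_insert_option82(packet: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """What a switch with 'ip dhcp snooping information option' does: append
    Option 82 with circuit-id and remote-id sub-options, but leave giaddr as
    it was (0.0.0.0), because the switch is not acting as a relay agent."""
    sub = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    opts = parse_options(packet)
    opts[OPT_RELAY_AGENT] = sub
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts.items())
    return packet[:BOOTP_HEADER_LEN + 4] + body + bytes([OPT_END])


def relay_forward(packet: bytes, relay_ip: str) -> bytes:
    """What a real relay agent (ip helper-address on the SVI) does: write its
    own interface address into giaddr and increment the hops field."""
    hops = bytes([packet[3] + 1])
    return (packet[:3] + hops + packet[4:GIADDR_OFFSET]
            + IPv4Address(relay_ip).packed + packet[GIADDR_OFFSET + 4:])


def check_relay_information(packet: bytes, relay_information_trusted: bool = False) -> Tuple[bool, str]:
    """The sanity check RFC 3046 section 2.1 recommends: Option 82 present while
    giaddr is 0.0.0.0 means the relay information did not come through a relay,
    so the packet is discarded unless the ingress interface is configured with
    'ip dhcp relay information trusted' (modelled here by the flag)."""
    has_option82 = OPT_RELAY_AGENT in parse_options(packet)
    relayed = giaddr(packet) != IPv4Address("0.0.0.0")
    if has_option82 and not relayed and not relay_information_trusted:
        return False, "Option 82 present but giaddr is 0.0.0.0: relay information not trusted"
    return True, "accepted"


if __name__ == "__main__":
    client = build_discover(bytes.fromhex("001122334455"))                      # made-up MAC
    snooped = snooping_insert_option82(client, b"\x00\x0a\x00\x03", b"switch-a")  # made-up IDs
    print("plain client request       ", check_relay_information(client))
    print("snooped, next hop untrusted", check_relay_information(snooped))
    print("snooped, next hop trusted  ", check_relay_information(snooped, True))
    print("snooped then relayed       ", check_relay_information(relay_forward(snooped, "10.10.10.1")))
```

The last case is the one where snooping and the helper-address live on the same box: once the SVI relay has filled in giaddr, the packet no longer trips the check, which is why the "trusted" command only matters when the snooping switch and the relay or server are different devices.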
First of all, I'd like to thank you for your attention to my problem and for your detailed input and suggestions. Looks like the only thing left to figure out is where I should or shouldn't apply the "ip dhcp snooping trust" command :)
As for the IOS version that I'm running, it's as follows: