
DHCP Snooping

Hello my friends,

I need to configure DHCP snooping on my Catalyst 3560 switch. I did that, but I have the following questions:

- All access ports "to clients" must be untrusted, and the untrusted state is determined by the limit rate command, and as I read, Cisco recommends a limit rate of 100, right?

- For the remote sites, I have PCs and Cisco IP Phones. I have configured a trunk link from the switch to the router "gateway", with subinterfaces on the router Ethernet ports for inter-VLAN routing and the ip helper command on the router subinterfaces. I think when DHCP snooping is enabled on the remote site switch, I will see the DHCP snooping binding table, right? But in my case I can't see it. Is it required to configure the ip helper-address on the switch, i.e. the switch will be the gateway for both PCs and the IP phones using SVIs, and assign the ip helper-address on the SVI to see the binding table?

- I think the binding table is required in order to configure dynamic ARP inspection and IP source guard, right?

Thanks in advance

Abd Alqader

Re: DHCP Snooping

Hi,

Remember that when using dhcp snooping with ip helper you must use the following on the ip helper interface:

ip dhcp relay information trusted

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf1c.html

Happy holidays.

Gabi.

Re: DHCP Snooping

Hello Gabi,

Thanks for your response.

OK, I will add this interface command and update you. But does the ip helper address have to be on the switch itself? Or can the switch detect the DHCP traffic and build the binding table?

I ask since I have a topology at my remote sites where the PCs and the IP Phones are connected to the switch with data and voice VLANs, and their gateway is the subinterface on the router, i.e. the ip helper address is set on this subinterface, not on the switch itself.

Thanks in advance

Abd Alqader

Re: DHCP Snooping

Hi,

IP helper needs to be specified only on routed or VLAN interfaces for DHCP traffic to pass them. You can't, and it makes no sense to, use ip helper in a layer 2 environment.

The binding table is constructed only when DHCP traffic _is_ passing the switch. If you have the DHCP server behind a router that does not pass DHCP traffic, then DHCP will not work on your network and the binding table will be empty.

I hope that helped.

Gabi.

Re: DHCP Snooping

Hi,

Sure, it makes no sense to put the ip helper on a layer 2 interface; this is not my question.

I have PCs connected to Cisco IP phones, and these phones are connected to a Cisco 3560 switch, and I have a trunk link to a Cisco router. On this router, two subinterfaces are created for the two VLANs on the switch, "data and voice", and I set the ip helper on the subinterfaces of the router. The PCs will broadcast asking for an IP address, this broadcast request will be delivered to the router, and the router will pass it to the DHCP server "ip helper command". Now, I'm checking my switch, and the binding table is empty. I think the switch will recognize the DHCP traffic and build that binding table, right? Also, is this command "ip dhcp relay information trusted" required on the router subinterface with the ip helper command?

Another question: I think by default the interfaces will be untrusted, right? Is it required to rate limit DHCP packets on these interfaces or not? I did the rate limit, and sometimes the Cisco IP phone doesn't get an IP address unless I remove the rate limit command or disable DHCP snooping on the switch "global".

Thanks in advance

Abd Alqader
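
The topology discussed in this thread, written out as an added example (not posted by either participant, and not taken from Cisco documentation): a layer 2 Catalyst 3560 with DHCP snooping, and a router with subinterfaces doing the relay. VLAN IDs, interface names and IP addresses are assumptions; the rate of 100 and `ip dhcp relay information trusted` come from the posts above.

```cisco
! Added example. VLANs 10/20, interface names and addresses are assumptions.
!
! ---------- Catalyst 3560 (layer 2 only, no ip helper-address here) ----------
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Uplink toward the router and DHCP server: must be trusted, otherwise
! server replies arriving on this port are dropped by snooping.
interface GigabitEthernet0/1
 description Trunk to router
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
! Client ports stay untrusted, which is the default for every port once
! snooping is enabled. The rate limit is a separate, optional setting.
interface range FastEthernet0/1 - 24
 description IP phone with PC behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip dhcp snooping limit rate 100
!
! ---------- Router (gateway for both VLANs, relays to the DHCP server) ----------
interface FastEthernet0/0.10
 description Data VLAN
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.128
 ip helper-address 198.51.100.10
 ! Accept requests that carry option 82 inserted by the snooping switch
 ip dhcp relay information trusted
!
interface FastEthernet0/0.20
 description Voice VLAN
 encapsulation dot1Q 20
 ip address 192.0.2.129 255.255.255.128
 ip helper-address 198.51.100.10
 ip dhcp relay information trusted
!
! ---------- Verification on the switch ----------
! show ip dhcp snooping           (enabled VLANs, trusted ports, rate limits)
! show ip dhcp snooping binding   (entries appear after clients complete DHCP)
```

Bindings are learned only from DHCP exchanges that complete after snooping is enabled, so clients that already hold a lease do not appear in the table until they renew.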
