Community Member

Enterprise : DHCP Snooping

Hi Guys,

I am planning to implement DHCP snooping in my enterprise network, so I would like to take your advice before starting.

Here is my network setup:

user pc----Access switch - dist switch- core-switch - Serverfarm core switch - server farm - windows dhcp server

Some users get their DHCP IP address from the Windows DHCP server (e.g. VLAN 100).

Some users get their DHCP IP address from the dist server configured on the distribution switch, say VLAN 200.

DHCP snooping should be implemented end to end.

Question 1

1. Does the ip dhcp snooping command need to be applied on all switches (Access switch - dist switch- core-switch - Serverfarm core switch - server farm)?

2. Which ports are to be configured as DHCP trust ports?

3. FYI, DHCP relay is used on the distribution switch, say for VLAN 100.

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

Enterprise : DHCP Snooping

If you're going to enable it, I would enable it across all of your switches as I stated in my previous posts. You should enable it on the same vlans across all switches since you'll need to pass that information across all of your switches.

HTH,
John

*** Please rate all useful posts ***

12 REPLIES

Enterprise : DHCP Snooping

You would configure snooping on all of your access switches. Trust the switch uplinks and the port that the dhcp servers connect to.

HTH,
John

*** Please rate all useful posts ***

Community Member

Enterprise : DHCP Snooping

Thanks John

1. You mean configure the ip dhcp snooping command only on the access switch, but not on the dist/core/server core and server farm switches?

2. And only trust the port connecting from the server farm switch to the server farm core?

In that case my whole config will be:

Access switch

ip dhcp snooping

ip dhcp snooping vlan 100,200

server farm switch

Trust the dhcp server connected port

Trust the up link port

Did I miss something more?

Enterprise : DHCP Snooping

Personally, I would enable it everywhere, but you're generally only worried about the access switches because a user can bring a wireless router from home to give themselves extra switchports or wireless where they may not have it, and they'll keep the dhcp server enabled. Once they connect it to the network, it can start handing out addresses. Of course, there are other malicious things users can do with dhcp, but the previous example is more common, at least in my environment.

The only ports that you should trust are all of the interswitch links (uplink ports) and the port that your dhcp server connects to.

HTH,
John

*** Please rate all useful posts ***

Community Member

Enterprise : DHCP Snooping

You are right, it's required only on the access switch.

Now my next query: for the interface command ip dhcp snooping trust to be effective, do I need to apply the global ip dhcp snooping command on the switch, for example the dist switch?

I would need more clarity on the interswitch links (uplink ports).

Does that mean all the trunks starting from the user side to the DHCP server side?

For example, trust both ports on the distribution switch, one towards the user side and the other towards the DHCP server side?

Thanks again

Enterprise : DHCP Snooping

Suppose you have the following:

PC --- (f0/1) Access SWA (f0/2) ----- (f0/2) Access SWB (f0/3) ----- (f0/3) Distribution (f0/4) ---- (f0/4) Core (f0/5) ----- Server

PC connects to fa0/1

Access SWA fa0/2 connects to SWB on fa0/2

Access SWB fa0/3 connects to Distribution on fa0/3

Distribution fa0/4 connects to Core on fa0/4

Server connects to Core on fa0/5

Run "ip dhcp snooping" on all of the switches.

On SWA, trust fa0/2

SWB trust fa0/2 and fa0/3

Distribution trust fa0/3 and fa0/4

Core trust fa0/4 and fa0/5

To trust, go under the interface:

int fa0/5

ip dhcp snooping trust

You need to have ip dhcp snooping global to enable snooping.

HTH,
John

*** Please rate all useful posts ***

Community Member

Enterprise : DHCP Snooping

Thanks again. I will try to implement accordingly. Anything specific if I have DHCP relay on the dist switch?

Enterprise : DHCP Snooping

DHCP relays shouldn't be affected as long as you have the appropriate ports trusted. Just remember that it needs to be trusted if it leads to a dhcp server.

HTH,
John

*** Please rate all useful posts ***

Community Member

Enterprise : DHCP Snooping

Alright, anyway I am going to try this implementation next week.

I have another query: do I need to apply ip dhcp snooping vlan 100,200 on all switches? Access for sure; how about on the dist, core and server access switches?

Thanks in advance

Enterprise : DHCP Snooping

If you're going to enable it, I would enable it across all of your switches as I stated in my previous posts. You should enable it on the same vlans across all switches since you'll need to pass that information across all of your switches.

HTH,
John

*** Please rate all useful posts ***


Re: Enterprise : DHCP Snooping

DHCP snooping only needs to be trusted on ports that will receive a DHCP offer inbound on the interface.

Sent from Cisco Technical Support iPhone App
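
Added example, not part of any post in this thread: a small Python script that applies the rule in the reply above (trust only ports where DHCP server replies arrive inbound) to the PC/SWA/SWB/Distribution/Core/Server example topology given earlier, and renders the matching commands. The function names and the link list are constructed for illustration, and it assumes every trusted port leads to a neighbour strictly closer to the server.

```python
from collections import deque

# Constructed from the example topology in the thread: (device, port, peer, peer_port)
LINKS = [
    ("SWA", "fa0/2", "SWB", "fa0/2"),
    ("SWB", "fa0/3", "Distribution", "fa0/3"),
    ("Distribution", "fa0/4", "Core", "fa0/4"),
    ("Core", "fa0/5", "Server", "nic"),   # "nic" is a placeholder for the server side
]

def offer_facing_ports(links, servers):
    """Return {switch: [ports]} for ports that receive DHCP server replies inbound."""
    neighbours = {}
    for a, pa, b, pb in links:
        neighbours.setdefault(a, []).append((pa, b))
        neighbours.setdefault(b, []).append((pb, a))
    # Breadth-first search outward from the servers: hop count to the nearest one.
    dist = {s: 0 for s in servers}
    queue = deque(servers)
    while queue:
        node = queue.popleft()
        for _, peer in neighbours.get(node, []):
            if peer not in dist:
                dist[peer] = dist[node] + 1
                queue.append(peer)
    trusted = {}
    for node, ports in neighbours.items():
        if node in servers or node not in dist:
            continue  # servers need no config; unreachable switches trust nothing
        for port, peer in ports:
            # A neighbour closer to the server is where OFFER/ACK packets come from.
            if peer in dist and dist[peer] < dist[node]:
                trusted.setdefault(node, []).append(port)
    return {sw: sorted(p) for sw, p in trusted.items()}

def ios_config(ports, vlans="100,200"):
    """Render the snooping commands quoted in the thread for one switch."""
    lines = ["ip dhcp snooping", f"ip dhcp snooping vlan {vlans}"]
    for port in ports:
        lines += [f"interface {port}", " ip dhcp snooping trust"]
    return "\n".join(lines)

if __name__ == "__main__":
    for switch, ports in offer_facing_ports(LINKS, {"Server"}).items():
        print(f"! {switch}\n{ios_config(ports)}\n")
```

On this topology the result is one trusted port per switch (the one facing the server), which is a narrower set than trusting both sides of every interswitch link as in the earlier walkthrough.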

Community Member

Enterprise : DHCP Snooping

There are many discussions I could find on this topic. Thanks a lot John for sharing your knowledge.

Elton, does that mean I need to care only about the uplink port of the access switch, and nothing needs to be done with the core and dist switch ports?

I could also find more details in some previous discussions.

May help others as well.

https://supportforums.cisco.com/thread/2097580

Re: Enterprise : DHCP Snooping

I would say it depends on where your DHCP server sits on your network. We are doing DHCP snooping on all of the downstream paths from the core where the DHCP server sits.

Sent from Cisco Technical Support iPhone App
