IP DHCP Snooping Feature

ney25
Level 2

Hi NetPro,

just to confirm: is the DHCP snooping configuration below correct?

thanks.

Core-Switch
-----------
interface Vlan312
 description Vlan
 ip address x.x.x.x 255.255.255.0
 ip helper-address x.x.x.x
 no ip igmp snooping explicit-tracking
 ip ospf message-digest-key 5 md5 7 xxx
 no ipv6 mld snooping explicit-tracking
 no ipv6 mld snooping
 standby 112 ip x.x.x.x
 standby 112 timers 2 4
 standby 112 preempt delay minimum 15

ip dhcp snooping vlan 312
no ip dhcp snooping information option
ip dhcp snooping

Access Switch:
--------------
interface FastEthernet6/41
 description user
 switchport access vlan 312
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping trust

your reply will be highly appreciated.

thanks

Regards,

jack


Istvan_Rabai
Level 7

Hi Jack,

"ip dhcp snooping information option" is enabled by default. Is there any reason why you disabled it?

Otherwise, your config is alright if the DHCP server is located on FastEthernet 6/41.

Cheers:

Istvan

Not all DHCP servers support Option 82 insertion, and leaving it enabled prevents DHCP from working. Windows 2000 & 2003 don't support it, and as most of the world uses these as DHCP servers it generally gets disabled....

HTH

Andy

Hi Andy,

thanks for your information, it really helps me a lot.

Which means putting "no ip dhcp snooping information option" is correct?

And 1 more thing I need to confirm.

interface FastEthernet6/41 --> to the DHCP server or to the DHCP client?
 switchport access vlan 312
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping trust

So, are the 3 lines below configured on the Access Switch or the Core Switch?

ip dhcp snooping vlan 312
no ip dhcp snooping information option
ip dhcp snooping

your reply will be very much appreciated.

thanks a lot.

regards,

Jack

Hi Jack,

The interface where you configure "ip dhcp snooping trust" should not be a DHCP client port.

Client ports should remain untrusted, otherwise dhcp snooping will lose its function.

The following lines should be entered on all access layer switches:

ip dhcp snooping vlan 312
no ip dhcp snooping information option
ip dhcp snooping

interface FastEthernet6/41 is the interface where your dhcp server is located, or the path where the dhcp replies arrive back from the dhcp server located somewhere else.

Cheers:

Istvan

Hi Istvan

Your reply really helped me a lot.

But I am curious about "ip dhcp snooping VLAN-ID". Does this VLAN-ID mean the DHCP server VLAN? Because, as you know, the DHCP server has pools for many VLANs for clients. So does that mean I don't have to do it for all the individual VLANs? Say VLAN 312 (Server Farm), VLAN 3 (Admin Office users), VLAN 4 (Printers). So when I put "ip dhcp snooping vlan 312", will that cover all of them?

thanks man :)

your reply will be highly appreciated.

Regards,

Jack

Hi Jack,

In the "ip dhcp snooping" command the option vlan is actually a vlan-list.

You should select the vlans where you want to enable dhcp snooping.

Example:

ip dhcp snooping
ip dhcp snooping vlan 1,2-5,20

This will enable dhcp snooping on vlans 1, 2 to 5 and 20.

Cheers:

Istvan
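As an added example (not part of Istvan's reply or the original thread), the following Python snippet expands the vlan-list syntax that "ip dhcp snooping vlan" accepts and then reports which VLANs from Jack's scenario (clients in VLANs 312, 3 and 4) would be left without snooping if only 312 is listed. The bounds 1-4094 are the standard 802.1Q VLAN ID range; the function names are my own.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094   # valid 802.1Q VLAN IDs


def expand_vlan_list(vlan_list):
    """Expand an IOS vlan-list such as "1,2-5,20" into the set {1, 2, 3, 4, 5, 20}.

    Raises ValueError for malformed elements, reversed ranges or IDs outside
    1-4094, so a typo in the list is caught instead of silently leaving a
    VLAN without DHCP snooping.
    """
    vlans = set()
    for item in vlan_list.replace(" ", "").split(","):
        if not item:
            continue                      # tolerate a trailing comma
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad vlan-list element: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"range out of order or outside {VLAN_MIN}-{VLAN_MAX}: {item!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def unprotected_vlans(vlan_list, client_vlans):
    """Client VLANs that carry DHCP traffic but are missing from the snooping list."""
    return sorted(set(client_vlans) - expand_vlan_list(vlan_list))


if __name__ == "__main__":
    # Jack's scenario: clients in VLANs 312 (server farm), 3 (admin office)
    # and 4 (printers), but snooping enabled only for VLAN 312.
    print(unprotected_vlans("312", [312, 3, 4]))        # [3, 4]
    print(unprotected_vlans("3-4,312", [312, 3, 4]))    # []
```

The second call shows the list Jack would actually need: every VLAN that has DHCP clients must appear in the vlan-list, because the server's VLAN alone says nothing about where the client ports are.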

Hi Istvan,

Thanks for your answer.

you've answered my doubt.

thanks a lot.

have a nice day :)

Regards,

Jack

You're always welcome Jack!

Thank you very much for the ratings.

Istvan

Hi, apologies for not replying to your earlier message regarding option 82 insertion - I had gone to bed... However it looks like your query was answered anyway.

With DHCP snooping it is also recommended to rate limit the DHCP requests on the access ports using the command:

interface FastEthernet0/1
 ip dhcp snooping limit rate 100

In the campus design presentation from Networkers 100-pps is recommended, however it may be worth tuning this down even further. On the DHCP server port or Layer-2 uplinks you can also enable rate limiting of DHCP requests however these are aggregation points so the rates will probably need to be higher.

Be aware though that if the limit is exceeded the port is err-disabled, the idea being this is a DoS attack mitigation technique. This can be automatically recovered with the global command:

errdisable recovery dhcp-rate-limit

HTH

Andy
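As an added example (not from Andy's post, Istvan's replies or Cisco), here is a small Python audit that applies the advice in this thread to a captured running-config: trust belongs only on the DHCP server port or the Layer-2 uplinks, client ports must stay untrusted, every untrusted access port should carry an "ip dhcp snooping limit rate", and recovery from the rate-limit err-disable should be enabled globally. The sample config is constructed and deliberately repeats the mistake discussed above (a user port marked trusted while the uplink is not). The full IOS syntax of the recovery command includes the "cause" keyword, "errdisable recovery cause dhcp-rate-limit", and that is the form the check looks for. The set of expected trusted ports is supplied by the operator, since the config alone cannot tell an uplink from a client port; the function names are my own.

```python
import re

# Constructed sample access-switch running-config (not taken from the thread).
# It deliberately repeats the mistake discussed above: a user port is trusted,
# while the real uplink to the core is left untrusted.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 312
no ip dhcp snooping information option
errdisable recovery cause dhcp-rate-limit
!
interface FastEthernet6/41
 description user
 switchport access vlan 312
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping trust
!
interface FastEthernet6/42
 description user
 switchport access vlan 312
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/1
 description uplink to core
 switchport mode trunk
!
"""


def parse_config(text):
    """Split an IOS config into (global_lines, {interface: [subcommands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' (or a blank line) ends the interface stanza
            continue
        m = re.match(r"interface (\S+)$", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_dhcp_snooping(text, trusted_ports, max_rate=100):
    """Return a list of findings; an empty list means the config follows the thread's advice.

    trusted_ports: interfaces facing the DHCP server or acting as Layer-2 uplinks,
    the only places "ip dhcp snooping trust" belongs. Every other interface is
    treated as a client port.
    """
    global_lines, interfaces = parse_config(text)
    findings = []

    # Global checks: snooping on, a vlan-list selected, auto-recovery from err-disable.
    if "ip dhcp snooping" not in global_lines:
        findings.append("global: 'ip dhcp snooping' is not enabled")
    if not any(l.startswith("ip dhcp snooping vlan ") for l in global_lines):
        findings.append("global: no 'ip dhcp snooping vlan <vlan-list>' configured")
    if "errdisable recovery cause dhcp-rate-limit" not in global_lines:
        findings.append("global: ports that hit the rate limit will stay err-disabled")

    for name, lines in interfaces.items():
        trusted = "ip dhcp snooping trust" in lines
        if name in trusted_ports:
            if not trusted:
                findings.append(f"{name}: server/uplink port lacks 'ip dhcp snooping trust'")
            continue
        # From here on the port is a client port and must stay untrusted.
        if trusted:
            findings.append(f"{name}: client port is trusted, so DHCP replies from it would be accepted")
        rate = next((int(l.split()[-1]) for l in lines
                     if l.startswith("ip dhcp snooping limit rate ")), None)
        if rate is None:
            findings.append(f"{name}: client port has no 'ip dhcp snooping limit rate'")
        elif rate > max_rate:
            findings.append(f"{name}: rate limit {rate} pps is above the {max_rate} pps ceiling")
    return findings


if __name__ == "__main__":
    for finding in audit_dhcp_snooping(SAMPLE_CONFIG, {"GigabitEthernet1/1"}):
        print(finding)
```

Run against the sample with GigabitEthernet1/1 declared as the uplink, the audit reports three findings: FastEthernet6/41 is trusted although it is a client port, it has no rate limit, and the uplink itself is missing the trust statement. Moving the trust to the uplink and adding a rate limit to the user port brings the list down to empty, which is the configuration Istvan and Andy describe.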
