Problem configuring DHCP snooping

limtohsoon
Level 1

Hi Sir,

I'm trying to implement DHCP snooping feature on one particular floor in an office building switched network. Attached is the physical network topology diagram. The floor is Level 13. The DHCP server is centralized.

All users in Level 13 are on VLAN 130, which I'd like to enable DHCP snooping on. The objective is to safeguard any rogue DHCP server from connecting to any ports on the access switches and the core switches.

I also include my configurations. Please verify if I configured anything incorrectly with regards to my scenario. I need help on the DHCP snooping configuration on the core switches. Please advise.

Also, is it necessary to configure DHCP snooping database agent on all the switches?

Please help.

Thank you.

B.Rgds,

Lim TS

8 Replies

a.hajhamad
Level 4

Hello my friend,

I'm in the process of testing DHCP snooping and DAI on my Catalyst switches. I did that in the lab, but I can't see the DHCP snooping binding table. Just today I read a document about DHCP snooping, port security, and Dynamic ARP Inspection; I think this is a good document or article. I missed one command on the trunk links, "ip dhcp relay information trusted"; after reading this document, I will try it after my holiday. But I think this document is worth reading; maybe it can help you.

http://www.enterprisenetworkingplanet.com/netsecur/article.php/3462211

For the database, I think you have to create a TFTP server in case the switch reloads. For the core switches, I think you need to enable DHCP snooping, but take care to trust all the required ports, like the DHCP server port and also the trunk links to other switches.

Please check with your topology and update.

Please rate if it is helpful!

Thanks

Abd Alqader

Hi,

I found the following note on cisco.com:

--------------------------------------

When DHCP snooping is enabled, these Cisco IOS DHCP commands are not available on the switch:

- "ip dhcp relay information check" global configuration command
- "ip dhcp relay information policy" global configuration command
- "ip dhcp relay information trust-all" global configuration command
- "ip dhcp relay information option" global configuration command
- "ip dhcp relay information trusted" interface configuration command

If you enter these commands, the switch returns an error message, and the configuration is not applied.

--------------------------------------

That's why I didn't configure the "ip dhcp relay information trusted" command on trunk ports in my lab. However, I was able to see the DHCP snooping binding table using the "sh ip dhcp snooping binding" command on my access switches. Please refer to my attached configuration slides.

The network scenario I posted is such that the DHCP server is located remotely. Local clients reach the DHCP server via the "ip helper-address" configured on the local Core switches.

I'm quite sure about the DHCP snooping configurations on the access switches. However, I'm not sure about configuring DHCP snooping on the Core switches, with regards to my scenario.

Can anyone please provide some guideline?

Thank you.

B.Rgds,

Lim TS

Hi again,

Look, attached is my topology. I can't see the binding table at my remote site switch.

But in your topology the ip helper command is entered on your distribution & core switches, and you can see the binding table.

Any advice?

Thanks

Abd Alqader

mskaelita
Level 1

Hi,

You should configure ip dhcp snooping trust on all uplink interfaces (trunks) and on the interface where DHCP traffic is routed.

Also add ip helper-address on SVI 130.

I hope this will help.

Hi,

Thanks for your reply.

Have you checked my attached config of both core switches? What other configuration commands have I missed?

Also, is it necessary to configure DHCP snooping database agent on all the switches?

Please advise.

Thank you.

B.Rgds,

Lim TS

Sorry, I didn't see the second slide :)

It seems all ok, but I don't see your access ports or access switches.

Access switches should also have "ip dhcp snooping trust" on the trunk port and

ip dhcp snooping limit rate xxx

on each access port.

Check your configuration:

sh ip dhcp snooping

I hope it will help.

Hi,

I have the "ip dhcp snooping trust" command configured on interface Gi1/13 of both Core switches, connecting to the access switches (please see my diagram). Do I need to configure "ip dhcp snooping trust" on the portchannel interfaces between the two Core switches?

"ip dhcp snooping trust" is also configured on all the trunk ports of the access switches.

Is it necessary to configure DHCP snooping database agent on all the switches?

Thank you.

B.Rgds,

Lim TS

>Do I need to configure "ip dhcp snooping trust" on the portchannel interfaces between the two Core switches?

Yes, if DHCP packets can go through this interface.

But if you don't need dhcp snooping on all ports, you can just disable "dhcp snooping" on all transit switches.

I.e., if you don't have access ports on the c6509 or c3560, only trunks/routed interfaces, just disable DHCP snooping.
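The checks the replies above converge on (VLAN 130 listed under "ip dhcp snooping vlan", a database agent so bindings survive a reload, trust on every trunk including the core port-channel, a rate limit on each access port, and a helper-address on the VLAN 130 SVI) can be audited against a saved running-config. The script below is an added example, not code from the thread or from Cisco; the config excerpt is constructed, and the audit does not expand VLAN ranges such as "100-200".

```python
# Constructed running-config excerpt for one switch (not the thread's attachments).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 130
ip dhcp snooping
ip dhcp snooping database tftp://192.0.2.10/bindings.db
interface GigabitEthernet1/13
 switchport mode trunk
 ip dhcp snooping trust
interface Port-channel1
 switchport mode trunk
interface FastEthernet0/1
 switchport access vlan 130
 ip dhcp snooping limit rate 10
interface FastEthernet0/2
 switchport access vlan 130
interface Vlan130
 ip helper-address 10.1.1.5
"""

def has(lines, prefix):
    return any(l.startswith(prefix) for l in lines)

def parse_interfaces(cfg):
    # Group indented lines under their "interface <name>" header.
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            blocks[cur] = []
        elif cur and line.startswith(" "):
            blocks[cur].append(line.strip())
        else:
            cur = None
    return blocks

def audit_dhcp_snooping(cfg, vlan):
    findings, glob = [], [l for l in cfg.splitlines() if not l.startswith(" ")]
    vlan_lists = [l.split()[-1] for l in glob if l.startswith("ip dhcp snooping vlan ")]
    if not any(str(vlan) in v.split(",") for v in vlan_lists):
        findings.append(f"global: VLAN {vlan} missing from 'ip dhcp snooping vlan'")
    if not has(glob, "ip dhcp snooping database"):
        findings.append("global: no 'ip dhcp snooping database' agent; bindings are lost on reload")
    for name, lines in parse_interfaces(cfg).items():
        if "switchport mode trunk" in lines and "ip dhcp snooping trust" not in lines:
            findings.append(f"{name}: trunk without 'ip dhcp snooping trust'")
        if f"switchport access vlan {vlan}" in lines and not has(lines, "ip dhcp snooping limit rate"):
            findings.append(f"{name}: access port without 'ip dhcp snooping limit rate'")
        if name.lower() == f"vlan{vlan}" and not has(lines, "ip helper-address"):
            findings.append(f"{name}: SVI without 'ip helper-address' to the remote DHCP server")
    return findings
```

Running `audit_dhcp_snooping(SAMPLE_CONFIG, 130)` on the sample flags the untrusted port-channel and the access port with no rate limit; pass the output of "show running-config" from each switch to check a real site.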
