Hi everybody, I made some tests of the DHCP snooping feature; to explain more, I have added a topology of part of my network. I found some problems on switch 1 because the IOS release doesn't support the DHCP snooping feature. It only supports the command ip dhcp relay information trusted.
So is it possible to configure my network using the configuration that you can see in the attachment? Do you think it is a good option?
I hope you can help me more with that.
Thanks and best regards
That should work. In this configuration guide they have an internal MSFC, but the concept is the same: the trunk port to the relay agent should be DHCP snooping trust enabled:
Yes, I was studying this configuration guide. So there is no problem because the DHCP server is not configured as a trusted port?
Thanks my friend for your response
Actually, the ports connecting the two switches are DHCP snooping trust enabled, so yes. The DHCP server is on the switch running IOS, yes? Then all is well, it should work.
Hi, I have another question. If you look at the picture, what happens with devices connected directly to the 6513 (server farm)? All the switches connected to the 6513 and the servers are on VLAN 1, so there isn't a problem with the users' PCs because they are on a different VLAN, but on switch 6513 the actual IOS release doesn't support the DHCP snooping feature. So what can you recommend to protect VLAN 1 in case of a rogue DHCP?
DHCP Snooping is supported in Native IOS from 12.2(18)SXE and later.
Yes, I know that I need a new release on switch 6513, but for now the client will not buy new hardware, so I was reading a Cisco security presentation that explains DHCP snooping and says "If there are switches in the network that will not support DHCP snooping, you can configure VLAN ACLs to block UDP port, it will not prevent the CHADDR DHCP starvation attack". VLAN ACL is on CatOS. Do you have some idea about how to make an extended access list on the switch 6513 that doesn't support the feature?
Hi again, now I have tested DHCP snooping on switch 3560 with IOS c3560-ipbase-mz.122-25.SEB4 in the same topology mentioned above. I enabled this configuration on the switch:
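The VLAN ACL idea from the quoted presentation can be done in Native IOS on the 6500 as well, with vlan access-map / vlan filter. The following is an added example, not a configuration posted in this thread; it assumes the legitimate DHCP server is 10.2.1.99 (the helper-address quoted later in the thread) and sits in VLAN 1 of the 6513, and the ACL and access-map names are placeholders. It only filters on the DHCP server UDP port (bootps, 67), so it drops OFFER/ACK messages from any other host in VLAN 1 but, as the presentation says, does nothing against CHADDR starvation.

```cisco
! Added example (not from the thread). Assumes the legitimate DHCP server is
! 10.2.1.99 in VLAN 1 of the 6513 and that the 6513 runs Native IOS with
! VACL support (vlan access-map / vlan filter). Names are placeholders.
!
! ACL 1: DHCP server traffic that involves the legitimate server only.
! bootps = UDP/67. The server answers from port 67, and the 6513 relay agent
! also talks to the server from and to port 67, so both directions are listed
! or the relayed requests from the user VLANs would be dropped too.
ip access-list extended LEGIT-DHCP-SERVER
 permit udp host 10.2.1.99 eq bootps any
 permit udp any eq bootps host 10.2.1.99 eq bootps
!
! ACL 2: any other packet sourced from UDP/67, i.e. a DHCP server answer
! (OFFER/ACK) sent by a host that is not the legitimate server.
ip access-list extended ANY-DHCP-SERVER
 permit udp any eq bootps any
!
ip access-list extended ALLOW-ALL
 permit ip any any
!
! VACL: sequences are evaluated in order and the first match decides,
! so the legitimate server is forwarded before the generic drop.
vlan access-map BLOCK-ROGUE-DHCP 10
 match ip address LEGIT-DHCP-SERVER
 action forward
vlan access-map BLOCK-ROGUE-DHCP 20
 match ip address ANY-DHCP-SERVER
 action drop
vlan access-map BLOCK-ROGUE-DHCP 30
 match ip address ALLOW-ALL
 action forward
!
! Apply to VLAN 1 only; the user VLANs keep relying on snooping on the 3560s.
vlan filter BLOCK-ROGUE-DHCP vlan-list 1
```

Check the result with show vlan access-map BLOCK-ROGUE-DHCP and show vlan filter. Because the VACL is applied to every packet bridged or routed in VLAN 1, keep the first sequence in place whenever the server address or the relay's SVI changes, otherwise legitimate DHCP in the server farm breaks together with the rogue one.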
ip dhcp snooping vlan 227
ip dhcp snooping database flash://pruebas
ip dhcp snooping
and on the Gigabit interfaces:
switchport trunk encapsulation dot1q
switchport mode trunk
no cdp enable
channel-group 9 mode on
ip dhcp snooping trust
and on VLAN 227 on switch 6513 I enabled the following lines:
ip address 10.2.7.129 255.255.255.128
ip helper-address 10.2.1.99
ip dhcp relay information trusted
but when I type the command sh ip dhcp snooping binding, I don't see any value, it's empty. So is it possible that this configuration on IOS is wrong? I followed the instructions from this web page
Can you give me some idea???
OK, I could resolve the problem on switch 3560; it was missing the command ip dhcp trust on the port-channel interface. Only one question: is it necessary to enable the DHCP Snooping Binding Database Agent?
Thanks for your support
Without the database agent the switch will lose all binding info upon reload and connectivity will be broken for the DHCP clients.
Please rate all helpful posts.
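For reference, here is the 3560 side of the thread's configuration completed with the two points that came out of the discussion: trust on the port-channel itself, and the binding database agent. This is an added example, not a configuration posted by the participants; the VLAN, channel-group and file name are taken from the thread, while the interface names, the write-delay value and the rate limit are placeholders.

```cisco
! Added example (not from the thread): the 3560 snooping configuration from
! the thread, completed with trust on the port-channel and the database
! agent. Interface names and the numeric values below are placeholders.
ip dhcp snooping vlan 227
! Database agent: bindings survive a reload instead of being relearned
! only when clients renew, which is what broke connectivity in the thread.
ip dhcp snooping database flash://pruebas
! Write the file within 30 s of a binding change (default is 300 s).
ip dhcp snooping database write-delay 30
ip dhcp snooping
!
! Physical uplink members towards the 6513 (relay agent and DHCP server side).
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
 channel-group 9 mode on
 ip dhcp snooping trust
!
! The logical port-channel must be trusted as well; as found in the thread,
! trusting only the physical members left the binding table empty.
interface Port-channel9
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
! Client access ports stay untrusted (the default); the rate limit caps the
! DHCP packets a single port may send per second.
interface range FastEthernet0/1 - 24
 switchport access vlan 227
 ip dhcp snooping limit rate 15
```

Verify with show ip dhcp snooping (trusted ports and rate limits), show ip dhcp snooping binding (one entry per client lease) and show ip dhcp snooping database (agent status and last write). The SVI on the 6513 keeps ip dhcp relay information trusted as in the thread, because the 3560 inserts option 82 into relayed requests and the relay would otherwise drop them.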