DHCP snooping in 2960 switch

acbenny

Hi all,

Suppose I have two new 2960 switches (Sw1, Sw2) connected together via G0/1, the real DHCP server is connected to Sw1 port 1, and an unauthorized DHCP server is connected to Sw2 port 1.

What command do I need to use to turn on DHCP snooping so that the unauthorized DHCP server (Sw2, port 1) is prevented from allocating IP addresses to other DHCP clients?

Also, how can a DHCP client get an IP address from the authorized DHCP server (Sw1 port 1)?

Thanks for your help

4 Replies

Hi Jack IP, Are you IPv4 or IPv6? (grin)

Let's assume you are using VLAN_1 for servers and clients.

Switch1:

Switch(config)# ip dhcp snooping

Switch(config)# ip dhcp snooping vlan 1

Switch(config)# ip dhcp snooping information option

--FOR THE DHCP SERVER--

Switch(config)#int f0/1

Switch(config-if)#ip dhcp snooping trust

--FOR THE UPLINK(TRUNK) PORT--

Switch(config)#int g0/1

Switch(config-if)#ip dhcp snooping trust

Switch2:

Switch(config)# ip dhcp snooping

Switch(config)# ip dhcp snooping vlan 1

Switch(config)# ip dhcp snooping information option

--FOR THE UPLINK(TRUNK) PORT--

Switch(config)#int g0/1

Switch(config-if)#ip dhcp snooping trust

Let's check this link for more information.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swdhcp82.html

HTH,

Toshi

Not many DHCP servers support the insertion of Option 82 information so you will probably want to disable this feature:

no ip dhcp snooping information option

Certainly if the servers are Windows 2003 or earlier then they definitely won't work if this is enabled. Other than that Toshi's reply is sound - trusting needs to be on the layer-2 uplinks and the port where the actual server is connected.

Andy

Andrew,

I thought that option would be used for DHCP relay agent packets. In this case it's not. I'm not sure why Cisco puts this on by default.

However, thanks for letting me know about this issue.

5P! Andy

Toshi

Option 82 insertion is where the switch inserts the physical interface information into the DHCP request along with the source MAC address. I think it is more useful in a cable/broadband network where you want to know more information regarding your subscribers.

Reasonable explanation here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/dhcp.html#wp1128786

I am not sure which Cisco DHCP servers understand it, but as for MS, only Server 2008 supports it; however, I have never configured it.

Andy
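One way to check the settings discussed in the replies above against a saved running-config (an added example, not code from the thread or from Cisco): it flags any trusted port other than the expected server and uplink ports and reports whether Option 82 insertion is still on. The helper names, the sample config and the use of full interface names as they appear in `show running-config` are assumptions.

```python
import re

# Constructed sample (not from the thread): Sw2 config with an access port trusted by mistake.
SAMPLE_SW2 = """\
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping
!
interface FastEthernet0/1
 ip dhcp snooping trust
!
interface GigabitEthernet0/1
 ip dhcp snooping trust
"""

def parse_vlans(spec):
    """Expand an IOS VLAN list such as '1,10-12' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dhcp_snooping(config, vlan, expected_trusted):
    """Return findings for one switch's running-config text (hypothetical helper)."""
    trusted, vlans, enabled, opt82, iface = set(), set(), False, True, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level line: enter or leave an interface block
            m = re.match(r"interface (\S+)", line)
            iface = m.group(1) if m else None
        if line == "ip dhcp snooping":
            enabled = True
        elif line.startswith("ip dhcp snooping vlan "):
            vlans |= parse_vlans(line.split()[-1])
        elif line == "no ip dhcp snooping information option":
            opt82 = False  # insertion is on unless explicitly negated
        elif line == "ip dhcp snooping trust" and iface:
            trusted.add(iface)
    findings = []
    if not enabled:
        findings.append("DHCP snooping is not enabled globally")
    if vlan not in vlans:
        findings.append(f"VLAN {vlan} is not covered by DHCP snooping")
    findings += [f"{p}: trusted but not an expected server or uplink port" for p in sorted(trusted - expected_trusted)]
    findings += [f"{p}: expected trusted port is untrusted" for p in sorted(expected_trusted - trusted)]
    if opt82:
        findings.append("Option 82 insertion is on; confirm the DHCP server accepts it")
    return findings
```

For Sw2 the expected trusted set is only the G0/1 uplink; for Sw1 it is the uplink plus the port where the real DHCP server is connected.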
