https://community.cisco.com/t5/network-access-control/how-to-configure-ip-dhcp-snooping-and-trusted-ports-on-a-cisco/m-p/3004245#M23693 <P>Hi Matt</P> <P>Yes, disable the dhcp information option if you are not using it. When dhcp snooping is enabled, the default trust setting for interfaces is untrusted so you should apply <STRONG>ip dhcp snooping</STRONG> <STRONG>trust</STRONG> on interfaces leading to where your dhcp server is located. Following link explains it better:</P> <P></P> <P>http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1114389</P> <P></P> <P>hth</P> <P>Andy</P> Sat, 04 Mar 2017 09:41:15 GMT andrewswanson 2017-03-04T09:41:15Z https://community.cisco.com/t5/network-access-control/how-to-configure-ip-dhcp-snooping-and-trusted-ports-on-a-cisco/m-p/3004242#M23690 <P>Hello All,<BR /><BR />So we have recently configured our main/core switch <EM>(*4510R+E)</EM> to begin authenticating devices using Cisco ISE, which is now configured and seems to be working as expected. Now, I'm trying to configure a 3560 switch that we have located in our IT work area. The 3560 is connected directly to the 4510 via a trunk port.<BR /><BR />I have gotten the 3560 completely configured to authenticate endpoints through our ISE server, which it does. The problem I'm running into is when I enable DHCP Snooping on the 3560 <EM>(*snooping is NOT configured on the 4510 as of yet)</EM> no connected endpoints can get a DHCP address. If I disable dhcp snooping then DHCP begins working again.<BR /><BR />The guide I used for configuring the Network Access Devices <EM>(*i.e. Routers and Switches)</EM> was the <EM>Cisco Identity Services Engine Administrator Guide, Release 2.0</EM>. Chapter 33 of this guide is where you'll find the commands required to enable ISE on the switches. Now, in this chapter they say you can optionally enable dhcp snooping. But, the only commands they give you are:</P> <PRE class="prettyprint">ip dhcp snooping <SPAN style="color: #0000ff;"><EM>!--&gt; enables dhcp snooping</EM></SPAN><BR />ip dhcp snooping vlan x-y <SPAN style="color: #0000ff;"><EM>!--&gt; Enable Snooping on specific Vlans Only</EM></SPAN></PRE> <P>Now, enabling just these 2 commands prevents devices on the 3560 from getting a DHCP address, because if I remove those commands they can immediately get a DHCP address without issue. So searching around a bit online I found the <A href="http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_10_universal_switch_config.pdf" target="_blank">Cisco TrustSec HowTo: Global Switch Configuration Guide </A>. In this guide they also describe how to enable dhcp snooping, except they include another command, which is <SPAN style="font-family: courier new,courier,monospace; font-size: 10pt;"><STRONG><EM>"ip dhcp snooping trust"</EM></STRONG></SPAN> and according to this guide it states the following:</P> <P style="padding-left: 30px;"><SPAN style="font-family: courier new,courier,monospace; font-size: 10pt;"><EM>"Before configuring DHCP snooping, be sure to note the location of your trusted DHCP servers. When you configure DHCP snooping, the switch will deny DHCP server replies from any port not configured as “trusted.” <SPAN style="color: #ff0000;">Enter interface configuration mode for the uplink interface and configure it as a trusted port.</SPAN>"</EM></SPAN></P> <P>Since the DHCP server for the Vlan/Subnet being <EM>"</EM><EM>snooped"</EM> is located on a Linux box connected to the 4510 Core Switch, wouldn't the <STRONG><EM>Uplink</EM></STRONG><EM></EM> interface be the Trunk port on the 3560 connecting it to the 4510..?<BR /><BR />If I add the <SPAN style="font-family: courier new,courier,monospace; font-size: 10pt;"><EM>"</EM><EM>ip dhcp snooping trust"</EM></SPAN> command to the Trunk port on the 3560, no devices connected to this switch can get a DHCP Address. However, if I add the <EM>trust</EM> command to the Switchports where the PC/devices are connected to on the 3560, they can then get a DHCP address no problem.<BR /><BR />So my question is why isn't this working with the trust command configured on the Trunk port only, and why does it only work if the trust command is added to each individual switchport where a PC/Device/Phone is connected. According to the guide, it doesn't sound like this is how it's supposed to work. See screenshot below:</P> <HR /> <P><IMG src="https://community.cisco.com/legacyfs/online/media/cisco_trustsec_switch_config_guide-dhcp_snooping.png" class="migrated-markup-image" /></P> <HR /> <P><BR />If anyone has any thoughts or suggestions please feel free to reply.<BR /><BR />Thanks in Advance,<BR />Matt</P> Mon, 11 Mar 2019 07:30:50 GMT https://community.cisco.com/t5/network-access-control/how-to-configure-ip-dhcp-snooping-and-trusted-ports-on-a-cisco/m-p/3004242#M23690 Matthew Martin 2019-03-11T07:30:50Z https://community.cisco.com/t5/network-access-control/how-to-configure-ip-dhcp-snooping-and-trusted-ports-on-a-cisco/m-p/3004243#M23691 <P>Hi</P> <P>Add the following command to your 3560:</P> <P><EM><STRONG>no ip dhcp snooping information option</STRONG></EM></P> <P>See the following post for details:</P> <P>http://blog.ine.com/2009/07/22/understanding-dhcp-option-82/</P> <P>hth<BR />Andy</P> Fri, 03 Mar 2017 19:57:27 GMT https://community.cisco.com/t5/network-access-control/how-to-configure-ip-dhcp-snooping-and-trusted-ports-on-a-cisco/m-p/3004243#M23691 andrewswanson 2017-03-03T19:57:27Z https://community.cisco.com/t5/network-access-control/how-to-configure-ip-dhcp-snooping-and-trusted-ports-on-a-cisco/m-p/3004244#M23692 <P>Hey Andy, thanks for the reply!<BR /><BR />Perfect, that seemed to fix it, Thank you!<BR /><BR />From your link, it sounds like when DHCP Snooping is enabled on a Cisco Catalyst device it automatically inserts a <EM><STRONG>giaddr</STRONG></EM> of 0.0.0.0, and by default Cisco IOS devices reject packets that have a ZERO address for <EM>giaddr</EM>...<BR /><BR />So, does that mean whenever you enable DHCP Snooping on a Catalyst Router/Switch, you should also disable the adding of <STRONG>option 82</STRONG> to the DHCP packets sent to the DHCP Server?<BR /><BR />Does that sound correct?<BR /><BR /><STRONG>EDIT:</STRONG> Also, am I supposed to keep the <EM><STRONG>"ip dhcp snooping trust"</STRONG></EM><EM><STRONG> </STRONG></EM>command on the uplink trunk port that goes to the 4510..? This is the interface/port that connects the 3560 to the 4510 <EM>(*the 4510 is where the DHCP server is connected)</EM>.<BR /><BR />Thanks again for your reply, very much appreciated!<BR /><BR />Thanks,<BR />Matt</P> Fri, 03 Mar 2017 23:03:10 GMT https://community.cisco.com/t5/network-access-control/how-to-configure-ip-dhcp-snooping-and-trusted-ports-on-a-cisco/m-p/3004244#M23692 Matthew Martin 2017-03-03T23:03:10Z https://community.cisco.com/t5/network-access-control/how-to-configure-ip-dhcp-snooping-and-trusted-ports-on-a-cisco/m-p/3004245#M23693 <P>Hi Matt</P> <P>Yes, disable the dhcp information option if you are not using it. When dhcp snooping is enabled, the default trust setting for interfaces is untrusted so you should apply <STRONG>ip dhcp snooping</STRONG> <STRONG>trust</STRONG> on interfaces leading to where your dhcp server is located. Following link explains it better:</P> <P></P> <P>http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1114389</P> <P></P> <P>hth</P> <P>Andy</P> Sat, 04 Mar 2017 09:41:15 GMT https://community.cisco.com/t5/network-access-control/how-to-configure-ip-dhcp-snooping-and-trusted-ports-on-a-cisco/m-p/3004245#M23693 andrewswanson 2017-03-04T09:41:15Z