DHCP Snooping on 6500

ocajica
Level 1

Hi everybody, I made some tests with the DHCP snooping feature; to explain more, I added a topology of part of my network. I found some problems on switch 1 because the IOS release doesn't support the DHCP snooping feature. It only supports the command ip dhcp relay information trusted.

So is it possible to configure my network using the configuration that you can see in the attachment? Do you think it is a good option?

I hope you can help me more with that.

Thanks and best regards

manuel


Roberto Salazar
Level 8

That should work. In this configuration guide they have an internal MSFC, but the concept is the same: the trunk port to the relay agent should be DHCP snooping trust enabled:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_3/confg_gd/dhcp.htm#wp1092681

Yes, I was studying this configuration guide. So there is no problem because the DHCP server is not configured as a trusted port?

Thanks, my friend, for your response.

best regards

Actually, the ports connecting the two switches are DHCP snooping trust enabled, so yes. The DHCP server is on the switch running IOS, yes? Then all is well, it should work.

Hi, I have another question. If you look at the picture, what happens with the devices connected directly to the 6513 (server farm)? All the switches connected to the 6513 and the servers are on VLAN 1, so there isn't a problem with the users' PCs because they are on a different VLAN, but on switch 6513 the current IOS release doesn't support the DHCP snooping feature. So what can you recommend to protect VLAN 1 in case of a rogue DHCP server?

Thanks

DHCP Snooping is supported in Native IOS from 12.2(18)SXE and later.

Release Notes:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm

Yes, I know that I need a new release on switch 6513, but for now the client will not buy new hardware, so I was reading a Cisco security presentation that explains DHCP snooping and says "If there are switches in the network that will not support DHCP snooping, you can configure VLAN ACLs to block the UDP port; it will not prevent the CHADDR DHCP starvation attack". VLAN ACL is on CatOS. Do you have some idea about how to make an extended access list on the switch 6513 that doesn't support the feature?

thanks.

Hi again, now I have tested DHCP snooping on a switch 3560 with IOS c3560-ipbase-mz.122-25.SEB4 in the same topology that I mentioned above. I enabled this configuration on the switch:

ip dhcp snooping vlan 227
ip dhcp snooping database flash://pruebas
ip dhcp snooping

and on the Gigabit interfaces:

interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
 channel-group 9 mode on
 ip dhcp snooping trust

and on VLAN 227 on switch 6513 I enabled the following lines:

interface Vlan227
 ip address 10.2.7.129 255.255.255.128
 ip helper-address 10.2.1.99
 ip dhcp relay information trusted

but when I type the command sh ip dhcp snooping binding, I don't see any value, it's empty. So is it possible that this configuration on IOS is wrong? I followed the instructions from this web page:

http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00802b7be3.html#wp1078853

Can you give me some idea?

Thanks

OK, I could resolve the problem on switch 3560: it was missing the command ip dhcp trust on the interface Port-channel. Only one question: is it necessary to enable the DHCP Snooping Binding Database Agent?

Thanks for your support.

Without the database agent the switch will lose all binding info upon reload, and connectivity will be broken for the DHCP clients.

Please rate all helpful posts.

Brad
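The two lessons of this thread (trust must be on the Port-channel itself, not only on its member ports, and the binding database agent should be configured) can be checked mechanically. The following is an added example, not from the thread or from Cisco: a small Python audit over an IOS-style running config; the sample config is constructed to reproduce the poster's situation.

```python
import re
from collections import defaultdict

# Constructed sample config (assumption): trust on the Gi member port as in the
# 3560 config above, but no trust on Port-channel9 and no database agent.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 227
ip dhcp snooping
interface GigabitEthernet0/1
 switchport mode trunk
 channel-group 9 mode on
 ip dhcp snooping trust
interface Port-channel9
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # back at global config level
    return interfaces

def audit_snooping(config):
    """Return a list of findings (empty list means nothing flagged)."""
    findings, ifaces = [], parse_interfaces(config)
    globals_ = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    # Brad's point: without the database agent, bindings are lost on reload.
    if "ip dhcp snooping" in globals_ and not any(
            g.startswith("ip dhcp snooping database") for g in globals_):
        findings.append("no 'ip dhcp snooping database' configured")
    # The poster's bug: trust on member ports but not on the Port-channel.
    members = defaultdict(list)
    for name, cmds in ifaces.items():
        for cmd in cmds:
            m = re.match(r"channel-group (\d+)", cmd)
            if m:
                members[m.group(1)].append(name)
    for group, names in members.items():
        po = f"Port-channel{group}"
        trusted = [n for n in names if "ip dhcp snooping trust" in ifaces[n]]
        if trusted and "ip dhcp snooping trust" not in ifaces.get(po, []):
            findings.append(f"{po} lacks 'ip dhcp snooping trust' (members {trusted} have it)")
    return findings
```

Running audit_snooping(SAMPLE_CONFIG) reports both issues; adding the trust line under Port-channel9 and a global ip dhcp snooping database line clears them.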
