04-03-2017 05:46 PM - edited 03-10-2019 12:48 AM
regards,
I have read about DHCP SNOOPING, it serves to protect the network from fake DHCP servers, but in my case I have DHCP locally on the switch, as I configure that only the same switch can send DHCP.
Thanks in advance.
04-04-2017 05:05 AM
Sure, you could enable it with the local DHCP on the switch. By default all ports would be untrusted and only the switch will be able to offer DHCP addresses.
Switch#show runn int vlan 10
Building configuration...
Current configuration : 63 bytes
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
end
Switch#show run | i dhcp snoop
ip dhcp snooping vlan 10
ip dhcp snooping
Switch#
Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
AA:BB:CC:00:30:00   192.168.10.12    86203       dhcp-snooping   10    Ethernet0/0
Total number of bindings: 1
Switch#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
192.168.10.12   0063.6973.636f.2d61.    Apr 05 2017 01:56 PM    Automatic  Active     Vlan10
Switch#
######Added a "rogue" dhcp on another port:
Switch#show ip dhcp snooping statistics
 Packets Forwarded                                     = 2
 Packets Dropped                                       = 15
 Packets Dropped From untrusted ports                  = 15
Switch#
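Added example (not part of the original replies, and not Cisco code): a Python poller-side check that parses the `show ip dhcp snooping statistics` and `show ip dhcp snooping binding` output shown above and reports new drops on untrusted ports between two polls. The sample text is constructed in the shape of that output, and all function names are hypothetical.

```python
import re

# Constructed sample input, shaped like the CLI output in the post above.
STATS_BEFORE = """\
 Packets Forwarded                      = 2
 Packets Dropped                        = 0
 Packets Dropped From untrusted ports   = 0
"""
STATS_AFTER = """\
 Packets Forwarded                      = 2
 Packets Dropped                        = 15
 Packets Dropped From untrusted ports   = 15
"""
BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  -----------
AA:BB:CC:00:30:00   192.168.10.12    86203       dhcp-snooping   10    Ethernet0/0
Total number of bindings: 1
"""
UNTRUSTED = "Packets Dropped From untrusted ports"
ROW = re.compile(r"^((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\d+(?:\.\d+){3})"
                 r"\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def parse_stats(text):
    """Map each 'Counter name = N' line to an int; other lines are ignored."""
    found = (re.match(r"^\s*(.+?)\s*=\s*(\d+)\s*$", l) for l in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in found if m}

def parse_bindings(text):
    """One dict per data row of the binding table (header and totals skipped)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"mac": m[1], "ip": m[2], "lease": int(m[3]),
                         "type": m[4], "vlan": int(m[5]), "interface": m[6]})
    return rows

def new_untrusted_drops(prev_text, curr_text):
    """Drops on untrusted ports since the last poll; if the counter went down
    (it was cleared), the current value is used as the delta."""
    prev, curr = parse_stats(prev_text), parse_stats(curr_text)
    delta = curr.get(UNTRUSTED, 0) - prev.get(UNTRUSTED, 0)
    return delta if delta >= 0 else curr.get(UNTRUSTED, 0)

def report(prev_text, curr_text, bindings_text):
    """Summary for one polling interval: new drops plus the learned client ports."""
    drops = new_untrusted_drops(prev_text, curr_text)
    return {"new_untrusted_drops": drops, "alert": drops > 0,
            "clients": [(b["interface"], b["ip"]) for b in parse_bindings(bindings_text)]}
```

A rising untrusted-port drop counter is the signal to look for a device answering DHCP on an access port; the counter alone does not say which port.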
04-04-2017 03:03 AM
There was no actual question in your post, but:
Configuring the DHCP server locally on your switch does not prevent a DHCP server from being connected to a switch port (on VLAN 10, for example) and also providing IP addresses to hosts connected to that VLAN.
DHCP snooping allows you to define trusted/untrusted ports from where a DHCP server might send offers. Also, the DHCP snooping database (IP/MAC table) is used by other security features (such as Dynamic ARP Inspection).
04-04-2017 04:40 AM
Regards,
My question is whether DHCP Snooping can also be configured if DHCP is running locally on the switch. The examples I see are only shown with a DHCP server (either on a server or a router), but I cannot find an example where DHCP is configured locally on the switch.