Dhcp Snooping

emora6001
Level 1

Regards,
I have read about DHCP snooping; it serves to protect the network from fake DHCP servers, but in my case I have DHCP locally on the switch, as I configure that only the same switch can send DHCP.

Thanks in advance.


eduardopozo56
Level 1

There was no actual question in your post, but:

Configuring the DHCP server locally on your switch does not prevent a DHCP server from being connected to a switch port (on VLAN 10, for example) and also providing IP addresses for hosts connected to that VLAN.

DHCP snooping allows you to define trusted/untrusted ports from which a DHCP server might send offers. Also, the DHCP snooping database (IP/MAC table) is used by other security features (such as Dynamic ARP Inspection).

Regards,
My question is whether DHCP snooping can also be configured if DHCP is locally on the switch. The examples I see are only displayed with a DHCP server (either on a server or a router), but I do not get an example when DHCP is configured locally on the switch.

Sure, you could enable it with the local DHCP on the switch. By default all ports would be untrusted and only the switch will be able to offer DHCP addresses.


Switch#show runn int vlan 10
Building configuration...
Current configuration : 63 bytes
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
end
Switch#show run | i dhcp snoop
ip dhcp snooping vlan 10
ip dhcp snooping
Switch#

Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
AA:BB:CC:00:30:00   192.168.10.12    86203       dhcp-snooping  10    Ethernet0/0
Total number of bindings: 1

Switch#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type       State      Interface
                    Hardware address/
                    User name
192.168.10.12       0063.6973.636f.2d61.    Apr 05 2017 01:56 PM    Automatic  Active     Vlan10

Switch#

###### Added a "rogue" dhcp on another port:
Switch#show ip dhcp snooping statistics
Packets Forwarded = 2
Packets Dropped = 15
Packets Dropped From untrusted ports = 15
Switch#
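
Added example (not part of the original thread and not Cisco code): a simplified Python model of the filtering that produces the counters and binding shown above, with server replies dropped on untrusted ports and the binding learned from the permitted ACK. The `Snooper` and `Msg` names, the `local` pseudo-port for the switch's own DHCP server, the rogue MAC, port `Ethernet0/1` and the 86400-second lease are constructed assumptions.

```python
from dataclasses import dataclass
SERVER_KINDS = {"OFFER", "ACK", "NAK"}  # message types only a DHCP server sends

@dataclass
class Msg:
    kind: str       # DISCOVER, OFFER, REQUEST, ACK, NAK or RELEASE
    port: str       # ingress port; "local" = the switch's own DHCP server
    src_mac: str    # Ethernet source address
    chaddr: str     # client hardware address inside the DHCP payload
    ip: str = ""    # leased address (read from ACK only)
    lease: int = 0  # lease seconds (read from ACK only)

class Snooper:
    """Simplified model of the filtering decision, not the IOS implementation."""
    def __init__(self, trusted=()):
        self.trusted = set(trusted) | {"local"}  # assumption: local server is not filtered
        self.bindings = {}  # chaddr -> (ip, lease, client port)
        self.seen_on = {}   # chaddr -> untrusted port the client last used
        self.forwarded = self.dropped = 0

    def permit(self, m):
        if m.port in self.trusted:
            return True
        if m.kind in SERVER_KINDS or m.src_mac != m.chaddr:
            return False  # server reply on untrusted port, or chaddr/frame MAC mismatch
        bound = self.bindings.get(m.chaddr)  # RELEASE must come from the bound port
        return not (m.kind == "RELEASE" and bound and bound[2] != m.port)

    def handle(self, m):
        if not self.permit(m):
            self.dropped += 1
            return False
        self.forwarded += 1
        if m.port not in self.trusted:
            self.seen_on[m.chaddr] = m.port
        if m.kind == "ACK":          # binding is learned from the permitted ACK
            self.bindings[m.chaddr] = (m.ip, m.lease, self.seen_on.get(m.chaddr))
        elif m.kind == "RELEASE":
            self.bindings.pop(m.chaddr, None)
        return True

def demo():
    # Constructed exchange: the page's client on Ethernet0/0, rogue server on Ethernet0/1.
    c, rogue, s = "AA:BB:CC:00:30:00", "AA:BB:CC:00:40:00", Snooper()
    flow = [("DISCOVER", "Ethernet0/0", c), ("OFFER", "local", "switch"),
            ("OFFER", "Ethernet0/1", rogue), ("REQUEST", "Ethernet0/0", c),
            ("ACK", "local", "switch"), ("ACK", "Ethernet0/1", rogue)]
    for kind, port, src in flow:
        s.handle(Msg(kind, port, src, c, "192.168.10.12", 86400))
    return s
```

Passing `trusted=["Ethernet0/1"]` to `Snooper` models a port marked as trusted, in which case server replies arriving on that port are forwarded instead of dropped.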