3436 Views, 13 Helpful, 15 Replies

DHCP snooping

maulikp
Level 1

Please help me to understand the commands below:

ip dhcp snooping vlan 32,36,40,44

no ip dhcp snooping information option
ip dhcp snooping

Regards & Thanks

Maulik 

Accepted Solution

Hi

If you want to configure DHCP snooping properly, follow these steps:

Step 1:

ip dhcp snooping = it will enable DHCP snooping globally on your device, but it will not take effect without step 2.

Step 2:

ip dhcp snooping vlan X1,X2,X3...Xn = DHCP snooping will not work if you don't associate the VLANs that you want to protect. (Just ip dhcp snooping will not do anything until the VLANs are associated with it.)

Step 3:

no ip dhcp snooping information option: Option 82 is added to the request to the DHCP server before it is forwarded. It could generate some inconsistency with relay information. You can see that by executing a debug: debug ip dhcp server packet. Adding the no disables this option. In most cases it is disabled.

Step 4:

ip dhcp snooping limit rate: This is optional but recommended, to limit the packets per second. Try to configure no more than 100. This is configured on the access ports only, not under the trunk interfaces.

Step 5:

ip dhcp snooping trust: This command line is configured under the trusted interfaces, in a few words under the trunk interface where the broadcast will search for the DHCP servers on the company network infrastructure.

This link can be useful: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_35_se/configuration/guide/scg/swdhcp82.html#wp1070843

Hope it is useful  :-)




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

15 Replies

Francesco Molino
VIP Alumni

Hi

IP DHCP SNOOPING:

It will act like a FW (firewall) between your hosts (untrusted) and your DHCP servers (trusted).

SNOOPING INFORMATION OPTION:

It is related to DHCP OPTION-82:

DHCP option 82 provides additional security when DHCP is used to allocate network addresses. It enables the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources.

SNOOPING VLAN:

Activates the snooping security feature for particular VLANs, as by default no VLANs are activated with snooping capabilities.

Hope this is clearer.

Thanks,
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

Hello,

I'm not getting an IP through DHCP at any laptop. Please help out; if you need any other configuration, please let me know.

CORE

ip dhcp pool TEN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8
ip dhcp pool TWENTY
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 8.8.8.8
!
ip routing
!
ip dhcp snooping vlan 10
ip dhcp snooping
!
interface Vlan10
 mac-address 0060.5c40.e301
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip dhcp snooping trust
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 ip dhcp snooping trust
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan20
 mac-address 0060.5c40.e302
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan100
 mac-address 0060.5c40.e303
 ip address 192.168.100.100 255.255.255.0
!

Sw2

ip dhcp snooping vlan 10
ip dhcp snooping
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 switchport mode trunk
!
interface Vlan100
 mac-address 0002.4a81.5201
 ip address 192.168.100.20 255.255.255.0

Sw1

ip dhcp snooping vlan 10
ip dhcp snooping
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/10
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 switchport mode trunk
!
interface Vlan100
 mac-address 0001.42c3.e901
 ip address 192.168.100.10 255.255.255.0

Maybe this show command will help us to resolve the problem:

CORE#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
none
Smartlog is configured on following VLANs:
none
Smartlog is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0060.5C40.E369 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet0/2         yes        yes             unlimited
  Custom circuit-ids:
CORE#

Sw2#show ip dh
Sw2#show ip dhcp s
Sw2#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
GigabitEthernet0/2         yes        unlimited

Sw1#show ip dh
Sw1#show ip dhcp sn
Sw1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
GigabitEthernet0/1         yes        unlimited
Sw1#
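The three show outputs above are where a defender looks first, so here is an added parser (my own code, not from the thread or from Cisco) that reads a show ip dhcp snooping dump and raises the two things worth catching: a VLAN that is configured but not operational, as the CORE output shows for VLAN 10, and a trusted uplink that carries a rate limit. The sample text is constructed in the shape of those outputs, not copied from them.

```python
import re
# Constructed sample modelled on the CORE output in the thread (not copied from it):
# VLAN 10 is configured but not operational, and one trusted uplink carries a rate limit.
SAMPLE = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
none
Insertion of option 82 is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
GigabitEthernet0/2         yes        yes             50
"""
VLAN_HDR = re.compile(r"^DHCP snooping is (configured|operational) on following VLANs:")
# Matches both the 4-column (CORE) and 3-column (Sw1/Sw2) interface tables above.
IFACE_ROW = re.compile(r"^(\S+)\s+(yes|no)\s+(?:(?:yes|no)\s+)?(unlimited|\d+)$")
def parse_snooping(text):
    """Parse 'show ip dhcp snooping' output into the fields worth checking."""
    st = {"enabled": False, "configured": set(), "operational": set(), "interfaces": {}}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        hdr = VLAN_HDR.match(line)
        if line.startswith("Switch DHCP snooping is"):
            st["enabled"] = line.endswith(" enabled")
        elif hdr:
            section = hdr.group(1)
        elif section and re.fullmatch(r"\d[\d, ]*", line):
            st[section] |= {int(v) for v in line.replace(" ", "").split(",")}
        elif (row := IFACE_ROW.match(line)):
            st["interfaces"][row.group(1)] = (row.group(2) == "yes", row.group(3))
        else:
            section = None   # 'none' or any other text ends a VLAN list
    return st
def diagnose(st):
    """Findings a defender would want raised from this output."""
    findings = []
    if not st["enabled"]:
        findings.append("global DHCP snooping is disabled")
    for v in sorted(st["configured"] - st["operational"]):
        findings.append(f"VLAN {v} is configured but not operational")
    if not any(t for t, _ in st["interfaces"].values()):
        findings.append("no trusted interface: DHCP server replies will be dropped")
    for name, (trusted, rate) in st["interfaces"].items():
        if trusted and rate != "unlimited":
            findings.append(f"{name}: rate limit {rate} pps on a trusted uplink")
    return findings
```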


maulikp
Level 1

no ip dhcp snooping information option

Still not getting an IP through DHCP.

When I disable DHCP snooping using

no dhcp snooping

then I get the IP through DHCP.

Hi

Please let me check the config below; also, ip dhcp snooping is usually configured on the access switches only.

Hi

Try to remove the DHCP snooping config on the Core device and leave it on the access switches only.

Still not working...

Ok, could you please provide me your configurations in a txt file.

Thank you in advance.

Hi

Thanks for responding and trying to resolve my query.

Please find the attachment

You are welcome,

Please let me take a look. 

Hi

This command is configured under the access ports only, not under the trunks:

 ip dhcp snooping limit rate 3

please remove it from the interface trunk:

interface GigabitEthernet0/1
switchport trunk allowed vlan 10,20
ip dhcp snooping trust
no ip dhcp snooping limit rate 3
switchport mode trunk

And configure it under the access ports, for example:

int fa0/15
 ip dhcp snooping limit rate 50   (also try to increase the limit)
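As an added example (my own code, not from the thread or from Cisco), a linter that applies steps 1, 2, 4 and 5 of the accepted answer, together with the point made just above that ip dhcp snooping limit rate belongs on access ports and not on trunks, to an IOS-style config. The sample config is constructed in the shape of the Sw1 config, and MAX_ACCESS_RATE is assumed from the "no more than 100" in step 4.

```python
# Constructed sample in the shape of the Sw1 config from the thread, with the rate
# limit on the trunk that the replies point out and an over-large access-port limit.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10
ip dhcp snooping
!
interface FastEthernet0/1
 switchport mode access
 ip dhcp snooping limit rate 200
!
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip dhcp snooping limit rate 3
 switchport mode trunk
!
"""
MAX_ACCESS_RATE = 100  # ceiling the accepted answer recommends for access ports
def split_config(text):
    # Return (global_lines, {interface: [its lines]}); '!' closes an interface block.
    glob, ifaces, cur = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line in ("!", ""):
            cur = None
        else:
            (ifaces[cur] if cur else glob).append(line)
    return glob, ifaces
def lint_dhcp_snooping(text):
    """Check a config against steps 1, 2, 4 and 5 of the accepted answer."""
    glob, ifaces = split_config(text)
    findings = []
    if "ip dhcp snooping" not in glob:
        findings.append("step 1: global 'ip dhcp snooping' is missing")
    if not any(g.startswith("ip dhcp snooping vlan ") for g in glob):
        findings.append("step 2: no VLAN list, snooping does nothing")
    for name, lines in ifaces.items():
        trusted = "ip dhcp snooping trust" in lines
        rate = next((int(l.split()[-1]) for l in lines if l.startswith("ip dhcp snooping limit rate ")), None)
        if "switchport mode trunk" in lines:
            if not trusted:
                findings.append(f"step 5: trunk {name} is not trusted")
            if rate is not None:
                findings.append(f"step 4: rate limit on trunk {name}, move it to the access ports")
        elif "switchport mode access" in lines:
            if rate is None:
                findings.append(f"step 4: access port {name} has no rate limit")
            elif rate > MAX_ACCESS_RATE:
                findings.append(f"step 4: access port {name} limit {rate} pps exceeds {MAX_ACCESS_RATE}")
    return findings
```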

Hi,

Still not working; maybe Packet Tracer bugs.

I have to know: if I didn't allow VLAN 100 in the trunk (I'm using this VLAN as MGMT), and I configured the ip routing commands on the core switch, then it is possible to ping the MGMT IP.

Same configuration. Actually, one of my friends told me that in this situation you get the ping but you can't get data from the MGMT VLAN, so please help me to clear my doubt. And if possible, share some documents or your knowledge so I can understand how VLAN traffic moves in a network, what is required to get a ping and what is required to pass the traffic.

I know my English is not that good, so please try to understand my question.

Thanks a lot

Regards Maulik

Hi

No worries :-)
Yes, you can add your management VLAN to the trunk without inconvenience. To be honest, I have not run ip dhcp snooping on Packet Tracer. As I remember, Packet Tracer has some command limitations, but I don't know the recent versions hehehe.

Also, you can use these commands to see the behavior (in a real environment these commands should be applied after business hours):

switch# debug ip dhcp snooping event
switch# debug ip dhcp snooping packet

Also try to configure your trunks like this for testing purposes:

example:

interface GigabitEthernet0/1
switchport
no switchport trunk allowed vlan 10,20
ip dhcp snooping trust
switchport trunk encapsulation dot1q
switchport mode trunk