01-20-2017 05:19 AM - edited 03-05-2019 07:53 AM
Please help me to understand the below commands
no
Regards & Thanks
Maulik
02-06-2017 04:48 AM
Hi
If you want to configure DHCP snooping properly, follow these steps:
Step 1:
ip dhcp snooping = it will enable DHCP snooping globally on your device, but it will not take any effect without step 2.
Step 2:
ip dhcp snooping vlan X1,X2,X3...Xn = DHCP snooping will not work if you don't associate the VLANs that you want to protect. (Just ip dhcp snooping will not do anything until the VLANs are associated with it.)
Step 3:
no ip dhcp snooping information option: Option 82 is added to the request to the DHCP server before it is forwarded. It could generate some inconsistency with relay information. You can see that by executing a debug: debug ip dhcp server packet. Adding the no will disable this option. In most cases it is disabled.
Step 4:
ip dhcp snooping limit rate: This is optional but recommended, to limit the packets per second. Try to configure no more than 100. This is configured on the access ports only, not under the trunk interfaces.
Step 5:
ip dhcp snooping trust: This command is configured under the trusted interfaces, in a few words under the trunk interface where the broadcast will search for the DHCP servers on the company network infrastructure.
This link can be useful: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_35_se/configuration/guide/scg/swdhcp82.html#wp1070843
Hope it is useful :-)
01-21-2017 03:17 PM
Hi
IP DHCP SNOOPING:
it will act like a FW between your hosts (untrusted) and your DHCP Servers (Trusted).
SNOOPING INFORMATION OPTION:
It is related to DHCP OPTION-82:
DHCP option 82 provides additional security when DHCP is used to allocate network addresses. It enables the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources.
SNOOPING VLAN:
Activate snooping security feature for particular vlans as per default all vlans are not activated with snooping capabilities.
Hope this is clearer.
Thanks.
PS: Please don't forget to rate and mark as correct answer if this answered your question
02-06-2017 03:39 AM
Hello,
I'm not getting
CORE
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
!
!
!
!
interface Vlan10
 mac-address 0060.5c40.e301
 ip address 192.168.10.1 255.255.255.0
!
!
interface GigabitEthernet0/1
 ip dhcp snooping trust
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 ip dhcp snooping trust
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan20
 mac-address 0060.5c40.e302
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan100
 mac-address 0060.5c40.e303
 ip address 192.168.100.100 255.255.255.0
!
Sw2
ip dhcp snooping
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/11
 switchport mode access
!
interface GigabitEthernet0/2
!
interface Vlan100
 mac-address 0002.4a81.5201
Sw1
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/10
!
interface GigabitEthernet0/1
!
interface Vlan100
 mac-address 0001.42c3.e901
02-06-2017 04:26 AM
Maybe this show command will help us to resolve the problem
CORE#show
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
none
none
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format:
remote-id: 0060.5C40.E369 (MAC)
Option 82 on untrusted port is not allowed
Verification of
Verification of
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (
----------------------- ------- ------------ ----------------
GigabitEthernet0/1 yes yes unlimited
Custom circuit-ids:
GigabitEthernet0/2 yes yes unlimited
Custom circuit-ids:
CORE#
Sw2#
Sw2#show
Sw2#show
Sw2#show
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of
Interface Trusted Rate limit (
----------------------- ------- ----------------
GigabitEthernet0/2 yes unlimited
Sw1#
Sw1#show
Sw1#show
Sw1#show
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of
Interface Trusted Rate limit (
----------------------- ------- ----------------
GigabitEthernet0/1 yes unlimited
Sw1#
02-06-2017 05:12 AM
no
Still not get
when
no
then i get the
02-06-2017 05:16 AM
Hi
Please let me check the config below, also the ip dhcp snooping is usually configured on the access switches only.
02-06-2017 05:19 AM
Hi
Try to remove the DHCP snooping config on the Core device and leave it on the access switches only.
02-06-2017 06:07 AM
Still not working...
02-06-2017 06:08 AM
Ok, could you please provide me your configurations in a txt file.
Thank you in advance.
02-06-2017 07:11 AM
02-06-2017 07:16 AM
You are welcome,
Please let me take a look.
02-06-2017 07:22 AM
Hi
This command is configured under the access ports only, not under the trunks:
ip dhcp snooping limit rate 3
please remove it from the interface trunk:
interface GigabitEthernet0/1
switchport trunk allowed vlan 10,20
ip dhcp snooping trust
no ip dhcp snooping limit rate 3
switchport mode trunk
And configure it under the access ports, for example:
int fa0/15
ip dhcp snooping limit rate 50 (also try to increase the limit)
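Added example (not part of the thread and not any poster's code): a small Python check that reads a saved running-config and reports where it departs from the five steps in the accepted answer and from the reply above about rate limits on trunks. The sample config and the finding names are constructed for illustration.

```python
import re

# Constructed sample: an access switch with the trunk rate-limit mistake from the thread.
SAMPLE = """\
ip dhcp snooping
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/15
 switchport mode access
 ip dhcp snooping limit rate 50
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 ip dhcp snooping limit rate 3
 switchport mode trunk
"""

def parse_interfaces(cfg):
    """Map each interface name to its indented sub-commands."""
    ifaces, cur = {}, None
    for raw in cfg.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            cur = ifaces.setdefault(m.group(1), [])
        elif cur is not None and raw[:1].isspace():
            cur.append(raw.strip())
        else:
            cur = None  # "!" or any global command closes the interface block
    return ifaces

def audit(cfg):
    """Return (finding, location) pairs for the checks in steps 1-5."""
    out, ifaces = [], parse_interfaces(cfg)
    top = lambda pattern: re.search(pattern, cfg, re.M) is not None
    if not top(r"^ip dhcp snooping[ \t]*$"):
        out.append(("not-enabled", "global"))          # step 1
    if not top(r"^ip dhcp snooping vlan \S+"):
        out.append(("no-vlan", "global"))              # step 2
    if not top(r"^no ip dhcp snooping information option"):
        out.append(("option-82-enabled", "global"))    # step 3
    for name, cmds in ifaces.items():
        rate = [int(m.group(1)) for c in cmds
                if (m := re.match(r"ip dhcp snooping limit rate (\d+)", c))]
        if "switchport mode trunk" in cmds and rate:
            out.append(("rate-limit-on-trunk", name))  # step 4: access ports only
        elif "switchport mode access" in cmds and not rate:
            out.append(("no-rate-limit", name))        # step 4: recommended
        elif "switchport mode access" in cmds and rate[0] > 100:
            out.append(("rate-limit-over-100", name))  # step 4: "no more than 100"
    if not any("ip dhcp snooping trust" in c for c in ifaces.values()):
        out.append(("no-trusted-port", "global"))      # step 5
    return out
```

Calling `audit(SAMPLE)` reports the missing VLAN association, option 82 still enabled, the access port without a rate limit, and the rate limit on the trunk.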
02-06-2017 08:00 AM
Hi..
Still not working, maybe Packet Tracer bugs.
I have to know
Same configuration. actually one of my
Thanks a lot
Regards Maulik
02-06-2017 08:12 AM
Hi
No worries :-)
Yes, you can add your management VLAN to the trunk without inconveniences. To be honest, I have not executed ip dhcp snooping on Packet Tracer. As I remember, Packet Tracer has some command limitations, but I don't know about the recent versions hehehe.
Also, you can use these commands to see the behavior (in a real environment these commands should be applied after business hours):
switch# debug ip dhcp snooping event
switch# debug ip dhcp snooping packet
Also try to configure your trunks like this for testing purposes:
example:
interface GigabitEthernet0/1
switchport
no switchport trunk allowed vlan 10,20
ip dhcp snooping trust
switchport trunk encapsulation dot1q
switchport mode trunk