DHCP Snooping

Ashish Shah
Level 1

Hi,

For the past few days I have been facing an issue with rogue DHCP broadcasts in my company network, so I planned to deploy DHCP snooping in my LAN environment. For this I implemented DHCP snooping on one switch on a test basis to see the result. Below are the commands that I configured on my switch.

Global Configuration:

ip dhcp snooping

ip dhcp snooping vlan 1-4094 --> I have intentionally allowed all the VLANs, as after eSNA we will be allowing all the VLANs on the trunk interface.

ip dhcp snooping information option

ip dhcp snooping verify mac-address

Interface Configuration:

(config-if)# ip dhcp snooping trust --> Only on the interface which is the uplink port or where the DHCP server is connected. All other interfaces remain untrusted by default.

I also kept trunk ports and channel ports as trusted ports.

But unfortunately, as soon as I deployed this configuration, users were not able to receive an IP from the DHCP server, and when I removed this configuration it was back to normal.

I repeat, I have deployed this on only one access switch.

Can anyone help me understand what went wrong in my configuration and what I should take care of to avoid failure? Thanks in advance. I'm waiting for a reply and help.

Thanks!

Ashish Shah


7 Replies

Latchum Naidu
VIP Alumni

Hi,

The configuration looks OK, but can you remove the "ip dhcp snooping verify mac-address" command and see.

See the below configuration that I have.

ciscoswitch(config)# ip dhcp snooping
ciscoswitch(config)# ip dhcp snooping vlan 100
ciscoswitch(config)# ip dhcp snooping vlan 10-15,100,110
ciscoswitch(config)# ip dhcp snooping information option

ciscoswitch(config)# interface fa0/0
ciscoswitch(config-if)# ip dhcp snooping trust
ciscoswitch(config-if)# ip dhcp snooping limit rate 202

ciscoswitch# show ip dhcp snooping
DHCP Snooping is configured on the following VLANs:
    10-15 100 110
Insertion of option 82 information is enabled.
Interface           Trusted        Rate limit (pps)
---------           -------        ----------------
FastEthernet2/1     yes            10
FastEthernet2/2     yes            none
FastEthernet3/1     no             20

ciscoswitch# show ip dhcp snooping binding
MacAddress      IP Address      Lease (seconds)      Type        VLAN      Interface
--------------  --------------  ---------------      -------     -----     ---------------
0000.0100.0201  10.0.0.1        1600                 dynamic     100       FastEthernet2/1

HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.
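To make the trust model behind both configurations concrete, here is an added example (not code from this thread or from Cisco) that models the DHCP snooping forwarding decision in Python: server messages arriving on an untrusted port are dropped, client messages on untrusted ports are checked against the frame's Ethernet source when "verify mac-address" is on, and a binding is learned when the ACK comes back through the trusted uplink. The interface names (Gi1/0/48 as the uplink), MAC addresses and the traffic are constructed for the example, and the way the switch remembers which port a client is on is a simplification of what IOS does.

```python
"""Model of the DHCP snooping forwarding decision and binding table.

Added example, not code from the thread or from Cisco. It follows the IOS
feature description in simplified form: DHCP server messages (OFFER/ACK/NAK)
arriving on an untrusted port are dropped, client messages on untrusted ports
are checked against the Ethernet source when "verify mac-address" is on, and
a binding is learned when an ACK for a known client arrives on a trusted
port. Interface names, MAC addresses and the traffic are constructed.
"""
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


@dataclass
class DhcpPacket:
    ingress: str        # interface the frame arrived on
    vlan: int
    src_mac: str        # Ethernet source address
    chaddr: str         # client hardware address inside the DHCP payload
    msg_type: str
    yiaddr: str = ""    # address offered/assigned (server messages only)
    lease: int = 0      # lease in seconds (ACK only)


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str      # the client's (untrusted) port, as IOS records it
    lease: int


class DhcpSnoopingSwitch:
    def __init__(self, snooping_vlans, trusted_ports, verify_mac=True):
        self.snooping_vlans = set(snooping_vlans)
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac
        self.bindings = {}      # (mac, vlan) -> Binding
        self.client_port = {}   # (mac, vlan) -> untrusted port the client used
        self.log = []

    def process(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        if pkt.vlan not in self.snooping_vlans:
            return True                      # snooping not enabled on this VLAN
        key = (pkt.chaddr.lower(), pkt.vlan)
        trusted = pkt.ingress in self.trusted

        if pkt.msg_type in SERVER_MESSAGES and not trusted:
            self.log.append(f"DROP {pkt.msg_type} from {pkt.src_mac} on untrusted "
                            f"{pkt.ingress}: server message on untrusted port")
            return False

        if pkt.msg_type in CLIENT_MESSAGES and not trusted:
            if self.verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
                self.log.append(f"DROP {pkt.msg_type} on {pkt.ingress}: Ethernet source "
                                f"{pkt.src_mac} != chaddr {pkt.chaddr} (verify mac-address)")
                return False
            self.client_port[key] = pkt.ingress   # remember where the client lives

        if pkt.msg_type == "ACK" and trusted and key in self.client_port:
            self.bindings[key] = Binding(pkt.chaddr.lower(), pkt.yiaddr, pkt.vlan,
                                         self.client_port[key], pkt.lease)
            self.log.append(f"BIND {pkt.chaddr} {pkt.yiaddr} vlan {pkt.vlan} "
                            f"on {self.client_port[key]}")
        return True


def sample_traffic():
    """Constructed exchange: one good client, one rogue server, one mismatched client."""
    good = "aa:aa:aa:00:00:01"
    server = "cc:cc:cc:00:00:01"
    rogue = "bb:bb:bb:00:00:09"
    return [
        DhcpPacket("Gi1/0/5", 10, good, good, "DISCOVER"),
        DhcpPacket("Gi1/0/7", 10, rogue, good, "OFFER", yiaddr="192.168.99.50"),  # rogue server
        DhcpPacket("Gi1/0/48", 10, server, good, "OFFER", yiaddr="10.0.0.25"),    # real server via uplink
        DhcpPacket("Gi1/0/5", 10, good, good, "REQUEST"),
        DhcpPacket("Gi1/0/48", 10, server, good, "ACK", yiaddr="10.0.0.25", lease=86400),
        # A client whose DHCP chaddr differs from the frame source, e.g. a host
        # behind a bridging device that rewrites the Ethernet header.
        DhcpPacket("Gi1/0/9", 10, "dd:dd:dd:00:00:02", "ee:ee:ee:00:00:03", "DISCOVER"),
    ]


def run(verify_mac=True):
    """Feed the sample traffic through a switch that trusts only the uplink Gi1/0/48."""
    sw = DhcpSnoopingSwitch(snooping_vlans=range(1, 4095), trusted_ports={"Gi1/0/48"},
                            verify_mac=verify_mac)
    decisions = [sw.process(p) for p in sample_traffic()]
    return decisions, sw


if __name__ == "__main__":
    decisions, sw = run()
    print(decisions)        # [True, False, True, True, True, False]
    print("\n".join(sw.log))
```

The last packet is the case that "verify mac-address" adds on top of the trust check: a DISCOVER whose chaddr does not equal the frame's source address is dropped, so a client sitting behind anything that rewrites the Ethernet header never gets a lease while the check is on. Running `run(verify_mac=False)` forwards that packet, which is the comparison Naidu's suggestion sets up.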

Hi,

Thanks for your input.

I'm trying to use and configure the below commands and do a proof of concept before the final roll-out. I will revert if any help is required for the same.

Thanks!

Ashish

Thank you sir, it solved my problem.

Since you have enabled DHCP snooping, you can also use its binding table to enable DAI to prevent ARP spoofing as well:

ip arp inspection vlan xx

int faxx
ip arp inspection trust

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul
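To show what DAI actually does with that binding table, here is an added example (not code from this thread or from Cisco) in Python. On an untrusted port an ARP packet is permitted only when its sender MAC/IP pair matches a binding that DHCP snooping learned; the trusted uplink is not inspected. The optional IOS validation of the Ethernet source against the ARP sender MAC is modelled too; ARP ACLs are left out. The binding table, port names and ARP frames are constructed for the example.

```python
"""Dynamic ARP Inspection (DAI) decision against a DHCP snooping binding table.

Added example, not from the thread or from Cisco. DAI on untrusted ports
permits an ARP packet only when the sender MAC/IP pair matches a binding
learned by DHCP snooping; packets on trusted ports (the uplink) are not
inspected. The optional check of the Ethernet source against the ARP sender
MAC is modelled as well. Static ARP ACLs are omitted. The bindings, port
names and ARP frames below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ingress: str
    vlan: int
    eth_src: str      # Ethernet source address
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    op: str           # "request" or "reply"


# (mac, vlan) -> ip, as DHCP snooping would have learned it from ACKs (constructed).
BINDINGS = {
    ("aa:aa:aa:00:00:01", 10): "10.0.0.25",
    ("aa:aa:aa:00:00:02", 10): "10.0.0.26",
}

TRUSTED_PORTS = {"Gi1/0/48"}   # uplink, as with "ip arp inspection trust"
DAI_VLANS = {10}               # as with "ip arp inspection vlan 10"


def inspect_arp(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS, vlans=DAI_VLANS,
                validate_src_mac=True):
    """Return (permit, reason) for one ARP packet."""
    if pkt.vlan not in vlans or pkt.ingress in trusted:
        return True, "not inspected"
    if validate_src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return False, "Ethernet source does not match ARP sender MAC"
    bound_ip = bindings.get((pkt.sender_mac.lower(), pkt.vlan))
    if bound_ip is None:
        return False, "no DHCP snooping binding for sender MAC"
    if bound_ip != pkt.sender_ip:
        return False, f"sender IP {pkt.sender_ip} does not match binding {bound_ip}"
    return True, "matches binding"


def sample_arp():
    """Constructed ARP frames covering the permit and deny cases."""
    return [
        # legitimate reply from a DHCP client
        ArpPacket("Gi1/0/5", 10, "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:01", "10.0.0.25", "reply"),
        # spoofed reply: client 2 claims the default gateway's address
        ArpPacket("Gi1/0/6", 10, "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:02", "10.0.0.1", "reply"),
        # the real gateway answering through the trusted uplink: not inspected
        ArpPacket("Gi1/0/48", 10, "cc:cc:cc:00:00:01", "cc:cc:cc:00:00:01", "10.0.0.1", "reply"),
        # statically addressed host with no binding: dropped
        ArpPacket("Gi1/0/12", 10, "dd:dd:dd:00:00:04", "dd:dd:dd:00:00:04", "10.0.0.200", "request"),
        # header mismatch: frame source differs from the ARP sender MAC
        ArpPacket("Gi1/0/6", 10, "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:01", "10.0.0.25", "reply"),
    ]


def run():
    """Inspect every sample frame and return the (permit, reason) list."""
    return [inspect_arp(p) for p in sample_arp()]


if __name__ == "__main__":
    for pkt, (permit, reason) in zip(sample_arp(), run()):
        print(f"{pkt.ingress:9} {pkt.sender_mac} {pkt.sender_ip:12} "
              f"{'PERMIT' if permit else 'DENY  '} {reason}")
```

The fourth frame is the one to plan for before turning DAI on: a statically addressed printer or server on an untrusted port has no DHCP binding, so DAI drops its ARP traffic until you add a static entry to the binding table (ip source binding on IOS) or an ARP ACL for it.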

Hi Ashish,

Did that help you?

Please click on the correct answer if this answered your question.

Regards,

Naidu.

Hi,

Thanks, it is working for me.

I will be deploying this on one of the production switches and observe.

I have one more query: what does the command statement "ip dhcp snooping limit rate 202" stand for?

Thanks

Ashish

Hi Ashish,

Here "202" indicates that the interface can receive 202 DHCP messages per second.

It configures the number of DHCP packets per second (pps) that an interface can receive.

Note: You may not want to configure untrusted rate limiting to more than 100 pps.

Normally, the rate limit applies to untrusted interfaces. If you want to set up rate limiting for trusted interfaces, keep in mind that trusted interfaces aggregate all the DHCP traffic in the switch, and you will need to adjust the rate limit to a higher value.


HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.
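To show why a trusted uplink needs a much higher limit than an access port, here is an added example (not code from this thread or from Cisco) that models "ip dhcp snooping limit rate" in Python as a one-second sliding window per port: once more DHCP packets than the limit arrive within a second, the port is err-disabled and drops everything afterwards. The port names, limits and packet timings are constructed; err-disable recovery is ignored.

```python
"""Per-interface DHCP rate limit with err-disable, modelled on
"ip dhcp snooping limit rate <pps>".

Added example, not from the thread or from Cisco. Each port gets a
one-second sliding window; when more packets than the configured limit fall
inside it the port is err-disabled and drops all further DHCP packets
(recovery is ignored). Port names, limits and timings are constructed to
show an uplink that carries the replies for every client behind it.
"""
from collections import defaultdict, deque


class DhcpRateLimiter:
    def __init__(self, limits):
        self.limits = limits               # interface -> pps, or None for no limit
        self.windows = defaultdict(deque)  # interface -> timestamps in the last second
        self.errdisabled = set()
        self.dropped = defaultdict(int)

    def accept(self, iface, ts):
        """Return True if the DHCP packet is let through, False if dropped."""
        if iface in self.errdisabled:
            self.dropped[iface] += 1
            return False
        limit = self.limits.get(iface)
        if limit is None:
            return True
        win = self.windows[iface]
        win.append(ts)
        while win and ts - win[0] >= 1.0:
            win.popleft()
        if len(win) > limit:
            self.errdisabled.add(iface)    # limit exceeded: port goes err-disabled
            self.dropped[iface] += 1
            return False
        return True


def traffic():
    """Constructed one-second snapshot of DHCP packets as (interface, timestamp)."""
    pkts = []
    # 120 clients behind this switch renewing at the same moment, e.g. after a
    # power cut: each client's OFFER and ACK arrive on the uplink Gi1/0/48.
    for i in range(120):
        t = i / 120
        pkts.append(("Gi1/0/48", t))
        pkts.append(("Gi1/0/48", t + 0.004))
    # one well-behaved client on an access port: DISCOVER and REQUEST
    pkts += [("Gi1/0/5", 0.10), ("Gi1/0/5", 0.15)]
    # a host on Gi1/0/7 flooding DISCOVERs at 500 pps (DHCP starvation attempt)
    pkts += [("Gi1/0/7", i / 500) for i in range(500)]
    return sorted(pkts, key=lambda p: p[1])


def simulate(uplink_limit):
    """Run the snapshot with access ports limited to 15 pps and the uplink to uplink_limit."""
    limits = {"Gi1/0/5": 15, "Gi1/0/7": 15, "Gi1/0/48": uplink_limit}
    rl = DhcpRateLimiter(limits)
    forwarded = defaultdict(int)
    for iface, ts in traffic():
        if rl.accept(iface, ts):
            forwarded[iface] += 1
    return {"errdisabled": rl.errdisabled, "forwarded": dict(forwarded),
            "dropped": dict(rl.dropped)}


if __name__ == "__main__":
    for limit in (100, None):
        r = simulate(limit)
        print(f"uplink limit {limit}: err-disabled {sorted(r['errdisabled'])}, "
              f"forwarded {r['forwarded']}")
```

With the uplink capped at 100 pps, the flooder's port is err-disabled as intended, but so is the uplink, and every client on the switch loses DHCP with it; with no limit on the uplink only Gi1/0/7 goes down. That is the trade-off behind keeping trusted ports unlimited or setting them well above the aggregate of all the access ports, and it is worth pairing the limit with errdisable recovery for the dhcp-rate-limit cause so that a transient burst does not leave a port down permanently.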