
Cisco Switches – Trunk & DHCP Spoofing

I have to start by apologizing if these are a couple of stupid questions, as I’m just getting back into the Cisco stuff.

Got CCNP certified 15 years ago, but have not used it much in my daily routine, so I'm getting back on CCENT studies as a first step to refreshing my knowledge and getting familiar with the changes.

I have an older 3548 Fast Ethernet switch connected to a newer 2960 Giga switch.

The 3548 has a Gigabit module in one of its two modular slots, which is what connects it to the 2960 switch.

[Diagram: switches]

Question #1:

I only have the standard VLAN on each switch, so should I create a TRUNK on the connection between the switches, or leave it as is?

Question #2:

Not sure if the 3548 IOS allows for it, but if I set up DHCP SPOOFING on both, in addition to the port where the DHCP Server is connected on the 2960, will I have to trust the port on the 3548 connected to the 2960 in order for the trusted DHCP traffic to reach clients on the 3548 switch?

Thanks in advance for any input on this.

Accepted Solutions

Carlos Villagran
Cisco Employee

Hi!

1) It can work in both ways, however, for academy purposes you should configure it as a trunk and read a little about 802.1q protocol so traffic from other VLANs can traverse over this link.

2) It depends, where is your DHCP server? As far as I know, routers do not support DHCP Snooping, only switches do.

The trusted ports have to point to the DHCP server path. In case you have a trunk in the path, the egress port from switch 1 has to be configured as trusted, for example.

Here is some documentation for DHCP snooping in case you are looking for more details:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Hope it helps, best regards!

JC


4 Replies 4

Hi Carlos,

Thanks for your reply.

1) I have read up on the 802.1q protocol already, but since there's only one VLAN and since a trunk adds tags to each frame, couldn't that cause a slowdown on a busy link between two switches?

2) DHCP server is on one of the 2 switches as shown in the previous drawing, and there are no routers involved. However, I believe you answered the question by adding trust to the trunk port.

Thanks for your answers and the link included.

Ole

Well, it is not a noticeable delay or slowdown and if that is the case, remember that traffic passing over the NATIVE vlan does not get tagged.

So I would say there is no problem in making it trunk.

You are right, in the diagram the trusted ports have to be ports Gi 0/1, of course.

Hope it helps, best regards!

JC

Okay, didn't know that about the native vlan.

Thanks again for your help. :-)
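Added example, not part of any post in this thread: a small Python model of the DHCP snooping trust rule discussed above, showing why the 3548's uplink toward the 2960 must be trusted for server replies to reach its clients. The port names `Gi0/10`, `Fa0/5`, `Fa0/6`, the host names and the unicast-only forwarding are assumptions made for illustration.

```python
# Model of DHCP snooping trust on two switches joined by one uplink (Gi0/1 on each).
# Assumed topology: DHCP server on the 2960 (Gi0/10), client and rogue server on the 3548.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # message types only a DHCP server sends

class Switch:
    def __init__(self, name, trusted=()):
        self.name = name
        self.trusted = set(trusted)  # ports configured as snooping-trusted
        self.links = {}              # port -> host name, or (Switch, peer port)

    def connect(self, port, other, other_port):
        self.links[port] = (other, other_port)
        other.links[other_port] = (self, port)

    def receive(self, msg, in_port, dst, log):
        # Snooping rule: server messages arriving on an untrusted port are dropped.
        if msg in SERVER_MSGS and in_port not in self.trusted:
            log.append(f"{self.name}: drop {msg} on untrusted {in_port}")
            return False
        for port, peer in self.links.items():
            if port == in_port:
                continue
            if peer == dst:
                log.append(f"{self.name}: deliver {msg} to {dst} via {port}")
                return True
            if isinstance(peer, tuple) and peer[0].receive(msg, peer[1], dst, log):
                return True
        return False

def build(trust_3548_uplink):
    sw2960 = Switch("2960", trusted={"Gi0/10"})  # server-facing port is trusted
    sw3548 = Switch("3548", trusted={"Gi0/1"} if trust_3548_uplink else set())
    sw2960.connect("Gi0/1", sw3548, "Gi0/1")
    sw2960.links["Gi0/10"] = "server"
    sw3548.links["Fa0/5"] = "client"
    sw3548.links["Fa0/6"] = "rogue"
    return sw2960, sw3548

def server_offer_reaches_client(trust_3548_uplink):
    sw2960, _ = build(trust_3548_uplink)
    log = []
    return sw2960.receive("OFFER", "Gi0/10", "client", log), log

def rogue_offer_reaches_client():
    _, sw3548 = build(True)
    log = []
    return sw3548.receive("OFFER", "Fa0/6", "client", log), log

def client_discover_reaches_server():
    _, sw3548 = build(True)  # 2960's Gi0/1 stays untrusted; client messages still pass
    log = []
    return sw3548.receive("DISCOVER", "Fa0/5", "server", log), log
```
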
