01-19-2009 02:18 AM - edited 03-06-2019 03:30 AM
Hi all, after a rogue ADSL router nearly brought my clients to a halt over the weekend, I am going to look into implementing DHCP snooping.
Firstly, can anyone tell me where we do this? Do we do it on all switches, or do layer 3 switches only support this? Also, how does it work in a simple way? I believe you simply set the port for DHCP to trusted and the others to non-trusted, is this right? And can it cause any issues?
cheers
Carl
01-19-2009 06:36 AM
Carl,
You would add DHCP snooping on all of the switches that interconnect. When you enable DHCP snooping globally, I believe (others can correct me) ALL ports are untrusted, and you have to enable the trusted port (the port that you KNOW a valid DHCP server is on) manually. You can run DHCP snooping on 2950 (L2) switches, but I can't speak for, say, the Cisco Express 500 series.
Here's a link for more reading:
HTH,
John
01-19-2009 08:34 AM
I have been reading some docs. They say I should have my uplink ports to other switches as trusted. Does this sound about right?
01-19-2009 09:21 AM
Yes. If you have switches connected to multiple switches, then the connected trunk ports should be trusted. If you have an untrusted trunk port and it sees a DHCP packet come across it, it will shut the port down in an err-disabled state (I believe).
HTH,
John
01-20-2009 06:50 AM
I just wanted to add one comment, because it is a mistake I have made in the past. If you have EtherChannel trunks between your switches, you have to trust both your physical ports that belong to the channel-group and the logical interface, i.e. "interface Port-channel1".
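
The EtherChannel pitfall from the last post can be checked offline against a saved switch configuration. This is an added example, not code from anyone in the thread: the sample config, interface names and function names are constructed, and it assumes IOS-style `channel-group` and `ip dhcp snooping trust` lines.

```python
import re
from collections import defaultdict

# Constructed sample running-config; interface names are made up.
SAMPLE_CONFIG = """\
ip dhcp snooping
interface Port-channel1
 ip dhcp snooping trust
interface GigabitEthernet0/1
 channel-group 1 mode active
 ip dhcp snooping trust
interface GigabitEthernet0/2
 channel-group 1 mode active
interface FastEthernet0/5
 switchport mode access
"""

def parse_interfaces(config):
    """Map interface name -> {"trust": bool, "group": channel-group id or None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), {"trust": False, "group": None})
        elif not line.startswith(" "):
            current = None  # global line or "!": the interface stanza has ended
        elif current is not None:
            if line.strip() == "ip dhcp snooping trust":
                current["trust"] = True
            member = re.match(r"\s+channel-group\s+(\d+)\b", line)
            if member:
                current["group"] = member.group(1)
    return interfaces

def audit_etherchannel_trust(config):
    """Return (port-channel, untrusted interface) pairs for partly trusted bundles."""
    interfaces = parse_interfaces(config)
    members = defaultdict(list)
    for name, info in interfaces.items():
        if info["group"]:
            members[info["group"]].append(name)
    findings = []
    for group, ports in sorted(members.items()):
        logical = f"Port-channel{group}"
        bundle = [logical] + sorted(ports)
        trusted = [p for p in bundle if interfaces.get(p, {}).get("trust")]
        if trusted and len(trusted) < len(bundle):
            findings += [(logical, p) for p in bundle if p not in trusted]
    return findings
```

A bundle with no trust anywhere is not reported, since it may be a deliberately untrusted link; only bundles where the logical interface and its members disagree are flagged.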