DHCP snooping on 6509

Hi, I have this scenario:

I want to implement DHCP snooping in one site. Let's say I have a single Cat 6509 switch, which acts as both Core and Access switch and is also acting as the DHCP server.

All the devices in the infrastructure are connected to this switch.

How can I implement DHCP snooping, and what are the "trusted" ports?

Thanks for your help.

18 Replies

JohnTylerPearce
Level 7

I'm assuming you have either a single SVI or multiple SVIs on this 6509? I'm guessing you would put 'ip dhcp snooping trust' on the SVIs. Just a guess, I'll try and do some research if no one else answers your question in a little bit.

Jon Marshall
Hall of Fame

The trusted port(s) would be those that connect to the DHCP servers.

Note that if you had PCs etc. with static IPs you should also make the ports trusted, although a better and more commonly used solution is to use DAI (Dynamic ARP Inspection), which uses the DHCP snooping database, and then enter static IP-to-MAC bindings in that database to allow those static IPs.

Jon

I have multiple SVIs on the 6509. This is production, so until a scheduled downtime I cannot experiment with putting ip dhcp snooping trust.

I don't understand your last post. You asked which ports to trust and I told you.

What do you mean by you cannot experiment, as I am not asking you to experiment?

The trusted ports would be the DHCP servers and any devices with static IPs such as routers/firewall/servers etc.

See this link for full details -

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html#wp1114389

Edit - DAI would be used for end devices with static IPs but switches/routers/firewalls etc. should be trusted ports.

Jon

Jon ,

Sorry for the misunderstanding, as I specified in the initial post there are no DHCP servers; the switch itself is acting as the DHCP server.

Jon,

He doesn't necessarily have a DHCP server off of another switch port; his 6509 is acting as both core/access layers, and is providing DHCP from itself. So if he were to trust every single port, it would kinda negate the purpose of DHCP Snooping, unless you want to use the database for other reasons than DHCP Snooping.

Adrian

Apologies, that will teach me to read the question more carefully as John obviously did.

I would have thought that all ports would be untrusted except for trusted devices such as routers/firewalls etc., because the actual DHCP server is not tied to any physical port.

Jon

Jon,

I'm going to do some more research after coffee. This question is actually rather interesting. But I'm guessing you would have all ports untrusted, which from my understanding, if you have a DHCP Discover hit an untrusted port, it will only be forwarded out of trusted ports. So you could have all ports untrusted, except your SVIs which would be trusted???? But that's just a guess.

Thank you for your quick answers. I've also done some research but I have not reached a conclusion yet. We have to admit, this is not a very unlikely scenario, having a 6500 or 4500 as Core and also providing DHCP services. Enjoy your coffee.

Adrian I am right now.

So, I was thinking Adrian... You can enable DHCP snooping for a specific VLAN as well. So what you could do is enable DHCP snooping and then enable it for a test VLAN. Get a laptop, or computer if you know where it's connected to on the 6509, and test that out. This shouldn't have any downtime involved. Most people will already have their DHCP IP addresses anyway.

John

Would be interested to hear what you find out, but I can't see how applying trust to the SVI is going to do anything. The SVI only comes into it for L3 switched traffic and the DHCP broadcast would be within the actual VLAN. Add to that the SVI is not a physical port and I can't see why it would be needed.

Still, I may well be wrong, wouldn't be the first time.

Jon

Jon,

To be completely honest with you, I don't think doing it on the SVI will work either, to an extent... Obviously an SVI is L3, I think everyone agrees on that.

I've just never heard of anyone wanting to run DHCP Snooping on a switch that is also providing DHCP, so I'm trying to cover all angles...

Adrian,

I would just enable DHCP snooping on a test VLAN, and start by doing the following.

1. Configure 'ip dhcp snooping trust' on that port and see if you can get a DHCP IP address from a test pool.

2. You may have to configure 'ip dhcp snooping information option' to prevent adding Option 82.

3. Try configuring the port as untrusted, and see if you can get a DHCP IP.

4. Try configuring the port as untrusted, and configure 'ip dhcp snooping trust' on the SVI if you can.

Hello

Just like to add some information regarding my understanding of DHCP snooping.

1) It needs to be activated via the ip dhcp snooping command and also for the given VLAN you wish to snoop:

ip dhcp snooping

ip dhcp snooping vlan xx

2) If applied to just one switch with uplink switches, then the uplink switch will require snooping enabled also, and its trunk links trusted ONLY if the DHCP server is originating from the uplink switch.

3) If the DHCP server is attached to the same switch as the snooping database, then just trust the interface where the server is situated.

4) If the DHCP server is originating on the switch, then there is no need to apply the trusted command.

5) DHCP snooping will do nothing on all trusted ports. It just listens on all the untrusted ports and snoops the IPs & MACs relating to those ports via DHCP DORAs.

6) The snooping database WILL NOT be populated with existing clients; it will only be populated the next time DHCP clients renew their leases.

And lastly, on its own this snooping DB does nothing without enabling DAI or IP Source Guard.

res

Paul

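To make the behaviour discussed in John's test steps and in Paul's points 4 to 6 concrete, here is an added Python model (not code from the thread or from Cisco) of what a snooping switch does per message: server replies (OFFER/ACK) are dropped on untrusted ports, bindings are learned from the client's port when the switch's own DHCP server answers, a static 'ip source binding' entry stands in for a fixed-IP host, and DAI only passes untrusted ports whose binding matches. Port names, MACs and addresses are constructed sample values.

```python
from collections import namedtuple
from dataclasses import dataclass, field
Port = namedtuple("Port", "name vlan trusted", defaults=[False])  # trusted models 'ip dhcp snooping trust'

@dataclass
class SnoopingSwitch:
    ports: dict                                   # port name -> Port
    bindings: dict = field(default_factory=dict)  # client MAC -> (ip, vlan, port name)
    pending: dict = field(default_factory=dict)   # client MAC -> port of its last DISCOVER/REQUEST
    dropped: list = field(default_factory=list)   # (message, port name) of discarded server replies
    def ingress(self, msg, mac, port_name, ip=None):
        """DHCP message entering a physical port; True if the switch forwards it."""
        port = self.ports[port_name]
        if msg in ("OFFER", "ACK"):
            if not port.trusted:                  # server replies only accepted on trusted ports
                self.dropped.append((msg, port_name))
                return False
            if msg == "ACK" and mac in self.pending:
                cp = self.pending[mac]
                self.bindings[mac] = (ip, cp.vlan, cp.name)
            return True
        self.pending[mac] = port                  # DISCOVER/REQUEST: remember the client's port
        return True

    def local_server_ack(self, mac, ip):
        """ACK from the switch's own DHCP server: crosses no untrusted port, so no trust needed."""
        cp = self.pending[mac]
        self.bindings[mac] = (ip, cp.vlan, cp.name)

    def add_static_binding(self, mac, ip, vlan, port_name):
        """Equivalent of 'ip source binding' for a host with a static address."""
        self.bindings[mac] = (ip, vlan, port_name)

    def dai_permits(self, mac, ip, port_name):
        """Dynamic ARP Inspection: trusted ports pass; untrusted ports need a matching binding."""
        if self.ports[port_name].trusted:
            return True
        entry = self.bindings.get(mac)
        return entry is not None and entry[0] == ip and entry[2] == port_name

def build_scenario():
    """Constructed sample: switch serves DHCP itself, only the firewall port Gi1/3 is trusted."""
    sw = SnoopingSwitch({p.name: p for p in (
        Port("Gi1/1", 10), Port("Gi1/2", 10), Port("Gi1/3", 10, True), Port("Gi1/4", 10))})
    sw.ingress("OFFER", "00:00:00:00:00:99", "Gi1/2", ip="10.0.10.200")   # rogue server reply
    sw.ingress("DISCOVER", "aa:aa:aa:aa:aa:01", "Gi1/1")                   # real client
    sw.local_server_ack("aa:aa:aa:aa:aa:01", "10.0.10.50")                 # switch answers it
    sw.add_static_binding("bb:bb:bb:bb:bb:02", "10.0.10.5", 10, "Gi1/4")   # static-IP server
    return sw
```

A client that already held a lease before snooping was enabled has no binding, so DAI blocks its ARP on an untrusted port until it renews, which is Paul's point 6 in action.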