I have 3 2960L switches running c2960l-universalk9-mz.152-5c.E.bin. These are primarily meant for a management network. All I want to do is have one VLAN with one DHCP server. That server only needs to hand out addresses from a single range (100-199). I also need to be able to not allow any rogue DHCP servers on any of the ports. Looking at the snooping commands, it seems to me that you have to define a port or interface you trust... but if your DHCP server is served from a VLAN, how do you define that?
There doesn't seem to be an "ip dhcp snooping trust" command for vlan interfaces. I'm probably missing something simple here.
All switches are connected over a simple trunk between the switches.
On "primary" switch1:
ip routing
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp ping packets 3
ip dhcp ping timeout 1000
!
ip dhcp pool mgmt
 network 192.168.1.0 255.255.255.0
 lease 0 0 5
 class mgmt-dhcp-class
  address range 192.168.1.100 192.168.1.199
!
!
!
ip dhcp class mgmt-dhcp-class
!
ip dhcp snooping vlan 1
ip dhcp snooping
interface GigabitEthernet0/1
 switchport mode trunk
interface Vlan1
 description Management
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 preempt
!
Switch2:
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
 ip helper-address 192.168.1.2
 standby 1 ip 192.168.1.1
 standby 1 priority 95
!
Switch3:
interface Vlan1
 ip address 192.168.1.4 255.255.255.0
 ip helper-address 192.168.1.2
 standby 1 ip 192.168.1.1
 standby 1 priority 90
!
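
An added example, not part of the original post: one way to place DHCP snooping trust in a topology like the one described, where the pool lives on switch1's Vlan1 interface. It assumes GigabitEthernet0/1 is the inter-switch trunk on every switch and uses GigabitEthernet0/2 as a stand-in access port; the post names only Gi0/1 on switch1, and the rate limit value is illustrative.

```cisco
! ---- Switch1 (hosts the DHCP pool on interface Vlan1) ----
! Trust is a property of physical ports and port-channels, not of SVIs.
! Replies from the switch's own DHCP server are generated locally and are
! never received on a port, so the SVI needs no trust statement.
ip dhcp snooping vlan 1
ip dhcp snooping
!
! ---- Switch2 and Switch3 (no local pool) ----
ip dhcp snooping vlan 1
! Option 82 insertion is on by default. Disabling it here avoids the
! upstream switch or the IOS DHCP server discarding client requests that
! carry option 82 with a zero giaddr.
no ip dhcp snooping information option
ip dhcp snooping
!
interface GigabitEthernet0/1
 description ASSUMED trunk toward Switch1 (path to the real DHCP server)
 switchport mode trunk
 ! Server messages (OFFER/ACK) are only accepted on trusted ports.
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 description ASSUMED access port, untrusted by default
 switchport mode access
 ! Illustrative value: caps DHCP packets per second from the attached host.
 ip dhcp snooping limit rate 10
!
! ---- Verification (exec mode, any switch) ----
! show ip dhcp snooping            lists trusted ports and the snooped VLANs
! show ip dhcp snooping binding    lists leases learned on untrusted ports
```

Every port without `ip dhcp snooping trust` stays untrusted, so a DHCP server plugged into any access port has its OFFER and ACK messages dropped at that port.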