DHCP Snooping Question

arrayservices
Level 1

Hello-

I am planning to implement DHCP Snooping on our Catalyst 4510's and would like to clarify a couple questions. I have attached a net diagram of the gear involved, cat4510's etherchanneled to a pair of ASA5585's, then upstream to a vpc pair of Nexus 7k's. The DHCP servers live on the 7010's, dhcp clients of course on the 4k's.

My questions are:

1.) Do I need to enable the trusting of the port-channel interface AS WELL as the physical member interfaces of each port-channel on the 4k's?

2.) How about the ASA and Nexus 7k's, do I need to trust the interfaces in transit between the 4k - ASA - 7k?

Thanks in advance for any info-

Brian

2 Replies

Gabriel Hill
Level 1

Hello Array,

1. I know on 3750's that once you trust the port-channel interface it will apply the setting to the member ports, which is desirable. In my experience, applying the trust to the port-channel on the 4500 series will not apply it to the member ports. From what I remember you will need to apply the trust to every member of the port-channel and the port-channel interface. You should be able to set the interfaces as "trusted" before enabling DHCP snooping, which would eliminate any issues.

2. No, if you're just using DHCP snooping for the hosts behind the 4k, then trusting the link between the 4k and the ASA will suffice.

Please rate if helpful.

-Gabriel

Thanks for the reply Gabriel, I will enable on both member ports and the port channel interface itself. Also, good call on configuring the trust state prior to enabling snooping, I will change up my order of implementation.

Brian
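
A pre-change check for the approach agreed in this thread, as an added example that is not part of the original posts: it reads a saved running-config and lists any port-channel or member interface in a trusted bundle that is missing `ip dhcp snooping trust`. The interface names, VLAN numbers and channel-group number in the sample are constructed, and treating a bundle as a trusted uplink when the port-channel or any member carries the trust command is an assumption of this example.

```python
import re

# Constructed sample of an IOS running-config. Interface names, VLANs and the
# channel-group number are assumptions for illustration, not from the thread.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10,20
ip dhcp snooping
!
interface Port-channel1
 ip dhcp snooping trust
!
interface TenGigabitEthernet1/1
 channel-group 1 mode active
 ip dhcp snooping trust
!
interface TenGigabitEthernet2/1
 channel-group 1 mode active
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def untrusted_uplink_ports(config):
    """List interfaces of trusted bundles (port-channel or member) lacking trust."""
    interfaces = parse_interfaces(config)
    trusted = {n for n, cmds in interfaces.items() if "ip dhcp snooping trust" in cmds}
    groups = {}  # channel-group number -> member interface names
    for name, cmds in interfaces.items():
        for cmd in cmds:
            m = re.match(r"channel-group (\d+)\b", cmd)
            if m:
                groups.setdefault(m.group(1), []).append(name)
    missing = []
    for number, members in sorted(groups.items()):
        po = f"Port-channel{number}"
        if po in trusted or any(m in trusted for m in members):
            missing += [i for i in [po] + members if i not in trusted]
    return missing
```

An empty list from `untrusted_uplink_ports` means the port-channel and every member carry the trust setting, so snooping can be enabled without the uplink dropping DHCP server replies.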
