Hello,
Checking DHCP snooping on a switch, I found the following configuration:
sh run | inc dhcp
no ip dhcp snooping information option
ip dhcp snooping
ip dhcp snooping trust
..........
the following link
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/53SG/configuration/dhcp.html#wp1073354
is useful, but in the section:
"When you enable DHCP snooping on a switch, the interface acts as a Layer 2 bridge, intercepting and safeguarding DHCP messages going to a Layer 2 VLAN. When you enable DHCP snooping on a VLAN, the switch acts as a Layer 2 bridge within a VLAN domain. "
I do not understand: the interface acts as a Layer 2 bridge, intercepting and safeguarding DHCP messages going to a Layer 2 VLAN
Does this mean that DHCP packets are blocked for all VLANs by default, and that when you list the VLANs, the inspection (regarding trusted and untrusted interfaces) is done only for those VLANs?
For any other VLANs not listed, are all DHCP requests then blocked?
Maybe I misunderstand. Can someone give me some more information/explanation?
Regards,
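
An added example, not part of the original post: a small Python auditor that reads `show running-config` text and reports which VLANs DHCP snooping inspects and which interfaces are trusted. The sample configuration and the function names are constructed for illustration; the check relies on the Cisco IOS behaviour that snooping is active only on VLANs named in `ip dhcp snooping vlan`, once `ip dhcp snooping` is enabled globally.

```python
import re

# Constructed sample of `show running-config` output (not taken from the post).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10,20-22
no ip dhcp snooping information option
ip dhcp snooping
!
interface GigabitEthernet1/1
 ip dhcp snooping trust
!
interface GigabitEthernet1/2
 switchport access vlan 10
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dhcp_snooping(config):
    """Return global state, inspected VLANs, trusted ports and Option 82 setting."""
    # Option 82 insertion is on by default in IOS once snooping is enabled.
    result = {"global": False, "vlans": set(), "trusted": [], "option82": True}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif raw and not raw.startswith(" "):
            iface = None  # back at global configuration level
        if line == "ip dhcp snooping" and iface is None:
            result["global"] = True
        elif line == "no ip dhcp snooping information option":
            result["option82"] = False
        elif line == "ip dhcp snooping trust" and iface:
            result["trusted"].append(iface)
        elif (m := re.fullmatch(r"ip dhcp snooping vlan ([\d,\- ]+)", line)):
            result["vlans"] |= expand_vlans(m.group(1))
    return result

def is_inspected(report, vlan):
    """A VLAN is inspected only if snooping is on globally AND the VLAN is listed."""
    return report["global"] and vlan in report["vlans"]

if __name__ == "__main__":
    print(audit_dhcp_snooping(SAMPLE_CONFIG))
```

A VLAN for which `is_inspected` returns false is simply not examined by DHCP snooping, so the trusted/untrusted distinction has no effect on it.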