DHCP snooping

amrashraf1

If I have more than one VLAN on a switch, can I enable ip dhcp snooping on only one of them, and can all the other VLANs on the switch still get an IP from my DHCP server or not? For example:

#ip dhcp snooping

#ip dhcp snooping vlan 8 

#interface f0/0

#ip dhcp snooping trust 

This config makes clients in VLAN 8 take an IP from the trusted port, but the same switch also has VLAN 12. The question: can VLAN 12 get an IP or not?

Accepted Solutions

I am so sorry, but this is a bug,
see attachment ldfjgdflk.png
Sorry, but you need to allow the VLAN for DHCP snooping.


31 Replies

balaji.bandi

Only VLAN 8 will be enabled for DHCP snooping. If other VLANs need to get an IP from DHCP, then you need to use a DHCP helper address.

BB


Enable DHCP helper for VLAN 12 only??

I entered no ip dhcp snooping info option in configuration mode.

Like this:

#interface vlan 12 

#ip dhcp relay information

Hello
I would say if you have multiple VLANs participating in DHCP, then enabling snooping for all of them is recommended.
If you don't enable DHCP snooping for a particular VLAN, it won't negate any client from obtaining a lease on that VLAN; it will mean that lease won't be recorded in the DHCP snooping binding table so it can be used to secure that particular host port from rogue DHCP packets originating from it.



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Do you recommend this, or do you mean that if I apply DHCP snooping on VLAN 8, for example, and on the same switch I have VLAN 12 but do not apply DHCP snooping to it, clients on this VLAN can get an IP or not?

Hello

As stated, it's recommended to enable snooping for all active DHCP VLANs. However, if you do not enable it for a specific VLAN, it won't negate any client on that VLAN from being allocated a DHCP lease.



Kind Regards
Paul

OK, now I have VLANs 8 and 12.

When I apply snooping for VLAN 8, VLAN 12 can't get an IP from the DHCP server, but when I enable snooping for VLANs 8 and 12, VLAN 12 can get an IP. What is the problem?

Hello

Curious - as a test, on the access port that is in VLAN 12 that doesn't have snooping enabled, trust that interface and see if the host then receives a DHCP allocation.



Kind Regards
Paul

I suspect option 82, which is enabled by default;
disable this option if you can.

I did that:

#no ip dhcp snooping info option 

In global mode.


I have 2 VLANs, 8 and 12.

I apply snooping for VLAN 8 only:

#ip dhcp snoop

#ip dhcp snoop vlan 8

#interface f0/0 

#ip dhcp snoop trust 

#no ip dhcp snooping info option 

This is for VLAN 8.

VLAN 12 doesn't have snooping applied. When a client in VLAN 12 tries to get an IP, it does not work and the client takes an APIPA address. After I apply snooping for VLAN 12, the client can get an IP.

OK, let's work in the other direction: enable the option and also allow-untrusted:
ip dhcp snooping inf option allow-untrusted 

What does this command do?

The issue is in the DHCP server: it receives two DHCP messages, one from the one that applies snooping and option 82 and the other from the one that you don't want,
so the server must decide whether to accept this or not.
What DHCP server do you use?
