
DHCP Snooping

remco.gussen
Level 1

Hello there

I'm trying to implement DHCP Snooping in a routed LAN.

Two Cisco 4506s are the core of the network. They are the routing devices with interface VLANs. Every access switch is linked to both core switches for redundancy.

I'm trying to protect vlan 20 (workstation vlan) from unwanted DHCP servers.

The DHCP server is on the server vlan (vlan 2). On int vlan 20 there is the command "ip helper-address x.x.x.x".

On every access switch:

- ip dhcp snooping

- ip dhcp snooping vlan 20

- uplinks are trusted ports (ip dhcp snooping trusted)

On the core:

- Uplinks to access switches are trusted

- ip dhcp snooping

- ip dhcp snooping vlan 20

- DHCP snooping trusted on the port with the dhcp server

DHCP is not working anymore.

What is wrong? Something with the helper config?

Thanks a lot

Remco

8 Replies

kofflerg
Level 1

Have you turned off option 82?

"no ip dhcp snooping information option" is required to pass dhcp traffic when not using option 82.

George

bjw
Level 4

Give this a try as well.

no ip dhcp snooping information option

ip dhcp snooping database bootflash:dhcpsnoop.txt

ip dhcp snooping database write-delay 30

I also think NTP needs to be synched as well.

amit.seth
Level 1

Hi remco,

I just wanted to know..

1. What's the DHCP server you are using?

2. Does your server support Option-82?

Regards,

Amit.

Hello.

Thanks for the responses. I'm using a Windows 2003 DHCP Server.

Does this matter ?

My DHCP Server is a virtual server on VMWare ESX 3.

Greetings

Remco

Hi Remco,

for the DHCP Snooping to work, the DHCP server has to support Option-82.

As per my knowledge the DHCP Server on Windows Server 2003 doesn't support it.

If a server supports Option-82 it will also send out the Option-82 information in the ACK packet it sends to the DHCP client. You can run Ethereal on the DHCP server machine and check whether the DHCP Request packets and ACK packets are carrying the Option-82 information or not.
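Added example, not part of any post in this thread: a small Python parser that performs the check suggested above on a raw DHCP payload (UDP 67/68), reporting the message type, the relay address (giaddr) and any Option 82 sub-options. The sample messages and the Option 82 bytes are constructed for illustration, and `inspect_dhcp`, `tlvs` and `build_sample` are names chosen for this example.

```python
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SUBOPTS = {1: "circuit-id", 2: "remote-id"}  # Option 82 sub-options, RFC 3046
# Constructed Option 82 body (illustrative bytes, not taken from the thread)
SAMPLE_OPT82 = bytes.fromhex("0106000400140105" "02080006001122334455")

def tlvs(data, dhcp_framing=False):
    """Yield (code, value) pairs; DHCP framing adds Pad (0) and End (255)."""
    i = 0
    while i < len(data):
        code = data[i]
        if dhcp_framing and code == 255:
            return
        if dhcp_framing and code == 0:  # Pad has no length byte
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        length = data[i + 1]
        yield code, data[i + 2:i + 2 + length]
        i += 2 + length

def inspect_dhcp(payload):
    """Summarise one UDP 67/68 payload: message type, giaddr, Option 82."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    info = {"type": None, "option82": None,
            "giaddr": socket.inet_ntoa(payload[24:28])}  # filled in by a relay
    for code, value in tlvs(payload[240:], dhcp_framing=True):
        if code == 53 and len(value) == 1:
            info["type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 82:
            info["option82"] = {SUBOPTS.get(c, c): v.hex() for c, v in tlvs(value)}
    return info

def build_sample(msg_type, giaddr="0.0.0.0", option82=b""):
    """Build a minimal constructed DHCP message for the demo below."""
    header = bytearray(236)
    header[0:3] = bytes([1 if msg_type in (1, 3) else 2, 1, 6])  # op, htype, hlen
    header[24:28] = socket.inet_aton(giaddr)
    options = bytes([53, 1, msg_type])
    if option82:
        options += bytes([82, len(option82)]) + option82
    return bytes(header) + MAGIC_COOKIE + options + b"\xff"

if __name__ == "__main__":
    print(inspect_dhcp(build_sample(3, "10.0.20.1", SAMPLE_OPT82)))  # REQUEST with Option 82
    print(inspect_dhcp(build_sample(5)))                             # ACK without it
```

Run against payloads captured on the DHCP server, it shows whether requests arrive with Option 82 attached and whether the server's ACKs carry it back.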

We have DHCP server on Windows 2003 server and DHCP snooping is working fine.

Here is the config

ip dhcp snooping

no ip dhcp snooping information option

ip dhcp snooping vlan 1,2,3 (enter your vlan #)

Trust the port that the server is on

Example:

interface FastEthernet3/43

ip dhcp snooping trust

Apply this command for the rest of the untrusted ports

Example:

interface range Gi5/1 - 48

ip dhcp snooping limit rate 100

Use this command to show the DHCP snooping config

show ip dhcp snooping

Be sure to trust your uplink ports, and if they are port channeled, those need to be trusted also. I'd do it to both switches.

Interface Gi1/1

ip dhcp snooping trust

!

Interface Gi1/2

ip dhcp snooping trust

!

interface Port-channel1

ip dhcp snooping trust

!

Thank you !

Next week I'm going to try the config!

Gr.

Remco

Hi Nopporn,

I have gone through your configuration. It seems you are disabling the Option 82 feature. I have gone through the Configuration guide for DHCP Snooping available at the following link: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_13/config/dhcp.htm It states we have to enable that option. If you are disabling this option, is the binding table for DHCP snooping still being created?

I was facing a similar situation with DHCP snooping. In my case the clients were getting the IP address. However, the binding table was not forming. The Windows DHCP Server was not sending back the Option-82 info to the client. We found there were other people facing a similar problem with the Windows Server. We tried the Turbo DHCP Server. We saw that this server was sending the Opt-82 information back. Likewise the binding table was now being formed on my switch.

Please let me know how it is working in your case without Opt-82?

& Please rate if you find the info helpful.
