05-14-2008 08:29 AM - edited 03-05-2019 10:58 PM
I am trying to set up DHCP snooping and was just wondering if the commands below are what I should be using for COS and IOS. Also, how would I do a test to see if the switch disables the port if it detects a DHCP server? I was thinking I could use ICS on a Windows computer, but I don't know if that would work.
COS
Code:
set security acl ip dhcpsnoop permit dhcp-snooping
set security acl ip dhcpsnoop permit ip any any
commit security acl dhcpsnoop
set security acl map dhcpsnoop 1
set dhcp-snooping information host-tracking enable
set port dhcp-snooping 1/1 trust enable
Step 1
Configure the port as port based.
set port security-acl (port) port-based
Step 2
Enable IP source guard.
set port dhcp-snooping (port) source-guard enable
Step 3
Enable DHCP snooping.
set security acl ip dhcpsnoop permit dhcp-snooping
Step 4
Allow the port to forward other traffic.
set security acl ip dhcpsnoop permit ip any any
Step 5
Save the ACL configuration.
commit security acl dhcpsnoop
Step 6
Enable the ACL on the VLAN.
set security acl map dhcpsnoop 1
Step 7
Enable DHCP-snooping trust on a port.
set port dhcp-snooping (port) trust enable
IOS
Code:
conf t
ip dhcp snooping
ip dhcp snooping vlan 1
ip dhcp snooping information option
interface (mod/port)
ip dhcp snooping trust
ip verify source vlan dhcp-snooping port-security
05-14-2008 10:56 AM
Config looks OK for IOS.
Try this command for output:
sh ip dhcp snooping binding
05-15-2008 06:24 AM
Are ACLs not needed for snooping to work?
05-14-2008 08:18 PM
Hi Matthew,
You can test if dhcp snooping works by connecting another switch or router configured as DHCP server to any untrusted port and making the hosts send dhcp discover messages.
Of course, you'd better test the dhcp snooping trusted ports as well to see these ports do not block rightful dhcp packets.
Cheers:
Istvan
05-15-2008 06:33 AM
So hook a switch to the switch with dhcp snooping and then hook a computer to that switch?
05-16-2008 11:19 PM
Hi Matthew,
On the port that is configured as "trusted" in dhcp snooping, the switch will allow dhcp packets from a dhcp server.
On all other ports, dhcp packets will be rejected and the port will be put in errdisable state if dhcp replies are detected.
So it doesn't matter where your DHCP server is located: it may be another switch hooked to the switch directly, or it may be several hops away.
But you need to enable the port as "trusted" where the dhcp reply packets from the trusted dhcp server are expected to come in.
Cheers:
Istvan
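As an added illustration of the trusted/untrusted behaviour Istvan describes (example code written for this thread, not Cisco's implementation; port names and MAC addresses are constructed): a small Python model in which server-side DHCP messages (OFFER/ACK/NAK) are forwarded only when they arrive on a trusted port, an untrusted port that sources one is err-disabled, and ACKs relayed through a trusted port populate a binding table like the one "sh ip dhcp snooping binding" shows.

```python
# Constructed model of the snooping rule, not Cisco code.
from dataclasses import dataclass, field
MAGIC = b"\x63\x82\x53\x63"                     # DHCP cookie after the 236-byte BOOTP header
SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option-53 types only a server sends
CLIENT_MSGS = {1: "DISCOVER", 3: "REQUEST"}

def dhcp_message_type(payload: bytes):
    """Return the option-53 message type, or None if this is not a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = end-of-options
        tag = payload[i]
        if tag == 0:                                # pad byte has no length field
            i += 1
            continue
        length = payload[i + 1]
        if tag == 53 and length == 1:
            return payload[i + 2]
        i += 2 + length
    return None

def build_dhcp(mtype: int, chaddr: bytes, yiaddr: bytes = bytes(4)) -> bytes:
    hdr = bytearray(236)                        # minimal BOOTP header, option 53 only
    hdr[0] = 2 if mtype in SERVER_MSGS else 1   # op: BOOTREPLY or BOOTREQUEST
    hdr[16:20] = yiaddr                         # yiaddr: address offered to the client
    hdr[28:34] = chaddr                         # chaddr: client MAC
    return bytes(hdr) + MAGIC + bytes([53, 1, mtype, 255])

@dataclass
class SnoopingSwitch:
    trusted: set                                # ports facing the real server/uplink
    errdisabled: set = field(default_factory=set)
    client_port: dict = field(default_factory=dict)   # client MAC -> access port
    bindings: dict = field(default_factory=dict)      # client MAC -> (ip, port)

    def ingress(self, port: str, payload: bytes) -> str:
        if port in self.errdisabled:
            return "drop: port err-disabled"
        mtype = dhcp_message_type(payload)
        mac = payload[28:34].hex(":")
        if mtype in SERVER_MSGS and port not in self.trusted:
            self.errdisabled.add(port)          # rogue server on an untrusted port
            return f"drop {SERVER_MSGS[mtype]}: err-disable {port}"
        if mtype in CLIENT_MSGS:
            self.client_port[mac] = port        # remember where the client lives
        elif mtype == 5:                        # ACK via trusted port: record the lease
            ip = ".".join(str(b) for b in payload[16:20])
            self.bindings[mac] = (ip, self.client_port.get(mac))
        return "forward"
```

Non-DHCP payloads return None from the parser and are simply forwarded, which is why only DHCP replies, not all traffic, trigger the err-disable.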