11-13-2008 12:57 PM - edited 03-06-2019 02:28 AM
I would like to enable DHCP snooping on our network. We just had someone plug in a rogue DHCP server which assigned invalid IP addresses to a bunch of client machines.
How would we go about configuring DHCP snooping?
Our network setup consists of 2 6500 core switches that have trunk ports to our 3750 stacks. One of our DHCP servers (physical server) is plugged directly into one of the 6500 switches. The other DHCP server is a VMware client. The ESX host is also plugged into the 6500 switch.
Note we also have a trunk between the 6500 switches, all 3750 switch stacks have redundant links back to each 6500 switch.
11-13-2008 01:09 PM
I'll refrain from making comments about the infrastructure - however you might want to have a read of some of the Campus Switching documents at the SRND site:
Anyway that aside, DHCP snooping is pretty easy to implement. You need to enable DHCP snooping on the access switches where your DHCP clients are for each VLAN using the global command:
ip dhcp snooping vlan 10,20,30,40
If you are using Windows 2000/2003 as the DHCP server then you need to disable Option 82 insertion as they won't understand it and DHCP will fail.
no ip dhcp snooping information option
Then enable DHCP snooping globally:
ip dhcp snooping
On your uplinks (trunks or access ports) you need to enable DHCP snooping trust:
interface GigabitEthernet1/0/1
ip dhcp snooping trust
Additionally if your DHCP servers are attached to switches with DHCP snooping enabled you need to trust these access ports as well using the same command.
Optionally (though recommended) you can rate-limit DHCP requests on client access ports to mitigate DHCP DoS attacks:
interface FastEthernet1/0/1
ip dhcp snooping limit rate 100
HTH
Andy
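As an added example (not from this thread or from Cisco), a small Python script that audits an IOS-style running-config against the steps above: it assumes a constructed sample config, treats every `switchport mode trunk` port as an uplink that needs `ip dhcp snooping trust`, and reports the option-82 line only as a caveat for Windows 2000/2003 DHCP servers.

```python
import re  # stdlib only; runs entirely on the constructed text below
# Constructed sample running-config for a 3750 access stack (not from the thread).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10,20,30,40
ip dhcp snooping
interface GigabitEthernet1/0/1
 switchport mode trunk
 ip dhcp snooping trust
interface GigabitEthernet1/0/2
 switchport mode trunk
interface FastEthernet1/0/1
 switchport mode access
 ip dhcp snooping limit rate 100
interface FastEthernet1/0/2
 switchport mode access
"""
# Global lines the thread calls for; option 82 only matters with Windows 2000/2003 servers.
GLOBAL_CHECKS = [
    (r"^ip dhcp snooping$", "DHCP snooping is not enabled globally"),
    (r"^ip dhcp snooping vlan \S+", "no VLANs enabled for DHCP snooping"),
    (r"^no ip dhcp snooping information option$",
     "option 82 insertion still on; disable it if DHCP runs on Windows 2000/2003"),
]

def parse_interfaces(config):
    """Return {interface name: [its indented config lines]}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            ifaces[current] = []
        elif current and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or another global line ends the stanza
    return ifaces

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"global: {msg}" for pat, msg in GLOBAL_CHECKS
                if not re.search(pat, config, re.M)]
    for name, lines in parse_interfaces(config).items():
        trunk = "switchport mode trunk" in lines
        trusted = "ip dhcp snooping trust" in lines
        limited = any(l.startswith("ip dhcp snooping limit rate") for l in lines)
        if trunk and not trusted:
            findings.append(f"{name}: untrusted trunk; DHCP offers from the server will be dropped")
        elif not trunk and not trusted and not limited:
            findings.append(f"{name}: client port has no DHCP request rate limit")
    return findings
```

Feed it the output of `show running-config` from each access stack; ports facing the DHCP servers on the 6500 would need the same trust treatment if snooping is enabled there too.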
11-13-2008 01:34 PM
Do we need to do "ip dhcp snooping trust" on the ports at the core and access side?
11-13-2008 01:43 PM
By default, all ports are untrusted. You'll need to configure the ports that have DHCP servers connected to them as trusted ports.
--John
11-13-2008 02:41 PM
If you enable DHCP snooping on the core switch then you will need to enable trust on any layer-2 uplinks (as well as the ports where the DHCP servers are connected).
Andy