dhcp snooping

suthomas1
Level 6

On our network, an edge switch that is in stacked mode has been configured with the below on two ports:

interface fa0/5
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,21,5
 switchport mode trunk
 storm-control broadcast level 15.00
 storm-control multicast level 15.00
 storm-control action shutdown
 ip dhcp snooping trust

interface fa0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,21,5
 switchport mode trunk
 storm-control broadcast level 15.00
 storm-control multicast level 15.00
 storm-control action shutdown
 ip dhcp snooping trust

We now want both of these ports to be part of a port-channel interface. But currently both of them have ip dhcp snooping trust configured on the interface.

I have read that one cannot remove this DHCP snooping command from individual ports; doing so with a no command causes all DHCP on that switch to be disrupted. Is that so?

In that case, how should we proceed to remove this command from the interface?

Thanks.

Accepted Solution

Kyle McKay
Level 1

The configuration of DHCP snooping trust indicates that this interface is deemed safe and should be receiving DHCP server-originated messages such as an offer or acknowledgement.

You only want this configuration on ports where a DHCP server is connected (or uplink ports), as these are the only interfaces from which DHCP offers or acknowledgements should be coming. (You do not want DHCP offers originating from a user's laptop in most cases; this is an easy man-in-the-middle attack.)

First of all, where is the DHCP server on your network? Does your DHCP server connect to either of these two ports? Are either of these two ports your uplink? If the answer is no to both of these questions, you can remove the configuration for DHCP snooping trust. If the answer is yes to either of these questions, you need to leave the configuration as it is.

There is also nothing stopping you from configuring a port-channel with DHCP snooping trust - you could simply leave everything as it is, and apply the command to the port channel interface.

Kyle

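The migration the accepted answer describes, written out as an added example (it is not part of the original thread or of any Cisco document): fa0/5 and fa0/6 are bundled into a port-channel and the trunk settings plus `ip dhcp snooping trust` are applied on the port-channel interface, so the bundle is trusted before its members come back up. The port-channel number (1) and the LACP mode (`active`) are assumptions; the VLAN list is the one from the original ports. The per-port storm-control and trunk lines are left on fa0/5 and fa0/6 untouched, as the answer suggests; member ports must match each other for the bundle to form.

```cisco-ios
! Added example (not from the original post): move fa0/5 and fa0/6 into
! Port-channel1 while keeping DHCP snooping trust on the uplink bundle.
! Po1 number and "mode active" (LACP) are assumptions.
!
! 1. Take the members down first, so a half-built bundle cannot flap or
!    drop DHCP offers on an uplink while the configuration is copied.
interface range fa0/5 - 6
 shutdown
 channel-group 1 mode active
!
! 2. The bundle logically replaces the physical ports, so the trunk and
!    the snooping trust belong on the port-channel interface. Trust is set
!    here BEFORE the members are re-enabled; if these ports lead toward the
!    DHCP server, an untrusted bundle would drop every OFFER/ACK and clients
!    on this switch would stop getting leases.
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,11,21
 switchport mode trunk
 ip dhcp snooping trust
!
! 3. Bring the members back up.
interface range fa0/5 - 6
 no shutdown
!
! 4. Verify: Po1 is (P) bundled with both members, the port-channel shows
!    "yes" in the Trusted column of the snooping table, and no user-facing
!    access port appears there.
! show etherchannel 1 summary
! show ip dhcp snooping
```

The `no ip dhcp snooping trust` form only changes that one interface's trust state; the global `ip dhcp snooping` setting and the snooping binding table are not affected by it. The outage the original question worries about happens only when the untrusted interface is the path to the DHCP server, because snooping then discards the server's replies. Keeping trust on the port-channel, as above, avoids that window.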
