DHCP Snooping

ejdrijin1
Level 1

Hi,

I am trying to understand the DHCP snooping feature. I understood that this feature is to prevent rogue DHCP servers.

From what I can understand, if I have a network on VLAN 10 and I have 50 users, I need to enable DHCP snooping on all 50 access ports and tell them to be in a trust state. If the switch port is still untrusted it will never receive an IP.

My questions are:

1. How will they know which DHCP server they should trust if there is more than 1?

2. Does the DHCP server need to be a Cisco DHCP server?

Thanks in advance :)


13 Replies

Deepak Kumar
VIP Alumni

Hi,

Q1: How will they know which DHCP server they should trust if there is more than 1?

Ans: You must make the ports where the DHCP servers are connected trusted. For example:

DHCP Server 1 is connected to Gig1/0/1 and DHCP Server 2 is connected to Gig1/0/2

interface GigabitEthernet1/0/1
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
 ip dhcp snooping trust

Now, which DHCP server will reply to this packet depends on your IP helper address (if multiple VLANs). If both DHCP servers are in the same VLAN and users are trying to get an address from the same VLAN, then it depends on which server replies to the "Discovery" packet first.

Q2. Does the DHCP server need to be a Cisco DHCP server?

Ans: Not required. Any standard DHCP server will work, such as a Windows / Linux server, Cisco router/switch, etc.

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak,

Thanks for your reply.

So the trust is to be made on the switchport that the DHCP server is connected to and not where the users are connected.

Did I understand correctly?

Thanks.

Hi,

Yes, you got it. You can set the DHCP limit on the client-connected interfaces. So if any client tries to get more IPs (especially a hacker or fake DHCP client software), then that port will be suspended.

Note: If your DHCP server is connected to another switch and both switches are connected through a trunk link, then the trunk must also be made a trusted port. Otherwise, you will fail to get an IP from the DHCP server which is connected to the other switch.

Regards,

Deepak Kumar


Hello Deepak
I came across this post because the question is the same as the problem I am having. However, I am not clear on the clients that connect to the switch. For example, I do understand that you need to add the ip dhcp snooping trust on the ports that the DHCP server connects to. However, if I use just VLAN 1 and I do not add the same command under each port that a client is connecting to, I get no address. Can you elaborate on this for me please?

I do get an IP if I add the ip dhcp snooping trust under each client port; however, this is strange to do.

Thank you
Joseph

Thanks a lot :)

Joseph W. Doherty
Hall of Fame
As Deepak has already noted, you "trust" DHCP server host ports.

However, if you have multiple switches, interconnected at L2, also be aware that an upstream switch, with DHCP snooping enabled, will, by default, block a downstream's L3 DHCP relay packet.

Hi Joseph,

Thanks for your reply.

Sorry but I did not understand.

What is an upstream switch?

Thanks

Hi,

Upstream means: the switch your system is connected to is receiving the packet from another switch, such as the core switch. For example:

You have three devices in your network as Router--->Core Switch---->Access switch1

Now, for access switch 1, your core switch is an upstream switch.

Regards,

Deepak Kumar


Thanks for your explanation.

So to solve this you need to trust the trunk between the 2 switches, right?

Hi,

Yes, you are right.

Regards,

Deepak Kumar


Thanks :)

No, if you have a trunk, the relayed DHCP packets may be blocked unless the downstream L3 switch also has DHCP snooping enabled. What the upstream switch is looking for is DHCP relay packets with option 82.
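Pulling the thread together, the following is an added example (not from any post above and not Cisco documentation) of the configuration the answers describe: trust only the DHCP server ports and the inter-switch trunk as Deepak recommends, rate-limit client ports, and handle the option-82 drop on the upstream switch that Joseph raises. The interface numbers, the VLAN 10 from the question, the rate-limit value and the recovery interval are all assumed values.

```cisco
! --- Access switch: users on VLAN 10, DHCP servers sit behind the core ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Only the uplink toward the core is trusted; client ports stay untrusted
! (the default), so a DHCPOFFER/DHCPACK from a rogue server on a client port is dropped.
interface GigabitEthernet1/0/48
 description Trunk to core switch
 switchport mode trunk
 ip dhcp snooping trust
!
! Client ports: rate-limit DHCP so a flooding client is err-disabled, not the whole VLAN.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! Bring a rate-limited port back automatically after 5 minutes.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! --- Core switch: DHCP servers connected directly ---
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet1/0/1
 description DHCP server 1
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
 description DHCP server 2
 ip dhcp snooping trust
!
! The downlink to the access switch must also be trusted: the access switch inserts
! option 82 into the requests it forwards, and a snooping switch drops option-82
! (or relayed, giaddr != 0) DHCP packets that arrive on an untrusted port.
interface GigabitEthernet1/0/10
 description Trunk to access switch
 switchport mode trunk
 ip dhcp snooping trust
!
! Alternative if that downlink must stay untrusted: accept option 82 from untrusted ports.
! ip dhcp snooping information option allow-untrusted
!
! Verify: trusted ports / rate limits, then the MAC-IP-VLAN-port bindings learned from leases.
! show ip dhcp snooping
! show ip dhcp snooping binding
```

The binding table is what a rogue-server or rogue-client investigation starts from: a client port that is err-disabled or that has no binding while claiming an address is the first thing to check.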

Ditto.