DHCP trust to prevent rogue DHCP devices on access switches

tlebouef
Level 1

I am trying to prevent rogue DHCP requests from bringing down my network.

My DHCP servers are not local to the network,

but are reached via helpers/proxy over the firewalls and the local core to real DHCP servers at our data center.

Core is layer three ... DHCP servers are over the WAN ... interconnect to the core is LACP channel groups over fiber.

So: 3750X layer 2 access switches to 4507 core layer 3 switches; WAN routers are ASR1002s.

Has anyone done this and can give me a real life example of the entire configuration ? 

Thanks 

1 Reply

Ich Nafi
Level 1

This is how we did it:

On the access switches:

Enable IP DHCP snooping on the VLANs you want to snoop.

Example:

ip dhcp snooping vlan 1-4094
no ip dhcp snooping information option
ip dhcp snooping

On the access switchports:

ip dhcp snooping limit rate 100

(Values lower than 100 can make your switchport go to errdisable. Windows can go pretty crazy with DHCP requests.)

On the uplink port to Distri/Core (if it is a layer 2 trunk port):

ip dhcp snooping trust

If you do IP ARP inspection, you also want to tell the switch to save the snooping database to flash (otherwise you'll lock everyone out after a switch reboot):

ip dhcp snooping database flash:dhcp

I think that's it. 
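The reply above gives the configuration; the check a practitioner usually wants next is a way to confirm that every access switch actually ended up in that state. The script below is an added example, not code from the thread or from Cisco: it parses `show running-config` output in the IOS syntax used in the reply and flags the mistakes that matter for DHCP snooping (snooping not enabled, an uplink trunk left untrusted so relayed offers are dropped, an access port wrongly trusted so a rogue server would be accepted, a rate limit below the 100 pps the reply recommends, and DAI enabled without a persisted snooping database). The sample configuration is constructed for the demo; the interface names and the 100 pps threshold are assumptions taken from the reply rather than a Cisco-mandated value.

```python
"""Audit a Cisco IOS running-config for DHCP snooping misconfigurations.

Added example (not from the thread). Feed it the text of
'show running-config' from an access switch.
"""
import re
from dataclasses import dataclass

# Constructed sample config: one correct access port, one mis-trusted access
# port, one with a too-low rate limit, an untrusted uplink trunk, and DAI
# enabled without a snooping database.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 1-4094
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 10,20
!
interface GigabitEthernet1/0/1
 description access port, correct
 switchport mode access
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/2
 description access port, wrongly trusted
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/3
 description access port, rate limit too low
 switchport mode access
 ip dhcp snooping limit rate 10
!
interface Port-channel1
 description uplink to core, trust missing
 switchport mode trunk
!
"""

MIN_RATE = 100  # pps; the reply warns that lower values can errdisable the port


@dataclass
class Finding:
    severity: str  # "error" or "warn"
    target: str    # "global" or an interface name
    message: str


def parse_config(text):
    """Split an IOS config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' or blank ends an interface block
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of Findings for the DHCP snooping state of the config."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in global_lines:
        findings.append(Finding("error", "global", "DHCP snooping not enabled globally"))
    if not any(l.startswith("ip dhcp snooping vlan") for l in global_lines):
        findings.append(Finding("error", "global", "no VLANs selected for DHCP snooping"))
    dai = any(l.startswith("ip arp inspection vlan") for l in global_lines)
    has_db = any(l.startswith("ip dhcp snooping database") for l in global_lines)
    if dai and not has_db:
        findings.append(Finding("error", "global",
                                "DAI enabled but snooping database not persisted; a reboot locks clients out"))
    for name, lines in interfaces.items():
        trusted = "ip dhcp snooping trust" in lines
        is_trunk = "switchport mode trunk" in lines
        is_access = "switchport mode access" in lines
        rate = None
        for l in lines:
            m = re.match(r"ip dhcp snooping limit rate (\d+)", l)
            if m:
                rate = int(m.group(1))
        if is_trunk and not trusted:
            findings.append(Finding("error", name,
                                    "uplink trunk untrusted; relayed DHCP offers will be dropped"))
        if is_access and trusted:
            findings.append(Finding("error", name,
                                    "access port trusted; a DHCP server on this port would be accepted"))
        if is_access and rate is not None and rate < MIN_RATE:
            findings.append(Finding("warn", name,
                                    f"rate limit {rate} pps is below {MIN_RATE}; risk of errdisable"))
        if is_access and rate is None and not trusted:
            findings.append(Finding("warn", name, "no DHCP rate limit configured"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.target}: {f.message}")
```

Run it against the saved output of `show running-config` from each 3750X; a clean result means the global snooping lines, the trusted uplink, the per-port rate limit and the flash database are all in place. The parser relies on the single-space indentation IOS uses for interface sub-commands and on `!` separating blocks.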
