First time to configure DHCP Snooping

simonator
Level 1

Good day to everyone,

A few minutes ago, as of the writing of this discussion, a colleague of mine tried to enable a DHCP server in VMware. He was unaware that he was actually distributing IPs on our local network. So the inevitable happened: 40 computers got the wrong IP and were disconnected from our production network.

In our network we have a Cisco 4506-E acting as the DHCP server for both VLAN 5 and VLAN 6, with interface VLAN 5 having an IP of 172.16.5.1 and acting as the default router for VLAN 5, and interface VLAN 6 having an IP of 172.16.6.10 and acting as the default router for VLAN 6.

I am thinking of enabling DHCP snooping in my network. This will be my first time doing it and I am hoping that the experienced guys will give me good advice on where to start.

And here are my additional questions.

1. What things do I need to consider?

2. Any risks?

3. Where should I apply it?

I thank all of you in advance for your help and I am hoping for your reply.

5 Replies

Martin Carr
Level 4

As far as I understand, it should be applied on all switches, so it stops all but the 'trusted' server from responding to requests.

I don't think there is much to consider, and I can't see what risks would be posed.

Martin

How about the DHCP snooping agent? Any knowledge transfer about that?

The DHCP snooping agent is used to compare DHCP bindings across reloads. If the switch doesn't have an agent configured (you can run without it) and the switch reloads, traffic could be interrupted until that database local to the switch is rebuilt. Switches do not share bindings. They keep track of the IP address / MAC address / port that a DHCP request was done on.

A binding (as shown by "show ip dhcp snooping binding") looks like:

MacAddress          IpAddress   Lease(sec)  Type            VLAN  Interface
34:75:C7:E6:EB:96   10.10.x.x   3220671     dhcp-snooping   10    FastEthernet0/13

I have my DHCP snooping database configured to use SCP to copy the bindings to a text file. When the switch reloads, it copies that bindings text file back to the switch and operations continue normally.

You should enable it on every switch and trust your uplinks to other switches on both ends. For example, if you have two switches and the DHCP server is on switch 2:

switch 1
    |
switch 2 --- port 48 DHCP server

On switch 1 you trust the link that connects to switch 2; on switch 2 you trust the connection to switch 1 and port 48, where the DHCP server connects.

The only caveat I've found is that in our environment we have mobile workstations that connect to bridges. The bridges, from what I have seen, send the DHCP request on behalf of the workstation, so the switch sees two MAC addresses and denies the DHCP reply. I've had to trust all of the ports that lead to my APs to get around this issue.

HTH,
John

*** Please rate all useful posts ***

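The two-switch layout John describes, written out as an IOS configuration for the access switch ("switch 1"). This is an added example, not configuration from the thread; the interface numbers, the TFTP server address 172.16.0.20 and the database filename are assumptions.

```cisco
! Access switch ("switch 1") in John's example. Interface numbers, the
! TFTP server 172.16.0.20 and the filename are assumptions, not values
! from the thread.
!
! Snooping is enabled globally and then per VLAN; a VLAN that is not
! listed is not inspected at all.
ip dhcp snooping
ip dhcp snooping vlan 5,6
!
! Optional database agent: keeps the binding table off-box so it survives
! a reload. Any IOS file URL works here (flash:, tftp:, ftp:, scp:, ...);
! TFTP is shown for simplicity. write-delay throttles how often the file
! is rewritten after a binding change.
ip dhcp snooping database tftp://172.16.0.20/switch1-dhcp-snooping.db
ip dhcp snooping database write-delay 60
!
! Uplink toward switch 2, where the DHCP server sits: trusted, so the
! OFFER/ACK coming back from the server side are forwarded. Switch 2
! must trust its end of this same link.
interface GigabitEthernet0/1
 description Uplink to switch 2
 switchport mode trunk
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default). Server-side messages
! (OFFER/ACK/NAK) received here, e.g. from a VM running a DHCP server,
! are dropped, which is exactly the incident in the original post.
! The rate limit blunts a DISCOVER flood; a port that exceeds it is
! err-disabled, so also enable automatic recovery.
interface range GigabitEthernet0/2 - 22
 switchport mode access
 ip dhcp snooping limit rate 15
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Port feeding a wireless bridge/AP that requests DHCP on behalf of its
! clients (John's caveat). Trusting it restores service for those
! clients, but it also removes the protection on that one port, so keep
! the list of such ports short.
interface GigabitEthernet0/23
 description To wireless bridge / AP
 ip dhcp snooping trust
!
! Verification: global state and trusted ports, current bindings, and
! whether the database agent last wrote/read successfully.
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip dhcp snooping database
```

Nothing on this access switch needs to be trusted except the uplink and, if you have them, the bridge/AP ports; every other port should remain untrusted or the feature is not doing anything useful there.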

Thank you, Mr. John, for your reply.

I just want to clarify: can I configure DHCP snooping without this DHCP agent? Is it mandatory?

And, for example, I have this kind of setup (you can check the partial configuration) where I have the L3 4506 switch configured with VLAN 5 and VLAN 6, as posted in my original post, each with its own default router. I mean, can I configure the trust setting on the VLAN interface?

!
ip dhcp pool Clients
 network 172.16.4.0 255.255.254.0
 default-router 172.16.5.1
 dns-server 172.16.0.8 172.16.0.12
 lease 30
!
ip dhcp pool Clients_building2
 network 172.16.6.0 255.255.254.0
 default-router 172.16.6.10
 dns-server 172.16.0.8 172.16.0.12
 lease 30
!
interface Vlan5
 ip address 172.16.5.1 255.255.254.0
 ip helper-address 172.16.5.1
 ip helper-address 172.16.0.8
!
interface Vlan6
 ip address 172.16.6.10 255.255.254.0
 ip helper-address 172.16.6.10
 ip helper-address 172.16.0.8

And with your example, I need to configure the trust setting on the trunk links between switches, right?

Jeff Van Houten
Level 5

You need to configure the agent if you are going to use any of the higher functions like IP Source Guard. If you are never going to use Source Guard, the agent is optional. Since you are using a switch as the DHCP server, you also need to read up on option 82 insertion if you do plan on using the agent.

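The option 82 point Jeff raises, and the original poster's question about trusting a VLAN interface, shown on the 4506 that is both the DHCP server (the "Clients" and "Clients_building2" pools posted above) and a snooping switch. This is an added example, not configuration from the thread; the downlink interface number is an assumption.

```cisco
! Core 4506-E: DHCP server for VLANs 5 and 6 AND a snooping switch.
! Interface numbers are assumptions, not values from the thread.
!
ip dhcp snooping
ip dhcp snooping vlan 5,6
!
! Option 82. With snooping on, IOS by default inserts relay-agent
! information (option 82) into client DHCP packets, and the access
! switches do the same, leaving giaddr at 0.0.0.0. The IOS DHCP server
! running on this same box drops a packet that carries option 82 with
! giaddr 0.0.0.0 unless it is told to trust it, so clients behind the
! access switches would silently stop getting leases. Choose one of:
!
! (a) Do not insert option 82 at all. Apply this on every snooping
!     switch, the access switches included, not just here.
no ip dhcp snooping information option
!
! (b) Keep option 82 (only worth it if you use the circuit-id, e.g. for
!     port-based address policies) and let the local server/relay accept
!     packets that carry it with giaddr 0.0.0.0:
! ip dhcp relay information trust-all
!
! Downlinks to the access switches are trusted on this end, matching the
! trust on the access switch's uplink: the edge's DISCOVER/REQUEST and
! this box's OFFER/ACK both traverse the link.
interface TenGigabitEthernet1/1
 description Downlink to access switch 1
 switchport mode trunk
 ip dhcp snooping trust
!
! Answer to "can I trust the VLAN interface": no. "ip dhcp snooping
! trust" is accepted only on physical ports and port-channels; there is
! no such command under interface Vlan5 or Vlan6. Because the DHCP
! server here is the switch itself, there is also no server-facing port
! to trust on this box, unlike "port 48" in John's drawing.
!
! Verify trusted ports and whether option 82 insertion is enabled:
! show ip dhcp snooping
```

If you pick option (a), remember that it is a global command per switch: leaving the default insertion enabled on even one access switch is enough for that switch's clients to have their requests dropped by the server on the 4506.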
