Solved: Implementing DHCP Snooping

david.ageitu · ‎03-29-2017

Hi

I am looking to implement dhcp snooping on the company's access switches but I can not figure out why it does not seem to work. We have two Cisco 2960 on a stack which is acting as access layer and a 3560 and 3650 respectively acting as the L3 switches which is used for inter vlan routing.

The DHCP server vlan is different from the client's vlan and Ip helper address is used on the L3 switch to relay dhcp information to the DHCP server from each vlan. I have enable dhcp snooping globally by using IP DHCP snooping and I have also enable DHCP snooping on the vlan that will be verify on the access switches. I have trust the trunk interfaces going to the L3 swtiches from the access switches as well as the DHCP server.

After implementing this, I lost connectivity. All client could not get a valid IP from the DHCP server. The IP dhcp snooping statistic on the access switches shows that no DHCP packets are been forwarded. All the packets are dropped. I have followed several instructions online but could not solve the issue.

Also i noticed that if I configure one of the host untrusted interface as a trusted interface, all host on that vlan will start receiving IP addresses.

Can someone help me please.

Julio E. Moisa · ‎04-03-2017

Hi

The trust line should be configured on the outbound way. Is possible to know your configuration on the access switch? and if you have a basic topology.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

Julio E. Moisa · ‎04-03-2017

Hi

Dhcp snooping is configured on access switches only, the following config is an example, have you disable option 82?

ip dhcp snooping
ip dhcp snooping vlan X1,X2,X3,Xn
no ip dhcp snooping information option

interface g1/0/1
description USER
ip dhcp snooping limit rate 25

interface g1/1/1
description TRUNK
ip dhcp snooping trust <-- enable it under the interface or over the path going to the dhcp server

Please rate the comment if it is useful

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

david.ageitu · ‎04-03-2017

Hi Julio,

Thanks for the quick response. I only configure IP dhcp snooping on the access switches. I trutsed the port channel link from the access link to the L3 switches (Both ways). On the access switche, I have also trusted the interface going to the DHCP server. I have also disable dhcp option 82 on the access and the layer 3 switch.

Still I do not have any success. The access switches keep blocking the dhcp packet.

Julio E. Moisa · ‎04-03-2017

Hi

The trust line should be configured on the outbound way. Is possible to know your configuration on the access switch? and if you have a basic topology.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

david.ageitu · ‎04-04-2017

Thanks Julio,

I have figure out what the issue was. The Port channels from the access switches to the L3 switches need to be trusted even though i have already trust the individual interfaces on the port channel.

Thanks for your help.

Regards

David Ageitu.

Julio E. Moisa · ‎04-04-2017

Thank you David for the update, have a good day!

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<