
IP DHCP SNOOPING and etherchannel ?

Mike Mott

Hello everyone.

I am trying to configure dhcp snooping for a network of 9 switches that are connected to the core via an etherchannel.

The last document that I could find related to dhcp snooping and etherchannel was back in 2008. Looking for some updated information.

Switch names have been changed to protect the innocent

My setup is as follows.

Core-0 :globally = Nothing

Core-0(config)# int vlan 80
Core-0(config)# ip dhcp relay information trusted

Distribution-0(config)# ip dhcp snooping vlan 80
Distribution-0(config)# ip dhcp snooping information option allow-untrusted
Distribution-0(config)# ip dhcp snooping


Distribution-0(config-if)# int g0/51        (UPLINK<-> Core-0-B)
Distribution-0(config-if)# ip dhcp snooping trust


Distribution-0(config-if)# int g0/52        (UPLINK<-> CS-UTS-0-A)
Distribution-0(config-if)# ip dhcp snooping trust


Access-0(config)# ip dhcp snooping vlan 80
Access-0(config)# ip dhcp snooping

Access-0(config-if)# int g1/0/52
Access-0(config-if)# ip dhcp snooping trust


Access-1(config)# ip dhcp snooping vlan 80
Access-1(config)# ip dhcp snooping

Access-1(config-if)# int g1/0/52
Access-1(config-if)# ip dhcp snooping trust

Access-2(config)# ip dhcp snooping vlan 80
Access-2(config)# ip dhcp snooping

Access-2(config-if)# int g1/0/52
Access-2(config-if)# ip dhcp snooping trust


Access-3(config)# ip dhcp snooping vlan 80
Access-3(config)# ip dhcp snooping

Access-3(config-if)# int g1/0/52
Access-3(config-if)# ip dhcp snooping trust


Access-4(config)#  ip dhcp snooping vlan 80
Access-4(config)# ip dhcp snooping

Access-4(config-if)# int g1/0/52
Access-4(config-if)# ip dhcp snooping trust


Access-5(config)# ip dhcp snooping vlan 80
Access-5(config)# ip dhcp snooping

Access-5(config-if)# int g1/0/52
Access-5(config-if)# ip dhcp snooping trust


Access-6(config)# ip dhcp snooping vlan 80
Access-6(config)# ip dhcp snooping

Access-6(config-if)# int g1/0/52
Access-6(config-if)# ip dhcp snooping trust


Access-7(config)# ip dhcp snooping vlan 80
Access-7(config)# ip dhcp snooping

Access-7(config-if)# int g1/0/52
Access-7(config-if)# ip dhcp snooping trust


Access-8(config)# ip dhcp snooping vlan 80
Access-8(config)# ip dhcp snooping

Access-8(config-if)# int g1/0/28
Access-8(config-if)# ip dhcp snooping trust

Once all of the config changes were made, I connected to Access-0, put my port in VLAN 80, and was not able to get an address.

Accepted Solution

Hello Mike,

If I understood what you said earlier, my configs were all correct, except you would add the command ip dhcp snooping trust on the interface Port-channel1 at the Distribution-0 as well as interfaces g0/51 and g0/52

Precisely. After you create EtherChannels, keep in mind that to most protocols and protection mechanisms, the physical ports disappear. Instead, the Port-channel interface comes in, and all protocol operations are performed against the Port-channel interface. Therefore, you must configure the ip dhcp snooping trust command primarily on Port-channel interfaces - do not care about the physical interfaces, they will inherit the necessary configuration from the Port-channel interface automatically. In your case, as the DHCP Snooping is run on the Distribution and Access switches, the ip dhcp snooping trust command should be put on all Port-channel interfaces on the Distribution and Access switch (assuming that the ports under the Port-channel interfaces should indeed be trusted).

You do not need to configure anything special on the Core. The ip dhcp relay information trusted is perfectly fine and is placed right where it belongs: on the SVI for VLAN 80.

Best regards,

Peter
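
An added example, not part of the original thread: a Python check over IOS-style running-config text that flags Port-channel interfaces lacking ip dhcp snooping trust while their member ports carry it, which is the situation the answer above describes. The sample configs are constructed from the Distribution-0 setup in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the Distribution-0 setup described in the
# thread: trust is set on the member ports only, not on Port-channel1.
BEFORE = """\
interface Port-channel1
 description Core-0-UPLINK
!
interface GigabitEthernet0/51
 channel-group 1 mode desirable
 ip dhcp snooping trust
!
interface GigabitEthernet0/52
 channel-group 1 mode desirable
 ip dhcp snooping trust
"""
# The same config with the trust statement added on the bundle interface.
AFTER = BEFORE.replace(" description Core-0-UPLINK\n",
                       " description Core-0-UPLINK\n ip dhcp snooping trust\n")

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from IOS-style text."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return blocks

def untrusted_bundles(config):
    """Port-channels lacking trust although their member ports carry it."""
    blocks = parse_interfaces(config)
    members = {}  # channel-group number -> member ports configured as trusted
    for name, cmds in blocks.items():
        for cmd in cmds:
            m = re.match(r"channel-group\s+(\d+)\b", cmd)
            if m and "ip dhcp snooping trust" in cmds:
                members.setdefault(m.group(1), []).append(name)
    findings = {}
    for group, ports in members.items():
        po_cmds = blocks.get("Port-channel" + group, [])
        if "ip dhcp snooping trust" not in po_cmds:
            findings["Port-channel" + group] = sorted(ports)
    return findings

print(untrusted_bundles(BEFORE), untrusted_bundles(AFTER))
```

Trust on the member ports is used here as the signal that the uplink is meant to be trusted; a bundle whose members carry no trust statement is not reported.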


Mike Mott

Thank You in advance.

Mike,

Where are the EtherChannels you've spoken about in the thread title? In any case, if you are doing EtherChannels between your Access/Distro and Distro/Core switches then be sure to configure the ip dhcp snooping trust command on the Port-channel interfaces, not just on the physical ports.

If this does not help then if possible please do the debug ip dhcp snooping event and debug ip dhcp snooping packet on your Access-0 switch - let's see what is going wrong. The debug will be quite sizeable - it would be best to turn on a logging function in your terminal emulator software.

Thank you!

Best regards,

Peter

Peter

I did not add the ether channel configs because I didn't apply any commands to the ether channel, only to the associated interfaces that are part of the ether channel. Thus ends my excuse phase.

The ether channel is between the Core switch and the Distribution switch. The config for the ether channel looks like:

Core-0#

interface Port-channel80
description Distribution-0
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
mls qos trust cos
no mls qos channel-consistency

interface GigabitEthernet3/4
description UPLINK<->Distribution-0-B
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
udld port
mls qos trust cos
channel-group 80 mode desirable

interface GigabitEthernet5/10
description UPLINK<->Distribution-0-A
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
udld port
mls qos trust cos
channel-group 80 mode desirable

Distribution-0

interface Port-channel1
description Core-0-UPLINK
switchport trunk encapsulation dot1q
switchport mode trunk

interface GigabitEthernet0/51
description UPLINK<-> Core-0-B
switchport trunk encapsulation dot1q
switchport mode trunk
udld port
channel-group 1 mode desirable
!
interface GigabitEthernet0/52
description UPLINK<-> Core-0-A
switchport trunk encapsulation dot1q
switchport mode trunk
udld port
channel-group 1 mode desirable

If I understood what you said earlier, my configs were all correct, except you would add the command ip dhcp snooping trust on the interface Port-channel1 at the Distribution-0 as well as interfaces g0/51 and g0/52? But nothing on the port-channel on the Core?

How do you configure ip dhcp snooping on port-channels in Packet Tracer? I did ip dhcp snooping trusted in Packet Tracer 8 on g0/1 between my switch and router; it then stopped my DHCP server from issuing IP addresses. When I try to rectify the errors, Packet Tracer freezes and displays an error message, causing my PC to crash, though it has 8 GB RAM.

I think it's a bit late to reply but Packet Tracer does not support the ip dhcp snooping command on port-channels.

I understand, but anyways if I try to write ip dhcp snooping trust on the Channel-Group, the option doesn't exist.
All this on Cisco Packet Tracer 8.2.0

If the option does not exist then it's not supported on packet tracer. Packet tracer has very limited commands as it's an emulator. Which means it doesn't have the functionality of real devices.

ShivamNaik08815

When I insert the ip dhcp snooping trust command into my port-channels on my network consisting of 3 Catalyst 2960 switches in EtherChannel on Packet Tracer version 8, it does not execute. Can someone explain this issue?

ShivamNaik08815

I had the same issue. I tried to configure on EtherChannels in Packet Tracer 8 but it gives me errors and my network is down. What could be the reason? I did everything according to the book.

Hi, I have the same problem. I'm trying to configure DHCP snooping on an EtherChannel group but it's impossible. Did you find a way to solve it? It would be appreciated.
Thanks
