12-30-2006 09:32 PM - edited 03-05-2019 01:32 PM
Hi Sir,
I'm trying to implement DHCP snooping feature on one particular floor in an office building switched network. Attached is the physical network topology diagram. The floor is Level 13. The DHCP server is centralized.
All users in Level 13 are on VLAN 130, which I'd like to enable DHCP snooping on. The objective is to safeguard any rogue DHCP server from connecting to any ports on the access switches and the core switches.
I also include my configurations. Please verify if I configured anything incorrectly with regards to my scenario. I need help on the DHCP snooping configuration on the core switches. Please advise.
Also, is it necessary to configure DHCP snooping database agent on all the switches?
Please help.
Thank you.
B.Rgds,
Lim TS
01-01-2007 03:26 AM
Hello my friend,
I'm in the process of testing DHCP snooping and DAI on my Catalyst switches. I did that in the lab, but I can't see the DHCP snooping binding table. Just today I read a document about DHCP snooping, port security, and Dynamic ARP Inspection; I think this is a good document or article. I missed one command at the trunk links, "ip dhcp relay information trusted". After reading this document, I will try it after my holiday. But I think it is worth reading this document; maybe it can help you.
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3462211
For the database, I think you have to create a TFTP server in case the switch reloads. For the core switches, I think you need to enable DHCP snooping, but take care to trust all the required ports, like the DHCP server port and also the trunk links to other switches.
Please check with your topology and update.
Please rate if it is helpful!
Thanks
Abd Alqader
01-01-2007 03:06 PM
Hi,
I found the following note on cisco.com:
--------------------------------------
When DHCP snooping is enabled, these Cisco IOS DHCP commands are not available on the switch:
- "ip dhcp relay information check" global configuration command
- "ip dhcp relay information policy" global configuration command
- "ip dhcp relay information trust-all" global configuration command
- "ip dhcp relay information option" global configuration command
- "ip dhcp relay information trusted" interface configuration command
If you enter these commands, the switch returns an error message, and the configuration is not applied.
--------------------------------------
That's why I didn't configure the "ip dhcp relay information trusted" command on trunk ports in my lab. However, I was able to see the DHCP snooping binding table using the "sh ip dhcp snooping binding" command on my access switches. Please refer to my attached configuration slides.
The network scenario I posted is such that, the DHCP server is located remotely. Local clients contact the DHCP server via "ip helper-address" configured on the local Core switches.
I'm quite sure about the DHCP snooping configurations on the access switches. However, I'm not sure about configuring DHCP snooping on the Core switches, with regards to my scenario.
Can anyone please provide some guideline?
Thank you.
B.Rgds,
Lim TS
01-08-2007 03:25 AM
Hi,
You should configure "ip dhcp snooping trust" on all uplink interfaces (trunks) and on the interface where DHCP traffic is routed.
Also add ip helper-address on SVI 130.
I hope this will help.
01-08-2007 06:59 AM
Hi,
Thanks for your reply.
Have you checked my attached config of both core switches? What other configuration commands that I missed?
Also, is it necessary to configure DHCP snooping database agent on all the switches?
Please advise.
Thank you.
B.Rgds,
Lim TS
01-08-2007 09:56 AM
Sorry, I didn't see the second slide :)
It seems all ok, but I don't see your access ports or access switches.
Access switches should also have "ip dhcp snooping trust" on the trunk port and
ip dhcp snooping limit rate xxx
on each access port.
Check your configuration:
sh ip dhcp snooping
I hope it will help.
01-08-2007 03:46 PM
Hi,
I have the "ip dhcp snooping trust" command configured on interface Gi1/13 of both Core switches, connecting to the access switches (please see my diagram). Do I need to configure "ip dhcp snooping trust" on the portchannel interfaces between the two Core switches?
"ip dhcp snooping trust" is also configured on all the trunk ports of the access switches.
Is it necessary to configure DHCP snooping database agent on all the switches?
Thank you.
B.Rgds,
Lim TS
01-08-2007 11:59 PM
>Do I need to configure "ip dhcp snooping trust" on the portchannel interfaces between the two Core switches?
Yes, if DHCP packets can go through this interface.
But if you don't need DHCP snooping on all ports, you can just disable DHCP snooping on all transit switches.
I.e. if you don't have access ports on the c6509 or c3560, only trunks/routed interfaces, just disable DHCP snooping.
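The configuration below is an added example, not the original poster's attached slides and not from any participant in this thread. It pulls together the advice given above (trust the trunks and the port-channel, rate-limit untrusted access ports, relay via "ip helper-address" on the VLAN 130 SVI, persist the binding table to TFTP) into one access-switch and one core-switch fragment. Hostnames, interface numbers, IP addresses and the TFTP path are assumptions chosen for illustration; replace them with your own.

```cisco
! Added example: DHCP snooping for VLAN 130 with a remote DHCP server reached
! through a relay on the core. All names, interfaces and addresses are assumed.
!
! ===== Access switch (assumed hostname L13-ACC1) =====
ip dhcp snooping
ip dhcp snooping vlan 130
! Assumption: the central DHCP server does not rely on Option 82. With insertion
! enabled, the relay on the core may discard snooped packets that carry Option 82
! with giaddr 0.0.0.0. Keep the default (enabled) if your server uses Option 82.
no ip dhcp snooping information option
! Database agent: writes the bindings this switch learns on its untrusted ports
! so they survive a reload. TFTP-SERVER is a placeholder for your TFTP host.
ip dhcp snooping database tftp://TFTP-SERVER/l13-acc1-snooping.db
!
interface GigabitEthernet0/1
 description Uplink to core (trusted: legitimate OFFER/ACK arrives here)
 switchport mode trunk
 ip dhcp snooping trust
!
interface range FastEthernet0/1 - 48
 description User ports on VLAN 130 (untrusted by default)
 switchport mode access
 switchport access vlan 130
 ! Server-side DHCP messages from a rogue server on these ports are dropped;
 ! the rate limit (packets per second) bounds DHCP flooding from a client.
 ip dhcp snooping limit rate 15
!
! ===== Core switch (assumed hostname L13-CORE1) =====
ip dhcp snooping
ip dhcp snooping vlan 130
!
interface GigabitEthernet1/13
 description Downlink to access switches
 switchport mode trunk
 ip dhcp snooping trust
!
interface Port-channel1
 description Link to L13-CORE2; VLAN 130 DHCP can transit here, so trust it
 switchport mode trunk
 ip dhcp snooping trust
!
interface Vlan130
 ip address 10.13.0.2 255.255.255.0
 ! Relays client broadcasts to the central DHCP server (placeholder address)
 ip helper-address 10.1.1.10
!
! ===== Verification, run on each switch =====
! show ip dhcp snooping          -> snooping VLANs, trusted ports, rate limits
! show ip dhcp snooping binding  -> one entry per lease learned on untrusted ports
```

On the database-agent question that recurs in the thread: the agent only stores bindings the local switch learned on its untrusted ports, so it matters on the access switches, where clients connect. A core switch whose VLAN 130 ports are all trusted learns no bindings and gains nothing from the agent; this is the same reasoning as the last reply's suggestion to leave snooping off entirely on transit switches that have no access ports.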