Relation between DHCP snooping and DHCP trust

satishmothukri
Level 1

Hi All,

Could you please explain how DHCP works in the below scenarios, and what commands need to be enabled?

1) DHCP client -- Cisco 3750 switch -- DHCP server (DHCP server is present locally)

2) DHCP client -- Cisco 3750 switch -- EIGRP -- Cisco 3845 router -- MPLS cloud -- DHCP server (DHCP server is located remotely)

If the DHCP server is located remotely, then is it necessary to enable the below commands?

ip dhcp snooping -- globally

ip dhcp snooping vlan <vlan number>

ip dhcp snooping trust -- on the 3750 switch L3 interface which connects to the 3845 router

What is the relation between ip dhcp snooping and trust?

If I don't configure the above three commands on the 3750 switch, will the DHCP client get an IP address from the remote DHCP server or not?

Thanks,
M S K

5 Replies

satishmothukri
Level 1

Suppose I enable DHCP snooping on the 3750 switch (scenario 2) using ip dhcp snooping (globally) without configuring the below commands. Will the DHCP client get an IP address from the remote DHCP server?

ip dhcp snooping vlan

ip dhcp snooping trust -- on the 3750 switch L3 interface which connects to the 3845 router

Thanks,
M S K

Hi,

The DHCP snooping feature is used to mitigate rogue DHCP servers and MITM attacks leveraging these servers, not to enable clients on one subnet to get DHCP addresses from a DHCP server located on a different subnet.

For this you need a DHCP relay agent which will transform the DHCP broadcasts from the client into unicast so they can get to the server. This is implemented on Cisco IOS with the ip helper-address command.

Enabling DHCP snooping globally but without specifying the VLANs will not work if I remember well, but if it was working then by default all ports would be considered untrusted (they will drop DHCP messages from servers) and your client wouldn't get any response from the server, so you would have to make your ports going to the legitimate server trusted.

Regards

Alain

Don't forget to rate helpful posts.

I am a bit confused by your question, but I will answer it as best I can.

The command "ip dhcp snooping" turns on the DHCP snooping process on the local switch - without it, there will be no snooping at all. The command "ip dhcp snooping vlan x" turns on the DHCP snooping process on the specified VLAN; this command does nothing unless the command "ip dhcp snooping" is also configured globally. Finally, the command "ip dhcp snooping trust" specifies an interface on which DHCP server packets can be accepted. This will include Offers and Acknowledgements and any other messages that typically originate from the DHCP server.

In response to your most recent question, the answer is Yes, your clients would still receive DHCP-assigned IP addresses. This is because you have enabled the DHCP snooping service on the switch but it is not yet assigned to any VLAN. If you were to assign it to the client VLAN without the snooping trust command, however, your clients would no longer receive the DHCP packets.

Hi Kyle / Alain,

Thanks for the reply and valuable info.

Alain:

Enabling DHCP snooping globally but without specifying the VLANs will not work if I remember well.

From the above statement I could say that we need to have DHCP snooping enabled globally along with dhcp snooping vlan and dhcp snooping trust to get an IP address from trusted servers.

Correct me if I am wrong.

I have one more doubt.

===================

The below commands are not configured on the switch, and I have an ip helper-address configured on the VLAN interface.

ip dhcp snooping -- globally

ip dhcp snooping vlan

ip dhcp snooping trust

In the above scenario, will machines connected to the 3750 switch get an IP address from the remote DHCP server or not?

Thanks,
M S K

Hello,

Here are some results from previous testing of DHCP snooping:

For DHCP snooping to be active and for the binding DB to be populated requires:

ip dhcp snooping & ip dhcp snooping vlan xx

1) DHCP client -- Cisco 3750 switch -- DHCP server (DHCP server is present locally)

If the DHCP server is attached to the same switch and all clients are on this switch, then just trust the interface where the server is situated.

2) DHCP client -- Cisco 3750 switch -- EIGRP -- Cisco 3845 router -- MPLS cloud -- DHCP server (DHCP server is located remotely)

If applied to one switch with the DHCP "DORA" exchanges on the uplink, then that uplink towards the DHCP server will require to be trusted.

If you have multiple DHCP clients over multiple switches, then all these switches require snooping enabled, with their interconnect links and the link to the DHCP server trusted.

As long as interfaces are trusted, the snooping database does nothing else.

It listens on the untrusted ports and snoops on the IP and MAC relation of clients.

If DHCP is pre-existing and then DHCP snooping is enabled, the snooping database WILL NOT be populated with the existing clients' leases; it will populate when the clients renew.

Hope it helps

res

Paul

Please don't forget to rate this post if it has been helpful.


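The configuration below is an added example written for this thread; it is not a config posted by Kyle, Alain, Paul or the original poster. It puts Kyle's description of the three commands and Paul's test results for both scenarios into one Catalyst 3750 configuration, with the show commands used to check the result. The interface names, VLAN 10 and all addresses (RFC 5737 documentation ranges) are assumptions. For scenario 2 it assumes the client VLAN is carried over a trunk to the 3845, which holds the ip helper-address, so that trunk is the uplink Paul says must be trusted. The option 82 note is a known IOS default, not something raised in the thread.

```ios
! ---- Common to both scenarios (assumed: clients in VLAN 10) ----
! Step 1: start the snooping process; on its own this inspects nothing.
ip dhcp snooping
! Step 2: attach it to the client VLAN. From now on every port in VLAN 10 is
! untrusted, so OFFER/ACK/NAK arriving on those ports are dropped.
ip dhcp snooping vlan 10
! Known IOS default, not discussed in the thread: the switch inserts option 82
! into client DISCOVERs. A Cisco router acting as relay drops option-82 packets
! that still carry giaddr 0.0.0.0 unless told to trust them, so either disable
! the insertion here or configure "ip dhcp relay information trust-all" on the 3845.
no ip dhcp snooping information option
!
! Client access ports stay untrusted (the default); rate-limit DISCOVER floods.
interface range FastEthernet1/0/1 - 22
 description Clients (untrusted)
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! ---- Scenario 1: DHCP server plugged into this switch ----
! Step 3: the only port allowed to source server messages is the server's port.
interface FastEthernet1/0/24
 description Local DHCP server
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
!
! ---- Scenario 2: server reached through the 3845 and the MPLS cloud ----
! Assumed here: VLAN 10 is trunked to the 3845, which relays for it.
! The relayed OFFER/ACK comes back down this trunk, so the trunk must be
! trusted; with Steps 1 and 2 but without this, clients stop getting leases.
interface GigabitEthernet1/0/25
 description Trunk to 3845 (carries client VLAN 10; EIGRP runs on another VLAN)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
! On the 3845 subinterface for VLAN 10 (assumed addresses):
!   interface GigabitEthernet0/0.10
!    encapsulation dot1Q 10
!    ip address 192.0.2.1 255.255.255.0
!    ip helper-address 198.51.100.10   <- remote DHCP server across the MPLS cloud
!
! ---- Multiple access switches (Paul's last case) ----
! Each switch runs Steps 1 and 2 for VLAN 10 and trusts its uplink toward the
! server; per Paul, the links between switches are trusted as well, so the
! OFFER/ACK relayed down through an upstream switch is accepted.
!
! ---- Verification ----
! Confirms snooping is on, which VLANs it covers and which ports are trusted.
show ip dhcp snooping
! Bindings appear only for leases seen on untrusted ports after snooping was
! enabled; clients that already held a lease show up at their next renewal.
show ip dhcp snooping binding
```

The order of the three steps matters for troubleshooting: Step 1 alone changes nothing, Step 2 alone makes every port in the VLAN drop server messages, and Step 3 is what reopens the one path the server's replies actually use.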