cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1838
Views
0
Helpful
5
Replies

DHCP Snooping - Are these settings OK?

Jacob Berger
Level 2
Level 2

ip dhcp snooping database flash:dhcpb.txt
ip dhcp snooping

interface GigabitEthernet1/0/27
channel-group 1 mode active
ip dhcp snooping trust
!
interface GigabitEthernet1/0/28
channel-group 1 mode active
ip dhcp snooping trust
!

interface Port-channel1
description ### XXXXXXX
ip dhcp snooping trust

5 Replies 5

Mark Malone
VIP Alumni
VIP Alumni

I would enable too for the specific vlans you want

ip dhcp snooping vlan x,x,x,x

I would also rate limit your user ports as best practice to mitigate attacks on the server

ip dhcp snooping rate limit 8

is your dhcp server cisco ios or an actual dhcp server like MS ?

is "ip dhcp snooping vlan x,x,x" a must?

dhcp server is MS

was working ok with "ip dhcp snooping vlan x,x,x"

but after FW outage (FWSM) and configuring interfaces and IP helper  on Cisco 6509 , clients couldn't reach DHCP server.

after removing "ip dhcp snooping vlan x,x,x" DHCP access returned.

Thanks

you sure it was working as its off by default until you specify the vlans

Looking through my own cores in each region we have also specificed the vlans and enabled it globally too


ip dhcp snooping vlan 1,32-36,38,54,59-60,110,126,151,154-160,164-166,169,196
ip dhcp snooping vlan 200-202,221-222,323-324,328-331
no ip dhcp snooping information option
ip dhcp snooping

Heres an easy guide to follow for it

http://packetpushers.net/ccnp-studies-configuring-dhcp-snooping/

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Enabling DHCP Snooping on VLANs

By default, the DHCP snooping feature is inactive on all VLANs. You may enable the feature on a single VLAN or a range of VLANs.

When enabled on a VLAN, the DHCP snooping feature creates four entries in the VACL table in the MFC3. These entries cause the PFC3 to intercept all DHCP messages on this VLAN and send them to the RP. The DHCP snooping feature is implemented in software on the RP.

To enable DHCP snooping on VLANs, perform this task:

 
Command
Purpose

Step 1 

Router(config)# ip dhcp snooping vlan {{vlan_ID [vlan_ID]} | {vlan_range}

Enables DHCP snooping on a VLAN or VLAN range.

Step 2 

Router(config)# do show ip dhcp snooping

Verifies the configuration

Well... This is what happened.

1. dhcp snooping was set to specific vlans ("ip dhcp snooping vlan x,x,x")

2. FWSM failed

3. 6509 took control of routing (event manager applet reverted SVIs  to "no shutdown" and set ip helper address )

4 routing OK but clients not getting DHCP (ones that had working leases were ok)

5. removed "ip dhcp snooping vlan x,x,x" from access switch running config and DHCP returned.

if i understand correctly , the fact that i removed "ip dhcp snooping vlan x,x,x" in effect disabled DHCP snooping?.

Thanks

Hi Jacob,

I agree with Jacob. 

As suggestion the ip dhcp snooping should be configured on the access switches only. Also the command line: ip dhcp snooping trust  should be configured on the interfaces going to the distribution switch or toward the company DHCP servers, it should not be configured on the end users ports.

In few words it should be configured on the trunk interfaces. 

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
Review Cisco Networking for a $25 gift card