We help IT Professionals succeed at work.

DHCP Snooping

Currently i have a network with 6 switches (4) 2950 and (2) 3508 switches.

We are expanding the switched network with 2 more switches 2960.

Currently DHCP snooping is not enabled on any switch, i would like to enable DHCP snooping on the new switches. So far i have only connected one of the new switches and enabled DHCP snooping globally on that switch and for only VLAN 10 (VLAN 10 is where my dhcp server is on one of the older switches).

When i connected a pc on the new switch (where dhcp snooping is enabled) it did not manage to get an ip and on the console i got a message.

1) Do i have to enable DHCP snooping on all other switches? I would like to avoid this.

2) If i simply set one port on the new switch to be trusted by DHCP snooping and connect the dhcp server directly to it  and leave the other swithces untouched would clients connected to the old switches where DHCP Snooping is not enabled still get ips?

Comment
Watch Question

Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
lhcsdDirector of Technology

Commented:
First make sure you're getting an IP without any DHCP snooping enabled to make certain your issue isn't something else. The port could have been shutdown to a DHCP snooping violation while you were messing with the config.

You do not have to enable snooping on all the other switches, however those switches will then allow DHCP responses so that may not be good from a security perspective.

If your DHCP server resides in VLAN 10, then it's probably cool for DHCP responses to come from there. Enable snooping on an access VLAN where a threat would be more likely to come from.

Commented:
basically DHCP snooping configuration involves the following;

Enabling DHCP snooping globally on the switch
> ip dhcp snooping

Enabling DHCP Snooping on each VLAN
> ip dhcp snooping vlan #

Configuring the DHCP Server interfaces as trusted
> ip dhcp snooping trust

Configuring uplink ports as trusted
> ip dhcp snooping trust

Configuring user ports (and other devices) as non-trusted
> no ip dhcp snooping trust (DEFAULT)

Optional

Rate-limit the number of DHCP packets per second an interface can recieve - Trusted or Untrusted
> ip dhcp snooping limit rate <rate>


Verification

show ip dhcp snooping

show ip dhcp snooping binding

I'd recommend leaving the Optional configuration out for now.
lhcsdDirector of Technology

Commented:
nazsky's right about the uplink port, I always forget that.

Author

Commented:
NASKY and IHCSD

Do you mean trust the trunk links between the switches too?

Dont forget im enabling DHCP snooping only on vlan 10 ...do you mean i have to also trust the trunk links?
Commented:
Yes, thats right. Inter-switch links need to be trusted.

Basically every link that the DHCP packet will traverse should be trusted or untrusted. Untrusted is the default, which means it will drop DHCP resposes by default. So should be set to trusted.

Author

Commented:
Ok will try it tomorrow.

One last thing... i will set the dhcp server port to trusted...i will follow the dhcp reply and trust the trunks towards the client..but i will not set the client port to trusted am i correct? because if i do the client can start its own dhcp server.

thanks again..

Commented:
Yes, you would set client ports to untrusted.

You can look at it from the DHCP Server perspective not the client.

Author

Commented:
Solved