DHCP Snooping

If I have DHCP configured on my switch, how do I configure DHCP snooping? I know that if you have a DHCP server on a switch port, that's where you apply the IP DHCP SNOOPING TRUST as well as on the links between switches and to the router. If I don't have a physical DHCP server, how do I configure DHCP snooping?

Thanks,
Shark Attack (Network admin) Asked:
JustInCase Commented:
It does not matter whether you have a physical server or not. You mark the port that is trusted - the port from which the DHCP offer will be received. A DHCP offer can only come from a trusted port; any other port, if a DHCP offer is received, will be error-disabled.
Shark Attack (Network admin, Author) Commented:
Well, if I have the below scope configured, which port do I mark as trusted? How do I know what port the DHCP offer will be received from?

ip dhcp pool Guest-Pool
   network 192.168.202.64 255.255.255.192
   default-router 192.168.202.65 
   dns-server 1.1.1.1 1.1.1.2 


JustInCase Commented:
Since the DHCP server is your switch, you would just need to enable DHCP snooping globally and then enable it for the VLAN.
If there are other switches connected to this one, it is easy to know which port to configure for ip dhcp snooping - most likely trunks should be trusted ports on those switches; all other ports should stay untrusted. :)

(config)#ip dhcp snooping  

(config)#ip dhcp snooping vlan 20

# sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
DHCP snooping is operational on following VLANs:
20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 867e.0000.88db (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------

Cisco - ip dhcp snooping configuration
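
A check that can be run against `sh ip dhcp snooping` output like the one in the answer above, as an added example that is not part of the original thread: it parses the output and reports expected VLANs where snooping is not operational and trusted ports that are not on an allow-list. The sample output, interface names and function names are constructed for illustration.

```python
import re
# Constructed sample: output from a hypothetical downstream switch (not from the thread).
SAMPLE = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20,30
DHCP snooping is operational on following VLANs:
20
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/7       yes        yes             unlimited
GigabitEthernet1/0/48      yes        yes             unlimited
"""

def expand_vlans(spec):  # '20,30-32' -> {20, 30, 31, 32}
    out = set()
    for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", spec):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_snooping(text):
    st = {"enabled": False, "configured": set(), "operational": set(), "ports": {}}
    section = None
    for s in map(str.strip, text.splitlines()):
        m = re.match(r"DHCP snooping is (configured|operational) on following VLANs", s)
        if s.startswith("Switch DHCP snooping is"):
            st["enabled"] = s.endswith("enabled")
        elif m:
            section = m.group(1)       # VLAN list follows on the next line(s)
        elif s.startswith("---"):
            section = "ports"          # interface rows follow the table rule
        elif section in ("configured", "operational") and re.fullmatch(r"[\d,\- ]+", s):
            st[section] |= expand_vlans(s)
        elif section == "ports" and re.match(r"\S+\s+(yes|no)\b", s):
            st["ports"][s.split()[0]] = s.split()[1] == "yes"
        elif s:
            section = None             # any other non-empty line ends the section
    return st

def audit(text, expected_vlans, allowed_trusted=()):
    st, findings = parse_snooping(text), []
    if not st["enabled"]:
        findings.append("DHCP snooping is not enabled globally")
    for v in sorted(set(expected_vlans) - st["operational"]):
        why = "configured but not operational" if v in st["configured"] else "not configured"
        findings.append(f"VLAN {v}: {why}")
    findings += [f"{p}: trusted but not expected" for p, t in sorted(st["ports"].items())
                 if t and p not in allowed_trusted]
    return findings
```

For the switch in this thread, which serves DHCP itself and has an empty trust table, `audit(output, {20})` returns no findings.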

Shark Attack (Network admin, Author) Commented:
Thanks!
Shark Attack (Network admin, Author) Commented:
How do I set the port to be NOT trusted?
JustInCase Commented:
You don't; all ports are untrusted except the ports that you configured as trusted ports.
Shark Attack (Network admin, Author) Commented:
That's what I thought. Thanks.