DHCP Snooping

Shark Attack
If I have DHCP configured on my switch, how do I configure DHCP snooping? I know that if you have a DHCP server on a switch port, that's where you apply the IP DHCP SNOOPING TRUST, as well as on the links between switches and to the router. If I don't have a physical DHCP server, how do I configure DHCP snooping?

Thanks,
Distinguished Expert 2018

Commented:
It does not matter whether you have a physical server or not. You mark the port that is trusted - the port from which the DHCP offer will be received. A DHCP offer can only come from a trusted port; any other port on which a DHCP offer is received will be error-disabled.
Shark Attack, Network admin

Author

Commented:
Well, if I have the below scope configured, which port do I mark as trusted? How do I know what port the DHCP offer will be received from?

ip dhcp pool Guest-Pool
   network 192.168.202.64 255.255.255.192
   default-router 192.168.202.65 
   dns-server 1.1.1.1 1.1.1.2 


Distinguished Expert 2018
Commented:
Since the DHCP server is your switch, you would just need to enable DHCP snooping globally and then enable it for the VLAN.
If there are other switches connected to this one, it is easy to know which port to configure for ip dhcp snooping - most likely trunks should be trusted ports on those switches; all other ports should stay untrusted. :)

(config)#ip dhcp snooping  

(config)#ip dhcp snooping vlan 20

# sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
DHCP snooping is operational on following VLANs:
20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 867e.0000.88db (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------

Cisco - ip dhcp snooping configuration
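
An added example, not part of the original thread: a Python check that parses `sh ip dhcp snooping` output in the format shown above and flags trusted ports that are not known uplinks, along with VLANs that are configured but not operational. The sample output, its interface names and the `uplinks` list passed to `audit` are constructed assumptions.

```python
import re

# Constructed sample in the format of the "sh ip dhcp snooping" output above, as it
# might look on a downstream access switch (VLANs and interface names are made up).
SAMPLE = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20,30-31
DHCP snooping is operational on following VLANs:
20
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/24      yes        yes             unlimited
GigabitEthernet1/0/7       yes        yes             unlimited
GigabitEthernet1/0/3       no         no              15
"""

def expand_vlans(spec):
    """Turn a VLAN list such as '20,30-31' into {20, 30, 31}."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_snooping(text):
    """Extract global state, both VLAN lists and the trusted ports."""
    lines = text.splitlines() + [""]
    st = {"enabled": False, "configured": set(), "operational": set(), "trusted": set()}
    for line, nxt in zip(lines, lines[1:]):
        is_vlans = re.fullmatch(r"\d+(-\d+)?(\s*,\s*\d+(-\d+)?)*", nxt.strip())
        row = re.match(r"(\S+)\s+(yes|no)\s+(yes|no)\s+\S+\s*$", line)
        if line.startswith("Switch DHCP snooping is"):
            st["enabled"] = line.split()[-1] == "enabled"
        elif "VLANs:" in line and is_vlans:
            key = "operational" if "operational" in line else "configured"
            st[key] = expand_vlans(nxt.strip())
        elif row and row.group(2) == "yes":
            st["trusted"].add(row.group(1))
    return st

def audit(st, uplinks):
    """Compare parsed state with the ports known to face the DHCP server."""
    out = [] if st["enabled"] else ["DHCP snooping is disabled globally"]
    out += [f"VLAN {v}: configured but not operational"
            for v in sorted(st["configured"] - st["operational"])]
    out += [f"{p}: trusted but not a known uplink" for p in sorted(st["trusted"] - set(uplinks))]
    out += [f"{p}: uplink is not trusted" for p in sorted(set(uplinks) - st["trusted"])]
    return out
```

Run against the output posted in the answer, where the switch is itself the DHCP server and the interface table is empty, `audit(parse_snooping(output), [])` returns no findings.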

Shark Attack, Network admin

Author

Commented:
thanks!
Shark Attack, Network admin

Author

Commented:
How do I set the port to be NOT trusted?
Distinguished Expert 2018

Commented:
You don't; all ports are untrusted except for the ports that you configured as trusted ports.
Shark Attack, Network admin

Author

Commented:
That's what I thought. Thanks.
