
How to set-up DHCP-snooping?


mlgmartin (Vendor), Jul 6, 2010
Kindly check if the procedure is correct.

5400(config)# dhcp-snooping authorized-server 192.168.10.1
5400(config)# dhcp-snooping trust A1
5400(config)# dhcp-snooping vlan 1
5400(config)# dhcp-snooping

Questions:
1) Do I need to turn off dhcp-snooping option 82?
5400(config)# no dhcp-snooping option 82
2) Under trusted interfaces (step 2), should I include both the uplink and downlink ports?

"It is an equal failing to trust everybody, and to trust nobody."
 
1. If you have Microsoft DHCP servers, then yes, you will need to turn off dhcp-snooping option 82, as Microsoft evidently isn't standards-compliant on their DHCP, and without that option, it will drop all DHCP traffic.

2. Yes. All DHCP server connected ports and all ports that other switches connect on (like you said, all uplink ports).

I provided the link to HP's article about DHCP snooping, but I did not see it mention the option 82 parameter. Hope that helps.

 
1)
"no dhcp-snooping option 82" is what I have on mine.

2)
Yes, both, as it snoops both the request AND the offer.
 
SWITCH1# sh dhcp-snooping stat


Packet type Action  Reason                       Count
----------- ------- ---------------------------- ---------
server      forward from trusted port            28
client      forward to trusted port              3862
server      drop    received on untrusted port   0
server      drop    unauthorized server          0
client      drop    destination on untrusted port 0
client      drop    untrusted option 82 field    0
client      drop    bad DHCP release request     0
client      drop    failed verify MAC check      0


If you don't disable option 82 snooping, you get this:

SWITCH2# sh dhcp-snooping stat


Packet type Action  Reason                       Count
----------- ------- ---------------------------- ---------
server      forward from trusted port            371
client      forward to trusted port              3898
server      drop    received on untrusted port   0
server      drop    unauthorized server          118
client      drop    destination on untrusted port 0
client      drop    untrusted option 82 field    119
client      drop    bad DHCP release request     0
client      drop    failed verify MAC check      0
 
My understanding is that "Option 82" is the information added to a client's DHCP request by the "IP Helper" on the router.

I haven't tested it yet, but I'm guessing you could re-enable Option 82 snooping if you first add the router interface as an "authorized-server".
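
Added example, not part of the thread and not HP's own tooling: a small Python parser for the "sh dhcp-snooping stat" table quoted above that reports every drop counter above zero, which is the check the two outputs in the thread are compared by. The sample text is constructed from the SWITCH2 counters, and the function names and hint strings are assumptions drawn from the replies.

```python
import re

# Constructed sample: same layout and counters as the SWITCH2 output quoted in the thread.
SAMPLE = """\
Packet type Action  Reason                       Count
----------- ------- ---------------------------- ---------
server      forward from trusted port            371
client      forward to trusted port              3898
server      drop    received on untrusted port   0
server      drop    unauthorized server          118
client      drop    destination on untrusted port 0
client      drop    untrusted option 82 field    119
client      drop    bad DHCP release request     0
client      drop    failed verify MAC check      0
"""

# One data row: packet type, action, free-text reason, trailing counter.
ROW = re.compile(r"^\s*(server|client)\s+(forward|drop)\s+(.+?)\s+(\d+)\s*$")

# Pointers drawn from the thread's discussion (assumptions); other reasons get a generic note.
HINTS = {
    "received on untrusted port": "check 'dhcp-snooping trust' on server and uplink ports",
    "unauthorized server": "check the 'dhcp-snooping authorized-server' list",
    "untrusted option 82 field": "relayed requests carry option 82; see 'no dhcp-snooping option 82'",
}

def parse_stats(text):
    """Return (packet_type, action, reason, count) tuples from the stats table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and dashed separator lines do not match and are skipped
            rows.append((m.group(1), m.group(2), m.group(3).strip(), int(m.group(4))))
    return rows

def nonzero_drops(text):
    """Return (packet_type, reason, count, hint) for every drop counter above zero."""
    return [(ptype, reason, count, HINTS.get(reason, "investigate this counter"))
            for ptype, action, reason, count in parse_stats(text)
            if action == "drop" and count > 0]

if __name__ == "__main__":
    for ptype, reason, count, hint in nonzero_drops(SAMPLE):
        print(f"{ptype:6} {reason:28} {count:6}  -> {hint}")
```

Run it against output captured at intervals: a drop counter that keeps rising after the trust and authorized-server settings are in place is the one to look into.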
 