DHCP snooping

Hey all,

From my limited understanding, DHCP snooping merely blocks DHCP responses from interfaces you configure to be untrusted. Does this (or should this) feature be enabled on all the switches? The way we have ours set up, our DHCP server is connected to a series of 6500 switches (our backbone) which are connected to our 3550s and 3548s on the floor. Since the security risk is with the on-floor switches, where people may plug in rogue DHCP servers, is it simply okay to just enable DHCP snooping on those on-floor switches?

Thanks.

Reply to
psychogenic

That doesn't agree with my understanding. DHCP snooping is usually the active forwarding of DHCP requests to a server that otherwise would not see them (because it's in a different broadcast domain). Some options add in information about exactly which port of which device was involved, so that a DHCP server can potentially make position-dependent assignments even "at a distance".

On the 3550's you might want to set up an ACL that blocks DHCP broadcasts except to trusted ports. You probably can't do that on 3548's unless they are Cat3548G-L3's.

Reply to
Walter Roberson

Hi Walter,

It sounds like you are thinking of DHCP Relay, or the forwarding of DHCP Requests from a LAN segment to another LAN segment that hosts the target DHCP Server. DHCP Snooping is the term Cisco use to describe the blocking of DHCP Server responses being sourced from an "untrusted" port (and it's a very welcome addition too).

Cheers.................pk.

Reply to
Peter

And the DHCP info gleaned during DHCP snooping is the information base used by the IP source guard feature.

Reply to
Merv
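As an added illustration (not posted by anyone in this thread), here is what enabling the feature on one of the on-floor access switches looks like in Cisco IOS, with only the uplink towards the 6500 backbone trusted and IP source guard layered on top of the snooping binding table; the VLAN number and interface names are assumptions, and the exact IP source guard syntax (and whether it is supported at all) depends on the platform and IOS version.

```cisco
! Assumed: user VLAN 10, uplink Gi0/1 to the 6500 backbone, users on Fa0/1-24
ip dhcp snooping
ip dhcp snooping vlan 10
! Older IOS inserts option 82 by default; many DHCP servers drop such
! requests from a relay-less access switch, so it is commonly disabled here
no ip dhcp snooping information option

! Uplink: the only path to the real DHCP server, so OFFER/ACK are allowed in
interface GigabitEthernet0/1
 description Uplink to 6500 backbone
 ip dhcp snooping trust

! Floor ports stay untrusted (the default): server replies arriving here are
! dropped, and the client request rate is capped to limit DHCP flooding
interface range FastEthernet0/1 - 24
 description User ports
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 10
 ! IP source guard: forward only traffic whose source IP matches the
 ! DHCP snooping binding learned on this port (platform dependent)
 ip verify source

! Verification: trusted ports, rate limits, and the learned bindings
! show ip dhcp snooping
! show ip dhcp snooping binding
```

Only the port facing the legitimate server needs `ip dhcp snooping trust`; every other port, including unused ones, stays untrusted so a rogue server plugged in on the floor cannot answer clients.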
