Help with DHCP Snooping...

Hi,

I am about to make the following setup:

[ASCII network diagram garbled in extraction. Devices shown, top to bottom: Internet, Firebox, two HP ProCurve 2650 switches, a Cisco 3750 serving Vlan 2, a Cisco 2924, a Cisco 2950, a Cisco 3750 serving Vlan 1, a Cisco 2970, and a Cisco PIX 515 with its own Internet link.]

I am connecting two networks that will each use their own internet connection, and the two 3750s will work as default gateways.

Each 3750 (the first in VLAN 1, the other in VLAN 2) has its own DHCP server connected to a trusted port, with DHCP snooping enabled and "ip dhcp snooping information option" disabled.

It works, but if I connect a PC to a port on one of the 3750s and afterwards move this PC to another port, for example on the Cisco 2924, I am unable to do an ipconfig /renew in Windows.

It seems like the 3750s are fine, but not the other switches?

What could be wrong?

I have no helper addresses (I do not quite understand them?)...

Any help would be appreciated :-)

Best regards

Thomas Hartmann

Reply to
Thomas Hartmann

Post your configs.

Reply to
Matt nickerson

Hi,

Here is the current configuration for the "Core" 3750 Switch on Vlan-1, connected directly to the PIX:

3750_EDB_RUM#show configuration
Using 9134 out of 524288 bytes
!
!
Last configuration change at 14:39:41 CET Wed Apr 11 2007
! NVRAM config last updated at 15:25:57 CET Wed Apr 11 2007 by administrator
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3750_EDB_RUM
!
enable secret
!
no aaa new-model
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3750g-24ts-1u
ip subnet-zero
ip routing
ip domain-name local
ip name-server 172.16.1.20
ip name-server 172.16.1.22
!
ip dhcp snooping vlan 1-2
no ip dhcp snooping information option
ip dhcp snooping
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 thresho
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 10
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1
 description SAN Switch
!
interface GigabitEthernet1/0/2
 description SAN Switch
!
interface GigabitEthernet1/0/3
 description EXCH1
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/4
 description -
!
interface GigabitEthernet1/0/5
 description FS
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/6
 description SW
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/7
 description SAN Diske
!
interface GigabitEthernet1/0/8
 description SAN Diske
!
interface GigabitEthernet1/0/9
 description PC
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/10
 description -
!
interface GigabitEthernet1/0/11
 description G. Tek Server
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/12
 description DIV
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/13
 description Cisco Giga Switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust cos
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/14
 description Ekstra kabel
!
interface GigabitEthernet1/0/15
 description Ekstra kabel
!
interface GigabitEthernet1/0/16
 description Ekstra kabel
!
interface GigabitEthernet1/0/17
 description Cisco 2950-5
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust cos
 macro description cisco-switch
 auto qos voip tru
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/18
 description VIRTUEL
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/19
 description -
!
interface GigabitEthernet1/0/20
 description Quantum Streamer
!
interface GigabitEthernet1/0/21
 description Cisco 2950-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust cos
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/22
 description ARKIV
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type in
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/23
 description TEK
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 description Cisco PIX
!
interface GigabitEthernet1/0/25
 description Uplink krydsfelt 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust cos
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/26
 description Uplink t
!
interface GigabitEthernet1/0/27
 description Uplink to Vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
!
interface GigabitEthernet1/0/28
 description -
!
interface Vlan1
 ip address 172.16.2.8 255.255.0.0
!
interface Vlan2
 ip address 132.147.160.2 255.255.0.0
!
router rip
 network 132.147.0.0
!
ip default-gateway 172.16.2.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.2.1
ip route 132.147.0.0 255.255.0.0 Vlan2
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 password xxx
 login
 length 0
line vty 5 15
 password xxx
 login
!
ntp server 172.16.1.20 key 0 prefer
end

Hope you have some input for me :-)

Thanks!

Best regards Thomas

Reply to
Thomas Hartmann

Thomas,

Do you have the ports on the 3750 to the "other switches" configured with "trust" (ip dhcp snooping trust)? If not, then your 3750 just cuts DHCP packets off on these ports. Basically you should configure all your "uplinks" and "downlinks" with "dhcp snooping trust".

The "ip helper" command is required if you have separate Layer 3 segments. If your network is all flat, then it's not required.

Good luck,

Mike CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, etc. CCIE R&S (in progress), CCIE Voice (in progress)

------ Headset Adapters for Cisco IP Phones


Reply to
headsetadapter.com

Thomas,

As I said, you don't "trust" the ports where other switches are connected. So, the 3750 treats these ports as "PC ports" and limits DHCP requests as if there were only one PC connected behind them.

Question: haven't you just recently attended a Cisco seminar on security? Your config is exactly what they recommended...

Good luck,

Mike CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, etc. CCIE R&S (in progress), CCIE Voice (in progress)


Reply to
headsetadapter.com
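An added example, not part of any post in this thread, of the change Mike describes applied to the 3750 configuration Thomas posted. In that config the only interfaces carrying "ip dhcp snooping trust" are GigabitEthernet1/0/3 (EXCH1) and 1/0/5 (FS); the trunks toward the other switches (Gi1/0/13, 1/0/17, 1/0/21, 1/0/25 and 1/0/27) have no trust statement. The rate-limit value and the downstream switch's interface name are assumptions for illustration; the QoS lines of the original trunk are omitted for brevity.

```cisco
! --- As posted: inter-switch trunk with no trust statement ----------------
! DHCP snooping drops server-side messages (OFFER, ACK, NAK) that arrive on
! an untrusted port. Any DHCP server whose replies enter the 3750 through
! this trunk is therefore silenced; client DISCOVER/REQUEST still pass.
interface GigabitEthernet1/0/17
 description Cisco 2950-5
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! --- Corrected: trust the links to the other switches ---------------------
! Repeat for Gi1/0/13, 1/0/21, 1/0/25 and 1/0/27 in the posted config.
interface GigabitEthernet1/0/17
 description Cisco 2950-5
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
! Real access ports stay untrusted. A per-port rate limit (15 pps is an
! assumed value, not from the thread) caps DHCP traffic from one host; the
! port is put into err-disabled state if the limit is exceeded.
interface GigabitEthernet1/0/9
 description PC
 switchport mode access
 ip dhcp snooping limit rate 15
!
! On a downstream switch that itself runs DHCP snooping, the uplink facing
! the 3750 (and so the DHCP servers) must be trusted on that switch too.
! Interface name assumed.
interface FastEthernet0/24
 description Uplink to 3750
 switchport mode trunk
 ip dhcp snooping trust
!
end
!
! Verification (enable mode): trust state per interface, then the
! MAC/IP/lease/VLAN/interface bindings learned from completed exchanges.
show ip dhcp snooping
show ip dhcp snooping binding
```

Trusting a trunk means the 3750 accepts any DHCP server reachable behind it, so this only keeps its value if every switch on the far side of a trusted link is under your control and, where it supports it, runs DHCP snooping with its own untrusted access ports. "show ip dhcp snooping" lists the trusted interfaces, which is the quickest way to confirm which path the replies for the moved PC would have to take.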

You only need to trust those ports that will have DHCP replies incoming on them. DHCP snooping only restricts DHCP reply messages, and if the reply is input on an interface that is not "trusted" the packet will be dropped.

You need an "ip helper address" if the DHCP server is not on the same subnet/VLAN as the PC. On the VLAN's that don't have a DHCP server, enter the command "ip helper-address "

You could have any number of things that could be the problem. Did everything work before you enabled DHCP snooping? If you put a static IP address on the PC on one of the 2924s, does it communicate on the network? If you disable DHCP snooping, does the PC get an IP address?

Scott

Reply to
Thrill5
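An added example (not Scott's text) of the two points in his reply: a helper address on an SVI whose VLAN has no DHCP server of its own, and his isolation checks written out as CLI steps. The VLAN 3 SVI, the server address 172.16.1.10 and the PC's MAC address are placeholders; nothing in the thread gives the DHCP server's IP, and in the posted topology Vlan1 and Vlan2 each have a server in the same VLAN, so no helper is needed there.

```cisco
! --- Helper address: only for a VLAN without a local DHCP server ----------
! The SVI relays the client's broadcast as a unicast to the server with
! giaddr set to the SVI address; the server answers that address by unicast.
interface Vlan3
 ip address 172.16.3.1 255.255.255.0
 ip helper-address 172.16.1.10
!
! The server's reply enters on the port facing the server, which must be a
! trusted port (Gi1/0/3 or 1/0/5 in the posted config). If the relayed
! request (giaddr != 0.0.0.0) reaches another snooping switch on an
! untrusted port, that switch drops it, so the inter-switch path needs the
! same trust statements as the server port.
end
!
! --- Isolation steps, one variable at a time ------------------------------
! 1. Is snooping on for the VLAN, and which interfaces are trusted?
show ip dhcp snooping
!
! 2. Is there a binding for the moved PC, and on which interface was it
!    learned? (MAC is a placeholder.)
show ip dhcp snooping binding 0011.2233.4455
!
! 3. Where does the switch see that MAC now, and is it still held as a
!    secure address on the old port? The posted access ports run
!    port-security with 2-minute inactivity aging, so the old entry can
!    outlive the move.
show mac address-table address 0011.2233.4455
show port-security address
!
! 4. Disable snooping for the PC's VLAN only, retry ipconfig /renew on the
!    PC, then re-enable. Keeping the change VLAN-scoped leaves the other
!    VLAN protected during the test.
configure terminal
 no ip dhcp snooping vlan 1
 end
! ... retry the renew, note the result ...
configure terminal
 ip dhcp snooping vlan 1
 end
```

If the renew succeeds with snooping off for the VLAN and fails with it on, compare step 2's interface column with the port the PC is actually on before reading further into the problem; if it fails either way, the fault is outside DHCP snooping and the static-IP test Scott suggests comes next.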
