Cisco Learning Home > CCIE Security Study Group > Discussions
574 Views 4 Replies Latest reply: Apr 29, 2012 11:27 AM by Aakil


DHCP snooping when catalyst is acting as DHCP server

Apr 4, 2012 11:47 PM

Cisco Jedi 39 posts since
Aug 1, 2009

I googled for this and am not getting a definitive answer. What is the interaction between DHCP snooping [and more importantly DAI & IP Source Guard, which are dependent upon the DHCP snooping MAC/IP database] and DHCP Server services running on the Catalyst?

 

Can this work? Can I have my Catalyst 3750 stack acting as my DHCP server and still utilize DAI, IP Source Guard, etc.?

 

Thanks guys

  • Yevgeniy 63 posts since
    Mar 22, 2011

    DHCP binding DB is different from DHCP Snooping binding DB, that is to be formed once DHCPOFFER is ACKed by DHCP Client.

     

    They may co-exist, here is a process:

    1 - Client sends DHCPDISCOVER

    2 - DHCP SNOOPING intercepts and checks it against its DHCP SNOOPING DB

    3 - If no match is found, it is going to flood this frame within the VLAN it was heard on

    4 - SVI will receive the broadcast and do the OFFER

    5 - DHCP Client receives an offer and ACKs it

    6 - DHCP SNOOPING DB is updated with the new binding

     

    Try enabling DHCP snooping along with DHCP Server, prior to ARP inspection;

    IP Source Guard would have to be applied once DHCP Binding table is completely populated;

     

    Thanks,

    Yevgeniy

  • Elvin Arias 1,837 posts since
    Mar 12, 2010

    The switch needs to have the binding table via the DHCP snooping feature, but remember that you can use those extra features without the need of the DHCP snooping binding table, so you could do it statically, even though this implies a lot of administrative configuration on the switches. The position of the DHCP server in a DHCP snooping configuration does matter. You can have the Catalyst switch acting as the DHCP server inside the same subnet or doing it through a relay. It's your personal option.

     

    Elvin

  • Aakil 69 posts since
    Apr 29, 2012

    DHCP snooping, DAI and IP Source Guard require the DHCP binding database in order to work.

     

    Regards,

     

    Aakil
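
Added example, not part of any post above: a Catalyst IOS configuration sketch for the setup the thread discusses, with the switch acting as DHCP server on an SVI while DHCP snooping, DAI and IP Source Guard protect its access ports. The ordering follows the sequence suggested in the replies (snooping first, then DAI, then IP Source Guard) and includes the static alternative mentioned for hosts without a lease. VLAN 10, the 192.0.2.0/24 addressing, the interface names, the MAC address and the pool/ACL names are all constructed for illustration, and it assumes every client sits on an access port of this switch.

```cisco
! Constructed values throughout (VLAN 10, 192.0.2.0/24, interfaces, MAC).
!
! 1. Local DHCP server, answering on the VLAN 10 SVI
ip dhcp excluded-address 192.0.2.1 192.0.2.10
ip dhcp pool VLAN10-CLIENTS
 network 192.0.2.0 255.255.255.0
 default-router 192.0.2.1
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
!
! 2. DHCP snooping, enabled before DAI so bindings can be learned first
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default once snooping is enabled.
! Assumption: nothing in this design depends on option 82, so it is disabled.
no ip dhcp snooping information option
!
! 3. Before going further, confirm clients appear in the snooping table:
!      show ip dhcp snooping binding
!
! 4. Dynamic ARP Inspection, validated against the snooping bindings
ip arp inspection vlan 10
!
! 5. Statically addressed host (no lease, so no snooping entry):
!    a static source binding for IP Source Guard and an ARP ACL for DAI
ip source binding 0011.2233.4455 vlan 10 192.0.2.20 interface GigabitEthernet1/0/5
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.20 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! 6. IP Source Guard on the untrusted access ports, applied last
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip verify source
!
! Verify:
!   show ip verify source
!   show ip arp inspection vlan 10
```

Ports left untrusted drop DHCP server replies arriving from attached devices, so a rogue DHCP server on an access port cannot answer clients; the switch's own server is unaffected because its replies are generated locally.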
