633 Views 4 Replies Latest reply: Apr 29, 2012 11:27 AM by Aakil

DHCP snooping when catalyst is acting as DHCP server

Apr 4, 2012 11:47 PM

Cisco Jedi 40 posts since
Aug 1, 2009

I googled for this and am not getting a definitive answer. What is the interaction between DHCP snooping [and, more importantly, DAI & IP Source Guard, which are dependent upon the DHCP snooping MAC/IP database] and DHCP Server services running on the Catalyst?

 

Can this work? Can I have my Catalyst 3750 stack acting as my DHCP server and still utilize DAI, IP Source Guard, etc.?

 

Thanks guys

  • Yevgeniy 63 posts since
    Mar 22, 2011

    DHCP binding DB is different from DHCP Snooping binding DB, that is to be formed once DHCPOFFER is ACKed by DHCP Client.

     

    They may co-exist, here is a process:

    1 - client sends DHCPDISCOVER

    2 - DHCP SNOOPING intercepts and checks it against its DHCP SNOOPING DB

    3 - IF NO match found it is going to flood this frame within the VLAN it was heard

    4 - SVI will receive Broadcast and does the OFFER

    5 - DHCP Client receives an offer and ACKs it

    6 - DHCP SNOOPING DB is added with new Binding

     

    Try enabling DHCP snooping along with DHCP Server, prior to ARP inspection;

    IP Source Guard would have to be applied once DHCP Binding table is completely populated;

     

    Thanks,

    Yevgeniy

  • Elvin Arias 2,504 posts since
    Mar 12, 2010

    The switch needs to have the binding table via the DHCP snooping feature, but remember that you can use those extra features without the need of the DHCP snooping binding table, so you could do it statically, even though this implies a lot of administration configuration on the switches. The position of the DHCP server on a DHCP snooping configuration does matter. You can have the Catalyst switch acting as the DHCP server inside the same subnet or doing it through a relay. It's your personal option.

     

    Elvin

  • Aakil 69 posts since
    Apr 29, 2012

    DHCP snooping, DAI, IP Source Guard require the DHCP binding database in order to work.

     

    Regards,

     

    Aakil
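
A configuration sketch for the setup discussed in this thread, following the enable order suggested in the first reply and the static alternative mentioned in the second. It is an added example, not posted by any participant: the VLAN, subnet, interface names, ACL name and MAC address are constructed placeholders, and exact syntax can vary by IOS release.

```cisco
! Constructed values: VLAN 10, 192.168.10.0/24, Gi1/0/2 (DHCP client port),
! Gi1/0/5 (statically addressed host 192.168.10.5 / 0000.1111.2222).
!
! Local DHCP server on the switch; the VLAN 10 SVI is the gateway.
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
! 1. Enable DHCP snooping first so bindings are recorded as leases are granted.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Confirm clients appear before enabling the dependent features:
!      show ip dhcp snooping binding
!
! 3. Static entries for hosts that never use DHCP (the "do it statically" option).
!    IP Source Guard reads the static source binding; DAI needs an ARP ACL.
ip source binding 0000.1111.2222 vlan 10 192.168.10.5 interface GigabitEthernet1/0/5
arp access-list STATIC-HOSTS
 permit ip host 192.168.10.5 mac host 0000.1111.2222
ip arp inspection filter STATIC-HOSTS vlan 10
!
! 4. Dynamic ARP Inspection on the VLAN, after the bindings exist.
ip arp inspection vlan 10
!
! 5. IP Source Guard on access ports, last, once the table is populated.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 ip verify source
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Verification:
!   show ip verify source
!   show ip arp inspection vlan 10
!   show ip source binding
```

Hosts that already hold a lease when snooping is enabled have no snooping entry until they renew, which is why the checks in steps 2 and 5 come before DAI and IP Source Guard are turned on.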
