DHCP Snooping question

MrXpert

I'm learning about DHCP Snooping and I have a question about it. Hope someone can help.

If I have a network of 3 switches, with CAT1 being the root bridge and having the valid client and the rogue DHCP server connected to it, and on CAT2 I have the legitimate DHCP server. I enable ip dhcp snooping on all switches, which makes all ports untrusted, but then on CAT2 I make the port connected to the DHCP server trusted. Do I also need to ensure that the trunk ports which are in forwarding mode on CAT1 and CAT3 are also made TRUSTED? My thinking is that they would need to be made trusted if they are to accept DHCP Offer frames from a valid DHCP server.

Unfortunately I don't own my own equipment, so I have been renting and have got some inconsistent results. I have noticed that it does appear as if I need to ensure all other switches have their trunk ports as trusted, but then when I removed the ip dhcp snooping trust command on those ports the client was still able to get an IP address without any issue. Or maybe I've just confused myself?

Pic attached to aid visualization


  • Zartanasaurus
    You need to trust all links where valid DHCP replies come from. So that could include trunk links, yes.
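The topology in the question, worked through as an added example of the trust placement the reply describes (this is not configuration from either poster); interface names, the VLAN number and the rate limit are assumed for illustration:

```cisco
! ---- CAT2: hosts the legitimate DHCP server ----
! Interface names and VLAN 10 are assumed for illustration.
ip dhcp snooping
ip dhcp snooping vlan 10
! Plain L2 access network with no relay: stop the switch inserting
! option 82 with giaddr 0, which some DHCP servers silently discard.
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 description Legitimate DHCP server: trusted, Offers/Acks allowed in
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
!
interface GigabitEthernet0/24
 description Trunk to CAT1
 switchport mode trunk
 ip dhcp snooping trust
!
! ---- CAT1: root bridge, holds the client and the rogue server ----
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
interface GigabitEthernet0/24
 description Trunk toward CAT2: valid Offers arrive here, so trust it
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 description Client port: stays untrusted (default), Discovers rate-limited
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
interface GigabitEthernet0/3
 description Rogue server port: untrusted, so its Offers are dropped
 switchport mode access
 switchport access vlan 10
!
! CAT3 follows the same pattern: trust only the trunk on the path
! that valid replies take toward its clients, nothing else.
end
! Verify from exec mode on each switch
show ip dhcp snooping
show ip dhcp snooping binding
```

If the client still obtains a lease after `ip dhcp snooping trust` is removed from a trunk, check `show ip dhcp snooping` first: without an `ip dhcp snooping vlan` line covering the client's VLAN, no DHCP filtering happens on that VLAN at all, which is one cause of the inconsistent results described in the question. `show ip dhcp snooping binding` shows whether the lease was actually learned through the snooping process on an untrusted port.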