DHCP Snooping globally and per vlan

Phil Bradley
Level 4

I am a bit confused about enabling DHCP snooping globally and per VLAN. Where I am confused is: do I need to use both the global and the per-VLAN command, or can I use one or the other? For example:

(config)# ip dhcp snooping 

(config)# ip dhcp snooping vlan 10

Does the first command enable snooping on all vlans defined? 

Can I use the second command to just enable it on vlan 10 without entering the global command?

Thanks

13 Replies

Rolf Fischer
Level 9

Hi Phil,

You need both commands, which really can be somewhat confusing.

From the DHCP Snooping Configuration Guidelines:

  • You must globally enable DHCP snooping on the switch.
  • DHCP snooping is not active until DHCP snooping is enabled on a VLAN.

HTH

Rolf

Hi Rolf,

Exactly what I needed. If I only enable it on one vlan then I assume the other vlans will be unaffected and dhcp will work fine on those without any configuration?

Hello,

If you only activate DHCP snooping on one VLAN, DHCP traffic will be inspected only on that VLAN. DHCP will work normally on other VLANs, but no mechanism to protect DHCP function will take place on those VLANs.

Masoud

Hello

Just like to add:

DHCP snooping wouldn't really do anything unless you use it in line with IPSG or DAI, so apart from specifying specific trusted interfaces (not to be snooped), this snooping D/B does really nothing else. It will just listen on the untrusted ports and snoop the IP and MAC addresses of that VLAN.


Note: Also, the snooping database WILL NOT be populated with existing clients; it will populate the next time the DHCP client renews. So if you are going to enable either IPSG or DAI, I would recommend enabling snooping a good 24 hrs prior so the D/B gets populated.

Lastly, if snooping is applied to a switch with switch interconnects, then the uplink switch will require snooping enabled also and its trunk links trusted. That is ONLY if the DHCP server is originating from the uplink switch.

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul,

I will use ip source guard on my access ports and I plan on using an agent as well to store the database.

My DHCP server originates on possibly multiple port channels and the upstream switch is virtual (VMware). So I will trust the port channels that go to each of my three ESXi servers.

Thanks

Hello Phil

That sounds good -

IPSG can perform -
1) verify source IP
2) verify source IP and MAC address


Verify source IP - if this is enabled it will, as stated, ONLY verify the source IP against the snooping D/B, so if the MAC address is changed, say on a specific interface, so that it differs from the snooping DB entry, the connection is still valid.

Verify source IP and MAC address - if this is enabled it will, as stated, verify the source IP and MAC against the snooping D/B, so if the MAC address or IP address is changed, say on a specific interface, so that it differs from the snooping DB entry, the connection will be negated.

Please review some IPSG testing I previously documented when learning these features.

Hope this is of some assistance

res
Paul


DHCP snooping wouldn't really do anything unless you use it in line with IPSG or DAI, so apart from specifying specific trusted interfaces (not to be snooped), this snooping D/B does really nothing else. It will just listen on the untrusted ports and snoop the IP and MAC addresses of that VLAN.

I disagree. DHCP snooping without IP Source Guard or DAI will still prevent any (rogue) DHCP servers that are not on a trusted port from working (by blocking DHCPOFFER packets).
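A small Python model, added here and not taken from any post in this thread or from Cisco, of the two points made above: the reply just above (server messages on an untrusted port are dropped even without IPSG or DAI, while an unsnooped VLAN is left alone) and Paul's earlier description of the two IPSG verification modes against the snooping binding table. Port names, VLAN numbers, MAC and IP addresses are constructed; the binding table is simplified to one entry per VLAN and port.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # DHCP message types only a server sends

@dataclass
class SnoopingSwitch:
    snooping_vlans: set   # VLANs listed in "ip dhcp snooping vlan ..."
    trusted_ports: set    # ports configured with "ip dhcp snooping trust"
    # binding table, simplified: (vlan, client port) -> (mac, ip)
    bindings: dict = field(default_factory=dict)

    def inspected(self, vlan, port):
        """A port is inspected only if its VLAN is snooped and it is untrusted."""
        return vlan in self.snooping_vlans and port not in self.trusted_ports

    def dhcp_in(self, in_port, vlan, msg, chaddr, yiaddr=None, client_port=None):
        """Return 'forward' or 'drop' for a DHCP message entering in_port.
        Server replies on an inspected port are dropped (rogue server); an ACK
        forwarded toward an inspected client port creates/refreshes a binding."""
        if msg in SERVER_MSGS and self.inspected(vlan, in_port):
            return "drop"
        if msg == "ACK" and client_port and self.inspected(vlan, client_port):
            self.bindings[(vlan, client_port)] = (chaddr, yiaddr)
        return "forward"

    def ipsg_check(self, port, vlan, src_ip, src_mac, mode="ip"):
        """IPSG: 'ip' matches only the source IP; 'ip+mac' also requires the MAC."""
        binding = self.bindings.get((vlan, port))
        if binding is None:
            return False                 # no binding yet: only DHCP may pass
        mac, ip = binding
        return src_ip == ip and (mode == "ip" or src_mac == mac)

def demo():
    # constructed topology: real server behind trusted Po1, client on Fa0/2,
    # rogue server on Fa0/3, all in VLAN 10; VLAN 20 is not snooped
    sw = SnoopingSwitch(snooping_vlans={10}, trusted_ports={"Po1"})
    client = "aa:bb:cc:00:00:02"
    r = {
        "client_discover": sw.dhcp_in("Fa0/2", 10, "DISCOVER", client),
        "rogue_offer": sw.dhcp_in("Fa0/3", 10, "OFFER", client, "10.0.0.200"),
        "unsnooped_vlan_offer": sw.dhcp_in("Fa0/3", 20, "OFFER", client, "10.0.20.5"),
        "real_ack": sw.dhcp_in("Po1", 10, "ACK", client, "10.0.0.50", client_port="Fa0/2"),
    }
    r["ipsg_ip_ok"] = sw.ipsg_check("Fa0/2", 10, "10.0.0.50", client, "ip")
    r["ipsg_ip_spoofed_mac"] = sw.ipsg_check("Fa0/2", 10, "10.0.0.50", "de:ad:be:ef:00:01", "ip")
    r["ipsg_ipmac_spoofed_mac"] = sw.ipsg_check("Fa0/2", 10, "10.0.0.50", "de:ad:be:ef:00:01", "ip+mac")
    r["ipsg_wrong_ip"] = sw.ipsg_check("Fa0/2", 10, "10.0.0.99", client, "ip")
    return sw, r
```

Running `demo()` shows the rogue OFFER dropped while the same message on the unsnooped VLAN is forwarded, and a spoofed MAC passing in "ip" mode but failing in "ip+mac" mode.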

Hello Peter 

The assumption was that the OP knew by default the primary reason for DHCP snooping, hence why I specified how to make sure to trust any interconnects on any switch pertaining to where the DHCP server was residing.

What I was referring to, and maybe I wasn't all that clear, was the main usages of the DHCP snooping DB, which were IPSG and DAI.

res

Paul



I have started testing this in my lab and cannot seem to get this to work. I have attached an image of my setup for reference. I have enabled DHCP snooping on my ASW1 switch and have not set up any trusted interfaces. I can still get a DHCP address on PC3 off of this switch that I have snooping turned on. All of the DHCP servers are coming off of trunk ports attached to the access switch. Here is the config on ASW1:

ASW1#sho run
Building configuration...

Current configuration : 2341 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ASW1
!
!
aaa new-model
aaa authentication dot1x default group radius
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
!
ip dhcp snooping vlan 10,20,30
ip dhcp snooping database write-delay 60
ip dhcp snooping
!
!
!
!
!
dot1x system-auth-control
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel1
switchport trunk native vlan 99
switchport trunk allowed vlan 10,30
switchport mode trunk
!
interface Port-channel2
switchport trunk native vlan 99
switchport mode trunk
shutdown
!
interface Port-channel3
switchport trunk native vlan 99
!
interface FastEthernet0/1
switchport access vlan 10
switchport trunk allowed vlan 10,30
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 10
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
switchport trunk native vlan 99
switchport trunk allowed vlan 10,30
switchport mode trunk
channel-group 1 mode passive
!
interface FastEthernet0/7
switchport trunk native vlan 99
switchport trunk allowed vlan 10,30
switchport mode trunk
channel-group 1 mode passive
!
interface FastEthernet0/8
switchport trunk native vlan 99
switchport mode trunk
shutdown
channel-group 2 mode desirable
!
interface FastEthernet0/9
switchport trunk native vlan 99
switchport mode trunk
shutdown
channel-group 2 mode desirable
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
no ip route-cache
!
ip http server
ip http secure-server
radius-server host 172.120.39.46 auth-port 1645 acct-port 1646 key rad123
radius-server source-ports 1645-1646
!
control-plane
!
!
line con 0
line vty 5 15
!
end

ASW1#

Hello

That's unusual - it shouldn't happen -

What are these DHCP servers (IOS-based switches/routers or hardware Wintel/Unix boxes, etc.)?

Can you post
sh ip dhcp snooping
sh ip dhcp snooping binding
sh ip dhcp snooping statistics

res
Paul



Paul,

The issue resolved itself. I ended up moving my test to just one switch and everything worked as expected. After this I moved the DHCP server back to the downstream switch and everything works as expected. Strange. The only thing that happened was the interfaces going down and back up from the move.

What is the recommended practice for the snooping database from a location perspective? Is flash, TFTP, etc. preferred?

Thanks,

Phil

Hello Phil

Good to hear -

Regarding the snooping DB, although I have never done this, I would say a TFTP directory.

res
Paul



Dears,

How can we configure IP DHCP snooping without making the port trusted? Any idea, please?
