10-22-2023 02:28 PM - last edited on 10-22-2023 06:33 PM by shule
Dear All,
I am planning to implement DHCP Snooping on my network to prevent Man-in-the-Middle Attacks.
I have three switches on each floor, all of which are connected to an uplink (Trunk) port that leads to the core switch in my MDF room.
My network includes a Windows Server 2016, which hosts AD, DNS, and the DHCP role. This server is hosted in a VMware environment. I am a bit confused about defining DHCP Snooping. Please refer to the attached network diagram and DHCP Snooping Configuration for more details.
I would like to know if I am on the right track.
Thank you in advance for your help and co-operation.
Thanks
Lynneshri.
10-22-2023 06:46 PM - edited 10-22-2023 07:36 PM
Hello,
As far as configuration syntax goes, this looks to be accurate. As far as implementation goes, I would adjust a couple of things:
You have configured rate limiting on what I assume is the trunk port. I would advise against this, as if you have a lot of hosts behind it trying to request DHCP leases all at once (such as after a device reload), then some of your end hosts may not get leases in a timely manner and will be blocked. I would configure the rate limiting on the user access ports instead, as they will be the ones sending the messages to the access ports.
Keep the trunk ports as trusted so your DHCP server messages will be allowed through.
One final note:
When you enable DHCP snooping the switch acts as a relay and sets what's called the "GIADDR" field to 0.0.0.0. Cisco routers don't accept this, so they will discard the packet. Your two options are to allow it on the router port or disable that function on the switch you have enabled for DHCP snooping.
Option 1 (on router interface towards LAN): ip dhcp relay information trust-all
Option 2 (on switch enabled for DHCP snooping): no ip dhcp snooping information option
Hope this helps
-David
10-23-2023 09:25 AM
Thanks for your reply. All hosts are receiving IP addresses from my DHCP server, which is hosted on Windows Server 2016 in a VMware environment. I have given the (ip dhcp snooping limit rate 40) command on the trunk port on each switch.
On each floor we have 70+ hosts, wired and Wi-Fi.
C9200-Switch(config)#ip dhcp snooping
C9200-Switch(config)#ip dhcp snooping vlan 2,20,11,70,80,156
C9200-Switch(config)#interface TwentyFiveGigE1/0/1
C9200-Switch(config-if)#ip dhcp snooping trust
C9200-Switch(config-if)#no ip dhcp snooping information option
And the following command: instead of on the trunk port, should it be on each interface?
C9200-Switch(config-if)#ip dhcp snooping limit rate 40
Thanks for your help.
10-23-2023 10:23 AM
If you are successfully getting a DHCP lease then you don't need the no ip dhcp snooping information option. As @paul driver mentioned, and what I failed to mention, is you only need that configured if you are going to or through a Cisco IOS device. This is not the case in your scenario. Also, it is disabled globally (not per interface, I believe).
As for the rate limit set on the trunk: you CAN do that, but I wouldn't recommend it because, as I said, if a switch reboots and the clients all try to ask for an address at the same time when it's back online, it could cause issues, depending on the amount of messages sent from the devices. It's best to enable the rate limiting on the host ports, as that's directly where the messages will come from.
Hope that helps
-David
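A consolidated IOS configuration reflecting David's advice above (uplink trusted, rate limiting on the user access ports, Option 82 left at its default), added here as an example and not taken from the original poster's configuration; the access-port range, the 15 pps limit and the errdisable recovery interval are assumptions.

```cisco
! Added example, not the original poster's configuration.
! Global: enable snooping and scope it to the user VLANs from the thread.
ip dhcp snooping
ip dhcp snooping vlan 2,20,11,70,80,156
! Drop client packets whose source MAC does not match the DHCP chaddr field.
ip dhcp snooping verify mac-address
! Option 82 insertion stays enabled (default): the server here is Windows,
! not an IOS relay, so "no ip dhcp snooping information option" is not needed.
!
! Uplink to the core: trusted, no rate limit (server replies arrive here).
interface TwentyFiveGigE1/0/1
 description Uplink to core (trunk)
 switchport mode trunk
 ip dhcp snooping trust
!
! User access ports (assumed range): untrusted, rate limited.
! 15 pps is an assumed value; tune it to the observed DISCOVER/REQUEST rate.
interface range GigabitEthernet1/0/2 - 48
 description User access port
 switchport mode access
 ip dhcp snooping limit rate 15
!
! A port that exceeds its limit goes err-disabled; recover it automatically
! instead of requiring a manual shut/no shut.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification after applying:
!   show ip dhcp snooping            -> trusted/untrusted and rate per interface
!   show ip dhcp snooping binding    -> client MAC/IP/lease/VLAN/port learned
!   show ip dhcp snooping statistics -> counters of dropped packets
```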
10-22-2023 11:01 PM
I sent you a message, check it.
10-23-2023 02:00 AM
Hello
Your enablement of DHCP looks okay. You are also trusting certain interfaces, although it's not clear what those interfaces are.
Trusting DHCP snooping interfaces will allow DHCP messages and allocation to pass through those ports, so the only interfaces that need to be trusted would be trunk interconnects and the DHCP server port(s).
My understanding is that Option 82 insertion can cause issues only if your DHCP is relayed to a DHCP server running on an IOS router; otherwise you should have no reason to trust or disable that relay information (ip dhcp relay information trust-all / no ip dhcp snooping information option). Just leave everything as standard and see if your clients receive the IP address allocation.