DHCP SNOOPING ON TRUNK

lynneshri
Level 1

Dear All,

I am planning to implement DHCP Snooping on my network to prevent Man-in-the-Middle Attacks.

I have three switches on each floor, all of which are connected to an uplink (Trunk) port that leads to the core switch in my MDF room.

My network includes a Windows Server 2016, which hosts AD, DNS, and the DHCP role. This server is hosted in a VMware environment. I am a bit confused about defining DHCP Snooping. Please refer to the attached network diagram and DHCP Snooping Configuration for more details.

I would like to know if I am on the right track.

Thank you in advance for your help and co-operation.

[Attachments: DHCP-SNOOP.jpg, NDiagram.jpg]

Thanks

Lynneshri.

5 Replies

Hello,

As far as configuration syntax goes, this looks to be accurate. As far as implementation, I would adjust a couple of things:

You have configured rate limiting on what I assume is the trunk port. I would advise against this: if you have a lot of hosts behind this port trying to request DHCP leases all at once (such as after a device reload), then some of your end hosts may not get leases in a timely manner and will be blocked. I would configure the rate limiting on the user access ports instead, as they will be the ones sending the messages to the access ports.

Keep the trunk ports as trusted so your DHCP server messages will be allowed through.

 

One final note:

When you enable DHCP snooping, the switch acts as a relay and sets what's called the "GIADDR" field to 0.0.0.0. Cisco routers don't accept this, so they will discard the packet. Your two options are to allow it on the router port or to disable that function on the switch you have enabled DHCP snooping on.

 

Option 1 (on router interface towards LAN): ip dhcp relay information trust-all

Option 2 (on switch enabled for DHCP snooping): no ip dhcp snooping information option

 

Hope this helps

-David

 

 

Thanks for your reply. All hosts are receiving IP addresses from my DHCP server, which is hosted on Windows Server 2016 in a VMware environment. I have given the (ip dhcp snooping limit rate 40) command on the trunk port on each switch.

On each floor we have 70+ hosts, wired and Wi-Fi.

C9200-Switch(config)#ip dhcp snooping
C9200-Switch(config)#ip dhcp snooping vlan 2,20,11,70,80,156
C9200-Switch(config)#interface TwentyFiveGigE1/0/1
C9200-Switch(config-if)#ip dhcp snooping trust
C9200-Switch(config-if)#exit
C9200-Switch(config)#no ip dhcp snooping information option

And the following command, instead of on the trunk port, should be on each interface?
C9200-Switch(config-if)#ip dhcp snooping limit rate 40

Thanks for your help.

 

If you are successfully getting a DHCP lease then you don't need the no ip dhcp snooping information option. As @paul driver mentioned, and what I failed to mention, is that you only need that configured if you are going to or through a Cisco IOS device. This is not the case in your scenario. Also, it is disabled globally (not per interface, I believe).

As far as the rate limit set on the trunk: you CAN do that, but I wouldn't recommend it because, as I said, if a switch reboots and the clients all try to ask for an address at the same time when it's back online, it could cause issues, depending on the amount of messages sent from the devices. It's best to enable the rate limiting on the host ports, as that's directly where the messages will come from.

 

Hope that helps

-David
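Putting the thread's advice together, here is an added example configuration for one C9200 access switch (this is not code from any of the posters): the uplink trunk trusted, rate limiting on the access ports rather than on the trunk, Option 82 insertion left at its default because the server is Windows DHCP rather than an IOS relay, and the show commands used to confirm the result. The interface names, VLAN list, access-port rate and recovery interval are assumptions; substitute your own uplink and user ports.

```cisco
! Added example, not from the original thread. Interface names, VLANs
! and rate values are assumptions for illustration.
!
! Global enable plus the client VLANs (snooping is per-VLAN).
ip dhcp snooping
ip dhcp snooping vlan 2,11,20,70,80,156
!
! Option 82 insertion stays at its default (enabled). It only matters
! when a Cisco IOS relay sits between switch and DHCP server, which is
! not this thread's topology. If one is added later, use EITHER
!   no ip dhcp snooping information option        (on this switch)
! OR
!   ip dhcp relay information trust-all           (on the IOS relay)
!
! Keep bindings across a reload so the table is not empty when clients
! come back; the path is an assumption.
ip dhcp snooping database flash:dhcp-snooping.db
!
! Uplink trunk toward the core/MDF: trusted, no rate limit, so OFFER
! and ACK messages from the server side are never dropped.
interface TwentyFiveGigE1/1/1
 description Uplink to core (MDF)
 switchport mode trunk
 ip dhcp snooping trust
!
! User-facing access ports: untrusted (the default), rate-limited so a
! rogue or misbehaving client cannot flood the CPU. A single host only
! sends a handful of DHCP packets per second; 10 pps is generous.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 ip dhcp snooping limit rate 10
!
! A port that exceeds its limit goes err-disabled. Recover it
! automatically instead of waiting for a manual shut/no shut.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification (exec mode):
!   show ip dhcp snooping              - VLANs, trusted ports, rates
!   show ip dhcp snooping binding      - client MAC/IP/VLAN/port table
!   show ip dhcp snooping statistics   - drop counters per reason
!   show interfaces status err-disabled
```

After a client renews, it should appear in `show ip dhcp snooping binding`; if a host on an untrusted port stops getting an address, `show ip dhcp snooping statistics` shows whether the switch dropped a server message that arrived on an untrusted port (a sign the server-facing path is not trusted end to end) or hit the rate limit.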

I sent you a message, please check it.

Hello
Your enablement of DHCP snooping looks okay. You are trusting certain interfaces also, although it's not clear what those interfaces are.
Trusting DHCP snooping interfaces will allow DHCP messages and allocation to pass through those ports, so the only interfaces that need to be trusted would be trunk interconnects and DHCP server port(s).

My understanding is that Option 82 insertion can cause issues only if your DHCP is relayed to a DHCP server running on an IOS router; otherwise you should have no reason to trust or disable that relay information (ip dhcp relay information trust-all / no ip dhcp snooping information option). Just leave everything as standard and see if your clients receive the IP address allocation.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul