09-05-2017 01:35 AM - edited 03-10-2019 01:13 PM
Hi All,
I have a few queries below regarding DHCP snooping. Please help me clear them up. Thanks.
Let's say my setup is like this. I have PCs connected to access switch A (L2) with L3 uplinks to switch B (L3).
From switch B I have a routed path all the way to my DC (let's say I have routers C, D, E), and from there it goes to switch F (L2), where my DHCP server is connected.
Queries:
1) Is it mandatory to enable DHCP snooping on my PC gateway L3 switch B? If not, I can configure only access switch A's uplink port as "trust" and leave switch B's link to A with no DHCP snooping config. Am I right?
2) What if I enable DHCP snooping on my access switch A and no DHCP snooping on my DHCP server switch F? Will it work? If it works, what is the risk of doing this?
3) Will DHCP snooping drop the DHCP discover message from a DHCP trusted port? For example, if I enable DHCP snooping on my PC gateway L3 switch B and configure the port which connects to switch A as a trusted port, will switch B affect my DHCP packets?
Thanks.
09-05-2017 02:08 AM
Hi there,
Both your assumptions are correct.
Typically you would enable DHCP snooping on your access layer, for the purpose of auditing/troubleshooting connected devices and for port-security configuration. As such you only need to configure it on the access layer and trust the uplink.
cheers,
Seb.
09-05-2017 02:19 AM - edited 09-05-2017 02:27 AM
Hi Seb,
Thanks for your quick response. I think I have got it now. DHCP snooping only performs some actions against DHCP packets and does not change the original DHCP packet, so it is not mandatory to configure it end to end. Devices with DHCP snooping configured will perform some checks and process the packets, and the other devices will process them as normal DHCP packets.
Am I right?
09-05-2017 03:02 AM
Correct. If DHCP snooping is not configured then the packets will pass by untouched.
If DHCP snooping is enabled, then they will be checked by the switch, being dropped if rate-limiting or validation checks fail.
DHCP snooping can modify the packet if Option82 insertion is configured, but this is not required in most setups.
cheers,
Seb.
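The "snoop on the access layer, trust the uplink" design from Seb's first reply, together with the Option 82 point in this one, as an added Cisco IOS configuration example. This is not configuration from the thread; interface names, the VLAN number and the rate limit are assumptions. The Option 82 note describes a general IOS behaviour worth checking in a multi-hop snooping setup, not a diagnosis of any specific problem:

```cisco
! Added example (not from the thread): DHCP snooping on an access switch
! (switch A in the first topology) with the uplink trusted. VLAN 10,
! Gi1/0/48 as uplink and Gi1/0/1-47 as client ports are assumptions.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Option 82 insertion is on by default on Cisco IOS switches. If the next
! switch upstream also runs DHCP snooping and treats the link from this
! switch as untrusted, it drops DHCP packets that arrive carrying Option 82
! with giaddr 0.0.0.0. Either disable insertion here (simplest when no relay
! or server uses Option 82), trust the inter-switch link on the upstream
! switch, or configure "ip dhcp snooping information option allow-untrusted"
! on the upstream switch.
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/48
 description Uplink to switch B (trusted: DHCP offers/acks arrive here)
 switchport mode trunk
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/1 - 47
 description Client/AP access ports (untrusted by default)
 switchport mode access
 switchport access vlan 10
 ! cap DHCP packets per second from a single port to blunt starvation attacks
 ip dhcp snooping limit rate 15
!
! Verification:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip dhcp snooping statistics
```

Only the uplink toward the legitimate DHCP path is trusted; every other port stays untrusted so a rogue DHCP server attached there has its OFFER/ACK dropped, and the rate limit applies only to untrusted ports. The same template applies to an intermediate L2 switch in a chained layout, with the port facing the router trusted and the port facing the downstream switch left untrusted, subject to the Option 82 note above.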
10-30-2017 04:05 AM
Hi Seb,
I have got a situation regarding DHCP snooping. Let's say below is my topology.
Router A (L3 with DHCP pool configured. DHCP snooping disabled)
|
|
|
Switch B (L2 switch (trunk links)-DHCP snooping enabled: trust Router A link and untrust switch C link)
|
|
|
Switch C (L2 switch(trunk links)-DHCP snooping enabled: trust switchB link and untrust Access point link)
|
|
|
Cisco AP
When I had the above topology, AP clients were not getting an IP address. When I disabled DHCP snooping for that particular VLAN, AP clients were getting IPs.
Can you please advise what could be the cause? As I understand it, DHCP snooping validates DHCP packets only from untrusted ports and acts on them. In my topology the DHCP offer comes in only from trusted ports.
Regards,
Godwin. S
10-31-2017 02:34 AM
Hi there,
From your topology and description DHCP snooping should work.
What is the output of:
sh ip dhcp snooping binding
sh ip dhcp snooping stats
...on both switch B and C, when a client is connected to the AP? What happens if you connect the AP to switch B?
cheers,
Seb.
10-31-2017 05:11 AM