Beginner

DHCP Snooping & Option 82

Hi All,

If I have a distributed LAN environment whereby I have DHCP servers on one VLAN and clients on another, and the client VLAN is spread out over a number of access switches, how can I implement DHCP snooping without trusting the uplinks on the L2 switches?

My concern is that if there is a rogue DHCP server connected to one access switch in the client VLAN, and another access switch is trusting its trunk up to the distribution layer, it would effectively allow DHCP responses in via that trunk/uplink from the rogue DHCP server within the same VLAN connected elsewhere in the network!

Also, with regard to DHCP Option 82, I have read that when DHCP snooping is implemented it sets the "giaddr" value within Option 82 to zero (0). Would this then prevent the DHCP relay via the IP helper addresses from working?

Thanks in advance

David

ACCEPTED SOLUTION

VIP Mentor

Hello

Trusting the interconnects between switches will be okay, as if you have DHCP clients on the other switches then DHCP snooping will be required on those switches also, and by default all ports are set to be untrusted, so you should be protected.

As for Option 82, this is enabled by default when DHCP snooping is configured on the 3550/3650s, but again you can use the commands below for this:

ip dhcp relay information trust-all (global)

ip dhcp relay information trusted (interface)

res

Paul

Please don't forget to rate any posts that have been helpful.

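To make the trust point concrete, here is an access-switch configuration for the layout David describes, added as an example and not configuration from the thread. The VLAN number (10), the port names and the Catalyst 3560-style interface numbering are assumptions. Only the trunk to the distribution layer is marked trusted; client ports stay at the default (untrusted), so a DHCPOFFER or DHCPACK arriving on one of them is dropped. This holds only if every switch carrying the client VLAN runs the same configuration: a rogue server plugged into a switch without snooping would still reach the whole VLAN through the trusted trunks.

```ios
! --- Access switch (repeat on every switch that carries client VLAN 10) ---
! Assumed: client VLAN 10, 24 client ports, uplink on Gi1/0/48
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; stated explicitly so the intent is visible
ip dhcp snooping information option
! Bring a port back automatically if the rate limit below err-disables it
errdisable recovery cause dhcp-rate-limit
!
interface range GigabitEthernet1/0/1 - 24
 description client access ports (untrusted by default: OFFER/ACK from here is dropped)
 switchport mode access
 switchport access vlan 10
 ! A client needs a handful of DHCP packets per second; a flood trips err-disable
 ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/48
 description uplink to distribution (trusted: legitimate server replies arrive here)
 switchport mode trunk
 ip dhcp snooping trust
!
! Verification:
!   show ip dhcp snooping           - per-port trust state and rate limits
!   show ip dhcp snooping binding   - MAC/IP/VLAN/port table learned from ACKs
```

The binding table from the second show command is what DHCP snooping builds for the switch's own use; it is also the input for Dynamic ARP Inspection and IP Source Guard, so an untrusted access port that never saw a legitimate DHCP exchange has no binding and cannot spoof one later.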

3 REPLIES


Thanks Paul, this makes sense (I forgot that all switchports would be untrusted for DHCP by default!)

With regard to Option 82 and how it works: I understand, as mentioned briefly earlier, that when using IP helper addresses on VLAN SVIs, Option 82 is used to identify the host and ensure they get to the correct scope within the centralised DHCP server. If, when we enable DHCP snooping, the Option 82 giaddr value is set to zero, the DHCP relay doesn't see the host markings and therefore doesn't know which of the multiple scopes to direct the DHCP request to for a response!

Do these commands stop the giaddr value being marked as 0 by default? And is the interface command intended for the SVI (VLAN interface)?

ip dhcp relay information trust-all (global)

ip dhcp relay information trusted (interface)

Many thanks

David


Hello David

Option 82: by default DHCP requests will be dropped. The IOS is set to drop any DHCP packets with a giaddr of zero.

These commands will bypass this, and the IOS will accept DHCP packets with a zero giaddr to ensure that these packets do not get dropped.

ip dhcp relay information trust-all (global): on the whole switch, like a 3550/3560 between the clients and the relay agent; allows all interfaces to accept relay messages.

ip dhcp relay information trusted (interface): on the interconnects between switches that may insert Option 82; allows just that interface to accept relay messages.

Restrictions

If an ip dhcp relay information command is configured in global configuration mode but not configured in interface configuration mode, the global configuration is applied to all interfaces.

If an ip dhcp relay information command is configured in both global configuration mode and interface configuration mode, the interface configuration command takes precedence over the global configuration command. However, the global configuration is applied to interfaces without the interface configuration.

If an ip dhcp relay information command is not configured in global configuration mode but is configured in interface configuration mode, only the interface with the configuration option applied is affected. All other interfaces are not impacted by the configuration.

res

Paul
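The two relay commands in context, added as an example rather than configuration from the thread; the addresses, VLAN number and interface names are assumptions. DHCP snooping on the access switch inserts Option 82 into the client's request but, because the switch is not a relay, leaves giaddr at 0. A Cisco relay agent drops a request that carries Option 82 with giaddr 0 unless it is told to trust it: globally with ip dhcp relay information trust-all, or per relaying interface (on a Layer 3 switch that is the SVI holding the ip helper-address) with ip dhcp relay information trusted. The relay then writes the SVI address into giaddr before forwarding, and the DHCP server selects the scope from that giaddr; Option 82 travels alongside it for the server to use or ignore.

```ios
! --- Distribution switch: SVI for client VLAN 10 relays to the DHCP server VLAN ---
! Assumed: clients in 10.10.0.0/24 on VLAN 10, DHCP server at 10.20.0.5
! Snooping runs here as well, so the downlinks from the access switches must be
! trusted: they carry requests that already contain Option 82 with giaddr = 0
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet1/0/1
 description downlink to access switch 1 (trusted: switch-to-switch)
 switchport mode trunk
 ip dhcp snooping trust
!
! Relay trust, option A (global): every relaying interface on this switch accepts
! Option 82 + giaddr 0. Comment this out if you use option B only.
ip dhcp relay information trust-all
!
interface Vlan10
 description client VLAN - this SVI is the relay agent
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.20.0.5
 ! Relay trust, option B (per interface): same effect for this SVI only.
 ! An interface-level setting takes precedence over the global one.
 ip dhcp relay information trusted
!
! What the server sees after relaying (hypothetical trace, not switch output):
!   giaddr = 10.10.0.1      -> server picks the 10.10.0.0/24 scope
!   Option 82 sub-options   -> circuit-id / remote-id from the access switch
!
! Verification:
!   show ip dhcp snooping            - trusted downlinks on this switch
!   show running-config interface Vlan10
```

Either option A or option B is sufficient; both are shown so the precedence rule quoted from the Cisco documentation can be seen in one place. If the DHCP server does not use Option 82 at all, the alternative is to stop inserting it on the access switches with no ip dhcp snooping information option, after which the relay has nothing to distrust.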