04-04-2013 01:56 AM - edited 03-07-2019 12:38 PM
Hi All,
If I have a distributed LAN environment whereby I have DHCP servers on one VLAN and Clients on another and the Client VLAN is spread out over a number of access switches, how can I implement DHCP snooping without trusting the uplinks on the L2 switches?
My concern is that if there is a rogue DHCP server connected to one Access Switch in the Client VLAN, and another Access Switch is trusting its trunk up to the Distribution Layer, it would effectively allow DHCP responses in via that trunk/uplink from the rogue DHCP server within the same VLAN connected elsewhere in the network!
Also, with regard to DHCP Option 82, I have read that when DHCP snooping is implemented it marks the “giaddr” value within Option 82 to zero (0). Would this then prevent the DHCP relay via the IP Helper addresses from working?
Thanks in advance
David
04-04-2013 02:05 AM
Hello
Trusting the interconnects between switches will be okay, as if you have DHCP clients on the other switches then DHCP snooping will be required on those switches also, and by default all ports are set to untrusted, so you should be protected.
As for Option 82, this is enabled by default when DHCP snooping for 3550/3650s is configured, but again you can use the commands below for this:
ip dhcp relay information trust-all (global)
ip dhcp relay information trusted (interface)
Regards,
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
04-04-2013 03:24 AM
Thanks Paul, this makes sense (I forgot that all switchports would be Untrusted for DHCP by default!)
With regard to Option 82 and how it works: I understand, as mentioned briefly earlier, that when using IP Helper Addresses on VLAN SVIs, Option 82 is used to identify the Host and ensure they get to the correct scope within the centralised DHCP server. If, when we enable DHCP snooping, the Option 82 giaddr value is set to zero, the DHCP Relay doesn't see the Host markings and therefore doesn't know which of the multiple scopes to direct the DHCP request to for a response!
Do these commands stop the giaddr value being marked as 0 by default? And is the interface command intended for the SVI (VLAN Interface)?
ip dhcp relay information trust-all (global)
ip dhcp relay information trusted (interface)
Many thanks
David
04-04-2013 03:50 AM
Hello David
Option 82: by default, DHCP requests will be dropped. The IOS is set to drop any DHCP packets with a giaddr of zero.
These commands will bypass this, and the IOS will accept DHCP packets with a zero giaddr to ensure that these packets do not get dropped:
ip dhcp relay information trust-all (global): on the whole switch, like a 3350/3560, between the clients and the relay agent. Allows all interfaces to accept relay messages.
ip dhcp relay information trusted (interface): on the interconnects between switches that may insert Option 82. Allows just that interface to accept relay messages.
•If an ip dhcp relay information command is configured in global configuration mode but not configured in interface configuration mode, the global configuration is applied to all interfaces.
•If an ip dhcp relay information command is configured in both global configuration mode and interface configuration mode, the interface configuration command takes precedence over the global configuration command. However, the global configuration is applied to interfaces without the interface configuration.
•If an ip dhcp relay information command is not configured in global configuration mode but is configured in interface configuration mode, only the interface with the configuration option applied is affected. All other interfaces are not impacted by the configuration.
Regards,
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
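To put the two answers together, here is an added example configuration (not from the thread, and not vendor-supplied) for one access switch and the distribution switch that relays for the client VLAN; VLAN numbers, interface names and addresses are assumed for illustration.

```cisco
! --- Access switch (assumed: client VLAN 10, access ports Gi1/0/1-24, uplink Gi1/0/25) ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default once snooping is enabled; stated here to be explicit.
! Because this switch is not the relay, the inserted Option 82 carries giaddr = 0.0.0.0.
ip dhcp snooping information option
!
interface range GigabitEthernet1/0/1 - 24
 description client ports: untrusted by default, so a rogue server's OFFER/ACK is dropped here
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
interface GigabitEthernet1/0/25
 description uplink to distribution: trusted, so the real server's relayed replies can enter
 switchport mode trunk
 ip dhcp snooping trust
!
! --- Distribution switch (assumed: SVI 10.10.0.1/24 on VLAN 10, DHCP server 10.20.0.5 in VLAN 20) ---
! The relay drops DISCOVER/REQUEST packets that carry Option 82 but have giaddr = 0 unless the
! interface (or the whole box) is told to trust them; this is the drop Paul describes above.
ip dhcp relay information trust-all
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ! Alternative to the global command: trust only this SVI.
 ! ip dhcp relay information trusted
 ip helper-address 10.20.0.5
 ! When forwarding, the relay writes its own SVI address into giaddr, so the server still
 ! selects the 10.10.0.0/24 scope; the access layer's zero giaddr does not reach the server.
!
! If the distribution switch also runs DHCP snooping, trust the downlinks that carry
! access-layer Option 82, otherwise its own snooping drops those packets:
! interface GigabitEthernet1/0/1
!  ip dhcp snooping trust
!
! Checks on the access switch:
!   show ip dhcp snooping          (trusted interfaces, Option 82 insertion state)
!   show ip dhcp snooping binding  (leases learned from legitimate exchanges on untrusted ports)
```

With every access switch snooping its client VLAN, the rogue server's replies are discarded at its own untrusted access port and never reach the trunk, which is why trusting the uplinks does not reopen the hole David describes.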