DHCP snooping with Voip phones with switch - Seeking help/advice

OrthoMB
Level 1

Good morning, 

We are implementing DHCP snooping, DAI and all the great port security options offered. However, I think I realized something that will put a damper on our efforts.

We need to trust any port between switches so DHCP packets can flow from end to end (if I understand this correctly). So we would trust the DHCP server's port and then each port that connects a switch to a switch.

The kink that I realized is we have ShoreTel phones that have a 2-port switch built in. We sometimes use this 2-port switch when we do not have an extra data drop. So a PC would be connected to a phone which is then connected to one of our switches.

If I understand this correctly, we would need to trust any port that has another switch connected to it. So each port that has a PC connected to a phone would need to be trusted.

Sadly, doesn't that negate DHCP snooping? Any help/suggestions here are greatly appreciated.

Thank you

Mike


omz
VIP Alumni

From a network design perspective, DHCP snooping is an access layer security feature. Therefore, DHCP snooping’s most likely positioning is that of wiring closet switches or IDFs, but any switch containing access ports in a VLAN serviced by DHCP is a potential candidate.

When deploying DHCP snooping, you need to set up the trusted ports (the ports through which legitimate DHCP server messages will flow) before enabling DHCP snooping on the VLAN you wish to protect. This is most often the uplink from the access layer switch to the next layer up, probably your core or aggregation layer if you’re still using the traditional layered design the vast majority of purposefully engineered campus networks have in place today.

Note that if you are using layer 3 uplinks to your access layer as opposed to layer 2 802.1q trunks, the layer 3 uplinks will relay DHCP server messages without being defined as trusted.

Thank you.

I should have explained our network setup a little.

We have layer 3 switches as primary switches at each site with layer 2 switches connected as needed. I know we need to have the uplink ports trusted. I'm also afraid that I need to trust the ports that have our ShoreTel phones connected that also connect to a PC (PC to phone to layer 2 switch).

If that is the case, then wouldn't that defeat the purpose of using DHCP snooping?

Thank you

m
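Added example, not from either poster: a Cisco IOS access-switch configuration for the layout Mike describes, with the uplink to the site's layer 3 switch trusted and the ShoreTel phone-plus-PC port left untrusted. Interface names, VLAN numbers and the rate limit are assumed. On an untrusted port DHCP snooping discards only DHCP server messages (OFFER, ACK, NAK); client messages from the PC and the phone pass through the phone's built-in switch unchanged, so that port does not need trust and a rogue DHCP server on the PC is still blocked.

```cisco
! Global: enable snooping, then scope it to the VLANs that hold access ports
! (assumed: VLAN 20 = data, VLAN 10 = voice). DAI reuses the snooping bindings.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip dhcp snooping database flash:/dhcp-snoop.db
ip arp inspection vlan 10,20
!
! Uplink to the layer 3 switch: the only path legitimate DHCP replies take,
! so this is the only access-switch port that gets trust.
interface GigabitEthernet1/0/48
 description Uplink to site L3 switch
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Phone + PC port: stays UNTRUSTED. The phone's 2-port switch forwards the
! PC's DISCOVER/REQUEST toward the uplink; the OFFER/ACK returns over the
! trusted uplink. A DHCP server answering from the PC is dropped here.
interface GigabitEthernet1/0/1
 description ShoreTel phone with PC behind it
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 10
 ip dhcp snooping limit rate 15
 no ip dhcp snooping trust
!
! Verify: the uplink lists as trusted, Gi1/0/1 as untrusted, and once both
! devices hold a lease the phone port shows two bindings (phone MAC in
! VLAN 10, PC MAC in VLAN 20).
! show ip dhcp snooping
! show ip dhcp snooping binding interface GigabitEthernet1/0/1
```

If the layer 3 switch is the DHCP relay, it also needs `ip dhcp relay information trust-all`, or option 82 insertion must be disabled on the access switch with `no ip dhcp snooping information option`; otherwise the relay drops the snooped requests and clients behind the phones never get a lease.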