
DHCP Snooping

carl.townshend
Level 1

Hi Guys

We want to enable DHCP snooping on one of our sites. We have a core switch and lots of edge switches plugged into this, and the DHCP server is over the WAN. Do we just need to set the port that the WAN router plugs into and the uplinks to the switches as trusted? We have had some issues where DHCP snooping breaks DHCP in the past, so we're reluctant to enable it again.

Should what I described above work OK?

Cheers

20 Replies

DHCP snooping trust needs to be configured on any link toward the DHCP server.

Here, if your uplink is the only path towards the DHCP server, you need to configure it as trusted.

Hi

So what about the HQ end where the actual DHCP server is located? This does not have snooping and will not have it enabled.

We only want to enable it on the remote site.

Are you saying it would not work if not enabled at the HQ end also? If not, why not, and is there anything we can do to get around it?

Only enable it on the remote site and configure DHCP trust on the uplink toward HQ.

No need to enable DHCP snooping in HQ.

Note: disable adding op82 for snooping at the remote site to be sure the DHCP server does not refuse the DHCP request.

On what switches would we need to disable option 82? On all switches or just the core where the IP helper is?

Also, why do we need to disable it?

 

Can you draw your network?

You only need to configure the trust ports on devices you enable DHCP Snooping on. DHCP snooping should be on the network devices closest to the device you're trying to "snoop". As @MHM Cisco World mentioned, the trust interfaces should be enabled on links that flow traffic to the DHCP server. This includes all links, so if you have redundant paths then those need it as well. Typically it's configured on trunk interfaces towards the DHCP server. By default all ports are untrusted, which means only client-related DHCP messages are allowed (Discover/Request). When the server sends its Offer, the untrusted port will block this as an invalid packet because untrusted ports should not have DHCP server messages (Offer, ACK) coming from them. Trusted ports allow all DHCP messages without filtering.

The reason you disable Option 82 is because when you turn on DHCP snooping it also enables Option 82 on the switch. This adds some extra information but, more importantly, it sets the "GIADDR" field of the packet to 0.0.0.0 as it relays the DHCP packets from the client to the server. The router is configured by default to reject packets with the GIADDR field set to 0.0.0.0. You can change this in 2 ways. On the switch, by disabling Option 82: no ip dhcp snooping information option. Or, on the router that has the helper address (or is the DHCP server), you can configure it to trust packets with the GIADDR field set to 0.0.0.0 with the command: ip dhcp relay information trusted.


Hope this helps

-David
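As an added example (not part of the reply above and not Cisco code), this simplified Python model follows the behaviour described in this thread: untrusted ports drop server messages, and the first helper interface rejects Option 82 packets whose GIADDR is 0.0.0.0 unless told to trust them. The class names, port names and the 192.0.2.1 helper address are assumptions made for the illustration.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK"}  # only a DHCP server should send these
ZERO = "0.0.0.0"

@dataclass
class Packet:
    msg: str                # DHCP message type
    giaddr: str = ZERO      # relay agent address field
    option82: bool = False  # relay information option present

@dataclass
class EdgeSwitch:
    """Access switch with DHCP snooping enabled (simplified model)."""
    trusted_ports: frozenset
    insert_option82: bool = True  # default once snooping is on, per the thread

    def ingress(self, port, pkt):
        """Return the packet to forward, or None if snooping drops it."""
        if port in self.trusted_ports:
            return pkt   # trusted port: no filtering
        if pkt.msg in SERVER_MSGS:
            return None  # server message arriving on an untrusted port
        # A layer 2 switch is not a relay, so giaddr stays 0.0.0.0.
        return Packet(pkt.msg, pkt.giaddr, pkt.option82 or self.insert_option82)

@dataclass
class RelayInterface:
    """First routed interface with an IP helper (simplified model)."""
    address: str
    relay_information_trusted: bool = False  # 'ip dhcp relay information trusted'

    def relay(self, pkt):
        """Return the relayed packet, or None if the interface rejects it."""
        if pkt.option82 and pkt.giaddr == ZERO and not self.relay_information_trusted:
            return None
        return Packet(pkt.msg, self.address, pkt.option82)

def discover_reaches_server(edge, core, port="access1"):
    """Follow a client DISCOVER from an access port to the helper interface."""
    pkt = edge.ingress(port, Packet("DISCOVER"))
    return pkt is not None and core.relay(pkt) is not None

def offer_forwarded(edge, port):
    """True if an OFFER arriving on `port` is forwarded by the edge switch."""
    return edge.ingress(port, Packet("OFFER")) is not None

# Constructed topology: port names and the helper address are made up.
UPLINK = frozenset({"uplink"})
CORE = RelayInterface("192.0.2.1")
```

With the defaults, `discover_reaches_server(EdgeSwitch(UPLINK), CORE)` is false; either fix named in the reply above makes it true, and an OFFER is only forwarded when it arrives on the trusted uplink.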

Hi David,

When you say router, do you mean the router/switch with DHCP snooping enabled, or would it drop even with snooping not enabled? In our case the core switch just has IP helper enabled.

Whichever device the traffic will hit first, whether it be a router interface or a VLAN interface on a switch. Whatever routed interface the DHCP request will hit first will drop the traffic if the GIADDR field is 0.0.0 unless configured to accept such frames with the command I listed above.

Hi David

So in our scenario where the DHCP server is over the WAN, are we best just enabling DHCP snooping on the edge switches where the clients plug in only? Or should we enable it on the core also?

Should we enable the command no ip dhcp snooping information option on all edge switches too by default?

Cheers

Just the edge devices where the clients plug in. Wherever you enable DHCP snooping is where you need to also turn off Option 82.

 

-David

carl.townshend
Level 1

Hi

It will be REMOTE SWITCH>>>>REMOTE CORE>>>>REMOTE WAN RTR>>>>WAN>>>>>HQ WAN ROUTER>>>>HQ CORE>>>HQ SERVER SWITCH>>>DHCP SERVER

Do hosts connect to the remote SW?

If yes, then enable DHCP snooping on the remote SW, and the link from the remote SW to the core SW must be configured with DHCP trust.

And disable op82 on the remote SW.

That is what you need.

Why must op82 be disabled? Another L3 device, when it sees that op82 is added, must either trust it or not. To trust it you need to enable DHCP in the core (with IP helper), and that is not needed; instead you can just not add this option.

Hi, yes, clients plug into the remote switch.

So are you saying the core switch in the remote site with DHCP snooping enabled would drop it, even if the uplink was trusted?

What about switches at the HQ end, would these do anything or just pass it as normal, as DHCP snooping is not enabled?

Why do you want to enable DHCP snooping on the core SW (remote site)?

It is not the remote site SW that drops DHCP; the SW with IP helper that does not run DHCP snooping will drop the DHCP request.
