10-13-2010 02:06 PM - edited 03-06-2019 01:30 PM
Hello,
We have run into an ARP problem with our private vlan and need to implement dhcp snooping and DAI for that specific vlan and I need some help with the configuration guidelines as it's a little vague in some areas. Once I get the DHCP snooping configuration setup, I think I can handle the DAI, but I'm definitely having some problems with this first part.
Here's the scenario:
2 CORE Redundant Switches have private vlan 6XX (Parent VLAN 6XX)
The hosts connected to this pvlan (through 3 different 3750 access switches throughout the campus) get their IP address from a DHCP pool configured on the CORE switches.
All other hosts connected to all other access vlans get their IP address from a Windows DHCP server connected to a server access switch on another subnet/vlan.
We want to implement DHCP snooping and DAI on the private vlan only and allow the Windows DHCP server to continue to provide IP addresses to all other host vlans. (As a first step, then roll the security measures out to the other non-PVLANs at a later date.)
Plan so far:
Enable dhcp snooping globally on the CORE switches (Do I need to do this on the host switches where the pvlan bridges for host connectivity?)
Enable dhcp snooping to vlan 6XX
Enable dhcp snooping trust on all uplink ports on the CORE to the host switches
Core-switch1
conf t
ip dhcp snooping
ip dhcp snooping vlan 6XX
interface gi2/4 (host-switch1)
ip dhcp snooping trust
interface gi1/6 (host-switch2)
ip dhcp snooping trust
interface gi2/7 (host-switch3)
ip dhcp snooping trust
end
Core-switch2
conf t
ip dhcp snooping
ip dhcp snooping vlan 6XX
interface gi1/13 (host-switch1)
ip dhcp snooping trust
interface gi1/16 (host-switch2)
ip dhcp snooping trust
interface gi2/7 (host-switch3)
ip dhcp snooping trust
end
host-switch1
conf t
interface range fastethernet 1/0/1 - 12
no ip dhcp snooping trust
ip dhcp snooping limit rate 10
end
host-switch2
conf t
interface range fastethernet 1/0/1 - 12
no ip dhcp snooping trust
ip dhcp snooping limit rate 10
end
host-switch3
conf t
interface range fastethernet 1/0/1 - 12
no ip dhcp snooping trust
ip dhcp snooping limit rate 10
end
Questions I still have
1. Setting up the dhcp snooping database. I think we will eventually move this to a tftp server, however, is there a way to set this to a file on the CORE (I.E. Local Switch Flash)? Anyone have any examples of pointing it to the local flash on the Switch instead of tftp server or some other alternative?
2. Do I need to configure dhcp snooping globally on these switches and/or setup ip dhcp snooping trust on the host uplinks ports back to the CORE as well? For example:
host-switch1
conf t
ip dhcp snooping - do I need to do this here?
interface gi1/0/1
ip dhcp snooping trust - do I need to do this here?
interface gi2/0/1
ip dhcp snooping trust - do I need to do this here?
end
3. Are there any special concerns regarding ports that I configure as “trusted” that might have additional vlans trunked? Are there any other configurations that I need to include to make sure I don't disrupt those vlans obtaining their IP addresses through the Windows DHCP server?
4. There is a reference doc I'm looking at that used no ip dhcp snooping information option in their #1 scenario. http://www.ciscosystemsnetwork.net/en/US/prod/collateral/switches/ps5718/ps708/white_Paper_C11_603833.html I'm really confused about this command. Do I need it or don't I? For the vlan(s) we are going to be DHCP snooping, the CORE switch IS the DHCP server so I'm thinking no, but how will that affect all other vlans that are not being "snooped" that get their IP from a Windows DHCP server on a server switch across the network (I.E. IP-Helper commands are used)?
At the moment, this is all I have in my head to ask. After I figure these few items out....maybe I'll have more or perhaps it will all "click" and I can breathe a sigh of relief
TIA
10-13-2010 08:59 PM
Questions I still have
1. Setting up the dhcp snooping database. I think we will eventually move this to a tftp server, however, is there a way to set this to a file on the CORE (I.E. Local Switch Flash)? Anyone have any examples of pointing it to the local flash on the Switch instead of tftp server or some other alternative?
The command you are looking for is:
ip dhcp snooping database {ftp:// | tftp:// | rcp:// | flash: | http://}
So you can configure the local database, or TFTP if needed, but it is recommended to have the DHCP snooping database on a TFTP server as there can be many entries populating the local flash.
2. Do I need to configure dhcp snooping globally on these switches and/or setup ip dhcp snooping trust on the host uplinks ports back to the CORE as well? For example:
host-switch1
conf t
ip dhcp snooping - do I need to do this here?
interface gi1/0/1
ip dhcp snooping trust - do I need to do this here?
interface gi2/0/1
ip dhcp snooping trust - do I need to do this here?
end
Yes, you would have to enable DHCP snooping on the switch globally and then configure the interfaces that are uplinks towards the DHCP server to be trusted.
3. Are there any special concerns regarding ports that I configure as “trusted” that might have additional vlans trunked? Are there any other configurations that I need to include to make sure I don't disrupt those vlans obtaining their IP addresses through the Windows DHCP server?
The other vlans would not have any issues on the interfaces as you would be specifying which vlan you need the DHCP snooping to be enabled.
4. There is a reference doc I'm looking at that used no ip dhcp snooping information option in their #1 scenario. http://www.ciscosystemsnetwork.net/en/US/prod/collateral/switches/ps5718/ps708/white_Paper_C11_603833.html I'm really confused about this command. Do I need it or don't I? For the vlan(s) we are going to be DHCP snooping, the CORE switch IS the DHCP server so I'm thinking no, but how will that affect all other vlans that are not being "snooped" that get their IP from a Windows DHCP server on a server switch across the network (I.E. IP-Helper commands are used)?
By default switches try to insert their own Option 82 information when DHCP snooping is enabled. Depending on your network, there may be reasons why you want Option 82 information. Sometimes, though, you need to stop the switch from adding this additional information:
If your DHCP server does not understand Option 82
-Some DHCP servers do not understand Option 82, and instead of ignoring those options, it drops them.
If you have multiple switches running DHCP Snooping in the path from DHCP Client to DHCP server.
We configure ip dhcp snooping information option allow-untrusted on the distribution switches so that they do not drop packets coming in with option 82 already in them.
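Putting the plan in the first post together with the answers above, here is a complete configuration for the scenario as described: the core holds the IOS DHCP pool for the private VLAN, the 3750 access switches hold the host ports, and only that one VLAN is snooped. This is an added example written for this thread, not configuration from the original posts or from a Cisco document. VLAN 333 stands in for the 6XX private VLAN, and the 10.33.0.0/24 pool, the file names and the interface numbers are assumed placeholders.

```cisco
! ===== CORE-1 (also the IOS DHCP server for the private VLAN) =====
! Added example for this thread. VLAN 333, the 10.33.0.0/24 pool,
! the file names and the interface names are assumed placeholders.
ip dhcp excluded-address 10.33.0.1 10.33.0.10
ip dhcp pool PVLAN333
 network 10.33.0.0 255.255.255.0
 default-router 10.33.0.1
!
ip dhcp snooping
ip dhcp snooping vlan 333
! Bindings are only learned for clients behind UNTRUSTED ports. Every
! VLAN-333 port on the core is a trusted downlink, so the core's binding
! table stays empty by design; snooping here only guards any host port
! someone patches straight into the core on that VLAN.
no ip dhcp snooping information option
! Question 1: a local file is fine for now (disk0: on a core with no
! flash:, as in the thread); move it to a TFTP server later.
ip dhcp snooping database flash:/dhcpsnoop.db
ip dhcp snooping database write-delay 60
!
interface range GigabitEthernet2/4 , GigabitEthernet1/6 , GigabitEthernet2/7
 description downlink to access switch
 ip dhcp snooping trust
!
! ===== ACCESS-1 (3750; same block on ACCESS-2 and ACCESS-3) =====
! Question 2: yes, both lines are needed here. With only the global
! command, snooping is "enabled" but inspects no VLAN and learns nothing.
ip dhcp snooping
ip dhcp snooping vlan 333
! Leave option-82 insertion off on this hop as well; otherwise frames
! reach the core with option 82 and giaddr 0, and the core's DHCP server
! has to be told to accept those (ip dhcp relay information trust-all).
no ip dhcp snooping information option
! The bindings live here, so the database belongs here too.
ip dhcp snooping database flash:/dhcpsnoop.db
errdisable recovery cause dhcp-rate-limit
!
! Question 3: the trunks to both cores are the only direction an
! OFFER/ACK may come from, so they are trusted. The other VLANs on the
! trunk are untouched because snooping is enabled for VLAN 333 only;
! their ip helper-address relay to the Windows server keeps working.
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 description uplink to CORE-1 / CORE-2
 ip dhcp snooping trust
!
! PVLAN host ports (already host-associated in the existing config).
! Untrusted is the default; the "no" form just makes it explicit.
! Note the IOS syntax is "limit rate", not "rate limit".
interface range FastEthernet1/0/1 - 12
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 10
!
! Verify on the ACCESS switch, which is where the entries appear:
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip dhcp snooping statistics
```

The check that matters after applying this is "show ip dhcp snooping" on an access switch: VLAN 333 must be listed under "configured on following VLANs", and only the two uplinks should show "yes" in the Trusted column. If a host port ever shows as trusted, a rogue server on it would be accepted.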
10-26-2010 07:18 AM
Hello,
It's me again. This is going to be a bit lengthy, but hopefully informative.
I must be doing something wrong, so I'm coming back here for a little troubleshooting. I was able to do a simple implementation on a mock network (one Cisco 1841 with a DHCP server pool configured and a Cisco 2960 with DHCP snooping turned on). I enabled it globally and then selected a VLAN. I then set my uplink port BACK to the router as a trusted port and could see the binding in my DHCP snooping table, which was the desired result (see below):
SW1#sh ip dhcp snooping data
Agent URL : flash:/dhcpsnoopdb
Write delay Timer : 300 seconds
Abort Timer : 300 seconds
Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running
Last Succeded Time : None
Last Failed Time : None
Last Failed Reason : No failure recorded.
Total Attempts : 0 Startup Failures : 0
Successful Transfers : 0 Failed Transfers : 0
Successful Reads : 0 Failed Reads : 0
Successful Writes : 0 Failed Writes : 0
Media Failures : 0
SW1#sh ip dhcp snooping stat
Packets Forwarded = 24
Packets Dropped = 0
Packets Dropped From untrusted ports = 0
SW1#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
111
DHCP snooping is operational on following VLANs:
111
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 0025.b4b7.7200 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
GigabitEthernet0/1 yes yes unlimited
Custom circuit-ids:
SW1#sh ip dhcp snooping bind
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:24:E8:9E:07:37 10.XX.XX.1 2529225 dhcp-snooping 111 FastEthernet0/3
Total number of bindings: 1
So I know that it actually does work in the above mentioned scenario. The scenario I WANT to implement is slightly different and it doesn't appear to be working.
I've attached a *.jpg of the setup we have.
We have a private VLAN set up on both CORE switches, and they are configured to use HSRP in case one of the CORE switches goes down. The DHCP server for this private VLAN actually lives as a DHCP pool of addresses on CORE#1 (see diagram). As you can see, I've implemented DHCP snooping globally on all switches in the diagram. On the CORE switches I pointed the DHCP snooping to VLAN 333 (the private VLAN). I have set the uplinks on the CORE switches as trusted ports, as well as the uplinks on the user switches that connect back up to the CORE switches. On the user ports, I have configured those user ports that are assigned to VLAN 333 to be untrusted with a rate limit of 10.
The problem I have is that I'm not seeing anything in my DHCP snooping binding table. Below is what I get on either CORE switch (depending on which one is active).
CORE1#sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
333
DHCP snooping is operational on following VLANs:
333-334
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
GigabitEthernet1/6 yes unlimited
GigabitEthernet2/4 yes unlimited
GigabitEthernet2/7 yes unlimited
CORE1#sh ip dhcp snoop bind
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0
CORE1#sh ip dhcp snoop data
Agent URL : disk0://testdhcpsnoopdb
Write delay Timer : 300 seconds
Abort Timer : 300 seconds
Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running
Last Succeded Time : 21:35:48 CDT Wed Oct 20 2010
Last Failed Time : None
Last Failed Reason : No failure recorded.
Total Attempts : 1 Startup Failures : 0
Successful Transfers : 1 Failed Transfers : 0
Successful Reads : 0 Failed Reads : 0
Successful Writes : 1 Failed Writes : 0
Media Failures : 0
CORE1#sh ip dhcp snoop stat
Packets Processed by DHCP Snooping = 16498
Packets Dropped Because
IDB not known = 0
Queue full = 0
Interface is in errdisabled = 0
Rate limit exceeded = 0
Received on untrusted ports = 0
Nonzero giaddr = 0
Source mac not equal to chaddr = 0
No binding entry = 0
Insertion of opt82 fail = 0
Unknown packet = 0
Interface Down = 0
Unknown output interface = 0
From the stats I can see that it IS processing DHCP snooping packets, but I think I have trust set up on one or more uplinks that I shouldn't, and I don't know which ones are the right ones. Also... should the DHCP snooping DB live on the CORE switch that is also acting as the DHCP server for the VLAN I'm snooping, or should the DB live on the user switches? I know we will eventually move them to a TFTP server, but right now I'm just trying to get it to work right before I move the DB to a TFTP server.
Any help is appreciated.
Thanks!
06-04-2019 04:33 PM
Dear,
Not sure if this was resolved or not, but in case it was not: I saw your picture and realized that on your access switches you are missing the command
ip dhcp snooping vlan 333
or the number of the VLAN you want.
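The fix above explains the empty binding table: with only the global "ip dhcp snooping" on the 3750s, no VLAN is inspected there, and the core cannot learn bindings because all of its VLAN-333 ports are trusted downlinks. Once the access switches snoop VLAN 333, the first post's next step, DAI, can be layered on the same switches, since DAI validates ARP against the local binding table. This is an added example written for this thread, not configuration from the original posts; VLAN 333, the interface names, the ACL name and the static host 10.33.0.50 / 0011.2233.4455 are assumed placeholders.

```cisco
! ===== ACCESS-1 (3750): DAI on top of the DHCP snooping bindings =====
! Added example for this thread. VLAN 333, interface names, the ACL name
! and the static host address/MAC are assumed placeholders.
!
! Prerequisite from the reply above: snooping must be on for the VLAN on
! THIS switch, because DAI checks ARP against this switch's own bindings.
ip dhcp snooping
ip dhcp snooping vlan 333
!
ip arp inspection vlan 333
! Extra checks beyond the IP/MAC binding: Ethernet source MAC must match
! the ARP sender MAC, the target MAC on replies must match the frame, and
! no 0.0.0.0, 255.255.255.255 or multicast IPs may appear in ARP bodies.
ip arp inspection validate src-mac dst-mac ip
! A port that trips the ARP rate limit is err-disabled; let it recover.
errdisable recovery cause arp-inspection
!
! Hosts with fixed addresses never get a snooping entry. Cover them with an
! ARP ACL rather than trusting their port; the ACL is consulted first.
arp access-list STATIC-HOSTS-333
 permit ip host 10.33.0.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS-333 vlan 333
!
! Uplinks to both cores: ARP from the HSRP gateway and from the rest of
! the campus arrives here, so they are trusted, just like for snooping.
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 ip dhcp snooping trust
 ip arp inspection trust
!
! PVLAN host ports: untrusted (the default), 15 ARP pps is the IOS default
! and enough for a workstation; raise it only where a port feeds a hub.
interface range FastEthernet1/0/1 - 12
 no ip arp inspection trust
 ip arp inspection limit rate 15
!
! Verify. With a private VLAN, check that the secondary VLAN is shown as
! operational too, as the snooping output in this thread did for 333-334.
! show ip arp inspection vlan 333
! show ip arp inspection interfaces
! show ip arp inspection statistics vlan 333
! show ip dhcp snooping binding
```

Roll DAI out on one access switch first and watch "show ip arp inspection statistics vlan 333": a steady count of dropped packets on a port that is not an attacker usually means a statically addressed host that needs an ARP ACL entry, not a port that should be trusted.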