04-04-2023 11:21 AM
Hi,
correct me please if I am wrong.
In theory, if you only want to block DHCP frames offered on untrusted ports, globally enabling the DHCP Snooping mechanism and specifying interfaces that are trusted and untrusted should be enough. In this case, specifying which VLANs are to be covered by the DHCP Snooping mechanism is not necessary.
From the DHCP Snooping Configuration Guidelines:
My question is, why does the system unconditionally require me to specify a vlan? What would happen if I specify a different vlan than the one for the trusted or untrusted interface (which, by the way, I am about to try myself)?
04-04-2023 12:01 PM
Hello
Enabling DHCP snooping on specific vlans is a way to be deterministic in which vlans you wish to apply it to. However, I would apply it to any access vlan that has the potential to receive rogue DHCP.
Regarding trusted ports, again you can manually append this to whatever port you wish to trust, but as dhcp snooping is a L2 access feature the trusted port is mainly the uplink (trunk) towards the distribution/core switches. But if you want to trust any access port, then that access port would be associated with a vlan that snooping is enabled on, otherwise it will be irrelevant to trust it in the first place.
04-04-2023 01:03 PM
Hi, thanks, but that's my question: if every port is associated with a vlan, why is simply marking this or that port as trusted still not enough for dhcp snoop to work globally? Even if dhcp snoop reads the DHCPOFFER first as a vlan frame, it should already know what port it is associated with. So why do I have to determine the vlan for dhcp snooping by hand?
04-04-2023 01:49 PM
I need to check these points, but
a VLAN configured as a relay cannot be configured with DHCP snooping;
this leads us to the second point:
a trunk with multiple vlans, one of which is used as a VLAN DHCP relay: here, must the trunk be trusted or not?
As you know, the trust is configured under the trunk and this makes traffic from all VLANs trusted or not; this, with a VLAN DHCP relay, I think does not work,
so we need to configure manually which VLAN allows DHCP snooping.
04-04-2023 02:48 PM
There may be an instance where you might not want it on every vlan totally and some may use static configurations totally.
04-05-2023 04:16 AM - edited 04-05-2023 04:18 AM
Hello
By default ALL ports associated to a dhcp snooping enabled vlan are UNTRUSTED, as by default you are not expecting DHCP servers to be originating off every access-port, plus it secures against someone maliciously attaching a rogue dhcp server to the access ports.
Now for snooping to work, the service first needs to be activated globally (ip dhcp snooping), then it needs to be applied individually to the vlans you wish to protect against rogue DHCP (ip dhcp-snooping vlan x).
DHCP snooping is used at the access layer and the majority of the time these switches will be trunked upstream towards the core/L3 routing device, as such you need DHCP snooping trust on those uplinks for DORAs to be allowed through.
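An added model of the decision logic the replies above describe (example code, not from the thread or from any switch vendor's implementation): snooping only inspects frames on VLANs where it is enabled, an untrusted port may carry client messages but never server replies, and a trust setting on a port in a non-enabled VLAN has no effect. Port names and the traffic are constructed for illustration.

```python
from dataclasses import dataclass, field

# Messages only a DHCP server sends; an untrusted port must never inject these.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

@dataclass
class SnoopingConfig:
    """The three pieces of configuration discussed in the thread."""
    enabled_globally: bool = False                     # ip dhcp snooping
    enabled_vlans: set = field(default_factory=set)    # ip dhcp snooping vlan x
    trusted_ports: set = field(default_factory=set)    # ip dhcp snooping trust (per interface)

@dataclass
class Frame:
    port: str
    vlan: int
    dhcp_msg: str        # DISCOVER, OFFER, REQUEST, ACK or NAK
    client_mac: str = ""
    offered_ip: str = ""

def snooping_action(frame, cfg, bindings):
    """Return 'forward' or 'drop' for one DHCP frame; learn a binding from each ACK."""
    # bindings maps client MAC -> (ip, vlan); a real switch also records port and lease time.
    # Snooping inactive for this VLAN: nothing is inspected, so 'trust' on a
    # port in such a VLAN changes nothing (the point made in the replies above).
    if not cfg.enabled_globally or frame.vlan not in cfg.enabled_vlans:
        return "forward"
    if frame.port in cfg.trusted_ports:
        if frame.dhcp_msg == "ACK":
            bindings[frame.client_mac] = (frame.offered_ip, frame.vlan)
        return "forward"
    # Untrusted port: client messages pass, a server reply means a rogue server.
    return "drop" if frame.dhcp_msg in SERVER_MESSAGES else "forward"

def run_scenario():
    """Constructed traffic: VLAN 10 protected, VLAN 20 not, one trusted uplink."""
    cfg = SnoopingConfig(True, {10}, {"Gi1/0/24"})      # hypothetical port names
    bindings = {}
    frames = [
        Frame("Gi1/0/1", 10, "DISCOVER", "aa:bb:cc:00:00:01"),
        Frame("Gi1/0/24", 10, "OFFER", "aa:bb:cc:00:00:01", "10.0.10.50"),  # real server via uplink
        Frame("Gi1/0/2", 10, "OFFER", "aa:bb:cc:00:00:01", "192.168.1.9"),  # rogue on an access port
        Frame("Gi1/0/24", 10, "ACK", "aa:bb:cc:00:00:01", "10.0.10.50"),
        Frame("Gi1/0/3", 20, "OFFER", "aa:bb:cc:00:00:02", "192.168.1.9"),  # VLAN 20 is unprotected
    ]
    return [snooping_action(f, cfg, bindings) for f in frames], bindings
```

The last frame shows the case asked about in the opening post: a rogue OFFER on a VLAN that was never added to snooping is forwarded untouched, whatever the trust state of its port.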