Why does DHCP snooping require a VLAN?

Michał M
Level 1

Hi,

Correct me please if I am wrong.

In theory, if you only want to block DHCP frames offered on untrusted ports, globally enabling the DHCP Snooping mechanism and specifying interfaces that are trusted and untrusted should be enough. In this case, specifying which VLANs are to be covered by the DHCP Snooping mechanism is not necessary.

From the DHCP Snooping Configuration Guidelines:

  • You must globally enable DHCP snooping on the switch.
  • DHCP snooping is not active until DHCP snooping is enabled on a VLAN.

My question is, why does the system unconditionally require me to specify a VLAN? What would happen if I specify a different VLAN than the one for the trusted or untrusted interface (which, by the way, I am about to try myself)?

5 Replies

Hello
Enabling DHCP snooping on specific VLANs is a way to be deterministic about which VLANs you wish to apply it to. However, I would apply it to any access VLAN that has the potential to receive rogue DHCP.

Regarding trusted ports, again you can manually append this to whatever port you wish to trust, but as DHCP snooping is an L2 access feature the trusted port is mainly the uplink (trunk) towards the distribution/core switches. If you want to trust any access port, then that access port would be associated with a VLAN that snooping is enabled on; otherwise it will be irrelevant to trust it in the first place.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi, thanks, but that's my question: if every port is associated with a VLAN, why is simply marking this or that port as trusted still not enough for DHCP snooping to work globally? Even if DHCP snooping reads the DHCPOFFER first as a VLAN frame, it should already know what port it is associated with. So why do I have to determine the VLAN for DHCP snooping by hand?

I need to check these points, but:
A VLAN configured as a relay cannot be configured with DHCP snooping.
This leads us to the second point:
A trunk with multiple VLANs, one of which is used as a VLAN DHCP relay; here, must the trunk be trusted or not?
As you know, trust is configured under the trunk, and this makes traffic from all VLANs trusted or not; with a VLAN DHCP relay I think this does not work.
So we need to configure manually which VLANs allow DHCP snooping.

There may be an instance where you might not want it on every VLAN, and some may use static configurations entirely.


Hello
By default ALL ports associated to a DHCP snooping enabled VLAN are UNTRUSTED, as by default you are not expecting DHCP servers to be originating off every access port; plus it is security against someone maliciously attaching a rogue DHCP server to the access ports.

Now for snooping to work, the service first needs to be activated globally (ip dhcp snooping), then it needs to be applied individually to the VLANs you wish to be protected against rogue DHCP (ip dhcp snooping vlan x).

DHCP snooping is used at the access layer, and the majority of the time these switches will be trunked upstream towards the core/L3 routing device, so you need DHCP snooping trust on those uplinks for DORAs to be allowed through.



Kind Regards
Paul
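To make the interaction between the global enable, the per-VLAN enable and port trust concrete, here is a small toy model of the forwarding decision described in the replies above. It is an added example, not code or output from a Cisco switch; the port names, VLAN numbers and frames are constructed, and it models only the trust/VLAN rule discussed in this thread (not MAC verification, rate limiting or the binding table). It also answers the original poster's question about what happens when the trusted port's VLAN is not in the snooping list.

```python
# Toy model of the DHCP snooping decision: a frame is inspected only when
# snooping is on globally AND the frame's VLAN is in the snooping VLAN list.
# Constructed example; not real switch code.
from dataclasses import dataclass, field

# Messages that only a DHCP server should send towards clients.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class SnoopingConfig:
    enabled_globally: bool = False                   # 'ip dhcp snooping'
    vlans: set = field(default_factory=set)          # 'ip dhcp snooping vlan x'
    trusted_ports: set = field(default_factory=set)  # 'ip dhcp snooping trust'


@dataclass
class Frame:
    ingress_port: str
    vlan: int
    message: str  # DHCPDISCOVER, DHCPOFFER, ...


def snooping_verdict(cfg: SnoopingConfig, frame: Frame):
    """Return (action, reason) for one DHCP frame entering the switch."""
    if not cfg.enabled_globally:
        return "forward", "snooping not enabled globally"
    if frame.vlan not in cfg.vlans:
        # The VLAN is not protected, so port trust never comes into play.
        return "forward", f"vlan {frame.vlan} not under snooping; trust is irrelevant"
    if frame.ingress_port in cfg.trusted_ports:
        return "forward", "trusted port, all DHCP messages pass"
    if frame.message in SERVER_MESSAGES:
        return "drop", f"{frame.message} from untrusted port {frame.ingress_port}"
    return "forward", "client message on untrusted port"


def demo():
    """Uplink Gi0/24 trusted, snooping enabled on VLAN 10 only (assumed)."""
    cfg = SnoopingConfig(True, vlans={10}, trusted_ports={"Gi0/24"})
    frames = [
        Frame("Gi0/5", 10, "DHCPDISCOVER"),  # client on access port
        Frame("Gi0/5", 10, "DHCPOFFER"),     # rogue server on access port
        Frame("Gi0/24", 10, "DHCPOFFER"),    # real server via trusted uplink
        Frame("Gi0/5", 20, "DHCPOFFER"),     # VLAN 20 was never listed
    ]
    return [snooping_verdict(cfg, f)[0] for f in frames]


if __name__ == "__main__":
    print(demo())  # ['forward', 'drop', 'forward', 'forward']
```

The last frame shows the point of the thread: an OFFER on an untrusted access port in VLAN 20 is forwarded untouched because that VLAN was never placed under snooping, regardless of which ports are trusted.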