
Why is DHCP Snooping Applied on a VLAN Basis?

TariqMK
Level 1

Just a basic question I have. I am familiar with the basics of DHCP Snooping. I understand that it marks ports as untrusted by default and disregards DHCP replies from them in order to prevent MITM attacks.

What I don't understand however, is why this is applied on a per VLAN basis.

From the official CCNP Study Guide, listing a specific VLAN for enabling DHCP Snooping seems to be obligatory.

However, as per my understanding, shouldn't such a feature be enabled globally on a Switch, and trusted ports then allowed manually?

What is the benefit/reason for allowing it on a per VLAN basis?


6 Replies

Philip D'Ath
VIP Alumni

Consider a trunk port with say three vlans, and you only want to do snooping on one of those vlans.

But what reason would there be to enable snooping only on one VLAN? If we did so, wouldn't the other VLANs be unprotected and therefore vulnerable to MITM attacks from a rogue server?

I typically don't use DHCP snooping on server VLANs.  The danger of something going wrong and taking out a whole server is too great.

I typically only use it on workstation vlans.

OK, I think I might understand the logic behind this now.

So DHCP Snooping is applied on the Access Layer on the VLANs used by workstations.

This is because the most likely scenario of a rogue DHCP server being added would be from Users.

Therefore to save resources (as you mentioned) we only apply it on Switches and VLANs closest and in use by these End Users.

Would this be correct?

In this case, yes.  Typically I only apply it where I think there is reasonable risk, which is usually where humans can connect.

I have also had issues on 4510's where there is not enough TCAM to physically enable DHCP snooping on every port on every VLAN.  Each port has a phone (on one VLAN) and a workstation (on a different VLAN).

I can reduce the TCAM usage a lot by turning it off for the VoIP VLAN.
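The design described in this thread as a Cisco IOS configuration fragment (an added example, not posted by anyone in the thread): snooping is switched on globally but scoped to the workstation VLAN only, the voice VLAN is left out, and the uplink trunk is the single trusted port. The VLAN numbers, interface names and rate limit are assumed values.

```cisco
! Added example: access switch with workstations on VLAN 10 and phones on VLAN 20.
! VLAN numbers, interface names and the rate limit are assumed values.
ip dhcp snooping
! Per-VLAN scope: only the workstation VLAN is inspected. VLAN 20 (voice) is
! deliberately omitted, as in the 4510 TCAM case above, and frames on it pass
! through the trunk untouched even though the trunk carries both VLANs.
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; turn it off if the upstream relay
! drops client packets that carry it.
no ip dhcp snooping information option
!
! Uplink towards the distribution layer, where the legitimate DHCP server or
! relay lives: the only port on which server-side messages (OFFER/ACK/NAK)
! are accepted for VLAN 10.
interface GigabitEthernet1/0/48
 description UPLINK-TO-DISTRIBUTION
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
!
! User-facing port: phone on the voice VLAN, workstation behind it on VLAN 10.
! It stays untrusted (the default), so a rogue server answering on VLAN 10
! here is dropped, while the phone on VLAN 20 is not inspected at all.
interface GigabitEthernet1/0/1
 description USER-PORT
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip dhcp snooping limit rate 15
!
! Verification (exec mode): confirm the VLAN list and that only the uplink
! shows as trusted, then check that workstation leases appear in the table.
! show ip dhcp snooping
! show ip dhcp snooping binding
```

Exceeding the rate limit err-disables the user port, so pair it with an errdisable recovery policy if you do not want a manual reset after a burst.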
