DHCP Snooping in a full L3 environment

Answered Question

I have a C/D/A architecture, all routed links; we want to implement DHCP snooping throughout the company, however, all the documentation I've seen relates to L2 uplinks from the Access tier.


Will DHCP snooping work if the Access tier has routed uplinks? What does the configuration look like, how can I configure individual interfaces (not vlans) as uplinks?

Marwan ALshawi Tue, 08/12/2008 - 16:47
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, December 2015

If you are going to work on L3 you don't need snooping, you need ip helper.

So you are going to put the DHCP server IP manually!

Correct Answer
andrew.butterworth Wed, 08/13/2008 - 00:43
User Badges:
  • Gold, 750 points or more

Yes, DHCP snooping will work in the Layer-3 to the edge environment you describe. Since you have routed uplinks then you don't need the 'ip dhcp snooping trust' interface command on these links - you don't need any additional configuration at all.


I have this deployed in my 'test' environment and it works perfectly. You still need to apply 'trust' to the actual layer-2 switchports where the DHCP servers are connected. Additionally I also apply the best-practice DHCP snooping rate limit of 100 pps:


ip dhcp snooping limit rate 100


A typical access port will look like:


interface FastEthernet0/1
 switchport
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 100


A routed uplink will look like:


interface GigabitEthernet0/1
 no switchport
 ip address 192.168.255.1 255.255.255.252


You would also globally enable DHCP snooping as well as for each VLAN you wish to enable it on. Also if you are using Windows 2000/2003 DHCP servers you need to disable the Option 82 insertion:


ip dhcp snooping vlan 10,100
no ip dhcp snooping information option
ip dhcp snooping



Obviously in your Distribution & Core switches there is no additional configuration needed for DHCP snooping since it is purely the job of the access switches where your DHCP clients are.


HTH


Andy
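The settings Andy lists (global enable, per-VLAN enable, trust only on the Layer-2 ports where DHCP servers sit, no trust needed on routed uplinks, a 100 pps limit on host ports) can be checked mechanically against a running-config. The script below is an added example written for this page; it is not Cisco's code or Andy's, and the sample config, the choice of FastEthernet0/24 as the DHCP server port, and the finding strings are all constructed for illustration.

```python
"""Audit a Cisco IOS-style running-config for the DHCP snooping settings
recommended in the thread. Hypothetical example code, not Cisco's or the
thread author's; SAMPLE_CONFIG is a constructed config for illustration."""
import re

# Constructed running-config: one access switch with a routed uplink and a
# DHCP server attached to FastEthernet0/24 (an assumption for the example).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10,100
no ip dhcp snooping information option
ip dhcp snooping
!
interface FastEthernet0/1
 switchport
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 100
!
interface FastEthernet0/2
 switchport
 switchport mode access
 switchport access vlan 100
!
interface FastEthernet0/24
 description DHCP server
 switchport
 switchport mode access
 switchport access vlan 100
 ip dhcp snooping trust
!
interface GigabitEthernet0/1
 no switchport
 ip address 192.168.255.1 255.255.255.252
!
"""


def parse_config(text):
    """Split a config into global lines and a dict of interface -> sub-lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or another global command ends the block
            if line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def vlan_set(spec):
    """Expand an IOS VLAN list such as '10,100' or '10-12,100' into a set."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit(text, server_ports=("FastEthernet0/24",), rate_limit=100):
    """Return a list of findings; an empty list means the config matches the
    thread's recommendations. server_ports lists the Layer-2 ports where DHCP
    servers are attached (these, and only these, should be trusted)."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in global_lines:
        findings.append("global: DHCP snooping is not enabled")
    snoop_vlans = set()
    for line in global_lines:
        m = re.match(r"ip dhcp snooping vlan (\S+)$", line)
        if m:
            snoop_vlans |= vlan_set(m.group(1))
    for name, lines in interfaces.items():
        trusted = "ip dhcp snooping trust" in lines
        if "no switchport" in lines:
            # Routed uplink: snooping is not applied here, so trust is pointless
            if trusted:
                findings.append(f"{name}: trust configured on a routed interface (not needed)")
            continue
        vlan = next((int(l.split()[-1]) for l in lines
                     if l.startswith("switchport access vlan ")), None)
        if vlan is not None and vlan not in snoop_vlans:
            findings.append(f"{name}: VLAN {vlan} is not in 'ip dhcp snooping vlan'")
        if name in server_ports and not trusted:
            findings.append(f"{name}: DHCP server port is untrusted; server replies will be dropped")
        if name not in server_ports:
            if trusted:
                findings.append(f"{name}: host port is trusted; a rogue DHCP server here would be accepted")
            if f"ip dhcp snooping limit rate {rate_limit}" not in lines:
                findings.append(f"{name}: missing 'ip dhcp snooping limit rate {rate_limit}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the constructed config it reports only that FastEthernet0/2 lacks the rate limit; the routed GigabitEthernet0/1 produces no finding, which is the point of Andy's answer. Feed it the output of `show running-config` from a real access switch and adjust `server_ports` to the ports where your DHCP servers actually connect.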

Marwan ALshawi Wed, 08/13/2008 - 01:11
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, December 2015

Then Andy, agree with me: in L3 there is no need for DHCP snooping, such as on routed interfaces, only for the layer 2 interfaces.

On layer three SVIs you need only ip dhcp helper.



andrew.butterworth Wed, 08/13/2008 - 01:18
User Badges:
  • Gold, 750 points or more

Yes, in a COMPLETELY routed environment then you don't need DHCP Snooping, just IP Helpers. However in this environment they have Layer-2 switchports at the access-layer where hosts are attached; this is where DHCP snooping is needed to prevent rogue DHCP servers from being able to issue IP addresses or to keep infected hosts from starving the DHCP pools (using the DHCP snooping rate limit feature).


Andy

mrashby Wed, 08/13/2008 - 08:58
User Badges:

Andrew,

In the above configuration what does the "ip dhcp snooping limit rate 100" command do?



Mario

Marwan ALshawi Wed, 08/13/2008 - 18:47
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, December 2015

The ip dhcp snooping limit rate command configures the number of DHCP packets per second (pps) that an interface can receive.

Hope this is helpful.
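Andy's earlier post explains the two things snooping buys you on Layer-2 host ports (blocking rogue DHCP servers and rate-limiting a host that floods DHCP), and the reply above describes what the rate limit command counts. The model below is an added example for this page, not Cisco's implementation: it is a simplified switch in which untrusted ports may only carry client messages and a port that exceeds the per-second limit is placed in err-disable, which is what IOS does when the snooping rate limit is exceeded. Port names and the replayed traffic are constructed; routed uplinks deliberately never enter this code path, matching the thread's point that snooping does not apply to them.

```python
"""Behavioural model of DHCP snooping on one access switch: untrusted ports
may only carry client messages, and a per-port rate limit err-disables a port
that floods DHCP. Hypothetical example code, not Cisco's implementation; the
port names and traffic below are constructed for illustration."""
from collections import defaultdict

# Messages only a DHCP server sends; one arriving on an untrusted port means a
# rogue server (or a port that should have been trusted and was not).
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit=100):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit
        self.errdisabled = set()
        self.pps = defaultdict(int)  # (port, second) -> client DHCP packets seen
        self.events = []

    def receive(self, port, message, second):
        """Decide 'forward' or 'drop' for one DHCP message seen on a Layer-2
        switchport. Routed uplinks never reach this method: DHCP there is
        relayed unicast traffic and snooping is not applied."""
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted:
            return "forward"  # server-facing port: everything passes
        if message in SERVER_MESSAGES:
            self.events.append(f"{port}: dropped {message} from untrusted port")
            return "drop"
        self.pps[(port, second)] += 1
        if self.pps[(port, second)] > self.rate_limit:
            self.errdisabled.add(port)
            self.events.append(f"{port}: exceeded {self.rate_limit} pps, err-disabled")
            return "drop"
        return "forward"


def run_demo():
    """Replay constructed traffic; return per-port forward/drop counts and
    the switch's event log."""
    sw = SnoopingSwitch(trusted_ports={"FastEthernet0/24"}, rate_limit=100)
    traffic = [
        # normal exchange: client on Fa0/1, server on the trusted Fa0/24
        ("FastEthernet0/1", "DISCOVER", 0), ("FastEthernet0/24", "OFFER", 0),
        ("FastEthernet0/1", "REQUEST", 0), ("FastEthernet0/24", "ACK", 0),
        # a host port answering as a server: rogue DHCP server
        ("FastEthernet0/2", "OFFER", 1),
    ]
    # an infected host sending 150 DISCOVERs within one second
    traffic += [("FastEthernet0/3", "DISCOVER", 2)] * 150
    # the same port one second later: already err-disabled, still dropped
    traffic += [("FastEthernet0/3", "DISCOVER", 3)]
    results = defaultdict(lambda: {"forward": 0, "drop": 0})
    for port, message, second in traffic:
        results[port][sw.receive(port, message, second)] += 1
    return {port: dict(counts) for port, counts in results.items()}, sw.events


if __name__ == "__main__":
    counts, events = run_demo()
    for port, c in counts.items():
        print(f"{port}: forwarded {c['forward']}, dropped {c['drop']}")
    for event in events:
        print(event)
```

The replay forwards the legitimate exchange on FastEthernet0/1 and FastEthernet0/24, drops the OFFER from the untrusted FastEthernet0/2, and lets exactly 100 DISCOVERs through on FastEthernet0/3 before err-disabling it, so the pool is protected from the flood and the port stays down until an operator (or errdisable recovery) brings it back.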
