DHCP Snooping in a full L3 environment

mbonner
Level 1

I have a C/D/A architecture, all routed links; we want to implement DHCP snooping throughout the company, however, all the documentation I've seen relates to L2 uplinks from the Access tier.

Will DHCP snooping work if the Access tier has routed uplinks? What does the configuration look like, how can I configure individual interfaces (not vlans) as uplinks?

Accepted Solution

Yes, DHCP snooping will work in the Layer-3 to the edge environment you describe. Since you have routed uplinks you don't need the 'ip dhcp snooping trust' interface command on these links - you don't need any additional configuration on them at all.

I have this deployed in my 'test' environment and it works perfectly. You still need to apply 'trust' to the actual layer-2 switchports where the DHCP servers are connected. Additionally I also apply the best-practice DHCP snooping rate limit of 100 pps:

ip dhcp snooping limit rate 100

A typical access port will look like:

interface FastEthernet0/1
 switchport
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 100

A routed uplink will look like:

interface GigabitEthernet0/1
 no switchport
 ip address 192.168.255.1 255.255.255.252

You would also globally enable DHCP snooping as well as enable it for each VLAN you wish to protect. Also, if you are using Windows 2000/2003 DHCP servers you need to disable the Option 82 insertion:

ip dhcp snooping vlan 10,100
no ip dhcp snooping information option
ip dhcp snooping

Obviously in your Distribution & Core switches there is no additional configuration needed for DHCP snooping, since it is purely the job of the access switches where your DHCP clients are.

HTH

Andy


6 Replies

Marwan ALshawi
VIP Alumni

If you're going to work on L3 you don't need snooping, you need ip helper.

So you're going to put the DHCP server IP in manually!


Then Andy, agree with me: in L3 there is no need for DHCP snooping, such as on routed interfaces, only for the layer 2 interfaces.

On layer three SVIs you need only ip dhcp helper.

Yes, in a COMPLETELY routed environment you don't need DHCP Snooping, just IP Helpers. However, in this environment they have Layer-2 switchports at the access layer where hosts are attached, and this is where DHCP snooping is needed to prevent rogue DHCP servers from being able to issue IP addresses, or to stop infected hosts from starving the DHCP pools (using the DHCP snooping rate limit feature).

Andy

Andrew,

In the above configuration what does the "ip dhcp snooping limit rate 100" command do?

Mario

The ip dhcp snooping limit rate command configures the number of DHCP packets per second (pps) that an interface can receive.

Hope this is helpful.
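As an added illustration, not code from any post in this thread, here is a small Python model of the two behaviours Andy describes: DHCP server messages (OFFER/ACK/NAK) arriving on an untrusted switchport are dropped, and a port that receives more DHCP packets per second than its 'limit rate' is put into err-disable. The class, port names and timing values are assumptions made for the example.

```python
from collections import deque

# DHCP message types: RFC 2132 option 53 values
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MESSAGES = {OFFER, ACK, NAK}  # only a legitimate DHCP server should send these


class DhcpSnoopingPort:
    """Hypothetical model of one access switchport under DHCP snooping (not IOS code)."""

    def __init__(self, name, trusted=False, limit_pps=None):
        self.name = name
        self.trusted = trusted        # 'ip dhcp snooping trust' applied to this port
        self.limit_pps = limit_pps    # 'ip dhcp snooping limit rate N' (None = unlimited)
        self.err_disabled = False
        self._window = deque()        # arrival times of DHCP packets in the last second

    def receive(self, msg_type, now):
        """Decide 'forward', 'drop' or 'err-disable' for one DHCP packet arriving at time now (s)."""
        if self.err_disabled:
            return "drop"             # an err-disabled port passes nothing
        if self.limit_pps is not None:
            self._window.append(now)
            while self._window and now - self._window[0] >= 1.0:
                self._window.popleft()            # keep a trailing one-second window
            if len(self._window) > self.limit_pps:
                self.err_disabled = True          # rate exceeded: port goes err-disable
                return "err-disable"
        # Untrusted ports carry client traffic only; server replies from them are rogue.
        if not self.trusted and msg_type in SERVER_MESSAGES:
            return "drop"
        return "forward"


def demo():
    """Exercise a host port, a trusted server port and a host flooding DISCOVERs."""
    host_port = DhcpSnoopingPort("FastEthernet0/1", trusted=False, limit_pps=100)
    server_port = DhcpSnoopingPort("FastEthernet0/24", trusted=True, limit_pps=100)
    flood_port = DhcpSnoopingPort("FastEthernet0/2", trusted=False, limit_pps=100)
    results = {
        "client_discover": host_port.receive(DISCOVER, 0.0),   # normal client: forward
        "rogue_offer": host_port.receive(OFFER, 0.1),          # rogue server: drop
        "real_offer": server_port.receive(OFFER, 0.1),         # trusted port: forward
    }
    # Constructed flood: 110 DISCOVERs within about half a second trips the 100 pps limit.
    flood = [flood_port.receive(DISCOVER, i * 0.005) for i in range(110)]
    results["flood_errdisable_index"] = flood.index("err-disable")  # 101st packet
    results["flood_last"] = flood[-1]                               # dropped afterwards
    return results
```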
