08-12-2008 02:25 PM - edited 03-06-2019 12:45 AM
I have a C/D/A architecture, all routed links; we want to implement DHCP snooping throughout the company, however, all the documentation I've seen relates to L2 uplinks from the Access tier.
Will DHCP snooping work if the Access tier has routed uplinks? What does the configuration look like, how can I configure individual interfaces (not vlans) as uplinks?
08-13-2008 12:43 AM
Yes, DHCP snooping will work in the Layer-3 to the edge environment you describe. Since you have routed uplinks then you don't need the 'ip dhcp snooping trust' interface command on these links - you don't need any additional configuration at all.
I have this deployed in my 'test' environment and it works perfectly. You still need to apply 'trust' to the actual layer-2 switchports where the DHCP servers are connected. Additionally, I also apply the best-practice DHCP snooping rate limit of 100 pps:
ip dhcp snooping limit rate 100
A typical access port will look like:
interface FastEthernet0/1
 switchport
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 100
A routed uplink will look like:
interface GigabitEthernet0/1
 no switchport
 ip address 192.168.255.1 255.255.255.252
You would also globally enable DHCP snooping as well as for each VLAN you wish to enable it on. Also if you are using Windows 2000/2003 DHCP servers you need to disable the Option 82 insertion:
ip dhcp snooping vlan 10,100
no ip dhcp snooping information option
ip dhcp snooping
Obviously in your Distribution & Core switches there is no additional configuration needed for DHCP snooping since it is purely the job of the access switches where your DHCP clients are.
HTH
Andy
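An added example, not part of the post above or of any Cisco tooling: a Python check that audits a saved access-switch configuration against the points in that answer (global enable, snooped VLANs, a rate limit on untrusted Layer-2 ports, nothing required on routed uplinks). The sample config is constructed, and the script assumes access ports only (no trunks).

```python
import re
# Constructed access-switch config for illustration; not taken from a real device.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10,100
ip dhcp snooping
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 100
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
interface FastEthernet0/24
 switchport access vlan 100
 ip dhcp snooping trust
interface GigabitEthernet0/1
 no switchport
 ip address 192.168.255.1 255.255.255.252
"""

def parse_interfaces(config):  # map each interface name to its sub-commands
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # back at global configuration level
    return interfaces

def audit(config):  # findings for Layer-2 ports; routed ports are skipped
    findings, vlans = [], set()
    if not re.search(r"^ip dhcp snooping$", config, re.M):
        findings.append("global: 'ip dhcp snooping' is missing")
    for spec in re.findall(r"^ip dhcp snooping vlan (\S+)$", config, re.M):
        for part in spec.split(","):  # handles lists (10,100) and ranges (10-12)
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    for name, cmds in parse_interfaces(config).items():
        if "no switchport" in cmds:
            continue  # routed uplink: needs no snooping configuration
        # an access port with no explicit VLAN sits in VLAN 1
        vlan = next((int(c.split()[-1]) for c in cmds if c.startswith("switchport access vlan ")), 1)
        if vlan not in vlans:
            findings.append(f"{name}: VLAN {vlan} is not in the snooping VLAN list")
        limited = any(c.startswith("ip dhcp snooping limit rate ") for c in cmds)
        if "ip dhcp snooping trust" not in cmds and not limited:
            findings.append(f"{name}: untrusted port has no rate limit")
    return findings
```

On the constructed sample, only FastEthernet0/2 is flagged: its VLAN is outside the snooping list and it has no rate limit.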
08-12-2008 04:47 PM
If you are going to work on L3 you don't need snooping, you need ip helper,
so you are going to put in the DHCP server IP manually!
08-13-2008 01:11 AM
Then Andy,
agree with me: in L3 there is no need for DHCP snooping,
such as on routed interfaces,
only for the layer 2 interfaces.
On layer three SVIs you need only ip dhcp helper.
08-13-2008 01:18 AM
Yes, in a COMPLETELY routed environment then you don't need DHCP Snooping, just IP Helpers. However in this environment they have Layer-2 switchports at the access-layer where hosts are attached, this is where DHCP snooping is needed to prevent rogue DHCP servers from being able to issue IP addresses or to mitigate infected hosts from starving the DHCP pools (using the DHCP snooping rate limit feature).
Andy
08-13-2008 08:58 AM
Andrew,
In the above configuration what does the "ip dhcp snooping limit rate 100" command do?
Mario
08-13-2008 06:47 PM
The ip dhcp snooping limit rate command
configures the number of DHCP packets per second (pps) that an interface can receive.
Hope this is helpful.