DHCP snooping

Unanswered Question
Mar 16th, 2009

What's the relationship between option 82 and DHCP snooping?

You can choose not to insert option 82. But why wouldn't you?


On the access switches it's required to configure:

    ip dhcp snooping
    ip dhcp snooping vlan x y

and on trunks:

    ip dhcp snooping trust


but do you have to configure something on the distribution layer or on an aggregation switch?


What if an access switch is not configured for DHCP snooping in a 'DHCP snooping configured' network? Will these clients be able to receive an IP? Will the switch understand option 82?


Thanks in advance

b.julin Mon, 03/16/2009 - 09:01

We had to put "no ip dhcp snooping information option" in because it was causing our DHCP servers grief.


DHCP snooping is local to the switch; you don't have to run it on intervening switches at all. It's very useful on the 35xx chassis with "ip verify source" as long as you know nobody is supposed to be hooking up minihubs. The 2960s don't support that, but they still keep spoofs off the network.


Do note you also have to put a trust statement on the ports connected to your DHCP servers, not just uplinks. :-)
jandebruyn1976 Tue, 03/17/2009 - 05:51

Thus if my DHCP server is in the DMZ zone, then I don't need to configure DHCP snooping on that switch?



b.julin Tue, 03/17/2009 - 06:16
Just as long as any switch that is running DHCP snooping is trusting any ports that replies from the DHCP server come in on, no other switch needs to be configured in any way.


I think the option 82 stuff still happens in the relay agent -- it is just that whatever DHCP snooping does additionally to option 82 seems to bollox things up on some servers. I may be wrong there, but I don't think you have to turn off option 82 anywhere but in the dhcp snooping config on switches running dhcp snooping, and depending on your servers, you may not even have to do that.


Just if you decide to use SCP for your switch database there are a few nuances -- you have to start with a tftp file and get it working, then switch to SCP to get a successful first write, then everything works normally.


For anything SSH related, I recommend 46SE or 50SE, a lot of the previous builds had memory issues in the SSH code.




martin.belisle@... Mon, 01/18/2010 - 06:25

Anyone know if the core switch configured as a relay with ip helper needs to be configured with IP snooping?


We have this issue where our DHCP server had a connection in every VLAN. Now we just moved to a DHCP server in a secured zone with DHCP relays and ip helper on the layer 3 core switch, but it's not working. Right now DHCP snooping is only enabled on the access switches and I'm starting to think it needs to be enabled on the core as well. This is confusing.

b.julin Mon, 01/18/2010 - 07:28

On the core you may need to tweak the relay to allow option 82 through. Depends on exactly how you want it to work but this should get you started:

    ip dhcp relay information policy keep
    no ip dhcp relay information check
    ip dhcp relay information trust-all

If you don't do that it will drop DHCP packets that have option-82, and if your edge switches are attaching the option, that will be all packets.

Note you can also do this on a per-interface basis; the above commands allow 82 through globally.

You could also go to each edge switch and issue "no ip dhcp snooping information option" but it's easier to change the core and you might want option 82 in the future.

In that case, if the IOS is new enough on the edge, then on all downlinks from one edge switch to the deeper one in the stack, issue:

    ip dhcp-snooping information option allow-untrusted

If IOS is not new enough you will have to:

    ip dhcp-snooping trust

Note that this is in the opposite direction -- downlinks -- from the normal "ip dhcp-snooping trust" statement which you need to get dhcp-snooping to work on uplinks.

Ganesh Hariharan Mon, 01/18/2010 - 07:15

Hi,


DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted DHCP message is a message that is received from outside the network or firewall, causing denial-of-service attacks.


Option 82 is the Relay Agent Information Option as described in RFC 3046, used to insert circuit-specific information into a request that is being forwarded to a DHCP server. In its default configuration, the DHCP Relay Agent Information Option passes along port and agent information to a central DHCP server. It is useful in statistical analysis, as well as indicating where an assigned IP address physically connects to the network.


The first step to configure DHCP snooping is to turn on DHCP snooping in all Cisco switches using the "ip dhcp snooping" command:

    AllCiscoSwitches(config)# ip dhcp snooping


The second step is to configure the trusted interfaces on trunk ports, also so as to reach the DHCP server.


An interface not explicitly configured as a trusted interface is treated as an untrusted interface.


    ciscoswitch(config)# interface fa0/0
    ciscoswitch(config-if)# ip dhcp snooping trust


Hope that clears up your query!


If helpful, do rate the valuable post.


Regards

Ganesh.H
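Both b.julin's relay-agent post and Ganesh's RFC 3046 summary above come down to one rule in the relay: a DHCP packet that already carries option 82 but still has giaddr = 0 (which is exactly what a snooping access switch produces, since it inserts the option without acting as a relay) is dropped unless the relay has been told to trust it. The script below is an added example, not code from this thread or from Cisco: it builds a sample DHCPDISCOVER, emulates a DHCP-snooping access switch inserting option 82 with circuit-id and remote-id sub-options, and applies the relay's accept/drop decision and forwarding step. The `trusted` flag stands in for the `ip dhcp relay information trust-all` / `allow-untrusted` settings discussed in the thread, and the circuit-id and remote-id strings are constructed for readability (real switches use a vendor-specific binary encoding for them).

```python
import struct

BOOTREQUEST = 1
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82          # RFC 3046 Relay Agent Information option
OPT_PAD = 0
OPT_END = 255
SUB_CIRCUIT_ID = 1            # RFC 3046 sub-option 1
SUB_REMOTE_ID = 2             # RFC 3046 sub-option 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO_IP = b"\x00\x00\x00\x00"
DHCPDISCOVER = 1


def build_discover(xid: int, client_mac: bytes) -> bytes:
    """Constructed sample DHCPDISCOVER as a client sends it: giaddr is zero."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,          # op, htype, hlen, hops, xid, secs, flags
        ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP,            # ciaddr, yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    return fixed + MAGIC_COOKIE + options + bytes([OPT_END])


def giaddr(packet: bytes) -> bytes:
    """Relay agent IP field, bytes 24..27 of the BOOTP fixed header."""
    return packet[24:28]


def parse_options(packet: bytes) -> dict:
    """Walk the TLV option area after the magic cookie; returns {code: value}."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_option82(value: bytes) -> dict:
    """Split the option 82 value into its sub-options: {sub_code: value}."""
    subs, i = {}, 0
    while i < len(value):
        sub, length = value[i], value[i + 1]
        subs[sub] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def snooping_switch_insert(packet: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Emulate a DHCP-snooping access switch: append option 82, leave giaddr at zero."""
    if packet[-1] != OPT_END:
        raise ValueError("expected END option as the last byte")
    sub_opts = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
                + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return (packet[:-1] + bytes([OPT_RELAY_AGENT, len(sub_opts)]) + sub_opts
            + bytes([OPT_END]))


def relay_decision(packet: bytes, trusted: bool = False) -> str:
    """RFC 3046 2.1.1: option 82 present with giaddr == 0 is dropped unless trusted."""
    opts = parse_options(packet)
    if OPT_RELAY_AGENT in opts and giaddr(packet) == ZERO_IP and not trusted:
        return "drop"
    return "forward"


def relay_forward(packet: bytes, relay_ip: bytes, trusted: bool = False):
    """Relay step: set giaddr to the relay's address and keep option 82 as received
    (the 'policy keep' behaviour); returns None when the packet is dropped."""
    if relay_decision(packet, trusted) == "drop":
        return None
    return packet[:24] + relay_ip + packet[28:]


def demo() -> dict:
    client = build_discover(0x1234, bytes.fromhex("001122334455"))       # constructed
    from_edge = snooping_switch_insert(client, b"vlan10-fa0/7", b"edge-sw1")
    return {
        "untrusted": relay_decision(from_edge, trusted=False),
        "trusted": relay_decision(from_edge, trusted=True),
        "no_opt82": relay_decision(client, trusted=False),
        "circuit_id": parse_option82(parse_options(from_edge)[OPT_RELAY_AGENT])[SUB_CIRCUIT_ID],
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the untrusted case returns "drop" while the trusted case and the packet without option 82 both forward, which is the symptom martin.belisle described once snooping was enabled at the edge but the core relay was left at its defaults.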
