Questions about DHCP Snooping

Answered Question
Mar 20th, 2009

Hi!


I have some questions about DHCP snooping:

If I have a DHCP server locally on my 3750, is any interface on that switch considered Trusted? I route all the VLANs in the same switch...

If I connect a Wireless LAN Controller to that same 3750, how should I treat that port? I guess the WLC is a relay-agent?


Regards

Johan

Correct Answer by davy.timmermans about 8 years 1 month ago

A DHCP offer cannot come from a DHCP untrusted port, and as your WLC doesn't assign IP addresses, this port shouldn't be trusted.

Overall Rating: 3 (1 ratings)
Giuseppe Larosa Fri, 03/20/2009 - 01:05

Hello Johan,

When you enable DHCP snooping, the default state of all ports is untrusted.

You need to turn them to trusted where needed.

For example, the port where the WLAN controller connects has to be made trusted or wireless users cannot get an IP address.


Hope to help

Giuseppe



jmandersson Fri, 03/20/2009 - 01:29

Hi Giuseppe,


But why should a port where the WLAN controller connects be considered Trusted?

Wouldn't that mean that I trust every client on the WLAN?


/johan



Giuseppe Larosa Fri, 03/20/2009 - 03:42

Hello Johan,

Not sure about the WLAN controller, but all ports where multiple DHCP requests are expected should be configured as trusted.


So the question becomes how the client traffic is sent to the wired infrastructure.


You can implement wireless specific authentication methods to allow access only to legitimate users.


Hope to help

Giuseppe


jmandersson Fri, 03/20/2009 - 03:51

"all ports where multiple DHCP requests are expected should be configured as trusted."

Thanks, it was an answer like that that I was looking for!


Thanks /johan

davy.timmermans Fri, 03/20/2009 - 06:07

Personally I think that the port to the WLC controller should be untrusted as the WLC controller doesn't act as DHCP server.


All ports to the DHCP servers should be trusted.


Thus, if your DHCP server is on another segment, you need to trust all intermediate trunks + the port of the DHCP server.





Correct Answer
davy.timmermans Fri, 03/20/2009 - 10:37

A DHCP offer cannot come from a DHCP untrusted port, and as your WLC doesn't assign IP addresses, this port shouldn't be trusted.
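
The rule in the accepted answer, as an added example that is not from any participant in this thread and is not Cisco's implementation: a simplified Python model of how DHCP snooping filters messages by port trust, including the relay-agent case raised in the question. The port names, MAC addresses, IP addresses and the external DHCP server on a trusted port are constructed assumptions.

```python
# Simplified model of DHCP snooping's per-port filter (illustration only).
# Port names, MACs and IPs below are constructed sample values.
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # every other port is untrusted
        self.pending = {}                  # client MAC -> port the request came in on
        self.bindings = {}                 # client MAC -> (leased IP, client port)

    def receive(self, port, msg_type, chaddr, src_mac=None,
                giaddr="0.0.0.0", yiaddr=None):
        """Return 'forward' or 'drop' for one DHCP message arriving on `port`."""
        if port not in self.trusted:
            if msg_type in SERVER_MSGS:
                return "drop"   # server replies are only accepted on trusted ports
            if giaddr != "0.0.0.0":
                return "drop"   # already-relayed packet arriving on an untrusted port
            if src_mac is not None and src_mac != chaddr:
                return "drop"   # frame source MAC differs from DHCP client MAC
            if msg_type in ("DHCPDISCOVER", "DHCPREQUEST"):
                self.pending[chaddr] = port
        elif msg_type == "DHCPACK" and chaddr in self.pending:
            # Binding is learned from the ACK seen on a trusted port.
            self.bindings[chaddr] = (yiaddr, self.pending.pop(chaddr))
        return "forward"

def demo():
    srv, wlc = "Gi1/0/1", "Gi1/0/10"       # server uplink trusted, WLC port untrusted
    sw = SnoopingSwitch(trusted_ports={srv})
    client = "00:11:22:33:44:55"
    results = [
        sw.receive(wlc, "DHCPDISCOVER", client),                  # wireless client asks
        sw.receive(srv, "DHCPOFFER", client, yiaddr="10.0.0.50"),
        sw.receive(wlc, "DHCPREQUEST", client),
        sw.receive(srv, "DHCPACK", client, yiaddr="10.0.0.50"),
        # A rogue DHCP server somewhere behind the WLC port:
        sw.receive(wlc, "DHCPOFFER", "66:77:88:99:aa:bb", yiaddr="192.168.66.7"),
        # The WLC relaying (giaddr set) through an untrusted port:
        sw.receive(wlc, "DHCPDISCOVER", client, giaddr="10.0.0.2"),
    ]
    return results, sw.bindings

if __name__ == "__main__":
    print(demo())
```

Client requests pass through the untrusted WLC port and still get a lease, while an offer arriving on that port is dropped; the last case shows why the answer depends on whether the WLC relays DHCP rather than bridging it.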
