Design questions for DHCP Snooping

Unanswered Question
Oct 20th, 2009

Hi,

We need to implement DHCP snooping on our network to protect our DHCP architecture, and also meet the pre-requisites for Dynamic ARP inspection and IP Source Guard.

I have a few questions regarding DHCP Snooping.

1) I have read elsewhere that when you enable "DHCP Snooping" in global config, all ports are automatically set to untrusted. Would I be correct in saying that if I pre-configure a port connecting to a DHCP server as "dhcp snooping trust" prior to enabling "dhcp snooping" in global config, DHCP replies will continue unaffected?

2) I understand that interswitch links need to be configured with "dhcp snooping trust". Do I need to configure this on all links between the various switch blocks, e.g. Server Farm, Core and Distribution Layers?

3) Can DHCP Snooping be enabled without affecting services? (I'm repeating myself a little here, I know.) For example, if I pre-configure all the interswitch links (if required) as trusted links and all ports that connect to DHCP servers as trusted links, can I then enable "dhcp snooping" and "dhcp snooping vlan x" without impacting the operational DHCP service?

Thanks in advance.

Giuseppe Larosa Wed, 10/21/2009 - 06:14

Hello Chris,

1) This should be tested in a lab environment; the command could even be rejected if DHCP snooping is not enabled globally first.

Or it could be accepted, with the global config command being implicitly enabled.

In the command reference I've found a note:

DHCP snooping is enabled on a VLAN only if both global snooping and the VLAN snooping are enabled.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/44sg/command/reference/int_sess.html#wp1975695

2) Yes, you need to trust inter-switch links at both ends of the link if DHCP snooping is also enabled at distribution (see the following considerations).

3) Be careful, DHCP snooping should be deployed at access layer only if possible (if a strict hierarchy is used in your campus).

Other colleagues have reported very high cpu usage on core C6500 switches after having enabled DHCP snooping.

Again, if your network is strictly hierarchical, no client vlan ports should be present on distribution and core switches.

Hope to help

Giuseppe

cbeswick Wed, 10/21/2009 - 23:03

Many thanks for your reply Giuseppe.

We are using Supervisor 720-3B in our 6500s on software 12.2(18)SXF8, and will be upgrading to 12.2(33)SXH very soon. I have tested some dhcp snooping config by setting interswitch links, and ports that connect to DHCP servers, as trusted, followed by the two global config commands "ip dhcp snooping" and "ip dhcp snooping vlan x", and it appears to work fine.

I am a little confused about your last statement, "DHCP snooping should be deployed at access layer only if possible".

We do employ a strict hierarchical design where access layer Vlans terminate on access layer switches, aggregated by dual distribution layer switches, which are all in turn connected via 2 6509 core switches. A similar dual distribution layer aggregates a number of access layer switches providing connectivity to our server farm.

In order to rollout dhcp snooping across the campus (using Vlan 10 as an example), I would expect to deploy the following:

Access Layer

------------

1) Enable "ip dhcp snooping trust" on the two uplinks to the distribution layer.

2) Disable option 82 with "no ip dhcp snooping information option"

3) Enable dhcp snooping with "ip dhcp snooping" and "ip dhcp snooping vlan 10"

Distribution Layer

------------------

1) Enable "ip dhcp snooping trust" on all links to every access switch, the etherchannel connecting to the other resilient distribution switch and the links to the core.

2) Disable option 82 with "no ip dhcp snooping information option"

3) Enable "ip dhcp snooping" and "ip dhcp snooping vlan 10"

Core Layer

----------

1) Enable "ip dhcp snooping trust" on all links to every distribution switch (including that which aggregates the server access layer), and also on the link to the other core switch.

2) Disable option 82 with "no ip dhcp snooping information option"

3) Enable "ip dhcp snooping" and "ip dhcp snooping vlan 10"

In addition to this I would also then configure "ip dhcp snooping trust" on the server switch port that connects to our DHCP Servers and also on the uplinks to its distribution switch block.

Apologies for the long post.

Giuseppe Larosa Thu, 10/22/2009 - 05:32

Hello Chris,

>> I am a little confused about your last statement, "DHCP snooping should be deployed at access layer only if possible".

Look at your action plan:

You are going to enable IP DHCP snooping on your distribution and core switches with all interesting ports trusted.

For this reason I would consider enabling it only at the access layer.

If no end users are on core switches, you don't need it.

If no end-user ports are on distribution switches, again you don't need it.

Hope to help

Giuseppe

cbeswick Thu, 10/22/2009 - 05:56

Thanks again Giuseppe.

Thinking about it this makes perfect sense. I just need to enable DHCP snooping on the DHCP server ports (in line with enabling dhcp snooping on access switches as discussed), and trust the uplinks, leaving the core / distribution alone.

blue phoenix Mon, 10/03/2016 - 07:03

Hi all,

Just did a lab where I have a user vlan 30 on another switch block and a dhcp server in vlan 10 (a router) on another switch block. The switch blocks communicate via the 2 core routers.

I also had trouble finding out where to enable the dhcp snooping feature. With hit-and-miss configs, what I did was enable these 3 global commands on the access switch on the user side, or vlan 30 (it's an L3 switch because I need to enable the L0 interface for management).

ip dhcp snooping vlan 30
no ip dhcp snooping information option
ip dhcp snooping

and then enable ip dhcp snooping trust on the uplink port to the distribution switch.

interface Ethernet2/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust

From there, I would just remove "ip add dhcp" and add "ip add dhcp" again on the interface of my router that emulates the PC of the user in vlan 30.

The router successfully acquires the IP address.

Are these the proper steps to implement this? No need to put ip dhcp snooping or ip dhcp snooping trust on the ports that connect to the DHCP server?

Cheers,
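As an added example (not code from anyone in this thread), here is a small Python audit of the access-layer plan settled on above and of the lab config in the last post: it reads a running-config excerpt and checks that global "ip dhcp snooping", the "ip dhcp snooping vlan" entry and "no ip dhcp snooping information option" are present, and that exactly the planned uplink / DHCP-server ports carry "ip dhcp snooping trust". The running-config excerpt and the interface names are constructed for the example.

```python
import re

# Constructed running-config excerpt (not from the thread), modelled on the
# access-layer plan above: snoop VLAN 30, option 82 off, trust only the uplink.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 30
no ip dhcp snooping information option
ip dhcp snooping
!
interface Ethernet2/1
 switchport mode trunk
 ip dhcp snooping trust
!
interface Ethernet1/5
 switchport access vlan 30
!
"""

def parse_config(config):
    """Return (set of global commands, dict of interface name -> its commands)."""
    globals_ = {l for l in config.splitlines() if l and not l.startswith((" ", "!", "interface "))}
    interfaces = {name: [l.strip() for l in body.splitlines()]
                  for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)}
    return globals_, interfaces

def snooped_vlans(globals_):
    """Expand 'ip dhcp snooping vlan 10,30-32' style lines into a set of VLAN ids."""
    vlans = set()
    for m in filter(None, (re.fullmatch(r"ip dhcp snooping vlan ([\d,-]+)", g) for g in globals_)):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dhcp_snooping(config, vlan, planned_trusted):
    """Return a list of findings; an empty list means the config matches the plan."""
    globals_, interfaces = parse_config(config)
    trusted = {n for n, cmds in interfaces.items() if "ip dhcp snooping trust" in cmds}
    checks = [  # (condition that must hold, finding reported when it does not)
        ("ip dhcp snooping" in globals_, "global 'ip dhcp snooping' missing: no VLAN is snooped"),
        (vlan in snooped_vlans(globals_), f"VLAN {vlan} not listed under 'ip dhcp snooping vlan'"),
        ("no ip dhcp snooping information option" in globals_, "option 82 insertion still enabled"),
    ]
    checks += [(p in trusted, f"{p} untrusted: DHCP replies arriving there are dropped") for p in planned_trusted]
    checks += [(False, f"{p} trusted but not in the plan: snooping is bypassed there")
               for p in sorted(trusted - set(planned_trusted))]
    return [msg for ok, msg in checks if not ok]
```

Run it against the output of "show running-config" with the VLAN and the list of ports you intend to trust (uplinks, and the DHCP server ports on the server access switch); any port that is trusted but not on that list is worth a second look.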
