dhcp snooping

Jacob Samuel · ‎05-11-2010

Hi Friends,

I have to enable dhcp snooping in our production network. I want to enable dhcp snooping on one vlan only.I did the following configuration on one of the edge switch which is in tetsting purpose-

Testing Edge Switch

!

ip dhcp snooping vlan 10

ip dhcp snooping

ip dhcp snooping information options

!

int gig 0/1

des *** connect to core1 ****

ip dhcp snooping trust

sw mode trunk

!

int gig 0/2

des *** connect to core2 ****

ip dhcp snooping trust

sw mode trunk

!

I connected my testing pc to the switch but it is not getting IP Address.

On the Core i didnt enable dhcp snooping till now, since it is in production. Do i need to enable dhcp snooping configuration and the uplink ports & dhcp server port as trusted ports aslo? then only it will work?

And do we need to configure dhcp database agent also, is it a must?

Appreciate your valuable input ASAP

Thanks and Regards

Sunny

Peter Paluch · ‎05-11-2010

Hello,

With the DHCP Snooping, the switch performing this function inserts a DHCP Option-82 (the DHCP Relay Information option) into all DHCP packets received on untrusted ports in order to identify where does a particular DHCP request come from. The DHCP server copies the value of this option into its replies. This way, a switch can forward the DHCP response to the exact port from which the original request came.

However, while an access layer switch performing the DHCP Snooping inserts the DHCP Option-82 into relayed DHCP packets, it does not populate the request's Relay Agent IP address field (the GIADDR field) and it remains set to 0.0.0.0. Some DHCP server implementations, including the one in the Cisco IOS, perform sanity checks on received DHCP requests before responding to them. Normally, it is considered invalid to receive a DHCP packet that contains the Option 82 but whose GIADDR field is set to 0.0.0.0. Such packets are dropped by the IOS DHCP server, and this may be the cause of your problems.

In order to solve this problem, you should configure your DHCP server to also accept DHCP packets having Option-82 present without having the GIADDR field set. On Cisco devices running DHCP server, this can be done either in the global configuration mode using the command ip dhcp relay information trust-all or on a particular Layer3 interface (routed port, SVI) using the command ip dhcp relay information trusted.

Let us know if this worked for you.

You do not need to enable DHCP Snooping on other switches. The DHCP Snooping is usually deployed as an access layer protection technique. Once the DHCP requests has been sanitized at the network edge, there is no real increase in security if running the DHCP Snooping deeper in the network. You also do not need the DHCP database agent for the DHCP Snooping to work.

Best regards,

Peter

Jacob Samuel · ‎05-22-2010

Hi Peter,

Thanks a lot for the detailed update.

I completed the task last week, and below are the config i did on all my edge switches-

ip dhcp-snooping vlan 10

no ip dhcp snooping information options

ip dhcp snooping

!

int range fa 0/1-48

ip dhcp snooping limit rate 100

!

int range gig 0/1-2

ip dhcp snooping trust

!

no ip dhcp snooping information options is the only command i added later in the edge swtiches to make this work fro the LAN.

I did not enable dhcp snooping on the core devices, only enabled on the access layer Edge Switcehs.

if i use

# sh ip dhcp snooping database

it is not giving any details.

But I can see the dhcp snooping entries by using

#sh ip dhcp snooping binding database

Can you pleaes tell me if it is the normal behavior only? And how can i confirm that the dhcp snooping is working in a way which i exactly want?

regards

Sunny

ramji_avinash · ‎05-23-2010

Hi Sunny,

The only thing u can do is u can enable ip dhcp snooping in vlan 10 and enable trust only only on the port where the dhcp server is connected !!! i think this should resolve the problem or else u can even add ip dhcp snooping information options as it would forward the the request to a trusted server .