03-16-2009 03:03 AM - edited 03-06-2019 04:36 AM
What's the relationship between option 82 and DHCP snooping?
You can choose not to insert option 82. But why wouldn't you?
On the access switches it's required to configure:
ip dhcp snooping
ip dhcp snooping vlan x y
and on trunks:
ip dhcp snooping trust
but do you have to configure something on the distribution layer or on an aggregation switch?
What if an access switch is not configured for DHCP snooping in a 'DHCP snooping configured' network? Will these clients be able to receive an IP? Will the switch understand option 82?
Thanks in advance
03-16-2009 09:01 AM
We had to put "no ip dhcp snooping information option" in because it was causing our DHCP servers grief.
DHCP snooping is local to the switch, you don't have to run it on intervening switches at all. It's very useful on the 35xx chassis with "ip verify source" as long as you know nobody is supposed to be hooking up minihubs. The 2960s don't support that, but they still keep spoofs off the network.
Do note you also have to put a trust statement on the ports connected to your DHCP servers, not just uplinks. :-)
03-17-2009 05:51 AM
Thus if my DHCP server is in the DMZ zone, then I don't need to configure DHCP snooping on that switch?
03-17-2009 06:16 AM
Just as long as any switch that is running DHCP snooping is trusting any ports that replies from the DHCP server come in on, no other switch needs to be configured in any way.
I think the option 82 stuff still happens in the relay agent -- it is just that whatever DHCP snooping does additionally to option 82 seems to bollox things up on some servers. I may be wrong there, but I don't think you have to turn off option 82 anywhere but in the dhcp snooping config on switches running dhcp snooping, and depending on your servers, you may not even have to do that.
Just if you decide to use SCP for your switch database there are a few nuances -- you have to start with a tftp file and get it working, then switch to SCP to get a successful first write, then everything works normally.
For anything SSH related, I recommend 46SE or 50SE, a lot of the previous builds had memory issues in the SSH code.
01-18-2010 06:25 AM
Anyone know if the core switch configured as a relay with ip helper needs to be configured with IP snooping?
We had this issue where our DHCP server had a connection in every VLAN. Now we just moved to a DHCP server in a secured zone with DHCP relays and ip helper on the layer 3 core switch, but it's not working. Right now DHCP snooping is only enabled on the access switches and I'm starting to think it needs to be enabled on the core as well. This is confusing.
01-18-2010 07:28 AM
On the core you may need to tweak the relay to allow option 82 through. It depends on exactly how you want it to work, but this should get you started:
ip dhcp relay information policy keep
no ip dhcp relay information check
ip dhcp relay information trust-all
If you don't do that it will drop DHCP packets that have option 82, and if your edge switches are attaching the option, that will be all packets.
Note you can also do this on a per-interface basis; the above commands allow 82 through globally.
You could also go to each edge switch and issue "no ip dhcp snooping information option", but it's easier to change the core and you might want option 82 in the future.
In that case, if the IOS is new enough on the edge, then on all downlinks from one edge switch to the deeper one in the stack, issue:
ip dhcp-snooping information option allow-untrusted
If the IOS is not new enough you will have to use:
ip dhcp-snooping trust
Note that this is in the opposite direction -- downlinks -- from the normal "ip dhcp-snooping trust" statement which you need to get dhcp-snooping to work on uplinks.
01-18-2010 07:15 AM
Hi,
DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted DHCP message is a message that is received from outside the network or firewall, causing denial of service attacks.
Option 82 is the Relay Agent Information Option, as described in RFC 3046, used to insert circuit-specific information into a request that is being forwarded to a DHCP server. In its default configuration, the DHCP Relay Agent Information Option passes along port and agent information to a central DHCP server. It is useful in statistical analysis, as well as for indicating where an assigned IP address physically connects to the network.
The first step to configure DHCP snooping is to turn on DHCP snooping in all Cisco switches using the "ip dhcp snooping" command:
All Cisco Switches (config)#ip dhcp snooping
The second step is to configure the trusted interfaces on trunk ports, and also on the port used to reach the DHCP server.
An interface not explicitly configured as a trusted interface is treated as an untrusted interface.
ciscoswitch(config)# interface fa0/0
ciscoswitch(config-if)# ip dhcp snooping trust
Hope that clears up your query!!
If helpful, do rate the valuable post.
Regards
Ganesh.H
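The following is an added configuration example that is not from any poster in this thread; it pulls together the commands given in the 01-18-2010 07:28 AM reply (relay handling of option 82 on the core, allow-untrusted on downlinks) and in Ganesh's reply (enabling snooping and trusting uplinks and the server port) into one end-to-end layout. Hostnames, interface numbers, VLAN IDs, the 10.10.10.0/24 client subnet, the 192.0.2.10 server address and the flash: database path are all assumptions chosen for illustration. Whether "allow-untrusted" is a global or an interface command, and whether "ip verify source" is available, depends on the platform and IOS release, so check your switch's command reference before pasting.

```cisco
! ===== Access switch "access-1" (runs DHCP snooping) =====
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion stays on (the default); the core relay below is told to accept it.
ip dhcp snooping information option
! Persist the binding table so it survives a reload (path is an assumption).
ip dhcp snooping database flash:dhcp-snoop.db
!
interface GigabitEthernet1/0/1
 description uplink to distribution (DHCP replies arrive here)
 switchport mode trunk
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/2 - 24
 description user ports: untrusted by default, rate-limit Discovers
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ! IP Source Guard (if the platform supports it): only addresses in the
 ! snooping binding table may be sourced from this port.
 ip verify source
!
! A second access switch daisy-chained below access-1. Requests arriving on
! this port already carry option 82 from access-2, so access-1 must not drop
! them as untrusted. On Catalyst 3560/3750 this is the global command
! "ip dhcp snooping information option allow-untrusted"; on 4500/6500 it is
! applied per interface as shown. On older IOS without it, trust the port.
interface GigabitEthernet1/0/48
 description downlink to access-2
 switchport mode trunk
 ip dhcp snooping information option allow-untrusted
!
! ===== Layer 3 distribution/core switch acting as DHCP relay =====
! Keep the option 82 the edge inserted, do not validate it on the return
! path, and accept relayed packets that carry option 82 with giaddr 0.
ip dhcp relay information policy keep
no ip dhcp relay information check
ip dhcp relay information trust-all
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 192.0.2.10
!
! ===== Switch in the DMZ in front of the DHCP server =====
! Only needed if this switch itself runs DHCP snooping; otherwise nothing
! has to be configured here. The server-facing port must be trusted so that
! OFFER/ACK messages are not filtered.
interface GigabitEthernet1/0/10
 description DHCP server 192.0.2.10
 ip dhcp snooping trust
!
! Verification on the access switch:
!   show ip dhcp snooping            (trusted ports, VLANs, option 82 state)
!   show ip dhcp snooping binding    (MAC/IP/VLAN/port leases learned)
!   show ip verify source            (ports where Source Guard is enforcing)
```

If clients on access-2 stop getting leases after you enable snooping on access-1, the downlink treatment is the usual cause: without allow-untrusted (or trust) on that port, every request from access-2 is discarded for carrying option 82 from an untrusted interface. If instead the DHCP server is what rejects the requests, the choice is between the core-side relay settings above and turning the option off at the edge with "no ip dhcp snooping information option", as the 03-16-2009 reply did.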