Were you able to configure this? I am in a similar situation and I have this working; however, I am not convinced that it is working correctly, hence I just want to confirm.
Basically my setup is:
LAN access switches with various VLANs all have DHCP snooping configured. All uplinks are L3, hence I don't have any way to configure the uplinks as trusted since that option isn't available.
The DHCP server isn't local to the switch, hence I haven't configured any trusted interfaces.
Without DHCP snooping enabled, a rogue DHCP server was set up locally and it was confirmed that the clients were getting an IP from the rogue DHCP server.
However, once DHCP snooping was enabled, the clients were getting DHCP from the correct server. A helper address is configured on the L3 SVI interfaces local to the access switch.
My understanding of how this is working is that if any ports local to the switch are connected to a machine that also tries to be a DHCP server, the clients won't respond to it because it's untrusted by default, hence that takes care of any rogue DHCP server locally. However, I cannot understand how it's deciding that the DHCP server upstream (the correct one) is the one it should get its IP address from. I mean, say someone decides to set up a DHCP server in the core, or even on the same subnet as the real DHCP server; then how would the clients decide that they should reject that response? Is there something in DHCP snooping that makes it only accept a response from the IP configured in the IP helper address?
There is another feature I am looking into, which is Dynamic ARP Inspection. Again I have that working but am not quite sure if it's working correctly. The way this was tested was that the ARP entry in the L3 switch was cleared for a client host, Client 1, and another client, let's call it Client 2, on the same switch was configured statically with the same IP as Client 1. Once the ARP entry was cleared from the L3 access switch without Dynamic ARP Inspection, Client 2 was immediately able to communicate with the rest of the network with the IP of Client 1; however, with ARP Inspection enabled, even if the ARP entry was cleared, Client 2 was unable to communicate with the network. Does that make sense? Are there any downsides to this, like will it cause any problems if the ARP entry ages out after 4 hours, which is the default? Thanks
Seems like you have the same situation that I have.
See, after a lot of testing for the DHCP snooping I have figured out that all L3 interfaces become trusted/relay by default when you enable DHCP snooping. So in your case you have to enable the snooping on the access switches without giving any trusted interfaces (all default untrusted), and for the core side enable DHCP snooping and give the DHCP server a trusted port.
Now regarding the ARP inspection feature: once you enable ARP inspection on your switch it will keep checking the binding database from your DHCP snooping database because it works in conjunction with it, so even if client1 is out of the ARP table it's still there in the DHCP snooping binding database, and this is applied for all your PCs that get IPs dynamically from the DHCP server; for those with static IP addresses you need to configure an ARP ACL.
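The two-switch layout described above (access switches with no trusted ports, core trusting only the DHCP server port, DAI backed by the snooping bindings plus an ARP ACL for static hosts) as an added IOS configuration example; this is not configuration from the original poster or from the replier. VLAN IDs, interface names, the 10.1.10.50 host and its MAC address are constructed placeholders.

```cisco
! === Access switch (routed uplinks, DHCP server is remote) ===
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Keep bindings across a reload so DAI still has them after a power cycle
ip dhcp snooping database flash:dhcp-snoop.db
! No trusted ports: every L2 access port is untrusted by default, so a
! DHCP OFFER/ACK from a locally attached rogue server is dropped.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 ip dhcp snooping limit rate 15
!
! Dynamic ARP Inspection on the same VLANs. It validates ARP against the
! DHCP snooping binding table, not the switch ARP cache, so clearing an
! ARP entry does not let another host claim the address; a binding lives
! for the DHCP lease time, independent of the ARP aging timer.
ip arp inspection vlan 10,20
! Hosts with static addresses have no snooping binding; permit them explicitly.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! === Core switch (DHCP server attached to Gi1/0/24) ===
ip dhcp snooping
ip dhcp snooping vlan 100
interface GigabitEthernet1/0/24
 description DHCP server
 ip dhcp snooping trust
!
! === Verification ===
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

The `statistics` output shows DAI drops per VLAN, which is the quickest way to confirm that the Client 2 test above is being blocked by inspection rather than by something else.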
Thank you for replying. That does seem to make sense; however, in this environment there is just one thing. The DHCP server is not local to this campus and I don't have DHCP snooping enabled throughout, so the switch that the DHCP server connects to doesn't have DHCP snooping enabled. Would that be a problem? I am trying to understand how the switch figures out that it will trust the DHCP server that is configured with the helper command as opposed to a reply from any other server located in the campus. I guess if there is no other helper address then it won't make a difference, but still I was wondering if there was something more to it.
With regards to ARP inspection, are there any caveats that you might have noticed? For example: just in case the DHCP entry ages out from the database and at the same time the ARP entry ages out, how would that affect the client? Would another client be able to spoof that IP in the case that this particular scenario occurs? Also, how does this relate to the ARP aging timeout? Thanks for your help
I've met another caveat you mentioned. The switch with DHCP snooping enabled configured as DHCP helper does not forward DHCP Requests if their source address is not equal to 0.0.0.0 (not an error but a feature). It means that a node cannot ask for IP address prolongation. Strictly speaking it can, but without any response. It can get a new address only after its old address has fully aged out. Consequently its current sessions are dropped. Do you have a similar experience?