I'm having trouble determining where/how to implement DHCP snooping on our campus.
The core for our campus is a pair of 6506's etherchanneled to each other and 3750 stacks which serve as the distribution layer. The 3750's are trunked to our access layer switches (3560Gs, 3550s and some 3500XLs). The 6506s have MSFCs configured with the SVIs for each of 50+ end-to-end VLANs and run HSRP. DHCP is enabled on a few nets/vlans currently. Those nets/vlans have the ip-helper address configured. In addition, the supervisors on the 6506s serve as VTP servers and are the only CatOS on campus. We're trying to test dhcp snooping but haven't had much success.
Our DHCP server is located near the core. DHCP snooping is enabled on most of the 3560Gs globally and only the uplinks are trusted. All of our access switches are in a stacked configuration similar to... core -> bldg1 dist -> bldg1a -> bldg1b -> bldg1c... It didn't make sense to trust offers from downstream. My understanding of trust relates to where offers are originating. Is this correct or is there more information exchanged that requires bidirectional trust?
The VLAN SVIs don't seem to allow for snooping configuration. Should I be looking at the dist. or access levels? The access level seems like it would be an administrative nightmare in a large VTP domain!
You want to do it at the access layer since that is where your clients are. If you have your DHCP servers at the core then it shouldn't be too much of an administrative nightmare, but I am not familiar with your network so I don't really know. Make sure you trust your uplinks.
My global config says nothing more than "ip dhcp snooping" and the uplink port is configured with "ip dhcp snooping trust". Should I also configure "ip dhcp snooping vlan 10" if vlan 10 is assigned to an access port on the switch (and also do that for each switch that has a port configured for vlan 10) + each additional vlan assigned on the switch. Sorry - I know that sounded rambling...
Yes, you enable snooping first globally (like you already did) and then per-vlan that you want protection on.
After you enable snooping, you might want to look into IP Source Guard and Dynamic ARP Inspection too. These are additional security features you can utilize once you have a working snooping setup. Please do take care that you understand what these features do before turning them on, or you'll be scrambling to fix a mess.
Yeah, snooping should be enabled at the access layer. That is kind of the point of the feature. It then prevents users from running rogue DHCP servers. Yes, it is quite the job to implement on a large network with lots of vlans, but it can be done.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...