Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1791
Views
0
Helpful
2
Replies

IP DHCP Snooping over L3 links

Isaac Morgan
Level 1
Level 1

‎04-10-2012 12:28 AM - edited ‎03-07-2019 06:02 AM

Hi,

I am working in a environment that is classed as collapssed Layer 3 environment.  We have a core 6500 with routed links to 3560's which are access switches.

topology.png

We have layer 3 vlans on the access switches, one for data one for voice.

On the layer 3 vlans we have ip helper addresses that are used for DHCP.  The DHCP servers are located on the 6500.

I recently had a incident where someone plugged a netgear router into a desk point because they thought they could use it for a switch.  This router then started to dish out IP addresses to people in the morning for those who came in and docked their laptops.  99% of people weren't affected because they have desktop PC's are their leases hadn't expired.

Now we have bpduguard, bpdufilter to prevent people from plugging in switches that send out BPDU's.  However this doesn't prevent the above senario where someone plugs a router or a 'dumb' switch that doesn't send BPDU's.

Because of the above senario I started looking at DHCP Snooping, but I am unsure on a couple of things.

With the topology of our network I understand that I don't need to configure IP DHCP Snooping Trust on the L3 uplinks to our core switch.  From what I understand I just need to enable IP DHCP Snooping globaly and then on the VLAN's on the access switch (because of the L3 topology VLAN's are local to the access switches).  Only if I had L2 uplinks to the core would I need to configure IP DHCP Snooping Trust on the trunk links.

Can anyone confirm if my understanding is correct, or perhaps provide further info for me.  Most examples/configurations I have seen are for L2 configurations only.

Regards,

Isaac

Labels:
0 Helpful
2 Replies 2

Peter Paluch
Cisco Employee
Cisco Employee

‎04-14-2012 02:48 PM

Hello Isaac,

To my best understanding, your judgement of the situation is correct. As the trusted DHCP state is configured only on switchports and not on routed ports, you should be fine with simply activating the DHCP Snooping globally and on selected VLANs, but you should not be required to configure any port as trusted port.

Testing out this configuration should be largely easy because after activating the DHCP Snooping, the worst thing that can happen is your clients becoming unable to obtain their IP config via DHCP - but as this operation is performed infrequently, your clients should not notice anything during your testing period if performed swiftly.

Best regards,

Peter

0 Helpful

Isaac Morgan
Level 1
Level 1
In response to Peter Paluch

‎04-14-2012 03:06 PM

Hi Peter,

Thanks for the reply.

I have a change window this week to test it out so I will post the results once I have tested.

Isaac.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card