
DHCP snooping
According to the figure
If we deploy ip helper on interface vlan10
and a DHCP client in vlan 10 requests an address from the DHCP server in vlan 20, traffic will go to interface vlan 10 and then will take the giaddr 10.10.10.254, then the traffic
will go to the server at switch 2.
The reply from the DHCP server at switch 2 will come to switch 1, and then it will remove giaddr 10.10.10.254 and send the reply to the client.
If we put
ip dhcp relay information option ……. at switch 1
The relay switch 2 will put option 82 in the client's request to the server; then when the reply comes it will remove option 82 and send it to the client.
If we use DHCP snooping
The relay will remove the old option 82 that the relay added before and put its new option 82 (new DHCP snooping option) and set the giaddr to zero.
To avoid this problem (of giaddr zero) we can use
no ip dhcp snooping information option
That means traffic will go to switch 2 without option 82, and giaddr will still be the same as before, 10.10.10.254.
So should we use the previous command ip dhcp relay information option at switch 1??? That is the question. Or can we only use
no ip dhcp snooping information option
And if we put the
ip dhcp relay information trust-all …………… that means the traffic will go to switch 2 with the new option 82 and giaddr zero, and it will pass it to the DHCP server;
that means traffic will go to switch 2 and the server with giaddr zero.
Kindly clarify, and if my understanding is wrong kindly let me know. And if we have many switches (3 or 4) before the client request gets to the server, what is the best solution?
Comments
Kindly, I need to raise my question to an INE expert to answer it.
By default a layer 2 switch inserts remote-id in DHCP requests. It requires DHCP snooping to be turned on, and the feature is disabled with
no ip dhcp snooping information option
which will disable insertion of opt 82 globally. The switch will not change the giaddr address.
By default a layer 2 switch will drop packets with option 82 on untrusted ports. On trusted ports opt 82 is allowed. This check is only done if snooping is enabled. To enable opt 82 on untrusted ports (say when you have two or more layer 2 switches connected back to back) you need
ip dhcp snooping information option allow-untrusted
As far as the relay agent goes (layer 3 device), you need
ip dhcp relay information trusted (per interface) or
ip dhcp relay information trust-all (globally)
to process DHCP packets with giaddr=0 and opt 82 set (when you have a layer 2 switch setting opt 82 before packets get to the relay agent).
Finally, if the relay agent gets a packet with opt 82, it will overwrite it with its own opt 82. To change this you need
ip dhcp relay information policy keep
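
The rules in the answer above, written out as a small Python model so the effect of each knob on a client DISCOVER can be checked (an added example, not part of the thread and not Cisco code). The device names access-sw1 and relay-sw are hypothetical, the giaddr 10.10.10.254 is the one from the question, and the relay is assumed to have ip dhcp relay information option enabled.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Discover:
    """Constructed DHCPDISCOVER, reduced to the two fields the thread discusses."""
    giaddr: str = "0.0.0.0"
    opt82: Optional[str] = None  # name of the device whose option 82 it carries

def l2_snooping_switch(pkt, name, *, insert_opt82=True, allow_untrusted=False):
    """Layer 2 switch with snooping on; the packet arrives on an untrusted port."""
    if pkt.opt82 is not None:
        # Option 82 on an untrusted port is dropped unless
        # 'ip dhcp snooping information option allow-untrusted' is set.
        # Assumption: an accepted option 82 is forwarded unchanged.
        return pkt if allow_untrusted else None
    # Default is to insert option 82; 'no ip dhcp snooping information option'
    # turns that off. The layer 2 switch never changes giaddr.
    return replace(pkt, opt82=name) if insert_opt82 else pkt

def l3_relay(pkt, name, giaddr, *, trusted=False, policy_keep=False):
    """Relay agent (ip helper-address plus 'ip dhcp relay information option')."""
    # giaddr=0 with option 82 set is processed only with
    # 'ip dhcp relay information trusted' or 'trust-all'.
    if pkt.opt82 is not None and pkt.giaddr == "0.0.0.0" and not trusted:
        return None
    # The relay overwrites option 82 unless 'ip dhcp relay information policy keep'.
    keep = policy_keep and pkt.opt82 is not None
    return replace(pkt, giaddr=giaddr, opt82=pkt.opt82 if keep else name)

def path(l2_hops=1, *, insert_opt82=True, allow_untrusted=False,
         relay_trusted=False, policy_keep=False):
    """Send one DISCOVER through l2_hops access switches, then the relay."""
    pkt = Discover()
    for i in range(l2_hops):
        pkt = l2_snooping_switch(pkt, f"access-sw{i + 1}",
                                 insert_opt82=insert_opt82,
                                 allow_untrusted=allow_untrusted)
        if pkt is None:
            return None  # dropped by snooping
    return l3_relay(pkt, "relay-sw", "10.10.10.254",
                    trusted=relay_trusted, policy_keep=policy_keep)

if __name__ == "__main__":
    print(path())                       # None: relay does not trust giaddr=0 + opt 82
    print(path(relay_trusted=True))     # relayed, option 82 overwritten by relay-sw
    print(path(l2_hops=2, relay_trusted=True))  # None: second switch drops it
```

A return value of None means the packet was dropped before it reached the server; otherwise the result shows the giaddr and whose option 82 the server would see.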
Thanks JK,
but if you have any reference documentation about that, that would be great.
Also, if you have a native configuration example for DHCP snooping over multiple switches including layer 2 and layer 3,
that would be great.