
DHCP Snooping

Status
Not open for further replies.

maxyz

Technical User
Nov 6, 2007
10
CH
Does anybody have any experience with DHCP snooping on the 5520? I activated it, but it apparently completely blocks DHCP. Or do we not understand the feature?

description:
- dhcp snooping enabled on vlan 10
- dhcp server on port 1/10
- port 1/10 trusted, all other ports untrusted
- as soon as we enable DHCP snooping, DHCP offers are blocked, although they should go through on port 1/10, as this port is configured trusted?

config:
...
! Model = Ethernet Routing Switch 5520-24T-PWR
! Software version = v5.1.0.015
...
! *** VLAN ***
!
vlan configcontrol flexible
vlan name 1 "VLAN #1"
vlan create 10 name "Users" type port
vlan create 100 name "Admin" type port
vlan ports 1/1-21 tagging unTagAll filter-untagged-frame disable filter-unregistered-frames enable priority 0
vlan ports 1/22-24 tagging tagAll filter-untagged-frame enable filter-unregistered-frames enable priority 0
vlan ports 2/1-21 tagging unTagAll filter-untagged-frame disable filter-unregistered-frames enable priority 0
vlan ports 2/22-24 tagging tagAll filter-untagged-frame enable filter-unregistered-frames enable priority 0
vlan members 1 NONE
vlan members 10 1/2-24,2/2-24
vlan members 100 1/1,1/22-24,2/1,2/22-24
vlan ports 1/1 pvid 100
vlan ports 1/2-14 pvid 10
vlan ports 2/1 pvid 100
vlan ports 2/2-24 pvid 10
vlan igmp unknown-mcast-no-flood disable
vlan igmp 1 snooping disable
vlan igmp 1 proxy disable robust-value 2 query-interval 125
vlan igmp 10 snooping disable
vlan igmp 10 proxy disable robust-value 2 query-interval 125
vlan igmp 100 snooping disable
vlan igmp 100 proxy disable robust-value 2 query-interval 125
vlan configcontrol strict
auto-pvid
...
! *** DHCP SNOOPING ***
!
ip dhcp-snooping
no ip dhcp-snooping vlan
ip dhcp-snooping vlan 10
interface FastEthernet ALL
default ip dhcp-snooping
ip dhcp-snooping port 1/10 trusted
exit
...
 
Can you post captures from the following?

show ip dhcp-snooping
show ip dhcp-snooping interface 1/1-1/24
show ip dhcp-snooping binding
 
I currently don't have access to the switches. Will post ASAP. In the meantime, what I remember from these commands' outputs:

show ip dhcp-snooping:
- showed that it is globally enabled and enabled on vlan 10

show ip dhcp-snooping interface 1/1-1/24:
- showed port 1/10 trusted all other untrusted

show ip dhcp-snooping binding:
- showed an empty table

 
OK, here are the outputs:

Core#show ip dhcp-snooping
Global DHCP snooping state: Enabled
DHCP
VLAN Snooping
---- --------
1 Disabled
10 Enabled
100 Disabled
Core#show ip dhcp-snooping inter
Core#show ip dhcp-snooping interface 1/1-24
DHCP
Unit/Port Snooping
--------- --------
1 /1 Untrusted
1 /2 Untrusted
1 /3 Untrusted
1 /4 Untrusted
1 /5 Untrusted
1 /6 Untrusted
1 /7 Untrusted
1 /8 Untrusted
1 /9 Untrusted
1 /10 Trusted
1 /11 Untrusted
1 /12 Untrusted
1 /13 Untrusted
1 /14 Untrusted
1 /15 Untrusted
1 /16 Untrusted
1 /17 Untrusted
1 /18 Untrusted
1 /19 Untrusted
1 /20 Untrusted
1 /21 Untrusted
1 /22 Untrusted
1 /23 Untrusted
1 /24 Untrusted
Core#
Core#
Core#show ip dhcp-snooping bi
Core#show ip dhcp-snooping binding
MAC IP Lease (sec) VID Unit/Port
--------------------------------------------------------------------
Total Entries: 0
Core#
 
Is the server directly connected to 1/10 or is there anything else in the path?

Are the users trying to get dhcp in vlan 10 locally connected to the switch or are they connecting from another switch?
 
This stack represents the core. The server is connected directly to 1/10. The users are connecting from other switches, which are connected via VLAN trunks (which run over DMLT trunks on ports 1/22,2/22 - 1/23,2/23 - 1/24,2/24).
 
I read in the documentation that this doesn't work with routed or tagged traffic as dhcp snoop cannot read the packets.

I got the impression that DHCP would work in this situation, as all DHCP traffic would pass through the switch un-inspected.
 
You need to set the DMLT ports as trusted and enforce snooping (untrusted ports) on the edge devices.
 
Thanks a lot for your answers so far, andy88.

Unfortunately the edge devices (45xx) do not support DHCP snooping, so my intention was to at least enforce it on the core to limit a possible "attack" to a single edge segment.

Do you know of any Nortel documentation with a good description of their implementation of DHCP snooping? The 55xx security config guide does not really describe its detailed behaviour.

My understanding was that DHCP snooping does not allow incoming DHCP replies/offers on untrusted ports. But apparently it also does not allow requests from multiple sources on untrusted ports?
 
Just to follow up and close this case.

The feature works perfectly, and the config as mentioned in my first post turns out to be correct.

It's a little bit embarrassing: it was all our (or the client's server admins') fault; the DHCP server was not connected to port 1/10 but to another untrusted port.

andy88, anyway, thanks for the answers.

This:
You need to set the DMLT ports as trusted and enforce snooping (untrusted ports) on the edge devices.
seems to work for us with "untrusted" on the trunk links. If not, it would not work at all, because our access switches do not support DHCP snooping.
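A small model of the trusted/untrusted decision this thread turns on, added here as an illustration; it is not the poster's switch code or Nortel's implementation. It assumes a simplified snooping rule (server-to-client messages are dropped on untrusted ingress, bindings are learned from ACKs) and a constructed client on trunk port 1/23 with a made-up MAC and lease.

```python
from dataclasses import dataclass, field

# DHCP message types (option 53): client -> server and server -> client
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}  # only legitimate when entering on a trusted port


@dataclass
class Dhcp:
    msg_type: int
    chaddr: str          # client MAC carried inside the DHCP payload
    yiaddr: str = ""     # address handed out (OFFER/ACK only)
    lease: int = 0


@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)          # trusted unit/ports
    bindings: dict = field(default_factory=dict)       # chaddr -> (ip, lease, port)
    client_port: dict = field(default_factory=dict)    # chaddr -> port the request came in on

    def ingress(self, port: str, pkt: Dhcp) -> str:
        """Return 'forward' or 'drop' for a DHCP packet entering on port."""
        if pkt.msg_type in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"  # a server (rogue or misplaced) answering on an untrusted port
            if pkt.msg_type == ACK and pkt.chaddr in self.client_port:
                # binding is tied to the untrusted port where the client was seen
                self.bindings[pkt.chaddr] = (pkt.yiaddr, pkt.lease, self.client_port[pkt.chaddr])
            return "forward"
        self.client_port[pkt.chaddr] = port  # client messages are accepted on any port
        return "forward"


def run_exchange(server_port: str, trusted):
    """Replay DISCOVER/OFFER/REQUEST/ACK with the server on server_port (constructed data)."""
    sw = SnoopingSwitch(trusted=set(trusted))
    client_port, mac = "1/23", "00:11:22:33:44:55"  # constructed: client behind a trunk port
    steps = [(client_port, Dhcp(DISCOVER, mac)),
             (server_port, Dhcp(OFFER, mac, "10.0.10.50", 3600)),
             (client_port, Dhcp(REQUEST, mac)),
             (server_port, Dhcp(ACK, mac, "10.0.10.50", 3600))]
    verdicts = []
    for port, pkt in steps:
        verdict = sw.ingress(port, pkt)
        verdicts.append((pkt.msg_type, port, verdict))
        if verdict == "drop":
            break  # the client never sees the reply, so the exchange stalls here
    return verdicts, dict(sw.bindings)
```

With the server on trusted 1/10 all four messages pass and a binding appears; with the server on any other (untrusted) port the OFFER is dropped and the binding table stays empty, which is exactly what the outputs above showed.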
 