Intrusion Prevention

Correctly enable DHCP-Snooping on Core

‎06-09-2017 08:40 AM

I am looking to enable DHCP snooping on my Core EX3300 Virtual Chassis with no downtime for end users. My question is regarding what interfaces will be trusted and untrusted and if my clients will still be able to reach the DHCP server when I turn the protocol on. My topology is as follows:

Core EX3300 Virtual Chassis that acts as both the aggregation and access layer. All clients are connected to this switch and are included within one of three vLANs that include an RVI for routing.

EX4550 Virtual Chassis connected to the physical server hosts. A dedicated vLAN with an RVI is used to connect this switch with the Core via OSPF. The DHCP servers reside on a fifth vLAN with an RVI that originates from this EX4550 VC.

The Core switch uses the bootp relay-agent-options to provide DHCP to the client vLANs.

I understand that DHCP-Snooping will need to be activated at the vLAN level on the Core switch. I know DHCP-Snooping automatically marks trunk links as trusted. I am under the impression that DHCP-Snooping will understand that the DHCP server is communicating via L3 and will snoop and allow traffic.

Can I just enable DHCP-Snooping on the client vLANs, or do I need to mark the vLAN connecting the Core and Server switches as trusted? I know I can just turn it on and commit confirmed to see what happens, but I figured I would check here to see if anyone knows the answer.

Thank you


Re: Correctly enable DHCP-Snooping on Core

‎08-06-2017 08:37 AM

Hello,

Are all end users connected to the EX4300 directly or through some access switches?

Regards,
Lado

Re: Correctly enable DHCP-Snooping on Core

‎08-07-2017 06:19 AM

Thank you so much for your response.

The vast majority of end users connect through the EX3300 Virtual Chassis acting as the core. It is 5 physical switches in total.

I do have two EX2200-C access switches connected with trunks, but only maybe 3 users are connected to them.

I would like DHCP snooping to be activated on the EX3300 VC as well as the two access layer switches.


Re: Correctly enable DHCP-Snooping on Core

‎08-09-2017 05:40 AM

Hi again,

I think that you have to enable DHCP snooping only on the clients' VLAN, not on the peering VLAN.

And you have to activate it on the access switches as well, on the clients' VLAN. You have to mark the trunk ports connected to the EX3300 as trusted ports.

Regards,
Lado

Re: Correctly enable DHCP-Snooping on Core

‎08-10-2017 12:21 PM

Thank you

So to clarify, enable DHCP snooping on the client VLAN for the Core and Access layer switches.

But do not enable it on the VLAN connecting the Core and Server switches.

Then mark the trunk ports between the Core and Access switches as trusted.


Re: Correctly enable DHCP-Snooping on Core

‎09-06-2017 11:40 AM

Yes, right. 

Regards,
Lado
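
The configuration agreed on in this thread, written out as an added example that is not part of the original posts: legacy (non-ELS) Junos `set` commands for the EX3300 VC and the EX2200-C access switches. The VLAN names and the uplink interface name are placeholders, not values from the thread.

```junos
# --- Core EX3300 VC: snoop the client VLANs only ---
# CLIENTS-A, CLIENTS-B and CLIENTS-C are placeholder names for the three client VLANs.
set ethernet-switching-options secure-access-port vlan CLIENTS-A examine-dhcp
set ethernet-switching-options secure-access-port vlan CLIENTS-B examine-dhcp
set ethernet-switching-options secure-access-port vlan CLIENTS-C examine-dhcp
# No examine-dhcp statement is added for the VLAN that peers with the EX4550 VC.

# --- Each EX2200-C access switch: snoop the client VLAN it carries ---
set ethernet-switching-options secure-access-port vlan CLIENTS-A examine-dhcp
# ge-0/1/0.0 is a placeholder for the trunk uplink toward the EX3300 VC.
# The original post notes that trunks are trusted automatically; this makes it explicit.
set ethernet-switching-options secure-access-port interface ge-0/1/0.0 dhcp-trusted

# --- On every switch: commit with automatic rollback, verify, then confirm ---
commit confirmed 5
# Clients that renew a lease should appear in the snooping table.
run show dhcp snooping binding
commit
```

If leases stop being issued after `commit confirmed 5`, letting the five minutes expire without the final `commit` rolls the switch back to the previous configuration.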