DHCP Snooping

Recently I had to enable DHCP Snooping on the production network in our office. Although DHCP Snooping is a topic in my recent SWITCH studies, I found the documentation a bit less than desirable. It was easy finding an explanation on how to implement this on a single switch, but what if you have lots of switches? How do you configure the trunks? I decided to test this in a lab and write a blog post for future reference.

Here’s the lab I used:

I used my laptop as a DHCP client and an ASA 5505 as the DHCP server. For the switches I used some 2950s that we had lying around. Here is how everything is connected:

  • The ASA is connected to Fa0/24 of SW2
  • The Laptop is connected to Fa0/1 of SW1
  • SW1 and SW2 are connected via a cross cable between their Gi0/1 interfaces

The initial setup is not shown in the drawing. I wanted to test a single-switch scenario to make sure a basic setup of DHCP Snooping worked before I stepped it up a notch and implemented the multi-switch scenario. So I had the laptop temporarily connected to Fa0/1 on SW2. First I set up DHCP Snooping for VLAN 1 (normally VLAN 1 is not used, but for this test I did not bother to create a VLAN and just used the default):

SW2(config)#ip dhcp snooping
SW2(config)#ip dhcp snooping vlan 1

Then Fa0/24 on SW2 was set to be trusted by configuring the following:

SW2(config)#int fa0/24
SW2(config-if)#ip dhcp snooping trust

I did not get an IP address on the laptop. So why not? Isn’t Fa0/24 trusted?
By using “debug ip dhcp snooping packet” and “debug ip dhcp snooping event” I found this error:

DHCP_SNOOPING_SW: bridlge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (1)

I did some Google searching and it turns out that some clients (and DHCP servers) don’t accept the insertion of DHCP option 82, the relay agent information that the switch adds to client packets. This behaviour can be turned off with the following command (note that the DHCP server then no longer receives the switch and port information that option 82 carries):

SW2(config)#no ip dhcp snooping information option

After that I did get an IP address from the DHCP server, so on to the multi-switch scenario.
The first step was the basic setup on SW1, including disabling the insertion of option 82, just like on SW2:

SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 1
SW1(config)#no ip dhcp snooping information option

I connected the switches as shown in the drawing and connected my laptop to Fa0/1 on SW1. I did not get an IP address.
After some experimenting I found I needed to set the following on Gi0/1 on SW1, which is the trunk to SW2:

SW1(config)#int gi0/1
SW1(config-if)#ip dhcp snooping trust

It makes sense, since Gi0/1 is the port on which the DHCPOFFER comes into SW1, and DHCP snooping drops server messages (DHCPOFFER, DHCPACK, DHCPNAK) that arrive on an untrusted port. After configuring “ip dhcp snooping trust” on Gi0/1 the lab was working as intended. “show ip dhcp snooping” lists the trusted interfaces per switch and “show ip dhcp snooping binding” shows the lease the switch learned for the laptop, which is a quick way to verify the setup.

This led me to the conclusion that the ports that need to be set to trust are the port to which the DHCP server is connected and the trunk ports on the switches to which clients are connected. It is not necessary to trust the trunk port on the switch to which the DHCP server is connected, as the DHCPOFFER goes out of the switch on that port, and trust only needs to be set on interfaces where the DHCPOFFER comes into the switch. Put more generally: every interface through which DHCP server replies can enter a switch must be trusted, and nothing else should be, so that a DHCP server plugged into an access port is blocked.
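To make the trust rule concrete, here is a small simulation of the two-switch lab, added here as an illustration and not code from the original post. It models only the one DHCP snooping check discussed above (server messages are dropped on untrusted ports; the option-82, MAC and binding checks of a real switch are left out), uses the port names from the lab, and lets you flip the trust setting on each trunk to see which combinations let the DHCPOFFER reach the laptop and which block an OFFER injected on the laptop’s access port.

```python
"""Simulation of DHCP snooping trust decisions on the SW1/SW2 lab.

Added example, not from the original post. Topology and port names mirror
the lab: laptop on SW1 Fa0/1, ASA (DHCP server) on SW2 Fa0/24, cross cable
between the Gi0/1 ports. Only the trusted/untrusted port check is modelled.
"""

# Message types a DHCP server sends; everything else is treated as client traffic.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class Switch:
    def __init__(self, name, ports, trusted=()):
        self.name = name
        self.ports = list(ports)
        self.trusted = set(trusted)
        self.log = []  # human-readable trace of every forwarding decision

    def ingress(self, port, msg_type):
        """Return the ports the message is flooded to, or [] if snooping drops it.

        Rule under test: a server message arriving on an untrusted port is
        dropped. Client messages are forwarded regardless of trust. Flooding
        to all other ports stands in for VLAN 1 bridging (no MAC learning).
        """
        if msg_type in SERVER_MSGS and port not in self.trusted:
            self.log.append(f"{self.name}: dropped {msg_type} on untrusted {port}")
            return []
        out = [p for p in self.ports if p != port]
        self.log.append(f"{self.name}: forwarded {msg_type} from {port} to {out}")
        return out


def build_lab(sw1_trunk_trusted, sw2_trunk_trusted):
    """Build SW1/SW2 with the server port always trusted and trunks as requested."""
    sw1_trusted = {"Gi0/1"} if sw1_trunk_trusted else set()
    sw2_trusted = {"Fa0/24"} | ({"Gi0/1"} if sw2_trunk_trusted else set())
    switches = {
        "SW1": Switch("SW1", ["Fa0/1", "Gi0/1"], sw1_trusted),
        "SW2": Switch("SW2", ["Fa0/24", "Gi0/1"], sw2_trusted),
    }
    # Cross cable between the trunks, and the two end hosts (constructed lab wiring).
    links = {("SW1", "Gi0/1"): ("SW2", "Gi0/1"), ("SW2", "Gi0/1"): ("SW1", "Gi0/1")}
    hosts = {("SW1", "Fa0/1"): "laptop", ("SW2", "Fa0/24"): "asa"}
    return switches, links, hosts


def deliver(switches, links, hosts, sw_name, port, msg_type):
    """Inject a message at an ingress port and return the set of hosts it reaches."""
    reached = set()
    for out in switches[sw_name].ingress(port, msg_type):
        if (sw_name, out) in hosts:
            reached.add(hosts[(sw_name, out)])
        elif (sw_name, out) in links:
            neighbour, nb_port = links[(sw_name, out)]
            reached |= deliver(switches, links, hosts, neighbour, nb_port, msg_type)
    return reached


def dhcp_exchange(sw1_trunk_trusted, sw2_trunk_trusted):
    """Run DISCOVER (laptop -> ASA) then OFFER (ASA -> laptop).

    Returns (discover_reached_server, offer_reached_client, trace_lines).
    """
    switches, links, hosts = build_lab(sw1_trunk_trusted, sw2_trunk_trusted)
    discover_ok = "asa" in deliver(switches, links, hosts, "SW1", "Fa0/1", "DISCOVER")
    offer_ok = "laptop" in deliver(switches, links, hosts, "SW2", "Fa0/24", "OFFER")
    trace = switches["SW1"].log + switches["SW2"].log
    return discover_ok, offer_ok, trace


def rogue_offer_blocked(sw1_trunk_trusted=True, sw2_trunk_trusted=False):
    """True if an OFFER entering on the laptop's access port (SW1 Fa0/1) reaches nobody.

    This is the protective effect of the setup: an access port is untrusted,
    so server messages from a device plugged in there are dropped at SW1.
    """
    switches, links, hosts = build_lab(sw1_trunk_trusted, sw2_trunk_trusted)
    return not deliver(switches, links, hosts, "SW1", "Fa0/1", "OFFER")


if __name__ == "__main__":
    for sw1_t, sw2_t in [(False, False), (True, False), (True, True)]:
        disc, offer, trace = dhcp_exchange(sw1_t, sw2_t)
        print(f"SW1 trunk trusted={sw1_t}, SW2 trunk trusted={sw2_t}: "
              f"DISCOVER reaches ASA={disc}, OFFER reaches laptop={offer}")
        for line in trace:
            print("   ", line)
    print("Rogue OFFER on SW1 Fa0/1 blocked:", rogue_offer_blocked())
```

Running it reproduces the post: with neither trunk trusted the DISCOVER still reaches the ASA (client messages pass untrusted ports) but the OFFER is dropped when it enters SW1 on Gi0/1; trusting only SW1’s trunk is enough, and trusting SW2’s trunk as well changes nothing because the OFFER leaves SW2 on that port rather than entering on it. The rogue_offer_blocked() check shows why access ports are left untrusted.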

I hope this helps you with the implementation of DHCP Snooping.
