Ethernet Switches & Routers

Contributor
Posts: 31
Registered: ‎02-10-2011
Accepted Solution

First time configuring dhcp snooping

Hi all,

 

I would like to configure DHCP snooping. I have a network with some FCX624.

 

I have 2 DHCP servers in different VLANs and I have "ip helper address" configured in the client VLANs to be able to obtain DHCP releases from these 2 servers...

 

I have 2 doubts:

  • If I enable DHCP snooping on one switch of the client VLAN, is that OK, or do I need to enable it on all the switches of this VLAN?
  • I have some access switches connected to the FCX... If you connect a DHCP client to one port of an access switch and a DHCP server to the same switch, is this traffic trusted or not? Are all the ports of this VLAN untrusted, including the ports of the access switches connected to the FCX switch?

Thanks all!!!

Occasional Contributor
Posts: 12
Registered: ‎06-18-2011

Re: First time configuring dhcp snooping

Normally the forwarding of dhcp requests is configured on the appropriate ve(s) on your router. Since the dhcp requests are broadcast, your layer 2 switches simply forward the traffic without caring what it is. No configuration is needed on the layer 2 switches. Once the request hits the ve on your router it is forwarded if you have things configured properly. If you do not have forwarding set up, the request is dropped by the ve just like all other broadcast traffic.

 

Below is a sample configuration for a simple network. One client subnet is 192.168.99.0 and the other client subnet is 192.168.101.0. The dhcp server is on a distant subnet, 192.168.100.0.

 

interface ve 99
 ip address 192.168.99.1 255.255.255.0
 ip helper-address 192.168.100.11 <-----this is the address of your dhcp server

interface ve 100
 ip address 192.168.100.1 255.255.255.0 <----this is the server subnet. No special configuration is needed here

interface ve 101
 ip address 192.168.101.1 255.255.255.0
 ip helper-address 192.168.100.11 <-----this is the address of your dhcp server

 

 

Contributor
Posts: 31
Registered: ‎02-10-2011

Re: First time configuring dhcp snooping

Thanks for your reply...

 

Yes, I know how to configure dhcp on different subnets. It's only necessary on the switch with the VE of the VLAN, not on the access/layer 2 switches.

 

My doubt is about configuring dhcp snooping... On which switches do I need to configure it? Only on the switch with the VE interface? On the switch that connects the dhcp server, on both switches, on all switches of this VLAN? Etc...

 

Thanks...

Frequent Contributor
Posts: 144
Registered: ‎11-07-2013

Re: First time configuring dhcp snooping

Hi,

   You only need this on the switch running the VEs. However, make sure your clients point their default gateway to their VLAN's VE IP address.

 

Thanks

Michael.

Contributor
Posts: 40
Registered: ‎01-28-2013

Re: First time configuring dhcp snooping


I just tried to enable DHCP snooping during a maintenance window last night, but it failed to work correctly.

 

I marked my trusted ports that the DHCP servers are connected to with the command "dhcp snooping trust", and issued the commands "ip dhcp snooping vlan 10" and "ip dhcp snooping vlan 200" on the core switch, and each access switch. Did I only need to issue the last two commands on the core switch?

 

I read on a Cisco forum that DHCP snooping trust should be set on each incoming port, of each device, where the DHCP server replies are coming from, so I did a "dhcp snooping trust" on every fiber incoming uplink port for the access switches, still no go.

 

Now I read this post with an issue exactly like I'm having, and they say on a Cisco you issue the command "ip dhcp relay information trusted VLAN" https://supportforums.cisco.com/discussion/10908051/dhcp-snooping-problem

 

In every scenario, my wireless access points stopped showing my public SSID with DHCP snooping enabled. If I rebooted the WAPs, the public SSID would show up and work for a minute or two, but then disappear and stop allowing connections.

 

I'm not sure what to do to move forward. Please help :)

 

My network: I have a core switch, with access switches each directly connected (via fiber) to the core. On the access switches I have wireless access points (Ubiquiti UniFi AP-AC) that tag the appropriate vlan depending on which SSID is chosen (public SSID to guest vlan, or private SSID to data vlan). There are three vlans (data, VoIP, and guest). I have two DHCP servers in a synced cluster that answer DHCP client requests for the data and VoIP vlans, with ip helper on the VoIP vlan ve interface. The guest vlan has no ve, but a business cable modem that has a DHCP server in it for the guest vlan. The switch ports that my access points are connected to are tagged in the data and guest vlans with dual-mode in the data vlan.

Contributor
Posts: 40
Registered: ‎01-28-2013

Re: First time configuring dhcp snooping

Basically I need to have a configuration like in the diagram under the section named "DHCP Option 82" on this page:

http://packetpushers.net/ccnp-studies-configuring-dhcp-snooping/

 

It's still not clear if I need to execute the "DHCP snooping vlan X" on each switch in the chain, or just on the end access switch. Then it's also confusing reading about the Option 82 and to know if this issue, as described in the above linked article, also applies to the Brocade world. I'd assume it does, but I can't find the equivalent Brocade configuration options.

 

Thanks in advance to whomever even reads this :)

Contributor
Posts: 40
Registered: ‎01-28-2013

Re: First time configuring dhcp snooping


OK, I got it all working.

I wanted to write back in the hopes that it might help someone else.

Follow up observations to my first maintenance window: During my first attempt at this, it left my guest WiFi SSID not working. Since it didn't work during that first maintenance window, I rolled back all my changes to where they were before I started the maintenance, but the guest SSID still didn't show up! So I went home, hoping that I could fix the guest WiFi SSID issue the next morning. The next morning when I came in, the guest SSID was working correctly. So I guess it just had to sit idle and "figure out" something before the Ubiquiti access points would broadcast the guest SSID. That was strange!

 

So, my next maintenance window, I ended up setting "ip dhcp snooping trust" on all the access switches' uplink ports (the ports on the access switches that lead to the core switch). I also set "ip dhcp snooping vlan X" on all my vlans, on each access switch, and the core switch. I didn't set "ip dhcp snooping trust" on any "ve" interface. I also set "ip dhcp snooping trust" on all the ports that the WiFi access points are connected to (though I'm not sure this is needed). After changing all these settings, I once again had no guest SSID on any of my WiFi access points. I rebooted all the access points and let them sit overnight. In the morning my guest SSID was working correctly. Now everything is good.

 

Hope this helps someone else having this problem.
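The questions in this thread (which switches need snooping enabled, and which ports need trust) can be worked through with a small model. This is an added example, not part of the original posts and not Brocade code; it assumes only the general DHCP snooping rule that server replies arriving on an untrusted port of a snooping-enabled VLAN are dropped, and the topology and port names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    name: str
    snooping_vlans: set = field(default_factory=set)   # VLANs with snooping enabled
    trusted_ports: set = field(default_factory=set)    # ports marked as trusted

    def accepts_server_reply(self, ingress_port, vlan):
        # Snooping disabled for this VLAN: the reply is forwarded like any frame.
        if vlan not in self.snooping_vlans:
            return True
        # Snooping enabled: server messages are accepted on trusted ports only.
        return ingress_port in self.trusted_ports

def trace_reply(path, vlan):
    """path: (switch, ingress_port) hops from the DHCP server toward the client."""
    for sw, port in path:
        if not sw.accepts_server_reply(port, vlan):
            return f"dropped at {sw.name} port {port}"
    return "delivered"

# Constructed topology and port names (not taken from the thread).
SERVER_PORT, UPLINK, AP_PORT, VLAN = "1/1/1", "1/2/1", "1/1/10", 10

def scenarios():
    out = {}
    core = Switch("core", {VLAN}, {SERVER_PORT})
    # 1. Snooping on core and access, trust only on the server port.
    access = Switch("access", {VLAN}, set())
    legit = [(core, SERVER_PORT), (access, UPLINK)]
    out["uplink_untrusted"] = trace_reply(legit, VLAN)
    # 2. Uplink toward the core trusted as well.
    access = Switch("access", {VLAN}, {UPLINK})
    out["uplink_trusted"] = trace_reply([(core, SERVER_PORT), (access, UPLINK)], VLAN)
    # 3. Unauthorized server plugged into an edge port of that access switch.
    out["edge_untrusted"] = trace_reply([(access, AP_PORT)], VLAN)
    # 4. Same, but the edge port is also marked trusted.
    access_wide = Switch("access", {VLAN}, {UPLINK, AP_PORT})
    out["edge_trusted"] = trace_reply([(access_wide, AP_PORT)], VLAN)
    # 5. Snooping enabled on the core only: the access switch does not filter.
    access_off = Switch("access")
    out["core_only"] = trace_reply([(access_off, AP_PORT)], VLAN)
    return out

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Cases 4 and 5 are the ones to check in an audit: a trusted edge port, or an access switch with snooping left off, lets replies from a server on that switch reach its clients without ever crossing a filtering port.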

Community Manager
Posts: 165
Registered: ‎03-03-2014

Re: First time configuring dhcp snooping

@evargas

 

While engaged with TAC Support working on a resolution, please continue to communicate over email directly with your TAC support rep to avoid any private customer-specific information being posted to the community. Once your post is resolved, we will make sure to post the generic resolution back to the community to help other members.

 

Please let me know if there is anything else I can do to help facilitate your case resolution.

 

Thank you

Jason McClellan
Community Manager
@jasondmcclellan

TAC Engaged
