dhcp-snooping trusted servers

  • Question
  • Updated 2 years ago
  • Answered
Hi all,

I am just looking at using extreme as edge switches, have been using them for core and aggregation for years.  We have a large network with two central DHCP servers which we then use UDP forwarding from each user vlan.

As I see it, we need to enable dhcp snooping on all ports of the switch including the uplinks so they see the server packets on the uplinks as well as the client packets on the edge ports.  This will discard server packets on all ports by default so we either need to set the uplinks as trusted ports or use the trusted server feature.

The trusted server command is better because it will guard against rogue packets on the uplinks too, but there is a limit of 8, and if we have four user vlans on a switch, we would need to issue two trusted server commands for each of the central servers on each vlan (eight commands) PLUS one per VLAN for the local gateway relay address, so we will easily run out of trusted servers.

Is this right? How do people get round this, or do you just use the trusted port commands for large networks?

Also, I have read somewhere you can't put snooping on LAG ports; as all our uplinks are LAGged, does this mean the feature is completely useless to us anyway?

David Rickard


Posted 2 years ago


Daniel Flouret, Employee

David,

Have you checked the bootprelay command?

You can enable it globally for a virtual router and all its vlans
enable bootprelay vr vr-default
or only for specific vlans
enable bootprelay vlan test

You can also add one or more DHCP servers globally to the virtual router for all vlans to use
configure bootprelay add 10.1.0.1
or configure specific DHCP servers for individual vlans
configure bootprelay vlan test add 10.2.0.2

David Rickard

Why? We have UDP forwarding working well; it has been for years on many switches. My question is about dhcp-snooping.

Daniel Flouret, Employee

I'm sorry, I misread your question.

David Rickard

No problem Daniel, if you have any advice regarding the snooping I'd be really grateful, this seems very confusing.

Balaji, Employee

David, 

How many DHCP Servers do you have ?

David Rickard

We have a large network with two central DHCP servers which we then use UDP forwarding from each user vlan. The problem is that we have seen once DHCP clients have had a response to the initial broadcast, they seem to unicast directly to the server IP, so our current snooping settings (on HP switches) have to recognise the local relay agent and the central servers. That's fine, but when the settings are tied to a VLAN, that means three trusted servers have to be enabled per vlan, and with a limit of 8 across the whole switch, that means we can't have more than two vlans with DHCP.

Tripathy, Priya Ranjan, ESE

I can see so far nothing has been updated here for the last 6 months or so.

Coming to the dhcp-snooping for trusted servers, what I could suggest is as below:

You can enable DHCP snooping on a per-port and per-VLAN basis, but trusted DHCP servers are always configured on a per-VLAN basis only. If configured for DHCP snooping, the switch snoops DHCP packets on the indicated ports and builds a DHCP bindings database of IP address and MAC address bindings from the received packets.

If configured for trusted DHCP server, the switch forwards only DHCP packets from the trusted servers. The switch drops DHCP packets from other DHCP snooping-enabled ports.

David Rickard

The problem is that if we specify trusted servers, we can have only a maximum of 8 server addresses across the whole switch.  If we have two addresses used for the server's real addresses, then we need one for the dhcp helper in each vlan, meaning we need to configure three addresses in each VLAN so enabling this on two vlans will use up three of the 8 available entries and so no more vlans can have dhcp snooping enabled (with trusted server addresses).  This seems a remarkably low limit.

Jarek

Hi David, 
let's assume that your uplink ports on edge switch are trusted.

Add trusted port without DHCP servers

configure trusted-ports 50 trust-for dhcp-server

From EXOS command reference:
Trusted ports do not block traffic; rather, the switch forwards any DHCP server packets that appear on trusted ports.

You can also add on your uplink port:

enable ip-security dhcp-snooping vlan lan1 port 50 violation-action none
enable ip-security dhcp-snooping vlan lan2 port 50 violation-action none
enable ip-security dhcp-snooping vlan lan3 port 50 violation-action none
--
Jarek

Tripathy, Priya Ranjan, ESE

Adding to what Jarek mentioned: depending upon the DHCP snooping configuration, the switch drops packets and can disable the port either temporarily or permanently, and can even black-hole the MAC address too. By configuring one or more trusted ports, the switch assumes that all DHCP server packets on the trusted port are valid.

David Rickard

I know what DHCP snooping does; if you read my posts you will see I get all that. I was not asking what DHCP snooping does or how to configure it. I did not ask how to trust a port, or what trusting ports does.

For the fourth time in this thread I will explain the question.

There is a restriction of no more than 8 trusted servers on a switch.

If you have two DHCP servers, they have a native address each, that is two.
If they are routed, you then have one address for the DHCP helper, that makes three.

You have to configure the trusted servers per vlan, so you have to specify three addresses for each VLAN.

Doing this for two VLANS uses six addresses out of the 8 you can use.

This means if you use DHCP snooping trusted servers, you can't do it for more than two VLANs.  This seems like an unreasonable restriction.  I was asking whether that is correct, or whether I have misunderstood how that works.

Jarek

David, 
you asked also "How do people get round this, or do you just use the trusted port commands for large networks?"

Short example  how I use DHCP and  ip-sec features:
1) Edge (L2): only the uplink port is trusted for DHCP servers
- I don't use trusted servers per vlan, because we trust our network
- dhcp-snooping  with violation-action drop-packet block-mac duration
- If hardware has space for ACL: ip-security source-ip-lockdown

2) Aggregation (L2/L3) 
- bootprelay with two DHCP servers 
- dhcp-snooping with  violation-action drop-packet block-mac duration 
- two DHCP trusted servers on uplink vlan to core
- arp validation 
- enable arp learning learn-from-dhcp, disable arp learning learn-from-arp
- arp gratuitous-protection
- ip-security dhcp-bindings storage
- ACL filters per vlan

--
Jarek
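The two trust models described in Jarek's two posts (uplink trusted port on the edge, per-VLAN trusted servers only on the routed uplink at aggregation) and the per-VLAN trusted-server behaviour Priya Ranjan Tripathy quotes, pulled together as one EXOS script. This is an added example, not configuration posted in the thread or taken from Extreme's documentation. Every port number, VLAN name and address is an assumption: edge ports 1-48 with an uplink LAG referenced by its master port 49; aggregation downlinks 1-24 and a core uplink on port 25 in a routed VLAN named core; user VLANs lan1 to lan3; central DHCP servers 10.1.0.1 and 10.1.0.2. Whether dhcp-snooping can be enabled on a LAG in a given release is also assumed, since the thread leaves that question open; try it on a lab switch first.

```exos
# Added example (not from the thread). Assumed names: edge ports 1-48,
# uplink LAG master port 49, user VLANs lan1-lan3, DHCP servers
# 10.1.0.1 and 10.1.0.2; aggregation downlinks 1-24, core uplink port 25
# in VLAN "core".

# ===== Edge (L2) switch: trusted port model =====
# Any DHCP server packet arriving on the uplink is forwarded. This costs
# no trusted-server entries, however many user VLANs the switch carries,
# but it also accepts any server reachable over the uplink.
configure trusted-ports 49 trust-for dhcp-server

# Snoop the user VLANs on the edge ports. A DHCP OFFER/ACK sent by a
# device on an untrusted edge port is dropped and its MAC blocked for 300 s.
enable ip-security dhcp-snooping vlan lan1 ports 1-48 violation-action drop-packet block-mac duration 300
enable ip-security dhcp-snooping vlan lan2 ports 1-48 violation-action drop-packet block-mac duration 300
enable ip-security dhcp-snooping vlan lan3 ports 1-48 violation-action drop-packet block-mac duration 300

# Snoop the uplink too, with no violation action, so the switch sees the
# server half of each exchange and can complete the binding entry.
enable ip-security dhcp-snooping vlan lan1 ports 49 violation-action none
enable ip-security dhcp-snooping vlan lan2 ports 49 violation-action none
enable ip-security dhcp-snooping vlan lan3 ports 49 violation-action none

# Optional, consumes ACL hardware: only IP/MAC pairs learned by snooping
# may send traffic on the edge ports.
enable ip-security source-ip-lockdown ports 1-48

# ===== Aggregation (L2/L3) switch: relay plus trusted servers =====
# Relay client broadcasts from the user VLANs to the two central servers.
enable bootprelay vlan lan1
enable bootprelay vlan lan2
enable bootprelay vlan lan3
configure bootprelay add 10.1.0.1
configure bootprelay add 10.1.0.2

# Snoop the user VLANs on the downlinks (repeat for lan2 and lan3).
enable ip-security dhcp-snooping vlan lan1 ports 1-24 violation-action drop-packet block-mac duration 300

# Server replies to the relay enter on the core VLAN. Snoop that port and
# list only the two real server addresses as trusted. Trusted servers are
# per VLAN, so this spends two entries for the whole switch instead of
# three per user VLAN.
enable ip-security dhcp-snooping vlan core ports 25 violation-action drop-packet
configure trusted-servers vlan core add server 10.1.0.1 trust-for dhcp-server
configure trusted-servers vlan core add server 10.1.0.2 trust-for dhcp-server

# Build ARP entries for lan1 from the snooping table only and reject
# gratuitous ARP that would overwrite them (repeat for lan2 and lan3).
enable ip-security arp learning learn-from-dhcp vlan lan1 ports 1-24
disable ip-security arp learning learn-from-arp vlan lan1 ports 1-24
enable ip-security arp gratuitous-protection vlan lan1
```

Two design points. On the edge, the trusted-port model never touches the trusted-server table, which is why it scales past the limit of 8 entries David describes; the trade-off is exactly the one he raises, that a rogue server behind the uplink is accepted. On the aggregation switch the core port is deliberately not trusted: Jarek trusts that port and runs snooping on it with violation-action none, whereas this example lets the two trusted-server entries on the core VLAN decide which server addresses are forwarded, which is the stricter behaviour Priya Ranjan Tripathy quotes. After a client renews, confirm the binding exists with `show ip-security dhcp-snooping entries vlan lan1` on both switches; a missing entry on the edge usually means the uplink is not being snooped, so the OFFER/ACK half of the exchange was never seen.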

David Rickard

Thanks, we have been using trusted ports because our HP switches don't do it per VLAN, so it's less restrictive and we were just expecting to do the same with Extreme. As for why: we don't trust our network; being a large university, all sorts of stuff gets plugged into our switches without us knowing! So the trusted port is better than nothing but doesn't cover all the bases.

It's interesting using DHCP on your aggregation; we don't, because we do trust our core, but maybe we shouldn't. That's really helpful, thanks.

Jarek

David, my explanation was too short :).

"Aggregation - bootprelay with two DHCP servers "

I meant, I have 2 central DHCP servers, and I use bootprelay on aggregation switches.

About "two DHCP trusted servers on uplink vlan to core"

I have an L3 connection only between core and aggregation.
Because I use dhcp-snooping, I need a trusted port with ip-security violation-action none (for the dhcp-snooping table), and so on :)..

--
Jarek

David Rickard

Your DHCP configuration is the same as ours, but we don't presently do DHCP snooping on the L3 connection to the core

I have just re-read my post and I made that very confusing.  We do trusted servers on our HP switches as it is not vlan-tied so it's easy to configure, but by having to put all the trusted servers in each vlan, extremes then run into the restriction.

I guess I have my answer in that everyone just uses trusted ports, but with your additional measure of trusted servers on the L3 link.

Many thanks