dhcp-snooping trusted servers

David_Rickard
New Contributor
Hi all,

I am just looking at using Extreme as edge switches; we have been using them for core and aggregation for years. We have a large network with two central DHCP servers, to which we use UDP forwarding from each user VLAN.

As I see it, we need to enable DHCP snooping on all ports of the switch, including the uplinks, so that the switch sees the server packets on the uplinks as well as the client packets on the edge ports. This will discard server packets on all ports by default, so we either need to set the uplinks as trusted ports or use the trusted-server feature.

The trusted-server command is better because it will guard against rogue packets on the uplinks too, but there is a limit of 8, and if we have four user VLANs on a switch we would need to issue two trusted-server commands for each of the central servers on each VLAN (eight commands) PLUS one per VLAN for the local gateway relay address, so we will easily run out of trusted servers.

Is this right? How do people get around this, or do you just use the trusted-port commands for large networks?

Also, I have read somewhere that you can't put snooping on LAG ports; as all our uplinks are LAGged, does this mean the feature is completely useless to us anyway?

David_Rickard
New Contributor
I know what DHCP snooping does; if you read my posts you will see I get all that. I was not asking what DHCP snooping does or how to configure it. I did not ask how to trust a port, or what trusting ports does.

For the fourth time in this thread I will explain the question.

There is a restriction of no more than 8 trusted servers on a switch.

If you have two DHCP servers, they have a native address each; that is two.
If they are routed, you then have one address for the DHCP helper, that makes three.

You have to configure the trusted servers per VLAN, so you have to specify three addresses for each VLAN.

Doing this for two VLANs uses six addresses out of the 8 you can use.

This means if you use DHCP snooping trusted servers, you can't do it for more than two VLANs. This seems like an unreasonable restriction. I was asking whether that is correct, or whether I have misunderstood how that works.

Your DHCP configuration is the same as ours, but we don't presently do DHCP snooping on the L3 connection to the core.

I have just re-read my post and I made that very confusing. We do trusted servers on our HP switches, as it is not VLAN-tied so it's easy to configure, but by having to put all the trusted servers in each VLAN, Extremes then run into the restriction.

I guess I have my answer in that everyone just uses trusted ports, but with your additional measure of trusted servers on the L3 link.

Many thanks

Jarek
New Contributor II
David, my explanation was too short.

"Aggregation - bootprelay with two DHCP servers "

I meant, I have 2 central DHCP servers, and I use bootprelay on aggregation switches.

About "two DHCP trusted servers on uplink vlan to core"

I have an L3 connection only between core and aggregation.
Because I use dhcp-snooping, I need a trusted port with ip-security violation-action none (for the dhcp-snooping table), and so on.

--
Jarek

Thanks, we have been using trusted ports because our HP switches don't do it per VLAN, so it's less restrictive, and we were just expecting to do the same with Extreme. As for why: we don't trust our network; being a large university, all sorts of stuff gets plugged into our switches without us knowing! So the trusted port is better than nothing but doesn't cover all the bases.

It's interesting using DHCP snooping on your aggregation; we don't, because we do trust our core, but maybe we shouldn't. That's really helpful, thanks.
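To make the two options discussed in this thread concrete, here is an added ExtremeXOS configuration sketch. It is not posted by anyone in the thread and is not taken from Extreme documentation; it only uses the dhcp-snooping, trusted-ports and trusted-servers commands the posters refer to. All VLAN names, port numbers and IP addresses are assumptions: user VLANs users1 to users4, edge ports 1:1-1:44, uplink port 1:47 (on a LAG, the assumption here is that the sharing master port is the one you name), central DHCP servers 10.0.0.11 and 10.0.0.12, and the aggregation switch's bootprelay address in each VLAN written as 10.10.N.1.

```text
# Added example, not from any poster in this thread. All names, ports and
# addresses below are assumed placeholders; adjust them to your own network.

# 1. Snooping on ALL ports of every user VLAN, uplink included, so the switch
#    inspects server replies coming down the uplink as well as client requests
#    on the edge ports. With no trusted port/server, OFFER/ACK is dropped everywhere.
enable ip-security dhcp-snooping vlan users1 ports all violation-action drop-packet
enable ip-security dhcp-snooping vlan users2 ports all violation-action drop-packet
enable ip-security dhcp-snooping vlan users3 ports all violation-action drop-packet
enable ip-security dhcp-snooping vlan users4 ports all violation-action drop-packet

# 2a. Approach the thread settles on for large networks: trust the uplink for
#     DHCP-server packets. This is switch-wide, not per VLAN, so it scales to
#     any number of VLANs, but a rogue server behind the uplink is not filtered.
configure trusted-ports 1:47 trust-for dhcp-server

# 2b. The per-VLAN trusted-server alternative. Each user VLAN needs the two
#     server addresses plus the relay (gateway) address, i.e. three of the
#     eight entries the switch allows, so only two VLANs fit on one switch:
configure trusted-servers vlan users1 add server 10.0.0.11 trust-for dhcp-server
configure trusted-servers vlan users1 add server 10.0.0.12 trust-for dhcp-server
configure trusted-servers vlan users1 add server 10.10.1.1 trust-for dhcp-server
configure trusted-servers vlan users2 add server 10.0.0.11 trust-for dhcp-server
configure trusted-servers vlan users2 add server 10.0.0.12 trust-for dhcp-server
configure trusted-servers vlan users2 add server 10.10.2.1 trust-for dhcp-server
# users3 would bring the total to 9 entries, which exceeds the limit of 8.

# 3. Verify per VLAN which ports snoop, which are trusted, and the bindings learned.
show ip-security dhcp-snooping vlan users1
show ip-security dhcp-snooping entries vlan users1
```

The arithmetic in the thread is visible in block 2b: three entries per VLAN times the number of user VLANs must stay at or below eight, which is why the posters fall back to trusting the uplink port (2a) on edge switches and reserve trusted-servers for the single L3 VLAN between aggregation and core, where only the two server addresses are needed.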