topic RE: dhcp-snooping trusted servers in ExtremeSwitching (EXOS/Switch Engine)

dhcp-snooping trusted servers

David_Rickard — Mon, 11 Jul 2016 16:02:00 GMT

Hi all,

I am just looking at using extreme as edge switches, have been using them for core and aggregation for years. We have a large network with two central DHCP servers which we then use UDP forwarding from each user vlan.

As I see it, we need to enable dhcp snooping on all ports of the switch including the uplinks so they see the server packets on the uplinks as well as the client packets on the edge ports. This will discard server packets on all ports by default so we either need to set the uplinks as trusted ports or use the trusted server feature.

The trusted server commend is better because it will guard against rogue packets on the uplinks too, but there is a limit of 8 and if we have four user vlans on a switch, we would need to issue two trusted server commands for each of the central servers on each vlan (eight commands) PLUS one per VLAN for the local gateway relay address so we will easily run out of trusted servers.

Is this right? How do people get round this, or do you just use the trusted port commands for large networks?

Also, I have read somewhere you can't put snooping on LAG ports, as all our uplinks are LAGged does this mean the feature is completely useless to us anyway?

RE: dhcp-snooping trusted servers

dflouret — Mon, 11 Jul 2016 22:53:00 GMT

David,

Have you checked the bootprelay command?

You can enable it globally for a virtual router and all its vlans
enable bootprelay vr vr-defaultor only for specific vlans
enable bootprelay vlan test
You can also add one or more DHCP servers globally to the virtual router for all vlans to use
configure bootprelay add 10.1.0.1or configure specific DHCP servers for individual vlans
configure bootprelay vlan test add 10.2.0.2

RE: dhcp-snooping trusted servers

David_Rickard — Tue, 12 Jul 2016 11:36:00 GMT

Why? We have udp forwarding working well, has been for years on many switches. My question is about dhcp-snooping,

RE: dhcp-snooping trusted servers

dflouret — Tue, 12 Jul 2016 12:16:00 GMT

I'm sorry, I misread your question.

RE: dhcp-snooping trusted servers

David_Rickard — Tue, 12 Jul 2016 12:55:00 GMT

No problem Daniel, if you have any advice regarding the snooping I'd be really grateful, this seems very confusing.

RE: dhcp-snooping trusted servers

Balaji — Wed, 13 Jul 2016 01:54:00 GMT

David,

How many DHCP Servers do you have ?

RE: dhcp-snooping trusted servers

David_Rickard — Wed, 13 Jul 2016 13:47:00 GMT

We have a large network with two central DHCP servers which we then use UDP forwarding from each user vlan. The problem is that we have seen once DHCP clients have had a response to the initial broadcast, they seem to unicast directly to the server IP, so our current snooping settings (on HP switches) has to recognise the local relay agent and the central servers. That's fine but when the settings are tied to a VLAN, that means three trusted servers have to be enabled per vlan and with a limit of 8 across the whole switch, that means we can't have more than two vlans with DHCP.

RE: dhcp-snooping trusted servers

Tripathy__Priya — Mon, 16 Jan 2017 14:36:00 GMT

I can see so far nothing has been updated here for the last 6 months or so.

Coming to the dhcp-snooping for trusted servers what i could suggest you as below:

You can enable DHCP snooping on a per port and per vlan basis but coming to trusted DHCP server it is always on a per vlan basis only. If configured for DHCP snooping, the switch snoops DHCP packets on the indicated ports and builds a DHCP bindings database of IP address and MAC address bindings from the received packets.

If configured for trusted DHCP server, the switch forwards only DHCP packets from the trusted
servers. The switch drops DHCP packets from other DHCP snooping-enabled ports.

RE: dhcp-snooping trusted servers

David_Rickard — Mon, 16 Jan 2017 19:03:00 GMT

The problem is that if we specify trusted servers, we can have only a maximum of 8 server addresses across the whole switch. If we have two addresses used for the server's real addresses, then we need one for the dhcp helper in each vlan, meaning we need to configure three addresses in each VLAN so enabling this on two vlans will use up three of the 8 available entries and so no more vlans can have dhcp snooping enabled (with trusted server addresses). This seems a remarkably low limit.

RE: dhcp-snooping trusted servers

Jarek — Mon, 16 Jan 2017 19:03:00 GMT

Hi David,
let's assume that your uplink ports on edge switch are trusted.

Add trusted port without DHCP servers

configure trusted-ports 50 trust-for dhcp-server
From EXOS command reference:
Trusted ports do not block traffic; rather, the switch forwards any DHCP server packets that appear on trusted ports.
You can also add on your uplink port:

enable ip-security dhcp-snooping vlan lan1 port 50 violation-action none
enable ip-security dhcp-snooping vlan lan2 port 50 violation-action none
enable ip-security dhcp-snooping vlan lan3 port 50 violation-action none--
Jarek

RE: dhcp-snooping trusted servers

Tripathy__Priya — Tue, 17 Jan 2017 13:28:00 GMT

Adding to this what Jarek mentioned depending upon DHCP snooping configuration the switch drops packets and can disable the port either temporarily or permanently, even can black hole the MAC address too. Configuring one or more trusted ports the switch assumes that all DHCP server packets on the trusted port are valid.

RE: dhcp-snooping trusted servers

David_Rickard — Tue, 17 Jan 2017 14:46:00 GMT

I know what dhcp snooping does, if you read my posts you will see I get all that. I was not asking what dhcp snooping does or how to configure it. I did not ask how to trust a port, or what trusting ports does.

For thr fourth time in this thread I will explain the question.

There is a restriction of no more than 8 trusted servers on a switch.

If you have two DHCP servers, they have a native address each , that is two.
If they are routed, you then have one address for the DHCP helper, that makes three.

You have to configure the trusted servers per vlan, so you have to specify three addresses for each VLAN.

Doing this for two VLANS uses six addresses out of the 8 you can use.

This means if you use DHCP snooping trusted servers, you can't do it for more than two VLANs. This seems like an unreasonable restriction. I was asking whether that is correct, or whether I have misunderstood how that works.

RE: dhcp-snooping trusted servers

Jarek — Tue, 17 Jan 2017 14:46:00 GMT

David,
you asked also "How do people get round this, or do you just use the trusted port commands for large networks?"

Short example how I use DHCP and ip-sec features:
1) Edge (L2) only uplink port is trusted for dhcp servers
- I don't use trusted servers per vlan, because we trust our network
- dhcp-snooping with violation-action drop-packet block-mac duration
- If hardware has space for ACL: ip-security source-ip-lockdown

2) Aggregation (L2/L3)
- bootprelay with two DHCP servers
- dhcp-snooping with violation-action drop-packet block-mac duration
- two DHCP trusted servers on uplink vlan to core
- arp validation
- enable arp learning learn-from-dhcp, disable arp learning learn-from-arp
- arp gratuitous-protection
- ip-security dhcp-bindings storage
- ACL filters per vlan

--
Jarek

RE: dhcp-snooping trusted servers

David_Rickard — Tue, 17 Jan 2017 14:46:00 GMT

Thanks, we have been using trusted ports because our HP switches don't do it per VLAN, so it's less restrictive and we were just expecting to do the same with extreme. As for why, we don't trust our network being a large university all sorts of stuff gets plugged into our switches without us knowing! So the trusted port is better than nothing but doesn't cover all the bases.

It's interesting using DHCP on your aggregation, we don't becuase we do trust our core, but maybe we shouldn't. That's really helpful thanks.

RE: dhcp-snooping trusted servers

Jarek — Tue, 17 Jan 2017 14:46:00 GMT

David, my explanation was to short .

"Aggregation - bootprelay with two DHCP servers "

I meant, I have 2 central DHCP servers, and I use bootprelay on agggregation switches.

About "two DHCP trusted servers on uplink vlan to core"

I have L3 connection only between core and aggragation.
Because I use dhcp-snooping, I need a trusted port with ip-security violation-action none (for dhcp-snooping table), and so on ..

--
Jarek

RE: dhcp-snooping trusted servers

David_Rickard — Tue, 17 Jan 2017 14:46:00 GMT

Your DHCP configuration is the same as ours, but we don't presently do DHCP snooping on the L3 connection to the core

I have just re-read my post and I made that very confusing. We do trusted servers on our HP switches as it is not vlan-tied so it's easy to configure, but by having to put all the trusted servers in each vlan, extremes then run into the restriction.

I guess I have my answer in that everyone just uses trsted ports but with your additional measure of trusted servers on the L3 link.

Many thanks