dhcp-snooping trusted servers
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎07-11-2016 09:02 AM
Hi all,
I am just looking at using extreme as edge switches, have been using them for core and aggregation for years. We have a large network with two central DHCP servers which we then use UDP forwarding from each user vlan.
As I see it, we need to enable dhcp snooping on all ports of the switch including the uplinks so they see the server packets on the uplinks as well as the client packets on the edge ports. This will discard server packets on all ports by default so we either need to set the uplinks as trusted ports or use the trusted server feature.
The trusted server commend is better because it will guard against rogue packets on the uplinks too, but there is a limit of 8 and if we have four user vlans on a switch, we would need to issue two trusted server commands for each of the central servers on each vlan (eight commands) PLUS one per VLAN for the local gateway relay address so we will easily run out of trusted servers.
Is this right? How do people get round this, or do you just use the trusted port commands for large networks?
Also, I have read somewhere you can't put snooping on LAG ports, as all our uplinks are LAGged does this mean the feature is completely useless to us anyway?
I am just looking at using extreme as edge switches, have been using them for core and aggregation for years. We have a large network with two central DHCP servers which we then use UDP forwarding from each user vlan.
As I see it, we need to enable dhcp snooping on all ports of the switch including the uplinks so they see the server packets on the uplinks as well as the client packets on the edge ports. This will discard server packets on all ports by default so we either need to set the uplinks as trusted ports or use the trusted server feature.
The trusted server commend is better because it will guard against rogue packets on the uplinks too, but there is a limit of 8 and if we have four user vlans on a switch, we would need to issue two trusted server commands for each of the central servers on each vlan (eight commands) PLUS one per VLAN for the local gateway relay address so we will easily run out of trusted servers.
Is this right? How do people get round this, or do you just use the trusted port commands for large networks?
Also, I have read somewhere you can't put snooping on LAG ports, as all our uplinks are LAGged does this mean the feature is completely useless to us anyway?
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎07-13-2016 06:47 AM
We have a large network with two central DHCP servers which we then use UDP forwarding from each user vlan. The problem is that we have seen once DHCP clients have had a response to the initial broadcast, they seem to unicast directly to the server IP, so our current snooping settings (on HP switches) has to recognise the local relay agent and the central servers. That's fine but when the settings are tied to a VLAN, that means three trusted servers have to be enabled per vlan and with a limit of 8 across the whole switch, that means we can't have more than two vlans with DHCP.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎07-12-2016 06:54 PM
David,
How many DHCP Servers do you have ?
How many DHCP Servers do you have ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎07-12-2016 05:55 AM
No problem Daniel, if you have any advice regarding the snooping I'd be really grateful, this seems very confusing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎07-12-2016 05:16 AM
I'm sorry, I misread your question.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎07-12-2016 04:36 AM
Why? We have udp forwarding working well, has been for years on many switches. My question is about dhcp-snooping,
