dhcp-snooping trusted servers

David_Rickard
New Contributor
Hi all,

I am just looking at using Extreme as edge switches, having used them for core and aggregation for years. We have a large network with two central DHCP servers, which we then reach using UDP forwarding from each user VLAN.

As I see it, we need to enable dhcp snooping on all ports of the switch including the uplinks so they see the server packets on the uplinks as well as the client packets on the edge ports. This will discard server packets on all ports by default so we either need to set the uplinks as trusted ports or use the trusted server feature.

The trusted server command is better because it will guard against rogue packets on the uplinks too, but there is a limit of 8, and if we have four user VLANs on a switch, we would need to issue two trusted server commands for each of the central servers on each VLAN (eight commands) PLUS one per VLAN for the local gateway relay address, so we will easily run out of trusted servers.

Is this right? How do people get round this, or do you just use the trusted port commands for large networks?

Also, I have read somewhere that you can't put snooping on LAG ports. As all our uplinks are LAGged, does this mean the feature is completely useless to us anyway?

Jarek
New Contributor II
David,
you asked also "How do people get round this, or do you just use the trusted port commands for large networks?"

A short example of how I use the DHCP and ip-security features:
1) Edge (L2): only the uplink port is trusted for DHCP servers
- I don't use trusted servers per vlan, because we trust our network
- dhcp-snooping with violation-action drop-packet block-mac duration
- If hardware has space for ACL: ip-security source-ip-lockdown

2) Aggregation (L2/L3)
- bootprelay with two DHCP servers
- dhcp-snooping with violation-action drop-packet block-mac duration
- two DHCP trusted servers on uplink vlan to core
- arp validation
- enable arp learning learn-from-dhcp, disable arp learning learn-from-arp
- arp gratuitous-protection
- ip-security dhcp-bindings storage
- ACL filters per vlan

--
Jarek
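The edge-switch layout from the post above, written out as an added EXOS configuration example (not the poster's own configuration). The VLAN names (lan1, lan2), port numbers (1-48 access, 50 uplink), the server addresses and the block duration are assumed; the command syntax follows the EXOS command reference and should be checked against the release actually running.

```text
# Edge (L2) switch: trust the uplink port, snoop every access port.
# Uplink port 50 carries the DHCP server replies from the core. Trusting
# the port rather than individual servers avoids the 8-entry
# trusted-server limit discussed in the thread.
configure trusted-ports 50 trust-for dhcp-server

# Snooping is also enabled on the uplink so the server replies are seen
# and can populate the bindings table; no violation action there.
enable ip-security dhcp-snooping vlan lan1 port 50 violation-action none
enable ip-security dhcp-snooping vlan lan2 port 50 violation-action none

# Access ports: drop rogue server packets and block the offending MAC
# for 300 seconds (assumed duration).
enable ip-security dhcp-snooping vlan lan1 ports 1-48 violation-action drop-packet block-mac duration 300
enable ip-security dhcp-snooping vlan lan2 ports 1-48 violation-action drop-packet block-mac duration 300

# Only permit source IPs learned from snooped DHCP leases on access ports
# (needs free ACL space in hardware).
enable ip-security source-ip-lockdown ports 1-48

# Alternative for a small number of VLANs: trust specific servers instead
# of the port. Each VLAN consumes one entry per server, plus one for the
# relay address, against a switch-wide maximum of 8 (addresses assumed).
# configure trusted-servers vlan lan1 add server 10.0.0.10 trust-for dhcp-server
# configure trusted-servers vlan lan1 add server 10.0.0.11 trust-for dhcp-server
```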

Tripathy__Priya
Extreme Employee
Adding to what Jarek mentioned: depending upon the DHCP snooping configuration, the switch drops packets and can disable the port either temporarily or permanently, and can even black-hole the MAC address too. When one or more trusted ports are configured, the switch assumes that all DHCP server packets on the trusted port are valid.

David_Rickard
New Contributor
The problem is that if we specify trusted servers, we can have only a maximum of 8 server addresses across the whole switch. If we have two addresses used for the servers' real addresses, then we need one for the DHCP helper in each VLAN, meaning we need to configure three addresses in each VLAN, so enabling this on two VLANs will use up six of the 8 available entries and no more VLANs can have DHCP snooping enabled (with trusted server addresses). This seems a remarkably low limit.

Jarek
New Contributor II
Hi David,
let's assume that your uplink ports on edge switch are trusted.

Add trusted port without DHCP servers

configure trusted-ports 50 trust-for dhcp-server
From the EXOS command reference:
"Trusted ports do not block traffic; rather, the switch forwards any DHCP server packets that appear on trusted ports."
You can also add on your uplink port:

enable ip-security dhcp-snooping vlan lan1 port 50 violation-action none
enable ip-security dhcp-snooping vlan lan2 port 50 violation-action none
enable ip-security dhcp-snooping vlan lan3 port 50 violation-action none
--
Jarek

Tripathy__Priya
Extreme Employee
I can see so far nothing has been updated here for the last 6 months or so.

Coming to dhcp-snooping with trusted servers, what I could suggest is as below:

You can enable DHCP snooping on a per-port and per-VLAN basis, but trusted DHCP servers are always configured on a per-VLAN basis only. If configured for DHCP snooping, the switch snoops DHCP packets on the indicated ports and builds a DHCP bindings database of IP address and MAC address bindings from the received packets.

If configured for trusted DHCP server, the switch forwards only DHCP packets from the trusted servers. The switch drops DHCP packets from other DHCP snooping-enabled ports.