Need help understanding why I need dhcp snooping trust on my access interface when using ip helper?
dpwtheitguy
All,
Hope everyone is doing well. Looking at DHCP snooping for today's topic. Basically I have a DHCP server in another subnet, and when I enable DHCP snooping I expected that I would only have to enable trust ports in two places: lanswitch's interface facing the router and dcswitch's interface facing the DHCP server.
However, when I lab this topology I end up needing to put trust on all interfaces in the process.
Topology
dhcpclient >> (e1) lanswitch (e0) >> Router << dcswitch << dhcpserver
My understanding is that snooping only happens on data coming into a port and only applies to offer and accept traffic coming from the DHCP server. Which doesn't jive with my lab, where I have to apply a trust to the lanswitch's interface serving dhcpclient (e1).
Can anyone clarify where I might be going wrong? Or help me better understand the snooping process as it pertains to being relayed by the DHCP helper?
Accepted answers
All comments
Gngogh
Hi,
By default, the Cisco DHCP snooping code on the Cisco Catalyst switches inserts option-82 into the DHCP packet but sets giaddr to 0.0.0.0, which causes the Cisco DHCP relay (ip helper) to drop all DHCP packets from a Cisco switch configured with DHCP snooping.
https://www.spheron1.uk/2010/11/03/cisco-dhcp-snooping-with-a-cisco-dhcp-relay-ip-helper-and-dhcp-option-82/
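The accepted answer explains the observation in the original post: the snooping switch adds option 82 to client packets it sees on untrusted ports but leaves giaddr at 0.0.0.0, and the relay on the router drops exactly that combination. The following model is an added illustration written for this thread, not Cisco code or code from the answer's linked article. It uses the thread's topology and port names (e1 client-facing, e0 router-facing on lanswitch) and assumes the relay address 10.0.0.1 and the client MAC, both constructed; the trust and drop rules are the ones described in the accepted answer plus Cisco's documented rule that untrusted ports also drop server messages and packets that already carry relay markings.

```python
"""Model of DHCP snooping and DHCP relay (ip helper) decisions for the
thread's topology:

    dhcpclient >> (e1) lanswitch (e0) >> Router << dcswitch << dhcpserver

Added illustration, not Cisco code. It follows the accepted answer: the
snooping switch inserts option 82 into client packets seen on untrusted
ports but leaves giaddr at 0.0.0.0, and the relay drops option-82 packets
whose giaddr is 0.0.0.0 unless it is configured to trust them.
"""
from dataclasses import dataclass, replace

# DHCP message types (RFC 2132 option 53)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}

RELAY_ADDR = "10.0.0.1"          # constructed: the router's helper interface
CLIENT_MAC = "00:11:22:33:44:55"  # constructed: dhcpclient's hardware address


@dataclass(frozen=True)
class Dhcp:
    msg_type: int
    client_mac: str
    giaddr: str = "0.0.0.0"   # relay agent address; 0.0.0.0 until a relay fills it
    option82: bool = False    # relay-agent information option present?


def snoop_ingress(pkt, port_trusted, insert_option82=True):
    """Decision for a DHCP frame entering a snooping-enabled switch port.
    Returns (forwarded packet or None, reason). Trusted ports pass frames
    through unchanged; untrusted ports get the client-port checks."""
    if port_trusted:
        return pkt, "trusted port: forwarded unchanged"
    if pkt.msg_type in SERVER_MESSAGES:
        return None, "server message on untrusted port: dropped (rogue-server check)"
    if pkt.giaddr != "0.0.0.0" or pkt.option82:
        return None, "packet already relay-marked on untrusted port: dropped"
    if insert_option82:
        # Behaviour from the accepted answer: option 82 added, giaddr left 0.0.0.0
        return replace(pkt, option82=True), "option 82 inserted, giaddr left 0.0.0.0"
    return pkt, "forwarded unchanged (option 82 insertion disabled)"


def relay_ingress(pkt, relay_addr, trust_option82=False):
    """The router's ip helper. trust_option82 models the relay being told to
    trust option-82 packets that arrive with giaddr 0.0.0.0; without it such
    packets are dropped, as the accepted answer describes."""
    if pkt.option82 and pkt.giaddr == "0.0.0.0" and not trust_option82:
        return None, "option 82 present with giaddr 0.0.0.0: dropped by relay"
    return replace(pkt, giaddr=relay_addr), "giaddr set, relayed to server"


def discover_reaches_server(e1_trusted, relay_trusts_option82=False,
                            switch_inserts_option82=True):
    """Trace a client DISCOVER from lanswitch e1 through the relay.
    Returns (reached_server, trail of per-hop decisions)."""
    trail = []
    pkt = Dhcp(DISCOVER, CLIENT_MAC)
    pkt, why = snoop_ingress(pkt, e1_trusted, switch_inserts_option82)
    trail.append(f"lanswitch e1: {why}")
    if pkt is None:
        return False, trail
    pkt, why = relay_ingress(pkt, RELAY_ADDR, relay_trusts_option82)
    trail.append(f"router: {why}")
    return pkt is not None, trail


def offer_reaches_client(e0_trusted):
    """Trace the server's OFFER back into lanswitch on the router-facing
    port e0; this is the port the poster expected to need trust on."""
    pkt = Dhcp(OFFER, CLIENT_MAC, giaddr=RELAY_ADDR)
    fwd, why = snoop_ingress(pkt, e0_trusted)
    return fwd is not None, [f"lanswitch e0: {why}"]


if __name__ == "__main__":
    scenarios = {
        "e1 untrusted, relay default": discover_reaches_server(False),
        "e1 trusted (the poster's workaround)": discover_reaches_server(True),
        "e1 untrusted, relay trusts option 82": discover_reaches_server(False, True),
        "e1 untrusted, switch does not insert option 82":
            discover_reaches_server(False, False, False),
        "OFFER back in on untrusted e0": offer_reaches_client(False),
        "OFFER back in on trusted e0": offer_reaches_client(True),
    }
    for name, (ok, trail) in scenarios.items():
        print(f"{name}: {'OK' if ok else 'DROPPED'} | " + "; ".join(trail))
```

Run stand-alone, the model reproduces the thread: with e1 untrusted and the relay at defaults, the DISCOVER is dropped at the router; trusting e1 makes it work because trusted ports are forwarded unchanged, so no option 82 is ever inserted. The model also shows the two fixes that keep the client port untrusted, which is what you want for the rogue-server check: either stop the switch inserting option 82 (on IOS, `no ip dhcp snooping information option` globally) or tell the relay to accept option-82 packets with a zero giaddr (`ip dhcp relay information trust-all` globally, or `ip dhcp relay information trusted` on the helper interface). Trusting e1 instead disables the server-message drop on that very port, so a rogue DHCP server plugged in there would no longer be filtered.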
mohsinkhan1515
DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients. Rogue DHCP servers are often used in man-in-the-middle or denial-of-service attacks for malicious purposes. However, the most common DoS scenario is that of an end user plugging in a consumer-grade router at their desk, ignorant that the device they plugged in is a DHCP server by default.
JDMurray
mohsinkhan1515 said: "DHCP snooping is a layer 2 security technology ..."
And that answer is copied directly from the Sonicwall Switch Admin Guide.
UsualSuspect7
DHCP snooping basically has a few features, but from my understanding it trusts the interface on the relay as it's the port of entry towards the DHCP server for the VLAN/subnets. DHCP snooping trust applied to the interface also has additional features such as rate limiting, and it also builds a database of IP to ARP mapping. I believe it's also a requirement for ARP inspection.