Test topology
Environment: the DHCP server and the DHCP clients are in the same VLAN, but the clients hang off different switches (Win10 directly on the L3 switch, Win11 on the L2 switch), and DHCP snooping is enabled on both the L2 and the L3 switch.
L3 Switch Configuration
! DHCP scope values as extracted (the command keywords were lost in extraction):
! 172.28.27.0 255.255.255.0   172.28.27.254   172.28.28.15
!
ip dhcp snooping vlan 27
ip dhcp snooping information option allow-untrusted   ! required because the L3 switch also runs DHCP snooping; see Description below
ip dhcp snooping
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 speed 1000
 duplex full
 no negotiation auto
 ip dhcp snooping limit rate 720
L2 Switch Configuration
ip dhcp snooping vlan   (VLAN id lost in extraction; the same VLAN as on the L3 switch)
ip dhcp snooping
!
interface GigabitEthernet0/0
 switchport mode trunk
 media-type rj45
 duplex full
 no negotiation auto
 ip dhcp snooping trust
Description
1. The DHCP requests arriving from the L2 switch already carry option 82 (inserted by the L2 switch). If gi0/0 on the L3 switch is configured as a trusted port, these option-82 requests are accepted, but a trusted port does not create DHCP snooping binding entries, so the L3 binding table contains only the entry for Win10 (the client attached directly to L3) and has no entry for Win11. Deploying DAI and IPSG in this state does not help: the L2 switch does not support either feature, so traffic coming from the L2 switch can still carry spoofed IP or ARP, and the L3 switch has no PC2 binding entry to check it against. DAI and IPSG depend on the DHCP snooping binding table, so if you want to run DAI or IPSG on the L3 switch you cannot make gi0/0 a trusted port. When gi0/0 is left untrusted, however, an untrusted port by default discards any DHCP request that carries option 82, and the requests from the L2 switch do carry it. The global command ip dhcp snooping information option allow-untrusted must therefore be configured; otherwise the L3 switch drops these requests and Win11 behind the L2 switch never obtains an address. Only with that command in place does the L3 switch accept the option-82 requests from the L2 switch and build binding entries for them.
If the switch does not support the ip dhcp snooping information option allow-untrusted command, there are two alternatives:
① on the switch that lacks the command, configure ip dhcp relay information trusted under the interface vlan (SVI) that the DHCP traffic enters;
② on the access-layer switch, stop inserting option 82 with no ip dhcp snooping information option.
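The decision described in point 1, as an added example (not Cisco's code and not from the original page): a small Python model of a DHCP snooping switch that builds a DHCPDISCOVER already carrying relay-agent information (option 82, RFC 3046) the way the L2 access switch inserts it, parses it, and applies the untrusted-port check on the L3 switch with and without allow-untrusted. Running the three configurations shows which of them ends up with a binding entry for the Win11 client. Assumptions: the server-facing trusted port is called gi0/1, the lease handed out is 172.28.27.10, the option 82 sub-option contents are constructed, the client MAC is the one from the debug line in the Extended section, and the binding table is simplified to MAC -> (IP, port) without the VLAN and lease time a real switch keeps.

```python
"""Added example: model of the DHCP snooping untrusted-port check and binding-table build."""
import socket
import struct
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_AGENT_INFO, OPT_END, OPT_PAD = 53, 82, 255, 0
DHCPDISCOVER, DHCPACK = 1, 5
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s4s"   # RFC 2131 fixed fields followed by the magic cookie
MAGIC = b"\x63\x82\x53\x63"
ZERO_IP = b"\x00" * 4


def build_dhcp(op, xid, chaddr, giaddr, yiaddr, options):
    """Assemble a minimal BOOTP/DHCP packet: fixed header plus a list of (code, value) options."""
    hdr = struct.pack(HDR_FMT, op, 1, len(chaddr), 0, xid, 0, 0x8000,
                      ZERO_IP, yiaddr, ZERO_IP, giaddr, chaddr.ljust(16, b"\x00"),
                      b"\x00" * 64, b"\x00" * 128, MAGIC)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + body + bytes([OPT_END])


def parse_agent_info(val):
    """Split option 82 into its sub-options (1 = circuit-id, 2 = remote-id)."""
    subs, i = {}, 0
    while i < len(val):
        sub, ln = val[i], val[i + 1]
        subs[sub] = val[i + 2:i + 2 + ln]
        i += 2 + ln
    return subs


def parse_dhcp(pkt):
    """Decode the fields the snooping check needs: op, xid, giaddr, yiaddr, chaddr and the options."""
    hdr_len = struct.calcsize(HDR_FMT)
    f = struct.unpack(HDR_FMT, pkt[:hdr_len])
    if f[-1] != MAGIC:
        raise ValueError("not a DHCP packet (bad magic cookie)")
    msg = {"op": f[0], "xid": f[4], "yiaddr": f[8], "giaddr": f[10],
           "chaddr": f[11][:f[2]], "options": {}}
    i = hdr_len
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    if OPT_AGENT_INFO in msg["options"]:
        msg["agent_info"] = parse_agent_info(msg["options"][OPT_AGENT_INFO])
    return msg


@dataclass
class SnoopingSwitch:
    """Per-switch snooping state: trusted ports, the allow-untrusted knob and the binding table."""
    allow_untrusted: bool = False
    trusted_ports: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)   # chaddr -> (ip, port); VLAN and lease omitted
    pending: dict = field(default_factory=dict)    # xid -> (chaddr, port) for untrusted-port clients

    def receive(self, port, pkt):
        """Return 'forward' or 'drop' for a DHCP packet arriving on `port`, updating the binding table."""
        msg = parse_dhcp(pkt)
        trusted = port in self.trusted_ports
        if msg["op"] == BOOTREQUEST:
            relay_info = OPT_AGENT_INFO in msg["options"] or msg["giaddr"] != ZERO_IP
            if not trusted and relay_info and not self.allow_untrusted:
                return "drop"     # untrusted port + relay-agent info: the drop the Extended section's debug shows
            if not trusted:       # bindings are only learned for clients behind untrusted ports
                self.pending[msg["xid"]] = (msg["chaddr"], port)
            return "forward"
        if not trusted:           # server replies are accepted from trusted ports only
            return "drop"
        if msg["options"].get(OPT_MSG_TYPE) == bytes([DHCPACK]) and msg["xid"] in self.pending:
            chaddr, client_port = self.pending.pop(msg["xid"])
            self.bindings[chaddr] = (socket.inet_ntoa(msg["yiaddr"]), client_port)
        return "forward"


WIN11_MAC = bytes.fromhex("5000000b0000")   # MAC from the debug line on the page
# Constructed option 82 as an access switch would insert it: circuit-id and remote-id sub-options.
AGENT_INFO = (bytes([SUB_CIRCUIT_ID, 4]) + b"\x00\x1b\x01\x01"
              + bytes([SUB_REMOTE_ID, 6]) + bytes.fromhex("001122334455"))


def run_scenario(uplink_trusted, allow_untrusted):
    """Replay Win11's DISCOVER (from L2 on gi0/0) and the server's ACK (on the assumed trusted
    server port gi0/1) through the L3 switch; return the verdict and the resulting binding table."""
    l3 = SnoopingSwitch(allow_untrusted=allow_untrusted,
                        trusted_ports={"gi0/1"} | ({"gi0/0"} if uplink_trusted else set()))
    discover = build_dhcp(BOOTREQUEST, 0x1234, WIN11_MAC, ZERO_IP, ZERO_IP,
                          [(OPT_MSG_TYPE, bytes([DHCPDISCOVER])), (OPT_AGENT_INFO, AGENT_INFO)])
    verdict = l3.receive("gi0/0", discover)
    if verdict == "forward":
        ack = build_dhcp(BOOTREPLY, 0x1234, WIN11_MAC, ZERO_IP, socket.inet_aton("172.28.27.10"),
                         [(OPT_MSG_TYPE, bytes([DHCPACK])), (OPT_AGENT_INFO, AGENT_INFO)])
        l3.receive("gi0/1", ack)
    return verdict, dict(l3.bindings)


if __name__ == "__main__":
    for trusted, allow in ((True, False), (False, False), (False, True)):
        print(f"gi0/0 trusted={trusted}, allow-untrusted={allow}: {run_scenario(trusted, allow)}")
```

The three runs reproduce the page's argument: with gi0/0 trusted the request is forwarded but no binding is created; with gi0/0 untrusted and no allow-untrusted the request is dropped; only with gi0/0 untrusted and allow-untrusted set does the L3 switch forward the request and learn a binding for Win11 that DAI and IPSG could use.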
2. With DHCP snooping enabled, the Cisco switches in this test rate-limit DHCP packets on each untrusted interface to 15 packets per second (ip dhcp snooping limit rate 15). On the L2 switch that limit applies to each client port, but on the L3 switch the interface facing the L2 switch is also untrusted and carries the DHCP traffic of every client behind L2. If 48 clients send DHCP requests at the same time, the 15 pps limit on the L3 downlink is exceeded and most of the requests are lost; on Catalyst switches an interface that exceeds its DHCP snooping rate limit is also put into err-disabled state, which takes the whole uplink down. The limit rate on the L3 downstream interface should therefore be raised, calculated as follows:
Assuming the L2 switch is a 48-port 2960 with a 15 pps limit on each port, the L3 downlink needs 48 × 15 = 720 pps (ip dhcp snooping limit rate 720).
Note: the limit rate only needs adjusting where DHCP snooping is also enabled on the aggregation or core switch. If many access-layer switches sit under one core or aggregation switch, watch the arithmetic: the maximum configurable limit rate on a port is 2048 pps, so with many downstream switches you may have to lower the limit on the access-layer ports instead. Keep that value reasonable, because too small a limit slows down address acquisition.
Extended:
When ip dhcp snooping information option allow-untrusted is not enabled on the L3 switch, debug ip dhcp snooping on L3 shows the packets from the L2 switch being discarded continuously, because they carry relay-agent information (option 82 / the GIADDR check) and are treated as illegal on an untrusted port:
l3# (debug ip dhcp snooping output, truncated in extraction) ... message type: DHCPDISCOVER, MAC sa: 5000.000b.0000
(V) Cisco DHCP snooping example 3: multi-switch environment (DHCP server and DHCP clients in the same VLAN)