Implementing DHCP Snooping

HugoMAL
Member
Posts: 14
Joined: 04 Feb 2016 05:22

Implementing DHCP Snooping

Post by HugoMAL »

Hi all!

I just have a question about the implementation of DHCP Snooping.

I have an OS6450 and connected to it are 4 OS6350s.

The DHCP Server is configured on the OS6850 and it's working fine. But I want to prevent someone from "injecting" a DHCP Server on my network, since it's going to be possible for the users to connect and disconnect to the switches as they please.

So my question is: through the manual I saw that you could activate DHCP Snooping with the "ip helper dhcp-snooping enable" command and then with "ip helper dhcp-snooping port X/X-X trust" I could choose which ones are trusted to receive DHCP Server request packets.

Do I need to configure these commands on every single switch and trust the ports that are connected between them? Because that's what I'm doing, and on the ports that have APs connected (and supposedly just receiving DHCP Client requests) I'm getting these warnings in the console. (DHCP Server is OFF on the virtual controller of the APs)

WED APR 06 10:03:17 : IP-HELPER (22) warning message:
+++ Mac Movement for MacAddr: bc:85:56:c1:9:fd from port 1018 to port 1017

WED APR 06 10:03:56 : IP-HELPER (22) warning message:
+++ Mac Movement for MacAddr: bc:85:56:c1:9:fd from port 1018 to port 1017


Sorry for the long post; if you could just explain to me how DHCP snooping works I can easily configure it myself, I just need a little theory :) !


Thanks a lot!
Last edited by HugoMAL on 06 Apr 2016 19:48, edited 1 time in total.
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Implementing DHCP Snooping

Post by silvio »

You should activate DHCP snooping at the access switches and trust the uplink to the core.
If the core is your DHCP server then you should not activate DHCP snooping there.
Another feature is UserPorts, also at the access ports, where you can forbid DHCP offers.
regards
Silvio

Re: Implementing DHCP Snooping

Post by HugoMAL »

Hi Silvio and thanks for the quick response!

Ok, I was thinking the same but I was not sure. That feature is the "Port trust mode" that I mentioned before, right? Where you can filter, block or allow all DHCP traffic? Just to be sure that we are on the same page and it's not another feature that I missed. (I read everything in the cookbook and it must be it)

I will implement it like you said. Just a quick one about those warning messages: any idea what it could be? It happens when I enable the snooping and when I walk through a floor and my phone or laptop connects to the APs (there are 3 on each floor); the messages appear in the console and the ports are the ones where the APs are connected. Is it something I should worry about...? Or just a debug message that warns me that the MAC is "jumping around"?

Sorry for the long posts but if I give more information you can help me faster and better.

Thanks again for your time
Hugo

Re: Implementing DHCP Snooping

Post by silvio »

Hi,
With the following config you use DHCP snooping:


ip helper dhcp-snooping enable
ip helper dhcp-snooping binding enable
ip helper dhcp-snooping ip-source-filter port 1/1-48 enable   (user)
ip helper dhcp-snooping port 1/50 trust  (uplink)
I meant in my last post that there is another feature that drops DHCP offers: UserPorts

What message did you see? Maybe the reason is binding enable together with ip-source-filter. That is to protect against ARP spoofing. The switch learns the DHCP clients and builds an internal table. But if the same IP is visible at another port then this traffic will be blocked (with a message).
So you should not configure the source-filter option at the AP ports.
regards
Silvio
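To make the mechanism Silvio describes concrete, here is an added example (my code, not OmniSwitch firmware or anything from this thread) that models a DHCP-snooping port filter with a binding table in Python: server messages (OFFER/ACK/NAK) are dropped on untrusted ports, a chaddr that does not match the frame's source MAC is dropped, the leased IP is learned from the ACK arriving on the trusted uplink, and a client whose next request arrives on a different port produces a "Mac Movement" notice like the one quoted above. The port names, trust-mode labels, MAC addresses and the tiny packet builder are assumptions for the demo; how the real switch orders these checks is not shown on this page.

```python
import struct
from dataclasses import dataclass, field

# Port modes named after the trust modes discussed in the thread (assumed labels).
TRUST, CLIENT_ONLY, BLOCK = "trust", "client-only", "block"
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}          # option 53 values sent by servers
MAGIC = b"\x63\x82\x53\x63"                              # DHCP magic cookie (RFC 2131)


def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP payload: constructed test input, not a capture."""
    op = 2 if msg_type in SERVER_TYPES else 1            # BOOTREPLY for server messages
    fixed = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, bytes(int(o) for o in yiaddr.split(".")), b"\0" * 4, b"\0" * 4)
    fixed += bytes.fromhex(chaddr.replace(":", "")) + b"\0" * 10   # chaddr is 16 bytes
    fixed += b"\0" * 64 + b"\0" * 128                              # sname, file
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])           # option 53 + end


def parse_dhcp(pkt):
    """Extract the fields a snooping switch looks at: op, chaddr, yiaddr, message type."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]
    chaddr = ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])
    yiaddr = ".".join(str(b) for b in pkt[16:20])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                                   # pad option
            i += 1
            continue
        tag, ln = pkt[i], pkt[i + 1]
        opts[tag] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    mtype = opts.get(53, b"\0")[0]
    return {"op": pkt[0], "chaddr": chaddr, "yiaddr": yiaddr, "type": mtype,
            "from_server": pkt[0] == 2 or mtype in SERVER_TYPES}


@dataclass
class SnoopingSwitch:
    port_mode: dict                                       # port -> TRUST | CLIENT_ONLY | BLOCK
    binding_enabled: bool = True
    bindings: dict = field(default_factory=dict)          # client MAC -> (leased IP, port)
    warnings: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def ingress(self, port, src_mac, pkt):
        """Decide 'forward' or 'drop' for a DHCP packet arriving on `port`."""
        mode = self.port_mode.get(port, CLIENT_ONLY)      # unknown ports are treated as untrusted
        d = parse_dhcp(pkt)
        if mode == BLOCK:
            return self._drop(f"all DHCP blocked on {port}")
        if mode == CLIENT_ONLY and d["from_server"]:      # the rogue-server case
            return self._drop(f"{SERVER_TYPES.get(d['type'], 'reply')} from {src_mac} on untrusted {port}")
        if mode == CLIENT_ONLY and d["chaddr"] != src_mac:   # chaddr must match the frame's source MAC
            return self._drop(f"chaddr {d['chaddr']} != source MAC {src_mac} on {port}")
        if self.binding_enabled:
            self._learn(port, d)
        return "forward"

    def _drop(self, why):
        self.dropped.append(why)
        return "drop"

    def _learn(self, port, d):
        mac = d["chaddr"]
        if not d["from_server"]:                          # client message: remember which port it came from
            old = self.bindings.get(mac)
            if old and old[1] != port:
                self.warnings.append(f"Mac Movement for MacAddr: {mac} from port {old[1]} to port {port}")
            self.bindings[mac] = (old[0] if old else None, port)
        elif d["type"] == 5 and mac in self.bindings:     # ACK from a trusted port: pin the leased IP
            self.bindings[mac] = (d["yiaddr"], self.bindings[mac][1])


def demo():
    """Walk one client through DHCP on an AP port, a rogue OFFER on a user port, then a roam."""
    sw = SnoopingSwitch({"1/25": TRUST, "1/17": CLIENT_ONLY, "1/18": CLIENT_ONLY, "1/3": BLOCK})
    client, server, rogue = "bc:85:56:c1:09:fd", "00:e0:b1:aa:bb:cc", "de:ad:be:ef:00:01"
    steps = [
        ("1/18", client, build_dhcp(1, client)),                 # DISCOVER from an AP port
        ("1/25", server, build_dhcp(2, client, "10.1.1.50")),    # OFFER from the real server via the uplink
        ("1/18", client, build_dhcp(3, client)),                 # REQUEST
        ("1/25", server, build_dhcp(5, client, "10.1.1.50")),    # ACK
        ("1/17", rogue, build_dhcp(2, client, "192.168.1.9")),   # rogue OFFER on a user port: dropped
        ("1/17", client, build_dhcp(3, client)),                 # same client now behind another AP: warning
    ]
    return sw, [sw.ingress(*s) for s in steps]


if __name__ == "__main__":
    sw, results = demo()
    print(results, sw.bindings, sw.warnings, sw.dropped, sep="\n")
```

Running it prints six decisions: the rogue OFFER on user port 1/17 is the only drop, and the roam from 1/18 to 1/17 leaves the binding pointing at the new port with one movement notice. Note that in this model the notice only exists because the binding table is on; whether the real switch keeps a separate MAC-to-port record is not something this thread settles.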

Re: Implementing DHCP Snooping

Post by HugoMAL »

Hi,

I'm going to follow your advice, and thanks for that explanation; it was very useful and I'm sure that it will work because it makes sense.

Regards,
Hugo

Re: Implementing DHCP Snooping

Post by HugoMAL »

Hi again,

Still having the same warning and others similar to this one, only the port and the MACs change.

WED APR 06 10:03:17 : IP-HELPER (22) warning message:
+++ Mac Movement for MacAddr: bc:85:56:c1:9:fd from port 1018 to port 1017

This happens when the devices jump from one AP to another one. I tried what you told me Silvio but ip-source-filter is no longer supported in my software version (OS6350-P24 6.7.1.146.R01 GA)

I did some tests like:

1- I activated the DHCP snooping (ip helper dhcp-snooping enable)
2- Then I trusted my uplink port (ip helper dhcp-snooping port 1/25 trust)
3- The binding table is enabled by default. So I deactivated it but the error still happens.

I was thinking that if I deactivated the binding table the switch couldn't compare the MACs of the devices, right? So it shouldn't give me any warning message. I'm really out of options here, I'm reading everything that I can but I'm going to be honest, I'm starting to get a little desperate :( :(

If someone has a tip I really appreciate that.

Thanks again for your time Silvio.
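As an added triage aid (not from this thread or from Alcatel), the script below parses IP-HELPER warnings in the format Hugo quotes and sorts them per MAC: a MAC that only moves between ports you have marked as AP-facing is classed as roaming, a MAC that turns up on any other port is flagged for investigation (it could be a spoofed address), and more than two moves within a minute are marked as flapping. The sample log is constructed (the first two entries copy the posted format, the rest are invented), and the assumption that ports 1017 and 1018 are the AP ports and 1003 a wired user port is mine; the page does not say how those port numbers map to slot/port.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first two entries copy the format of the warnings quoted in the
# thread, the remaining two are made up to show a flap and a move onto a non-AP port.
LOG = """\
WED APR 06 10:03:17 : IP-HELPER (22) warning message:
+++ Mac Movement for MacAddr: bc:85:56:c1:9:fd from port 1018 to port 1017
WED APR 06 10:03:56 : IP-HELPER (22) warning message:
+++ Mac Movement for MacAddr: bc:85:56:c1:9:fd from port 1018 to port 1017
WED APR 06 10:04:02 : IP-HELPER (22) warning message:
+++ Mac Movement for MacAddr: bc:85:56:c1:9:fd from port 1017 to port 1018
WED APR 06 10:09:40 : IP-HELPER (22) warning message:
+++ Mac Movement for MacAddr: 00:11:22:33:44:55 from port 1017 to port 1003
"""

# Assumed: 1017 and 1018 are the AP-facing ports; 1003 is a wired user port.
AP_PORTS = {1017, 1018}

HEADER = re.compile(r"^\w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) : IP-HELPER \(\d+\) warning message:")
MOVE = re.compile(r"^\+\+\+ Mac Movement for MacAddr: ([0-9a-fA-F:]+) from port (\d+) to port (\d+)")


def normalize_mac(mac):
    """Zero-pad octets: the switch prints 'c1:9:fd', ARP/binding tables print 'c1:09:fd'."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))


def parse_warnings(text):
    """Pair each IP-HELPER header with the '+++ Mac Movement' line that follows it."""
    events, ts = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            ts = datetime.strptime(h.group(1), "%b %d %H:%M:%S")   # year is not logged; fine for deltas
            continue
        m = MOVE.match(line)
        if m and ts is not None:
            events.append((ts, normalize_mac(m.group(1)), int(m.group(2)), int(m.group(3))))
            ts = None
    return events


def triage(events, ap_ports, flap_window=60, flap_limit=2):
    """Per MAC: verdict 'roaming' if every port involved is an AP port, else 'investigate';
    'flapping' when more than flap_limit moves land inside flap_window seconds."""
    per_mac = defaultdict(list)
    for ts, mac, src, dst in events:
        per_mac[mac].append((ts, src, dst))
    report = {}
    for mac, moves in per_mac.items():
        ports = {p for _, src, dst in moves for p in (src, dst)}
        times = [ts for ts, _, _ in moves]
        flapping = any(sum(1 for t in times[i:] if (t - t0).total_seconds() <= flap_window) > flap_limit
                       for i, t0 in enumerate(times))
        report[mac] = {
            "moves": len(moves),
            "ports": sorted(ports),
            "verdict": "roaming" if ports <= ap_ports else "investigate",
            "flapping": flapping,
        }
    return report


if __name__ == "__main__":
    for mac, info in triage(parse_warnings(LOG), AP_PORTS).items():
        print(mac, info)
```

On the sample, bc:85:56:c1:09:fd comes out as roaming but flapping (three moves in 45 seconds between the two AP ports, which is what a client bouncing between neighbouring APs looks like), while 00:11:22:33:44:55 is flagged for investigation because it appeared on a port that is not AP-facing. Feed it the real console output and your own AP-port set to get the same split.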

Re: Implementing DHCP Snooping

Post by silvio »

Maybe there are some limited features on the 6350 (the cheapest switch)....
Do you also see the message if you disable dhcp-snooping?
Is this only an info message, or is the traffic for these users blocked?
If blocked then you should open a ticket at Alcatel.
Other solution: instead of dhcp-snooping you can use user-ports with shutdown for DHCP.

regards
Silvio

Re: Implementing DHCP Snooping

Post by HugoMAL »

Hi Silvio,

The message only appears if I activate dhcp-snooping. I think that it's only an info message (although it says that it's a "warning message") because the traffic to those devices is not blocked! I'm trying to see if I can deactivate the warning message in some debug feature.

I read about the user-ports feature; I'm going to try to implement it with the same purpose as dhcp-snooping.

Thanks for your time.

Regards