I've been reviewing the whole DHCP snooping feature on MS switches, with the case at my house and also with customers and I would like to hear all your opinions on it.
Btw: the new GUI for configuring DHCP snooping and RA guard is gorgeous 😉
So the Cisco Catalyst way of doing DHCP snooping is having trusted ports and rate limiting. The MS way of doing it is by recording the MAC addresses of the hosts sending DHCP offers and acks or RA's for IPv6 and offering the ability to block them selectively or allow selectively in a default block policy.
Both ways have their merits however like in my home case I cannot enable the block all /allow selective way due to the following. I have one switch and one MX in front of it. However due to having a provider device that needs to be in front of the MX for a certain IP range that has to be reachable from the ISP directly to the device I have an external VLAN on 3 ports on the switch. A modem port, a firewall WAN port, a ISP device port. DHCP offers/acks and RA's coming from the ISP headend towards my MX WAN port are also seen on the switch. And since I cannot be sure the MAC address of the ISP headend will always be the same I could have a potential outage if I would enable block by default.
I know most of you will probably say I should use a separate "ISP" switch to circumvent the problem however I personally believe a simple addition to the feature like having trusted ports would be a better way to go about it.
I'm also curious when Meraki will fix the DAI issues which are also dependent on DHCP snooping. And you do have trusted ports in DAI.
We have always taken customer feedback very seriously, and have an option in the customer dashboard for feedback submissions. Please use the “Give your feedback” button which is located at the bottom right corner of every page in the dashboard 🙂