DHCP snooping trust port?

RVilhelmsen

Hi,

Is it possible to trust a port for dhcp responses, like in the cisco world, ip dhcp snooping trust, instead of trusting mac addresses?

/Robert

Adam

Just curious why you'd want to trust a port instead of a MAC? Worried about spoofing?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO

Because from time to time we create new VLANs, and the DHCP server then has a new MAC address for this VLAN. Instead of maintaining MAC addresses, it's easier to trust a single port.

Adam

If it is the same DHCP server that is providing DHCP for the additional VLAN then it shouldn't be an additional MAC address. It should be the same one. But to answer the question you are asking, it is not possible to trust a DHCP server by port. The only currently supported mechanism is via MAC.


Sometimes it is a new DHCP server, and with 45 locations it would be easy (via template) to only allow DHCP servers on certain ports.

Adam

Sorry if I'm playing devil's advocate. But if it is a new DHCP server you'd have to add that port anyway, which would be pretty much the same exact work as adding the MAC address, right?

jdsilva

Actually, I think you both might be correct here.

If I'm following correctly, @RVilhelmsen you're talking about multiple locations and therefore using a helper-address to forward DHCP requests upstream somewhere. In this scenario the ports that require trust aren't going to change at a given site even if you change the DHCP server, or change its location.

But if that's the case then even if you change the DHCP server, the MAC that you need to trust isn't going to change anyway. The local gateway will be doing the DHCP forwarding, so the switches at a given location will always see the MAC of the gateway as the DHCP server regardless of where the gateway is configured for helper-address. So in this case you still set the MAC once, and then just change the helper-address as required.

This breaks down at the "HQ" site where the actual DHCP servers reside though, and for that LAN you'd have to modify the MAC allowed under DHCP snooping.

*Edit: sorry, I have DNS on the brain from another issue today. Edited this to read DHCP.
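To make the relay point above concrete, here is an added example (not code from the thread or from Meraki): a toy DHCP-snooping filter that passes server messages only from a trusted MAC or a trusted port, run over constructed frames for the branch (relayed) and HQ (server-local) cases. All MAC addresses, port numbers and option bytes are made up for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Server-originated DHCP message types (option 53, RFC 2132); snooping blocks these from untrusted sources.
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}

# Constructed sample values for the scenario discussed in the thread.
GATEWAY_MAC = "00:11:22:aa:bb:01"     # branch gateway doing helper-address relay
OLD_SERVER_MAC = "00:11:22:cc:dd:01"  # HQ DHCP server before a swap
NEW_SERVER_MAC = "00:11:22:cc:dd:02"  # replacement HQ DHCP server
ROGUE_MAC = "de:ad:be:ef:00:01"       # unauthorized device answering DISCOVERs
OFFER_OPTS = bytes([53, 1, 2, 255])   # option 53 = OFFER, then end option

@dataclass(frozen=True)
class Frame:
    ingress_port: int
    src_mac: str          # Ethernet source MAC as the switch sees it
    dhcp_options: bytes   # DHCP option TLVs following the magic cookie

def dhcp_message_type(options: bytes) -> Optional[int]:
    """Walk the option TLVs and return the value of option 53, or None."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:              # end option
            return None
        if code == 0:                # pad option carries no length byte
            i += 1
            continue
        length = options[i + 1]
        if code == 53 and length == 1:
            return options[i + 2]
        i += 2 + length
    return None

def snoop(frame: Frame, trusted_macs=frozenset(), trusted_ports=frozenset()) -> str:
    """Return 'forward' or 'drop' for one frame under MAC-trust and/or port-trust."""
    if dhcp_message_type(frame.dhcp_options) not in SERVER_MSG_TYPES:
        return "forward"              # client messages are not filtered here
    if frame.src_mac in trusted_macs or frame.ingress_port in trusted_ports:
        return "forward"
    return "drop"

if __name__ == "__main__":
    branch = frozenset({GATEWAY_MAC})   # relayed OFFERs carry the gateway MAC, whichever server answered
    print(snoop(Frame(1, GATEWAY_MAC, OFFER_OPTS), trusted_macs=branch))         # forward
    print(snoop(Frame(5, ROGUE_MAC, OFFER_OPTS), trusted_macs=branch))           # drop
    hq = frozenset({OLD_SERVER_MAC})    # at HQ the switch sees the server's own MAC
    print(snoop(Frame(2, NEW_SERVER_MAC, OFFER_OPTS), trusted_macs=hq))          # drop until the list is updated
    print(snoop(Frame(2, NEW_SERVER_MAC, OFFER_OPTS), trusted_ports={2}))        # forward under port-trust
```

The last two lines show the trade-off the thread is about: with MAC-trust the HQ server swap needs a snooping change, while a port-trust policy would keep working as long as the new server sits on the same port.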

Well, we have local DHCP servers on each site, so no DHCP forwarding going on.

But my end point is, if we could trust a port also, this could be managed with templates.

jdsilva

OK, well never mind then!
