Restrict client DHCP requests using DHCP snoop

What do you get when a multi-site network with several different domains was set up using a single class C IP subnet and an 8-bit mask? Broadcast storm mayhem! Ideally the solution for this organization would be to logically re-segment the network into smaller, domain-specific subnets so that inter-domain communication is not broadcast everywhere; oftentimes, however, a more "creative" (cheaper) solution is needed. This article deals with how to restrict DHCP requests to and from servers based on domain and site location without the privilege of having domain-specific subnets.

In this particular example I'm using an HP ProCurve 4204vl switch to force all clients connected to that particular switch to use only a single DHCP server, which is also connected to the switch stack. Since all the clients have IP addresses in the same subnet as 5 other domains with their own respective DHCP servers, restricting the clients connected to this switch from obtaining a DHCP address from another DHCP server is critical. Here's what you'll need to configure your switch:

  • DHCP server IP address
  • The switch or stack port number the server is connected to
  • The vlan number your clients & server are connected to (can be default vlan)
  • The dhcp snoop syntax for your particular switch

In this example, the server IP address is 10.10.10.1, the switch IP address is 10.10.10.2, and the port the DHCP server is connected to is B10. Your configuration should then look something like this:

vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A24,B1-B24,C1-C24
   ip address 10.10.10.2 255.255.0.0
   exit
dhcp-snooping
dhcp-snooping authorized-server 10.10.10.1
no dhcp-snooping option 82
dhcp-snooping vlan 1
interface B10
   dhcp-snooping trust
   exit

What this configuration does is permit DHCP requests within the local switched network (all ports except B10, which is our trunk port that connects our switch to the core switch). By preventing DHCP requests and offers on the trunk, this configuration basically prevents clients on the local LAN from reaching beyond the borders of their own network for DHCP, while still allowing them to connect to other resources on the much larger subnet.
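To make the forwarding rules behind the configuration concrete, here is an added Python model of a DHCP-snooping decision (example code written for this page, not HP's implementation and not part of the original article). It parses the fixed BOOTP header and DHCP option 53 from a raw packet, then applies the two checks the configuration above turns on: server-originated messages (BOOTREPLY) are dropped on untrusted ports, and even on the trusted port they are dropped unless the sending IP is on the authorized-server list. The packet builder, the port names other than B10, and the rogue server addresses 10.10.10.77 and 10.10.10.99 are constructed for the demonstration; the source IP is passed in separately as a simplification, since a real switch reads it from the IP header.

```python
"""Simplified model of DHCP snooping with an authorized-server list.

Constructed illustration (not HP ProCurve's code). Rules modelled:
  * BOOTREQUEST (op=1, client -> server) is forwarded from any port.
  * BOOTREPLY  (op=2, server -> client) is forwarded only if it arrived on a
    trusted port AND, when an authorized-server list exists, the source IP
    is on that list. Everything else is dropped.
"""
import struct
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"          # option-field magic cookie (RFC 2131)
MSG_TYPE_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


@dataclass
class SnoopConfig:
    enabled: bool = True
    snooped_vlans: set = field(default_factory=lambda: {1})
    trusted_ports: set = field(default_factory=set)
    authorized_servers: set = field(default_factory=set)


def article_config() -> SnoopConfig:
    """The policy expressed by the switch configuration in the article."""
    return SnoopConfig(trusted_ports={"B10"}, authorized_servers={"10.10.10.1"})


def parse_dhcp(payload: bytes) -> dict:
    """Extract op, xid, yiaddr, chaddr and DHCP message type (option 53)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    msg_type, i = None, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option, no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "msg_type": msg_type}


def snoop_decision(cfg: SnoopConfig, port: str, vlan: int, src_ip: str, payload: bytes):
    """Return ('forward' | 'drop', reason) for a DHCP packet seen on a port."""
    if not cfg.enabled or vlan not in cfg.snooped_vlans:
        return "forward", "snooping not active on this VLAN"
    pkt = parse_dhcp(payload)
    kind = MSG_TYPE_NAMES.get(pkt["msg_type"], "?")
    if pkt["op"] == BOOTREQUEST:
        return "forward", f"client {kind} from {port}"
    if pkt["op"] == BOOTREPLY:
        if port not in cfg.trusted_ports:
            return "drop", f"server {kind} on untrusted port {port}"
        if cfg.authorized_servers and src_ip not in cfg.authorized_servers:
            return "drop", f"server {src_ip} not in authorized-server list"
        return "forward", f"server {kind} from authorized {src_ip} on {port}"
    return "drop", f"unknown op {pkt['op']}"


def build_dhcp(op: int, msg_type: int, xid: int = 0x1234,
               chaddr: bytes = bytes.fromhex("001122334455"), yiaddr: str = "0.0.0.0") -> bytes:
    """Build a minimal constructed DHCP payload (header + option 53 + end)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # op,htype,hlen,hops,xid,secs,flags
    hdr += bytes(4)                                          # ciaddr
    hdr += bytes(int(o) for o in yiaddr.split("."))          # yiaddr
    hdr += bytes(8)                                          # siaddr, giaddr
    hdr += chaddr.ljust(16, b"\0")                           # chaddr
    hdr += bytes(64 + 128)                                   # sname, file
    return hdr + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def demo():
    """Four constructed packets run through the article's policy."""
    cfg = article_config()
    cases = [
        ("client DISCOVER on A5",        "A5",  "0.0.0.0",     build_dhcp(BOOTREQUEST, 1)),
        ("real server OFFER on B10",     "B10", "10.10.10.1",  build_dhcp(BOOTREPLY, 2, yiaddr="10.10.10.50")),
        ("rogue server OFFER on A7",     "A7",  "10.10.10.77", build_dhcp(BOOTREPLY, 2, yiaddr="10.10.10.60")),
        ("unlisted server OFFER on B10", "B10", "10.10.10.99", build_dhcp(BOOTREPLY, 2, yiaddr="10.10.10.70")),
    ]
    return [(name, *snoop_decision(cfg, port, 1, ip, pkt)) for name, port, ip, pkt in cases]


if __name__ == "__main__":
    for name, verdict, reason in demo():
        print(f"{name:32s} {verdict:8s} {reason}")
```

The third and fourth cases are the ones that matter for this article: an OFFER from a rogue server plugged into an access port is dropped because the port is untrusted, and an OFFER from a server other than 10.10.10.1 arriving on the trusted port B10 is dropped by the authorized-server list. Disabling option 82 does not change any of these verdicts; it only stops the switch from inserting relay-agent information into forwarded requests.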