[OSL | CCIE_Security] DHCP snooping with relay agents many issues

Wed, 11 Apr 2012 01:03:33 -0700 

Hi all

I have a DHCP client that doesn't have DHCP server in it's vlan rather a
router in vlan2 is configured for ip helper address. The DHCP server is in
vlan 3.


DHCP client ------------- Router (configured with ip helper address)
---------sw1 ----trunk-----sw2-----Router (DHCP Server)


vlan2
vlan3                               vlan3


Now I enable DHCP snooping for vlan 3, I am not able to get an IP address
for the DHCP client.

The following are the various issues:

Issue1
=====

The DHCP discover's src mac address and chaddress are different and hence
the packet is being dropped by sw2

Fixed it using "no ip dhcp snooping verify mac-address"

Issue 2
=====

Sw2 configured for dhcp snooping drops DHCP discover packet as it as
non-zero Gig addr.

Fixed it using "no ip dhcp snooping verify no-relay-agent-address"


Issue 3
=====

Atlast, the DHCP discover reaches the IOS DHCP server but the offer get's
dropped because the switch says that it can't find the output port. Pitty,
the switch has
the mac address in it's mac address table mapped to it's trunk port but
still doen't forward.



Cat4(config)#ip dhcp snooping erface: Fa0/7, MAC da: 001b.54aa.fa5e, MAC
sa: 001
b.d50f.f251, IP da: 10.7.7.4, IP sa: 10.7.7.7, DHCP ciaddr: 0.0.0.0, DHCP
yiaddr
: 10.7.7.15, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.7.7.4, DHCP chaddr:
001b.54aa
.fa5e
Apr 11 07:03:19.477: DHCP_SNOOPING: DHCP packet may be headed in the
direction o
f the relay 10.7.7.4, not extracting option82 information
Apr 11 07:03:19.477: DHCP_SNOOPING_SW: bridge packet output port set is
null, pa
cket is dropped.


Cat4#sh mac address-table address ?
  H.H.H  48 bit mac address

Cat4#sh mac address-table address 001b.54aa.fa5e
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   7    001b.54aa.fa5e    DYNAMIC     Fa0/23
Total Mac Addresses for this criterion: 1



So the fix for issue 3, I just disabled dhcp snooping :-)


Dhcp snooping does lot of validation for security which is good but bad
when there is relay agent.


With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

Reply via email to