Did you try to make the SW2 port connected to the DHCP server trusted: "ip dhcp snooping trusted"?

I remember doing something similar for the client in a production environment and I had to enable DHCP snooping on all switches. In your case the trunk between SW1 and SW2 would be on trusted interfaces. And secondly, to overcome your second issue I'd do something else. If your DHCP server is an IOS router, to accept DHCP messages with a zero "giaddr" I'd use the global command "ip dhcp relay information trust-all" or the interface-level command "ip dhcp relay information trusted".

From: Kingsley Charles <[email protected]>
Date: Wed, 11 Apr 2012 13:37:49 +0530
To: <[email protected]>
Subject: Re: [OSL | CCIE_Security] DHCP snooping with relay agents many issues

DHCP snooping is configured on SW2 only.

On Wed, Apr 11, 2012 at 1:33 PM, Kingsley Charles <[email protected]> wrote:

Hi all,

I have a DHCP client that doesn't have a DHCP server in its VLAN; rather, a router in VLAN 2 is configured with an ip helper-address. The DHCP server is in VLAN 3.

DHCP client ------------- Router (configured with ip helper address) --------- sw1 ---- trunk ---- sw2 ----- Router (DHCP server)
      vlan2                                                                    vlan3                vlan3

Now when I enable DHCP snooping for VLAN 3, I am not able to get an IP address for the DHCP client. The following are the various issues:

Issue 1
=====
The DHCP discover's source MAC address and chaddr are different and hence the packet is being dropped by sw2.
Fixed it using "no ip dhcp snooping verify mac-address".

Issue 2
=====
sw2, configured for DHCP snooping, drops the DHCP discover packet as it has a non-zero giaddr.
Fixed it using "no ip dhcp snooping verify no-relay-agent-address".

Issue 3
=====
At last, the DHCP discover reaches the IOS DHCP server, but the offer gets dropped because the switch says that it can't find the output port. Pity, the switch has the MAC address in its MAC address table mapped to its trunk port but still doesn't forward.
Cat4(config)#ip dhcp snooping
erface: Fa0/7, MAC da: 001b.54aa.fa5e, MAC sa: 001b.d50f.f251, IP da: 10.7.7.4, IP sa: 10.7.7.7, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.7.7.15, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.7.7.4, DHCP chaddr: 001b.54aa.fa5e
Apr 11 07:03:19.477: DHCP_SNOOPING: DHCP packet may be headed in the direction of the relay 10.7.7.4, not extracting option82 information
Apr 11 07:03:19.477: DHCP_SNOOPING_SW: bridge packet output port set is null, packet is dropped.

Cat4#sh mac address-table address ?
  H.H.H  48 bit mac address

Cat4#sh mac address-table address 001b.54aa.fa5e
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   7    001b.54aa.fa5e    DYNAMIC     Fa0/23
Total Mac Addresses for this criterion: 1

So the fix for issue 3, I just disabled DHCP snooping :-)

DHCP snooping does a lot of validation for security, which is good but bad when there is a relay agent.

With regards,
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
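An added, worked model of the checks the thread is fighting. This is example code written for this page, not code from the thread, from ipexpert or from Cisco. It builds DHCP messages carrying the fields shown in the debug output (chaddr, giaddr, yiaddr) and then applies, in simplified form, the checks a Catalyst runs on an untrusted port: server messages are dropped, chaddr is compared with the frame's source MAC, a non-zero giaddr is rejected, and option 82 is rejected. The configuration knobs mirror the commands quoted in the thread plus "ip dhcp snooping information option allow-untrusted", which the thread does not mention; the "output port set is null" drop from issue 3 is a forwarding problem, not a validation, and is not modelled. The interface names and the two MACs ending in fa5e and f251 are taken from the debug output above; the relay router's MAC (RFC 7042 documentation range) and the option-82 payload are constructed.

```python
"""Added example (not code from the thread or from Cisco): a simplified model of
the checks a Catalyst applies to DHCP on an untrusted port, so issues 1 and 2
from the thread and the reply's advice can be replayed offline."""
import struct
from collections import namedtuple
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}

Dhcp = namedtuple("Dhcp", "op xid ciaddr yiaddr siaddr giaddr chaddr msg_type has_option82")

def _ip(b):
    return ".".join(str(x) for x in b)

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_dhcp(payload):
    """Decode the RFC 2131 fixed header plus the two options the checks need."""
    if len(payload) < 241 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    ciaddr, yiaddr, siaddr, giaddr = (_ip(payload[o:o + 4]) for o in (12, 16, 20, 24))
    chaddr = _mac(payload[28:28 + hlen])
    msg_type, has82, i = 0, False, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == OPT_MSG_TYPE:
            msg_type = payload[i + 2]
        elif code == OPT_RELAY_AGENT:
            has82 = True
        i += 2 + length
    return Dhcp(op, xid, ciaddr, yiaddr, siaddr, giaddr, chaddr, msg_type, has82)

def build_dhcp(msg_type, chaddr, giaddr="0.0.0.0", yiaddr="0.0.0.0", option82=b""):
    """Encode a minimal DHCP message; used only to construct test input."""
    op = BOOTREPLY if msg_type in SERVER_MSGS else BOOTREQUEST
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4) + bytes(map(int, yiaddr.split("."))) + bytes(4) + bytes(map(int, giaddr.split(".")))
    hdr += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0")  # chaddr, padded to 16
    hdr += bytes(64 + 128)                                           # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if option82:
        opts += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])

@dataclass
class SnoopConfig:
    """Switch settings; each comment names the IOS command that sets it."""
    trusted_ports: frozenset = frozenset()      # interface: ip dhcp snooping trust
    verify_mac_address: bool = True             # False after: no ip dhcp snooping verify mac-address
    verify_no_relay_agent_address: bool = True  # False after: no ip dhcp snooping verify no-relay-agent-address
    option82_allow_untrusted: bool = False      # True after: ip dhcp snooping information option allow-untrusted (not in thread)

def snoop(cfg, in_port, src_mac, payload):
    """Return (forward, reason) for a DHCP packet entering the switch on in_port."""
    d = parse_dhcp(payload)
    if in_port in cfg.trusted_ports:
        return True, "trusted port, no validation"
    if d.op == BOOTREPLY or d.msg_type in SERVER_MSGS:
        return False, "server message on untrusted port"
    if cfg.verify_mac_address and src_mac.lower() != d.chaddr:
        return False, f"chaddr {d.chaddr} differs from source MAC {src_mac.lower()}"
    if cfg.verify_no_relay_agent_address and d.giaddr != "0.0.0.0":
        return False, f"non-zero giaddr {d.giaddr} on untrusted port"
    if d.has_option82 and not cfg.option82_allow_untrusted:
        return False, "option 82 present on untrusted port"
    return True, "client message passed checks"

# Fa0/23 (SW2's trunk to SW1), Fa0/7 (toward the DHCP server) and the MACs ending
# fa5e/f251 come from the thread's debug output; RELAY_MAC is constructed (RFC 7042 range).
CLIENT_MAC, SERVER_MAC, RELAY_MAC = "00:1b:54:aa:fa:5e", "00:1b:d5:0f:f2:51", "00:00:5e:00:53:04"
TRUNK, SERVER_PORT = "Fa0/23", "Fa0/7"

def replay_thread():
    """Replay issues 1 and 2, the reply's advice and an option-82 case: {name: (forward, reason)}."""
    relayed = build_dhcp(DISCOVER, CLIENT_MAC, giaddr="10.7.7.4")          # as sent by the helper router
    offer = build_dhcp(OFFER, CLIENT_MAC, giaddr="10.7.7.4", yiaddr="10.7.7.15")
    with82 = build_dhcp(DISCOVER, CLIENT_MAC, giaddr="10.7.7.4", option82=b"\x01\x02\x00\x07")  # constructed
    no_mac = SnoopConfig(verify_mac_address=False)
    no_both = SnoopConfig(verify_mac_address=False, verify_no_relay_agent_address=False)
    advised = SnoopConfig(trusted_ports=frozenset({TRUNK, SERVER_PORT}))  # the reply's suggestion
    return {
        "issue1": snoop(SnoopConfig(), TRUNK, RELAY_MAC, relayed),
        "issue2": snoop(no_mac, TRUNK, RELAY_MAC, relayed),
        "discover_after_fixes": snoop(no_both, TRUNK, RELAY_MAC, relayed),
        "offer_on_untrusted_port": snoop(no_both, SERVER_PORT, SERVER_MAC, offer),
        "option82_on_untrusted_port": snoop(no_both, TRUNK, RELAY_MAC, with82),
        "advised_discover": snoop(advised, TRUNK, RELAY_MAC, relayed),
        "advised_offer": snoop(advised, SERVER_PORT, SERVER_MAC, offer),
    }
```

Call replay_thread() and read the reasons: "issue1" and "issue2" reproduce the two drops in the order the thread hit them, "offer_on_untrusted_port" shows that an OFFER arriving on an untrusted port is dropped no matter which verify commands are disabled, and "option82_on_untrusted_port" shows the next drop waiting if the helper router inserts option 82. The two "advised" entries are the reply's proposal: in this model, with the trunk and the server-facing port trusted, neither verify command has to be disabled.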
