Kingsley,

A shameless plug, but have you read my recent blog series on DHCP snooping?

http://blog.ipexpert.com/2012/03/26/understanding-dhcp-snooping-part-one-the-problem/
http://blog.ipexpert.com/2012/03/29/understanding-dhcp-snooping-part-two-single-switch-operation/
http://blog.ipexpert.com/2012/04/02/understanding-dhcp-snooping-part-three-multi-switch-operation/
http://blog.ipexpert.com/2012/04/05/understanding-dhcp-relays/
http://blog.ipexpert.com/2012/04/10/understanding-dhcp-snooping-part-four-operation-with-dhcp-relays/

What you observe is addressed in Part Four, but please read the previous articles as well, as on its own Part Four doesn't make as much sense.

--
Marko Milivojevic - CCIE #18427 (SP R&S)
Senior CCIE Instructor - IPexpert

On Wed, Apr 11, 2012 at 01:03, Kingsley Charles <kingsley.char...@gmail.com> wrote:

> Hi all
>
> I have a DHCP client that doesn't have DHCP server in its vlan rather a
> router in vlan2 is configured for ip helper address. The DHCP server is in
> vlan 3.
>
>
> DHCP client ------------- Router (configured with ip helper address) ---------sw1 ----trunk-----sw2-----Router (DHCP Server)
>
>
> vlan2
> vlan3 vlan3
>
>
> Now I enable DHCP snooping for vlan 3, I am not able to get an IP address
> for the DHCP client.
>
> The following are the various issues:
>
> Issue 1
> =====
>
> The DHCP discover's src mac address and chaddress are different and hence
> the packet is being dropped by sw2
>
> Fixed it using "no ip dhcp snooping verify mac-address"
>
> Issue 2
> =====
>
> Sw2 configured for dhcp snooping drops DHCP discover packet as it has
> non-zero Gig addr.
>
> Fixed it using "no ip dhcp snooping verify no-relay-agent-address"
>
>
> Issue 3
> =====
>
> At last, the DHCP discover reaches the IOS DHCP server but the offer gets
> dropped because the switch says that it can't find the output port. Pity,
> the switch has
> the mac address in its mac address table mapped to its trunk port but
> still doesn't forward.
>
>
>
> Cat4(config)#ip dhcp snooping erface: Fa0/7, MAC da: 001b.54aa.fa5e, MAC sa: 001b.d50f.f251, IP da: 10.7.7.4, IP sa: 10.7.7.7, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.7.7.15, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.7.7.4, DHCP chaddr: 001b.54aa.fa5e
> Apr 11 07:03:19.477: DHCP_SNOOPING: DHCP packet may be headed in the direction of the relay 10.7.7.4, not extracting option82 information
> Apr 11 07:03:19.477: DHCP_SNOOPING_SW: bridge packet output port set is null, packet is dropped.
>
>
> Cat4#sh mac address-table address ?
>   H.H.H  48 bit mac address
>
> Cat4#sh mac address-table address 001b.54aa.fa5e
>           Mac Address Table
> -------------------------------------------
>
> Vlan    Mac Address       Type        Ports
> ----    -----------       --------    -----
>    7    001b.54aa.fa5e    DYNAMIC     Fa0/23
> Total Mac Addresses for this criterion: 1
>
>
>
> So the fix for issue 3, I just disabled dhcp snooping :-)
>
>
> Dhcp snooping does a lot of validation for security which is good but bad
> when there is relay agent.
>
>
> With regards
> Kings
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
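Added example (not part of the e-mail thread above, and not Cisco's implementation): a Python model of the two validations named in Issue 1 and Issue 2, applied to a frame arriving on an untrusted port. It shows why a relayed DISCOVER fails both checks while a direct client DISCOVER passes; the MAC and IP addresses and the helper names `build_frame` and `snooping_checks` are constructed for illustration.

```python
import ipaddress
import struct

COOKIE = bytes([99, 130, 83, 99])          # DHCP magic cookie
CLIENT_MAC = bytes.fromhex("020000000002")  # constructed sample client MAC
RELAY_MAC = bytes.fromhex("020000000001")   # constructed sample relay (router) MAC

def build_frame(eth_src, chaddr, giaddr):
    """Constructed sample: untagged Ethernet/IPv4/UDP frame carrying a DHCPDISCOVER."""
    gi = ipaddress.IPv4Address(giaddr).packed
    # A relay unicasts to the server (constructed 192.0.2.7); a client broadcasts.
    ip_dst = "192.0.2.7" if giaddr != "0.0.0.0" else "255.255.255.255"
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 1, 0x1234ABCD, 0, 0,      # op, htype, hlen, hops, xid
                        bytes(4), bytes(4), bytes(4), gi,  # ciaddr, yiaddr, siaddr, giaddr
                        chaddr + bytes(10), bytes(64), bytes(128))
    bootp += COOKIE + bytes([53, 1, 1, 255])               # option 53 = DISCOVER, end
    udp = struct.pack("!HHHH", 67, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     gi, ipaddress.IPv4Address(ip_dst).packed)
    return bytes.fromhex("ffffffffffff") + eth_src + b"\x08\x00" + ip + udp

def snooping_checks(frame):
    """Return the checks from the thread that this frame fails on an untrusted port."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged IPv4 frame")
    if frame[14 + 9] != 17:
        raise ValueError("not UDP")
    ihl = (frame[14] & 0x0F) * 4
    bootp = frame[14 + ihl + 8:]
    if len(bootp) < 240 or bootp[236:240] != COOKIE:
        raise ValueError("not a DHCP message")
    hlen = min(bootp[2], 16)
    giaddr = ipaddress.IPv4Address(bootp[24:28])
    chaddr = bootp[28:28 + hlen]
    failed = []
    if frame[6:12] != chaddr:   # Issue 1: Ethernet source MAC differs from chaddr
        failed.append("verify mac-address")
    if int(giaddr) != 0:        # Issue 2: a relay has already filled in giaddr
        failed.append("verify no-relay-agent-address")
    return failed

if __name__ == "__main__":
    print("direct :", snooping_checks(build_frame(CLIENT_MAC, CLIENT_MAC, "0.0.0.0")))
    print("relayed:", snooping_checks(build_frame(RELAY_MAC, CLIENT_MAC, "192.0.2.1")))
```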