Yup, none of that works. I can confirm that. I *firmly* believe it's a bug in IOS. The switch will say it doesn't know the output port and simply drop the packet. Two workarounds:
1. Disable snooping
2. Trust the relay port

--
Marko Milivojevic - CCIE #18427 (SP R&S)
Senior CCIE Instructor - IPexpert

On Thu, Apr 12, 2012 at 12:44, Kingsley Charles <[email protected]> wrote:
> I have disabled the option 82 check, the giaddr check and the src & chaddr
> validation. Now I am getting the DHCP offer, but the switch doesn't forward it,
> informing that it doesn't know where to forward the frame. But, if you see, the
> MAC address is there and the DHCP offer should have been forwarded.
>
> With regards
> Kings
>
>
> On Thu, Apr 12, 2012 at 10:09 PM, Eugene Pefti <[email protected]> wrote:
>
>> Another thought, Kings, for your Issue 3. Looking at the output you
>> provided prompted me. I believe your Cat4 is SW2 in your diagram?
>> How about disabling option 82 on SW2?
>> As you know, when DHCP snooping is enabled the switch adds the DHCP
>> Information Option (or Option 82) to all received packets. The purpose of
>> this option is to identify the device and port that the client connects to.
>> Try *no ip dhcp snooping information option*
>>
>> Eugene
>>
>> From: Kingsley Charles <[email protected]>
>> Date: Wed, 11 Apr 2012 13:37:49 +0530
>> To: <[email protected]>
>> Subject: Re: [OSL | CCIE_Security] DHCP snooping with relay agents many issues
>>
>> DHCP snooping is configured on sw2 only
>>
>> On Wed, Apr 11, 2012 at 1:33 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> Hi all
>>>
>>> I have a DHCP client that doesn't have a DHCP server in its VLAN; rather, a
>>> router in VLAN 2 is configured with an ip helper address. The DHCP server is in
>>> VLAN 3.
>>>
>>>
>>> DHCP client ------------- Router (configured with ip helper address)
>>> ---------sw1 ----trunk-----sw2-----Router (DHCP Server)
>>>
>>>
>>> vlan2
>>> vlan3 vlan3
>>>
>>>
>>> Now, when I enable DHCP snooping for VLAN 3, I am not able to get an IP
>>> address for the DHCP client.
>>>
>>> The following are the various issues:
>>>
>>> Issue 1
>>> =====
>>>
>>> The DHCP discover's src MAC address and chaddr are different and
>>> hence the packet is being dropped by sw2.
>>>
>>> Fixed it using "no ip dhcp snooping verify mac-address"
>>>
>>> Issue 2
>>> =====
>>>
>>> Sw2, configured for DHCP snooping, drops the DHCP discover packet as it has a
>>> non-zero giaddr.
>>>
>>> Fixed it using "no ip dhcp snooping verify no-relay-agent-address"
>>>
>>>
>>> Issue 3
>>> =====
>>>
>>> At last, the DHCP discover reaches the IOS DHCP server, but the offer
>>> gets dropped because the switch says that it can't find the output port.
>>> Pity, the switch has the MAC address in its MAC address table mapped to its
>>> trunk port but still doesn't forward.
>>>
>>>
>>>
>>> Cat4(config)#ip dhcp snooping erface: Fa0/7, MAC da: 001b.54aa.fa5e, MAC sa: 001b.d50f.f251, IP da: 10.7.7.4, IP sa: 10.7.7.7, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.7.7.15, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.7.7.4, DHCP chaddr: 001b.54aa.fa5e
>>> Apr 11 07:03:19.477: DHCP_SNOOPING: DHCP packet may be headed in the direction of the relay 10.7.7.4, not extracting option82 information
>>> Apr 11 07:03:19.477: DHCP_SNOOPING_SW: bridge packet output port set is null, packet is dropped.
>>>
>>>
>>> Cat4#sh mac address-table address ?
>>>   H.H.H  48 bit mac address
>>>
>>> Cat4#sh mac address-table address 001b.54aa.fa5e
>>>           Mac Address Table
>>> -------------------------------------------
>>>
>>> Vlan    Mac Address       Type        Ports
>>> ----    -----------       --------    -----
>>>    7    001b.54aa.fa5e    DYNAMIC     Fa0/23
>>> Total Mac Addresses for this criterion: 1
>>>
>>>
>>>
>>> So the fix for issue 3, I just disabled DHCP snooping :-)
>>>
>>>
>>> DHCP snooping does a lot of validation for security, which is good but bad
>>> when there is a relay agent.
>>>
>>>
>>> With regards
>>> Kings
>>>
>>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit
>> www.ipexpert.com
>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
>>
>
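The three untrusted-port checks the thread walks through (source MAC against chaddr, non-zero giaddr, option 82 present), the server-reply rule, and the "trust the relay port" workaround, as an added Python model that is not part of the original thread or of IOS itself. The client MAC 001b.54aa.fa5e, the relay address 10.7.7.4 and the command names come from the thread; the packet bytes, the relay MAC 0000.0c00.0001 and the option 82 contents are constructed, and the drop rules are a simplification of the documented default behaviour.

```python
import struct
from collections import namedtuple

COOKIE = b"\x63\x82\x53\x63"    # DHCP magic cookie at offset 236 of the BOOTP payload
# op: 1 = BOOTREQUEST (client->server), 2 = BOOTREPLY; giaddr: relay address or 0.0.0.0;
# chaddr: client hardware address in IOS "001b.54aa.fa5e" notation; options: code -> raw value
Dhcp = namedtuple("Dhcp", "op giaddr chaddr options")

def parse_dhcp(payload: bytes) -> Dhcp:
    """Parse the fixed BOOTP header and the option TLVs of a DHCP payload."""
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    giaddr = ".".join(str(b) for b in payload[24:28])
    mac = payload[28:28 + hlen].hex()
    if payload[236:240] != COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:           # 255 = end option
        code = payload[i]
        ln = 0 if code == 0 else payload[i + 1]              # 0 = pad byte, has no length
        if code:
            opts[code] = payload[i + 2:i + 2 + ln]
        i += 1 if code == 0 else 2 + ln
    return Dhcp(op, giaddr, f"{mac[0:4]}.{mac[4:8]}.{mac[8:12]}", opts)

def snooping_verdict(pkt, frame_src_mac, port_trusted, verify_mac=True,
                     verify_no_relay=True, allow_untrusted_opt82=False):
    """Reasons the packet is dropped on this port ([] = forwarded); trusted ports skip every check."""
    if port_trusted:
        return []
    if pkt.op == 2:                                          # server messages only from trusted ports
        return ["server reply on untrusted port"]
    reasons = []
    if verify_mac and frame_src_mac != pkt.chaddr:           # ip dhcp snooping verify mac-address
        reasons.append("src MAC != chaddr")
    if verify_no_relay and pkt.giaddr != "0.0.0.0":          # ... verify no-relay-agent-address
        reasons.append("non-zero giaddr on untrusted port")
    if 82 in pkt.options and not allow_untrusted_opt82:      # ... information option allow-untrusted
        reasons.append("option 82 on untrusted port")
    return reasons

def build_dhcp(op, chaddr_hex, giaddr, with_opt82=False) -> bytes:
    """Construct a minimal DHCP payload: DISCOVER for op=1, OFFER-shaped for op=2."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 1, 0x1234, 0, 0x8000)      # hops=1: one relay crossed
    hdr += b"\0" * 12 + bytes(int(x) for x in giaddr.split("."))       # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(chaddr_hex).ljust(16, b"\0") + b"\0" * 192 + COOKIE   # chaddr, sname, file
    opts = b"\x35\x01" + bytes([op])                                   # option 53: 1 DISCOVER, 2 OFFER
    if with_opt82:
        opts += b"\x52\x04\x01\x02\x00\x07"    # constructed option 82 carrying one circuit-id sub-option
    return hdr + opts + b"\xff"
```

A relayed DISCOVER arriving on an untrusted port trips all three checks at once, which is exactly the sequence of fixes in the thread; marking the relay-facing port trusted clears them without turning the checks off for real client ports.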
