-- When you enable snooping on the switch, it automatically enables option
82.

-- Now, when an IOS DHCP server receives a request packet with option 82
enabled it expects the giaddr field to be populated with the IP addr of
the relay, but the switch sets that to 0.0.0.0 with just the snooping
enabled (no SVI, helper etc.), and when that is the case the router discards
the request.

-- So either trust option 82 with giaddr set to 0.0.0.0 on the router with
"ip dhcp relay information trust-all"

or

-- Do not send the request with option 82 set on the switch where snooping
is enabled, with "no ip dhcp snooping information option"
-Sri
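The option 82 / giaddr interaction described in this thread, modelled as an added example (not code from any poster): a constructed DHCPDISCOVER passes through a snooping switch that may insert option 82 but never touches giaddr, and a server-side check reproduces the IOS drop unless trust-all is set. The option 82 sub-option encoding, the VLAN/port numbers and the MAC addresses are assumptions for illustration, not Cisco's exact format.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie (RFC 2131)
OPT_MSG_TYPE, OPT_RELAY_AGENT = 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # option 82 sub-options (RFC 3046)

def relay_agent_info(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Option 82 payload a snooping switch inserts: circuit-id (VLAN/port) and
    remote-id (switch MAC). Sub-option encodings are constructed for illustration."""
    circuit = struct.pack("!HBB", vlan, module, port)
    return (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(switch_mac)]) + switch_mac)

def build_discover(chaddr: bytes, giaddr: str = "0.0.0.0", relay_info: bytes = b"") -> bytes:
    """Constructed minimal DHCPDISCOVER: 236-byte fixed header, cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, IPv4Address(giaddr).packed,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, 1])  # message type = DISCOVER
    if relay_info:  # what "ip dhcp snooping information option" adds on the switch
        options += bytes([OPT_RELAY_AGENT, len(relay_info)]) + relay_info
    return header + MAGIC + options + b"\xff"

def parse_options(pkt: bytes) -> dict:
    """Walk the TLV option area; returns {code: value}."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:      # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def server_accepts(pkt: bytes, trust_all: bool = False) -> bool:
    """The IOS DHCP server sanity check the thread describes: option 82 present but
    giaddr == 0.0.0.0 is dropped unless 'ip dhcp relay information trust-all'."""
    giaddr = IPv4Address(pkt[24:28])          # giaddr sits at offset 24 of the header
    has_opt82 = OPT_RELAY_AGENT in parse_options(pkt)
    return not (has_opt82 and giaddr == IPv4Address("0.0.0.0") and not trust_all)

def outcome(snooping_info_option: bool, trust_all: bool) -> bool:
    """Client DISCOVER through an access switch running DHCP snooping (giaddr untouched)."""
    info = relay_agent_info(10, 1, 3, bytes.fromhex("001122334455")) if snooping_info_option else b""
    pkt = build_discover(bytes.fromhex("aabbccddeeff"), relay_info=info)
    return server_accepts(pkt, trust_all)
```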


On Sun, Jun 24, 2012 at 6:19 AM, Kingsley Charles <
[email protected]> wrote:

> With IPSG + port security, the switch doesn't cache the MAC address of the
> client, hence the switch will not know how to forward the DHCP
> offer back to the client. Having the DHCP option enabled, it will use the
> Option 82 parameters to send it on the port to which the client is
> connected.
>
> With regards
> Kings
>
>
> On Sun, Jun 24, 2012 at 1:25 PM, Eugene Pefti <[email protected]> wrote:
>
>> It sounds like a dogma, Kings.
>> Can you please elaborate why?
>>
>> Sent from iPhone
>>
>> On Jun 24, 2012, at 12:05 AM, "Kingsley Charles" <
>> [email protected]> wrote:
>>
>> With *ip verify source port-security* always have the option enabled, else
>> the DHCP packet from the DHCP server will never find its way to the client.
>>
>>
>>
>> With regards
>> Kings
>>
>> On Sun, Jun 24, 2012 at 7:36 AM, Eugene Pefti <[email protected]> wrote:
>>
>>> Hello Ernesto,
>>>
>>> I just remembered someone posted this question here recently about
>>> option 82 use in various scenarios and wanted to comment on it, as I ran
>>> into a similar situation even though this topic was extensively discussed
>>> here, and join in your curiosity. First, my understanding about this option
>>> (mostly as a gotcha) is as follows:
>>>
>>> A switch performing DHCP Snooping inserts by default the Option 82 into
>>> the DHCP messages from clients. However, each DHCP message contains a
>>> field called GIADDR where the IP address of the possible relay agent may
>>> be recorded if the DHCP message was relayed. Naturally, when a DHCP
>>> message passes through a DHCP Snooping switch, it is not relayed (i.e.
>>> taken from one VLAN and switched into another), so an access switch does
>>> not modify the GIADDR field, which remains set to 0.0.0.0. However, at
>>> least the Cisco DHCP Server performs a sanity check on received DHCP
>>> messages and it drops DHCP messages that contain the Option 82 but whose
>>> GIADDR field is set to 0.0.0.0.
>>>
>>> Moreover, the Option 82 is inserted by the access switches performing
>>> the DHCP Snooping and it contains two important parts:
>>>
>>> 1) The Circuit ID that identifies the port to which the client
>>> is connected (the VLAN and the physical port location in a switch)
>>>
>>> 2) The Remote ID that identifies the access switch to which
>>> the client is connected (by the MAC address of the switch)
>>>
>>> So, having said that, we have three different scenarios:
>>>
>>> 1) IP Source Guard IP/MAC checking, which is on page 74 of
>>> Yusuf’s security presentation. It doesn’t say anything about the DHCP
>>> server support of option 82 at all.
>>>
>>> If we read the Cisco guide on IPSG
>>>
>>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swdhcp82.html#wp1294425
>>>
>>> we can find this Note:
>>>
>>> *When you enable both IP Source Guard and Port Security (exactly as in
>>> our first scenario), using the ip verify source port-security interface
>>> configuration command, there are two caveats:*
>>>
>>> *The DHCP server must support option 82, or the client is not assigned
>>> an IP address.*
>>>
>>> So, my understanding here is that if we don’t know
>>> anything about the DHCP server support for option 82 we’d better disable
>>> this option on the access-layer switch. But Yusuf leaves it enabled!
>>>
>>> 2) IP Source Guard IP checking only. It’s mostly the opposite
>>> of what is said above. We don’t have *ip verify source port-security* and I
>>> would like to know why we have to disable this option.
>>>
>>> 3) DAI scenario. Since DAI is heavily dependent on DHCP
>>> snooping and having option 82 disabled is a recommendation for DHCP
>>> snooping, then I’d understand that it is also disabled for DAI. Correct me
>>> here if I’m wrong.
>>>
>>> Eugene
>>>
>>>
>>> *From:* [email protected] [mailto:
>>> [email protected]] *On Behalf Of* Ernesto
>>> Gonzalez
>>> *Sent:* Tuesday, June 19, 2012 9:48 AM
>>> *To:* [email protected]
>>> *Subject:* [OSL | CCIE_Security] no ip dhcp snooping information option
>>>
>>>
>>> This is the Yusuf L2 attack presentation I am referring to:
>>>
>>> http://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf
>>>
>>> --
>>> Ernesto Gonzalez G.
>>>
>>> On Tue, Jun 19, 2012 at 10:20 AM, Ernesto González <[email protected]>
>>> wrote:
>>>
>>> Good day guys,
>>>
>>> I was looking for some clarification on when the "no ip dhcp snooping
>>> information option" command is required (to get task points) and when it
>>> isn't.
>>>
>>> There are two workarounds to the option 82 issue:
>>>
>>> 1. no ip dhcp snooping information option - SW
>>> 2. a. (globally) ip dhcp relay information trust-all - IOS DHCP Server
>>>    b. (interface) ip dhcp relay information trusted - IOS DHCP Server
>>>
>>> Now the scenarios:
>>>
>>> *Scenario#1 - IPSG*
>>>
>>> *NO ip dhcp snooping information option* - REQUIRED per Yusuf ex 8.4
>>> Lab # 2 and Yusuf L2 Security presentation page 74
>>>
>>> *Scenario#2 - IPSG + mac-address validation (port-security)*
>>>
>>> *ip dhcp snooping information option* - REQUIRED per
>>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swdhcp82.html#wp1294425
>>> and Yusuf L2 Security presentation page 74
>>> *ip dhcp relay information trusted* - REQUIRED
>>>
>>> *Scenario#3 - DAI*
>>>
>>> *NO ip dhcp snooping information option* - REQUIRED per Yusuf L2
>>> Security presentation page 59
>>>
>>> Are these correct? Am I missing anything?
>>>
>>> Thanks for your assistance!!!
>>>
>>> --
>>> Ernesto Gonzalez G.
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training,
>>> please visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>>>