I'm running into kind of a weird one -- wondering if anyone has ever seen this before, or has a better idea of how to accomplish this?
I have an ASR920 that I want to use to aggregate customer traffic, mainly for (bridged) DSL and fiber customers. Normally (on the older Cisco stuff we're replacing) I'd enable DHCP relay on the routed interface, and then enable DHCP snooping on the VLAN to make sure no one can attempt to be the DHCP server for the network (it's happened before).

DHCP relay is working fine, but I can't seem to get DHCP snooping to work right. Normally in a layer-2 scenario I'd enable 'ip dhcp snooping trust' on the upstream interface, but it doesn't seem to work on a layer-3 interface.

For example (simplified):

    ip dhcp snooping bridge-domain 100
    ip dhcp snooping information option allow-untrusted
    ip dhcp snooping

    interface BDI100
     description Subscribers
     ip dhcp relay source-interface BDI100
     ip address xxxx
     ip helper-address yyyy

    interface TenGigabitEthernet0/0/11
     description Feed
     ip address 10.10.0.10 255.255.255.252
     mpls ip

I can't add the dhcp trust command to the feed; it won't accept the command. In this example, the subs on BDI100 cannot get IP addresses, and no requests are sent to the DHCP relay server. If I disable snooping, DHCP relay works fine.

All the docs for the ASR920 show that the dhcp trust command should be on the interface leading to the DHCP server, which is how we've always done it. Though that was on a layer 2 interface.