2920 Views | 0 Helpful | 4 Replies

dhcp snooping vs. giaddr

franklaszlo (Level 1)

Hello,

It seems to me that DHCP snooping drops incoming DHCP packets even on a trusted interface if the packet has giaddr set.

(The giaddr is set because this packet gets relayed from a branch office router.)

Is that true? Is there any way to get it through the switch where DHCP snooping is enabled?

Thanks,

Laszlo

4 Replies

bjw (Level 4)

Laszlo,

Does DHCP Snooping show any syslog warnings regarding a positive snooping action?

And, look at this:

If the relay agent inserts option 82 but does not set the giaddr field in the DHCP packet, the DHCP server interface must be configured as a trusted interface by using the ip dhcp relay information trusted global configuration command. This configuration prevents the server from dropping the DHCP message.

From: http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a0080173d22.html

Hi all,

For the simple part of the network it works; however, this is how this part looks:

DHCP Client in question
        |
        |
BO VPN Router (DHCP relay agent, option insertion enabled)
        |
        |
Internet
        |
        |
1841 router, VPN endpoint
        |
        |
vlan 5 access port, trusted on Catalyst 3560
    [
    ip dhcp snooping vlan 1,3-6
    no ip dhcp snooping verify mac-address
    ip dhcp snooping
    ]
vlan 1 access port, trusted on Catalyst 3560
        |
        |
Windows Server 2003 DHCP

On the 3560 I debugged DHCP snooping and found DHCP discover packets reaching the switch with:

- giaddr set to the IP address of the BO router LAN interface,

- IP SA as above, IP DA is the address of the DHCP server,

- SMAC ?,

- DMAC set to the vlan 5 SVI interface of the 3560.

The switch wants to flood it to vlan 5, and also send it to the CPU port of vlan 5 (?).

At the same time I monitored traffic on the DHCP server, and I did not find any DHCP packet reaching the server.

So this is the full story...

Any ideas ?

bjw (Level 4)

Or this

Enabling the DHCP-Snooping Host-Tracking Information Option

If you enable the host-tracking information option, the DHCP relay agent information option (option 82) is added to the client packets that are being forwarded. The relay agent option contains the agent circuit ID and the agent remote ID information. The circuit ID suboption contains the port and the VLAN number of the client. The remote ID suboption contains the MAC address of the switch. Before inserting the host-tracking information, the switch verifies that the DHCP messages do not have an existing relay information option or a nonzero giaddr field. Before removing the host-tracking information, the switch verifies that the DHCP reply messages are from a trusted port and that the MAC address of the remote ID and the local switch match. If the packet comes from a trusted port and the addresses do not match, the packet is forwarded.

To configure the host-tracking information option for DHCP snooping, perform this task:

Step 1: Enable the DHCP-snooping host-tracking information option.
    set dhcp-snooping information host-tracking enable

Step 2: Display the MAC address for the host-tracking information option.
    show dhcp-snooping config

This example shows how to configure the DHCP-snooping host-tracking information option:

Console> (enable) set dhcp-snooping information host-tracking enable

DHCP Snooping Information Option Enabled.

Console> (enable) show dhcp-snooping config

DHCP Snooping MAC address matching is enabled.

DHCP Snooping host-tracking information option is disabled.

Remote ID used in information option is 00-d0-00-4c-1b-ff.

Console> (enable)

In:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008022f26c.html
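To make the two checks quoted above concrete (an untrusted port drops a DHCP request that already carries a nonzero giaddr or an option 82; the switch only inserts its own option 82 when neither is present; on a reply it strips option 82 only from a trusted port whose remote ID matches its own MAC), here is an added Python model of that decision logic. It is not code from this thread or from Cisco: the packet builder, the sample giaddr 192.168.50.1, the client and router MAC addresses and the circuit-ID string are all constructed here, and the extra rule that a BOOTREPLY arriving on an untrusted port is dropped is the general DHCP snooping behaviour, not something quoted in this thread.

```python
"""Added example: a small model of DHCP-snooping ingress checks, run over a
constructed DHCPDISCOVER relayed with giaddr set and option 82 inserted."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END, OPT_PAD = 53, 82, 255, 0
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


@dataclass
class DhcpPacket:
    op: int                                   # 1 = BOOTREQUEST, 2 = BOOTREPLY
    giaddr: str                               # relay agent address, dotted quad
    options: Dict[int, bytes] = field(default_factory=dict)

    @property
    def has_option82(self) -> bool:
        return OPT_RELAY_AGENT in self.options


def parse_tlvs(buf: bytes) -> Dict[int, bytes]:
    """Parse a code/length/value list (DHCP options or option-82 suboptions)."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = buf[i + 1]
        out[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_dhcp(payload: bytes) -> DhcpPacket:
    """Pull op, giaddr and the option TLVs out of a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    giaddr = ".".join(str(b) for b in payload[24:28])  # giaddr = fixed-header bytes 24..27
    return DhcpPacket(op=payload[0], giaddr=giaddr, options=parse_tlvs(payload[240:]))


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Relay Agent Information: suboption 1 = circuit ID, suboption 2 = remote ID."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def build_dhcp(op: int, msg_type: int, giaddr: str, chaddr: bytes,
               option82: Optional[bytes] = None) -> bytes:
    """Constructed DHCP payload; xid and flags are arbitrary sample values."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 1, 0x3903F326, 0, 0x8000)  # op,htype,hlen,hops,xid,secs,flags
    hdr += bytes(12)                                               # ciaddr, yiaddr, siaddr = 0
    hdr += bytes(int(o) for o in giaddr.split("."))                # giaddr
    hdr += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)      # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if option82 is not None:
        opts += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


def snooping_verdict(pkt: DhcpPacket, port_trusted: bool) -> str:
    """Forward/drop decision for a packet arriving on a snooping-enabled port."""
    if port_trusted:
        return "forward"
    if pkt.op == 2:
        return "drop: server reply on untrusted port"
    if pkt.giaddr != "0.0.0.0":
        return "drop: nonzero giaddr on untrusted port"
    if pkt.has_option82:
        return "drop: option 82 present on untrusted port"
    return "forward"


def should_insert_option82(pkt: DhcpPacket) -> bool:
    """The switch adds its own option 82 only when giaddr is zero and none exists."""
    return not pkt.has_option82 and pkt.giaddr == "0.0.0.0"


def should_strip_option82(reply: DhcpPacket, port_trusted: bool, local_mac: bytes) -> bool:
    """Strip option 82 from a reply only on a trusted port whose remote ID equals
    this switch's MAC; a mismatch on a trusted port is forwarded unchanged."""
    if not port_trusted or not reply.has_option82:
        return False
    return parse_tlvs(reply.options[OPT_RELAY_AGENT]).get(SUB_REMOTE_ID) == local_mac


if __name__ == "__main__":
    bo_router_mac = b"\x00\x1b\x2c\x3d\x4e\x5f"          # sample value, not a real device
    relayed = parse_dhcp(build_dhcp(1, 1, "192.168.50.1", b"\x00\x11\x22\x33\x44\x55",
                                    build_option82(b"vlan5-port1", bo_router_mac)))
    print("untrusted port:", snooping_verdict(relayed, port_trusted=False))
    print("trusted port:  ", snooping_verdict(relayed, port_trusted=True))
    print("insert own option 82?", should_insert_option82(relayed))
```

The relayed discover is dropped only when it lands on an untrusted port; on a trusted port it is forwarded untouched, which is why, in a topology like the one in this thread, the check worth making first is whether the ingress port toward the VPN router really is trusted for the VLAN the packet arrives on.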

sandegu2 (Level 1)

Can anyone tell me how to configure the giaddr field in a Cisco ASR 901 router,

and in an Ixia packet stream?
