DHCP snooping / PXE

Unanswered Question
Apr 25th, 2009

Hi,

Is there any specification (RFC or otherwise) that describes the behavior of DHCP snooping, especially how it would behave in conjunction with PXE support?

Please take some time to refer to MS PXE support.

http://support.microsoft.com/kb/244036

How is the second DHCP OFFER packet, received from the RIS server and intended for the same client, handled by a DHCP enabled switch?

Since there is a second DHCP OFFER packet intended for the same client, I am curious to know how this is handled by a DHCP enabled switch.

Thanks

Giuseppe Larosa Sun, 04/26/2009 - 23:59

Hello Ranil,

This is a very good question.

In a switch without DHCP snooping, to support PXE you need:

- spanning-tree portfast on the port, or the PXE process will time out

- an ip helper-address command for the RIS server on the L3 device has to be added to that for the DHCP server

The multiple ip helper-address commands cause the DHCP offer to be translated to all the helper-address unicast destinations.

From the point of view of DHCP snooping, it is important that the port(s) where server-side messages are received are classified as trusted, or they will be discarded.

On a client untrusted port DHCP snooping performs several checks:

- only client-side messages are accepted

- the client messages can be examined to verify that:

  - DHCP decline and release messages arrive on the ports where the IP addresses had been assigned

  - the source MAC address of the frame and the client-id inside the packet are the same

The idea is to avoid man-in-the-middle and denial-of-service attacks (scope depletion).

I'm not sure, but probably two DHCP offers arriving on the same client untrusted port could be accepted; if so, DHCP snooping and PXE can coexist.

see

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a00800f0804.shtml#pxe

But initial implementations of DHCP snooping had a problem with PXE:

CSCeh22506

A switch now forwards DHCP-acknowledge packets from a Pre-Boot Execution Environment (PXE) server when IP DHCP snooping is enabled.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_22_ea4/release/notes/ol7190.html

So you need to verify if your switches are affected by this bug.

Hope to help

Giuseppe
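As an added illustration (not part of this thread and not Cisco's code), the toy model below applies the checks Giuseppe lists to the PXE exchange from the question: both OFFERs arriving on the relay-facing trusted uplink are forwarded, while a rogue OFFER, a DISCOVER with a forged chaddr, and a RELEASE from a port other than the binding's are dropped on untrusted ports. Port names, MAC addresses and the 10.0.0.50 lease are constructed sample values.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}          # server-side message types
CLIENT = "00:11:22:33:44:55"                    # constructed PXE client MAC


@dataclass
class SnoopingSwitch:
    """Toy model of the snooping checks described above; not Cisco's implementation."""
    trusted_ports: set
    bindings: dict = field(default_factory=dict)  # chaddr -> (ip, client port)
    pending: dict = field(default_factory=dict)   # chaddr -> port of last DISCOVER/REQUEST

    def filter(self, m):
        """Return (forward, reason) for one message dict (msgtype, port, src_mac, chaddr, yiaddr)."""
        port, kind, mac = m["port"], m["msgtype"], m["chaddr"]
        if port in self.trusted_ports:
            # Server-side messages are accepted only here, so the DHCP server's OFFER and
            # the RIS server's second OFFER both pass; the ACK creates the binding.
            if kind == "ACK" and mac in self.pending:
                self.bindings[mac] = (m["yiaddr"], self.pending[mac])
            return True, "trusted port"
        if kind in SERVER_MSGS:
            return False, "server message on untrusted port (rogue server)"
        if m["src_mac"] != mac:
            return False, "frame source MAC differs from chaddr (spoofing / scope depletion)"
        if kind in ("RELEASE", "DECLINE") and mac in self.bindings and self.bindings[mac][1] != port:
            return False, "release/decline from a port other than the binding's"
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[mac] = port
        return True, "client message on its own port"


def msg(kind, port, src_mac=CLIENT, chaddr=CLIENT, yiaddr=None):
    return {"msgtype": kind, "port": port, "src_mac": src_mac, "chaddr": chaddr, "yiaddr": yiaddr}


def pxe_scenario():
    """Replay the PXE exchange from the question plus three hostile frames (all constructed)."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})       # Gi1/0/24 = uplink toward the L3 relay
    steps = [
        msg("DISCOVER", "Gi1/0/1"),                                          # PXE client boots
        msg("OFFER", "Gi1/0/24", src_mac="aa:aa:aa:aa:aa:01"),               # DHCP server reply
        msg("OFFER", "Gi1/0/24", src_mac="bb:bb:bb:bb:bb:02"),               # second OFFER, RIS server
        msg("REQUEST", "Gi1/0/1"),
        msg("ACK", "Gi1/0/24", src_mac="aa:aa:aa:aa:aa:01", yiaddr="10.0.0.50"),
        msg("OFFER", "Gi1/0/3", src_mac="cc:cc:cc:cc:cc:03"),                # rogue server on access port
        msg("DISCOVER", "Gi1/0/3", src_mac="cc:cc:cc:cc:cc:03"),             # forged chaddr
        msg("RELEASE", "Gi1/0/3"),                                           # release of another port's lease
    ]
    return [sw.filter(m) for m in steps], dict(sw.bindings)
```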

Posted April 25, 2009 at 1:54 PM