DHCP snooping/ PXE

rsgamage1
Level 3

Hi,

Is there any specification (RFC or otherwise) that describes the behavior of DHCP snooping, especially how it behaves in conjunction with PXE support?

Please take some time to refer to MS PXE support:

http://support.microsoft.com/kb/244036

How is the second DHCP OFFER packet, received from the RIS server and intended for the same client, handled by a DHCP-enabled switch?

Since there is a second DHCP OFFER packet intended for the same client, I am curious to know how this is handled by a DHCP-enabled switch.

Thanks

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Ranil,

this is a very good question.

In a switch without DHCP snooping, to support PXE you need:

- spanning-tree portfast on the port, or the PXE process will time out

- an ip helper-address command for the RIS server on the L3 device, added to the one for the DHCP server

The multiple ip helper-address commands cause the DHCP offer to be translated to all the helper-address unicast destinations.

From the point of view of DHCP snooping it is important that the port(s) where server-side messages are received are classified as trusted, or they will be discarded.

On a client (untrusted) port DHCP snooping performs several checks:

- only client-side messages are accepted

- the client messages can be examined to verify that:

  - DHCP decline and release messages arrive on the ports where the IP addresses had been assigned

  - the source MAC address of the frame and the client-id inside the packet are the same

The idea is to avoid man-in-the-middle and denial-of-service attacks (scope depletion).

I'm not sure, but probably two DHCP offers arriving on the same client untrusted port could be accepted; if so, DHCP snooping and PXE can coexist.

see

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a00800f0804.shtml#pxe

But initial implementations of DHCP snooping were a problem with PXE:

CSCeh22506

A switch now forwards DHCP-acknowledge packets from a Pre-Boot Execution Environment (PXE) server when IP DHCP snooping is enabled.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_22_ea4/release/notes/ol7190.html

So you need to verify if your switches are affected by this bug.

Hope to help

Giuseppe
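To make the checks in the reply above concrete, here is an added example (not from the thread and not Cisco's code) that models a per-VLAN DHCP snooping filter and runs a PXE-style exchange through it: one DISCOVER from the client, two OFFERs for that client (one from the DHCP server, one from the RIS/PXE server) arriving on the trusted uplink, and the three things the checks are meant to stop: an OFFER from a rogue server on an untrusted port, a RELEASE sent from a port other than the one holding the binding, and a DISCOVER whose chaddr does not match the frame's source MAC. The port names (Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/48), MAC addresses and IP addresses are constructed for the demonstration; a real switch also stores IP, VLAN and lease time in its binding table, which is omitted here.

```python
"""Model of the DHCP snooping checks applied to a PXE exchange.

Added example, not from the original thread or from Cisco. Port names,
MACs and addresses are constructed; only the decision logic matters.
"""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, DECLINE, ACK, RELEASE, INFORM = 1, 2, 3, 4, 5, 7, 8
CLIENT_TYPES = {DISCOVER, REQUEST, DECLINE, RELEASE, INFORM}
MAGIC = b"\x63\x82\x53\x63"


def build_dhcp(op, msg_type, chaddr, xid=0x3903F326, yiaddr="0.0.0.0"):
    """Minimal RFC 2131 message: 236-byte fixed header, magic cookie, option 53, end."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0x8000,
                        bytes(4), socket.inet_aton(yiaddr), bytes(4), bytes(4),
                        chaddr.ljust(16, b"\x00"), bytes(64), bytes(128))
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    """Return (op, chaddr, message type) from a DHCP message."""
    op, hlen = pkt[0], pkt[2]
    chaddr = pkt[28:28 + hlen]
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:            # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return op, chaddr, opts[53][0]


class DhcpSnooper:
    """Per-VLAN DHCP snooping filter implementing the checks listed in the reply."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.client_port = {}   # chaddr -> untrusted port that last sent DISCOVER/REQUEST
        self.bindings = {}      # chaddr -> port on which the lease was acknowledged

    def handle(self, port, src_mac, pkt):
        op, chaddr, mtype = parse_dhcp(pkt)
        if port in self.trusted:
            # Server-side messages are accepted only here; an ACK completes the binding.
            if op == BOOTREPLY and mtype == ACK and chaddr in self.client_port:
                self.bindings[chaddr] = self.client_port[chaddr]
            return "forward"
        # Untrusted (client) port: only client messages are accepted.
        if op != BOOTREQUEST or mtype not in CLIENT_TYPES:
            return "drop: server message on untrusted port"
        if chaddr != src_mac:
            return "drop: chaddr does not match source MAC"
        if mtype in (DECLINE, RELEASE) and self.bindings.get(chaddr) != port:
            return "drop: release/decline not from the binding port"
        if mtype in (DISCOVER, REQUEST):
            self.client_port[chaddr] = port
        return "forward"


def pxe_scenario():
    """Constructed exchange: PXE client, DHCP server + RIS server behind the trusted uplink."""
    client = bytes.fromhex("001122334455")
    rogue = bytes.fromhex("00deadbeef01")
    sw = DhcpSnooper(trusted_ports={"Gi1/0/48"})   # uplink toward both servers
    steps = [  # (ingress port, frame source MAC, DHCP message)
        ("Gi1/0/10", client, build_dhcp(BOOTREQUEST, DISCOVER, client)),
        ("Gi1/0/48", b"", build_dhcp(BOOTREPLY, OFFER, client, yiaddr="10.1.1.50")),  # DHCP server
        ("Gi1/0/48", b"", build_dhcp(BOOTREPLY, OFFER, client)),                      # RIS/PXE server, no address
        ("Gi1/0/11", rogue, build_dhcp(BOOTREPLY, OFFER, client, yiaddr="10.1.1.99")),  # rogue server
        ("Gi1/0/10", client, build_dhcp(BOOTREQUEST, REQUEST, client)),
        ("Gi1/0/48", b"", build_dhcp(BOOTREPLY, ACK, client, yiaddr="10.1.1.50")),
        ("Gi1/0/11", client, build_dhcp(BOOTREQUEST, RELEASE, client)),   # RELEASE from the wrong port
        ("Gi1/0/12", rogue, build_dhcp(BOOTREQUEST, DISCOVER, client)),   # spoofed chaddr (scope depletion)
    ]
    return [sw.handle(port, mac, pkt) for port, mac, pkt in steps], sw.bindings


if __name__ == "__main__":
    for decision in pxe_scenario()[0]:
        print(decision)
```

Both OFFERs pass because the snooper classifies by ingress port, not by how many offers a client has received, which is the coexistence condition the reply describes; the three attack messages are dropped by the untrusted-port checks.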
