DHCP snooping

Unanswered Question
Nov 5th, 2009

Hi,

I have a question about DHCP snooping. I want to enable this feature on two 6509 Catalyst switches that are doing Layer 3 Etherchannel towards the DHCP server and relaying DHCP requests by using the ip helper-address command. Here's the topology: http://img442.imageshack.us/img442/6159/dhcpsnoop.jpg

After reading a few articles, I'm still not sure where to put some of the commands to enable that feature and I don't feel like experimenting on a live production network (unfortunately I can't lab it up). I was planning on issuing the following commands:

1) ip dhcp snooping information option (global conf mode) ---- to enable DHCP option-82 data insertion

2) ip dhcp snooping vlan 10 (global conf mode) ---- enables DHCP snooping on a VLAN

3) Then I need to configure DHCP trust state on the appropriate interfaces, but I can't apply the "ip dhcp snooping trust" command to the Port-Channel interfaces because there's no such command. So I figured I'd apply this command to the interfaces that compose the EtherChannel, but I can't do that either for the same reason. Do I really need to apply that command in my case?

4*) Some people say that I also need to apply the "ip dhcp relay information trusted" command to the SVI interface, but Cisco says the opposite -

"When DHCP snooping is enabled, these Cisco IOS DHCP commands are not available on the switch:

...

- ip dhcp relay information trusted interface configuration command

...

If you enter these commands, the switch returns an error message, and the configuration is not applied."

5) And, of course, I enable it by issuing the "ip dhcp snooping" command.

If anybody has any suggestions on how to enable DHCP snooping in my case or has the same setup up and running, your help will be greatly appreciated. Thanks.

Peter Paluch Fri, 11/06/2009 - 02:05

Hello,

Regarding your commands:

1) On switches I had experience with, the "ip dhcp snooping information option" is already active. However, entering it should not do any harm.

2) Correct.

3) Interesting. I am looking at my 3560G running 12.2(52)SE and the command "ip dhcp snooping trust" is available on Port-channel interfaces. I would personally think that this command is necessary and cannot be omitted; however, you are suggesting that the command is not available on either the Port-channel or the member interfaces. That is strange. What exact IOS version are you running?

4) The command "ip dhcp relay information trusted" is necessary for the following reason: When a DHCP request is forwarded by a switch running the DHCP snooping feature, the Option 82 (so-called relay information option) will be added to the request by the switch. However, the IP address of the relay agent in the DHCP request (the GIADDR) will remain set to 0.0.0.0 because the switch is not a real DHCP relay; it just added the Option 82 for its own DHCP snooping purposes. If the DHCP server is running on a different switch than the one doing the DHCP snooping, it will reject this DHCP packet because it will contain the Option 82, yet the IP address of the relay agent in the request will be set to 0.0.0.0, which is illogical to the DHCP server (if there is no relay agent, how come the request contains the relay agent information option?). In this case, the problem can be corrected by the command "ip dhcp relay information trusted", which allows the DHCP server to process DHCP requests with the relay IP address set to 0.0.0.0.

In short: use that command if the DHCP server is on another switch than the one doing the DHCP snooping.

5) Correct, this command is necessary.

Clearly, there is something strange regarding the "ip dhcp snooping trust" command in your case. Let's first see what is your exact IOS version and then look up some details in the configuration guides for that version.

Best regards,

Peter
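
Point 4 of the reply above (a snooping switch inserts Option 82 but leaves GIADDR at 0.0.0.0, and a server on another device then rejects the packet unless told to trust it) as an added, constructed Python illustration that is not part of this thread or of any Cisco code: it builds a sample DHCPDISCOVER both ways and applies the server-side acceptance rule the reply describes, with a boolean standing in for the "relay information trusted" setting. The client MAC, the circuit-id/remote-id bytes and the 10.10.10.1 relay address are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255   # 82 = relay agent information (RFC 3046)

def build_discover(mac: bytes, giaddr: str, relay_info: dict = None) -> bytes:
    """Constructed sample DHCPDISCOVER; relay_info maps option-82 sub-option code (1 circuit-id, 2 remote-id) to bytes."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,          # op, htype, hlen, hops, xid, secs, flags
                         b"\0" * 4, b"\0" * 4, b"\0" * 4,              # ciaddr, yiaddr, siaddr
                         IPv4Address(giaddr).packed,                  # giaddr: 0.0.0.0 unless a real relay set it
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, 1])                             # message type 1 = DISCOVER
    if relay_info:
        body = b"".join(bytes([code, len(v)]) + v for code, v in relay_info.items())
        options += bytes([OPT_RELAY_AGENT, len(body)]) + body        # what a snooping switch appends
    return header + MAGIC_COOKIE + options + bytes([OPT_END])

def parse_tlvs(data: bytes) -> dict:
    """Parse code/length/value triples (DHCP options or option-82 sub-options)."""
    out, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                                              # pad option has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out

def parse_discover(packet: bytes):
    """Return (giaddr as text, {option code: value}) for a DHCP packet."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    return str(IPv4Address(packet[24:28])), parse_tlvs(packet[240:])

def server_accepts(packet: bytes, trust_unrelayed_option82: bool):
    """Server-side rule from the reply: option 82 with giaddr still 0.0.0.0 is dropped unless trusted."""
    giaddr, opts = parse_discover(packet)
    if OPT_RELAY_AGENT in opts and giaddr == "0.0.0.0" and not trust_unrelayed_option82:
        return False, "option 82 present but giaddr is 0.0.0.0"
    return True, "accepted"

# Constructed sample values: client MAC, circuit-id = VLAN 10 / port index, remote-id = switch MAC.
CLIENT_MAC = bytes.fromhex("001122334455")
RELAY_INFO = {1: bytes.fromhex("000a0501"), 2: bytes.fromhex("0011bbccddee")}
SNOOPED = build_discover(CLIENT_MAC, "0.0.0.0", RELAY_INFO)     # left a snooping switch, not a relay
RELAYED = build_discover(CLIENT_MAC, "10.10.10.1", RELAY_INFO)  # passed through an ip helper-address relay
```

Running server_accepts on SNOOPED with the trust flag off reproduces the rejection the reply describes; RELAYED, where a real relay filled in GIADDR, is accepted either way.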

saiiven07 Fri, 11/06/2009 - 06:00

Peter,

First of all, I'd like to thank you for your attention to my problem and for your detailed input and suggestions. Looks like the only thing left to figure out is where I should or shouldn't apply the "ip dhcp snooping trust" command :)

As for the IOS version that I'm running, it's as follows:

Cisco IOS Software, s3223_rp Software (s3223_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI2a, RELEASE SOFTWARE (fc2)

s3223-advipservicesk9_wan-mz.122-33.SXI2a.bin

Cisco Feature Navigator says that DHCP Snooping is a supported feature in this release.

But as you can see there's no such command:

xxx(config)#int Port-channel1.35
xxx(config-subif)#ip dhcp ?
  client  DHCP client configuration
  relay   DHCP relay configuration parameters
xxx(config-subif)#exit
xxx(config)#

Member interfaces:

xxx(config)#interface gigabitEthernet 5/1
xxx(config-if)#ip dhcp snooping ?
  limit    DHCP Snooping limit
  packets  Enable DHCP Snooping on interface
xxx(config-if)#

Maybe I need to issue some snooping related command first, like "ip dhcp snooping vlan 10"? I wish I could lab it up.

And all our 6500s are running that release, so I can't even determine whether it's a bug or not.
