08-22-2018 04:56 AM - edited 03-10-2019 01:04 AM
Hi, I'm having trouble getting my DHCP server and relay agent to work correctly. In the image I've set up DHCP snooping on all 3 switches and trusted ports Gi1/1 on SW1 and SW2.
I disabled DHCP snooping on L3SW1 just to see if it did anything, and it started working. Once I enabled it again, PC1 fails to get an IP. So the issue is with DHCP snooping on L3SW1, but why? The commands you see in the image are the exact same commands on SW1 and SW2.
Thanks
08-22-2018 05:43 AM
Hi there,
If the commands on L3SW1 are the same as on SW1 and SW2, then you are trusting the wrong interface. It should be Gi0/1.
Please can you post the output of sh ip dhcp snooping from L3SW1 when it is enabled.
cheers,
Seb.
08-22-2018 04:08 PM
Hi, thanks for the reply. The command sh ip dhcp snooping above is from when DHCP snooping was enabled on L3SW1 and it wasn't working. It doesn't seem like I was trusting the Gi0/1 interface on L3SW1 as you suggested, which is a good point, but I don't know why the packets weren't at least being forwarded out the Gi0/1 interface. As far as I understand, DHCP snooping trust on Gi0/1 would trust Offer and Ack packets from a DHCP server, but even if the port was untrusted, as it is above, the interface should still forward the packets out. I'm not sure though and would have to test that.
Thanks for your input.
08-23-2018 12:11 AM
Correct, the trust status of a port would not affect whether a DHCP broadcast is forwarded. The 'Trust' state governs whether the switchport forwards DHCP offer traffic.
If you wanted to test whether the DHCP Discover packets were being forwarded when Gi0/0 was trusted, you would need to configure a SPAN port on R2 f0/0, or configure DHCP server debugging on R2 and check the logs.
So when you put L2SW1 Gi0/0 in a trust state, is it displayed under sh ip dhcp snooping?
cheers,
Seb.
08-25-2018 07:01 AM - edited 08-26-2018 12:03 PM
It would appear you can't configure DHCP snooping trust on routed ports or VLAN interfaces.
08-28-2018 12:58 AM
Ah, I didn't notice the routed interface in your diagram.
DHCP snooping is an access-layer security measure, as it is at the edge of the network where you would expect rogue DHCP servers to be found. There shouldn't be any need to trust the DHCP servers buried deep in the upper layers of your infrastructure.
As you pointed out in the first post, DHCP snooping doesn't work on L3SW1 as it can't be configured as desired, i.e. trusting the upstream DHCP server. Just stick to configuring DHCP snooping on the access-layer switches SW1 and SW2 and you'll be fine.
cheers,
Seb.
04-20-2022 06:23 PM
Hi buddy,
I have encountered the same problem with the same topology: when DHCP snooping was disabled on the L3 switch, the PC could get an IP address from the DHCP server; when DHCP snooping was enabled on L3SW1, the PC could not get an IP address from the DHCP server.
I added a PC to L3SW1 for testing and captured "R2 F0/0" (the interface connecting the DHCP server and L3SW1) with Wireshark. I noticed that when the PC (connected to SW3) initiated DHCP, "R2 F0/0" received 6 packets: three from the DHCP relay agent (unicast) and three from the PC (broadcast), all 6 without option 82. When the PC (connected to the L2 switch) initiated DHCP, "R2 F0/0" received 3 packets, with option 82. If I turned off option 82 on the L2 switch, the DHCP server would receive nothing.
So weird. I have searched a mass of documents and have not found a solution hitherto.
If you make a breakthrough, please leave a message. Thanks in advance!
Best regards,
Jinjie
04-20-2022 06:31 PM
Hi,
To add some information: with DHCP snooping enabled on L3SW1, even though 3 Discover packets from the PC (connected to the L2 switch) arrived at the DHCP server, the DHCP server sent no Offer through "R2 F0/0". I'm not sure whether the DHCP server ignored them (meaning no Offer reply) or whether "R2 F0/0" filtered the reply.
Yours sincerely,
Jinjie.
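The capture Jinjie describes above (Discovers carrying option 82 reaching the server, no Offer coming back) is the symptom of a relay or server dropping client packets that already contain the relay agent information option. The script below is an added example, not code from this thread or from Cisco: it builds a constructed DHCPDISCOVER, decodes the BOOTP header and option 82 sub-options, and applies the RFC 3046 section 7 rule that a Cisco IOS relay/server also implements: a packet with giaddr 0.0.0.0 that already carries option 82 is dropped unless the receiving interface is trusted. The circuit-id/remote-id layout (type 0, length 4, VLAN/module/port and type 0, length 6, switch MAC) is the IOS default encoding as I understand it; the packet contents and MAC addresses are constructed sample data.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


@dataclass
class Dhcp:
    op: int
    hops: int
    xid: int
    giaddr: str                       # dotted quad; 0.0.0.0 means "not relayed yet"
    chaddr: bytes                     # client hardware address (hlen bytes)
    options: Dict[int, bytes] = field(default_factory=dict)  # first occurrence of each code


def parse_dhcp(pkt: bytes) -> Dhcp:
    """Decode the fixed 236-byte BOOTP header, magic cookie and TLV option list."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    giaddr = ".".join(str(b) for b in pkt[24:28])
    chaddr = pkt[28:28 + hlen]
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        ln = pkt[i + 1]
        val = pkt[i + 2:i + 2 + ln]
        if len(val) != ln:
            raise ValueError("truncated option value")
        opts.setdefault(code, val)
        i += 2 + ln
    return Dhcp(op, hops, xid, giaddr, chaddr, opts)


def parse_option82(val: bytes) -> Dict[int, bytes]:
    """Split the relay agent information option into its sub-options (code -> data)."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(val):
        if i + 1 >= len(val):
            raise ValueError("truncated sub-option header")
        code, ln = val[i], val[i + 1]
        data = val[i + 2:i + 2 + ln]
        if len(data) != ln:
            raise ValueError("truncated sub-option value")
        subs[code] = data
        i += 2 + ln
    return subs


def decode_ios_circuit_id(data: bytes) -> Tuple[int, int, int]:
    """IOS default circuit-id (assumed format): type 0, length 4, VLAN(2) module(1) port(1)."""
    if len(data) != 6 or data[0] != 0 or data[1] != 4:
        raise ValueError("not an IOS-style circuit-id")
    vlan, module, port = struct.unpack("!HBB", data[2:6])
    return vlan, module, port


def relay_would_drop(d: Dhcp, interface_trusted: bool) -> Optional[str]:
    """Why a relay/server following RFC 3046 sec. 7 would discard this client packet, or None."""
    if OPT_RELAY_AGENT in d.options and d.giaddr == "0.0.0.0" and not interface_trusted:
        return "option 82 present with giaddr 0.0.0.0 on an untrusted interface"
    return None


def ios_option82(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Build an option 82 value the way an IOS snooping switch does (assumed default format)."""
    circuit = bytes([0, 4]) + struct.pack("!HBB", vlan, module, port)
    remote = bytes([0, 6]) + switch_mac
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUBOPT_REMOTE_ID, len(remote)]) + remote)


def build_discover(xid: int, mac: bytes, giaddr: bytes = b"\0\0\0\0",
                   opt82: Optional[bytes] = None) -> bytes:
    """Constructed DHCPDISCOVER: broadcast flag set, optional giaddr and option 82."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)        # op=BOOTREQUEST, Ethernet
    hdr += b"\0" * 12 + giaddr + mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128
    opts = bytes([OPT_MSG_TYPE, 1, 1])                                 # message type 1 = DISCOVER
    if opt82 is not None:
        opts += bytes([OPT_RELAY_AGENT, len(opt82)]) + opt82
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    pc_mac, sw_mac = bytes.fromhex("0011223344aa"), bytes.fromhex("00aabbccddee")
    for label, pkt in [("untagged", build_discover(1, pc_mac)),
                       ("tagged by access switch", build_discover(2, pc_mac,
                           opt82=ios_option82(10, 1, 3, sw_mac)))]:
        d = parse_dhcp(pkt)
        print(label, d.giaddr, relay_would_drop(d, interface_trusted=False))
```

The point the check makes: an access switch that inserts option 82 leaves giaddr at 0.0.0.0, so the next hop that runs snooping or relay sees exactly the "already relayed, but not by a relay" condition the rule discards. On IOS that is what "ip dhcp snooping information option allow-untrusted" (on an aggregation switch receiving tagged packets on untrusted ports) and "ip dhcp relay information trust-all" or per-interface "ip dhcp relay information trusted" (on the relay/server router) exist to override; "show ip dhcp snooping" on the aggregation switch reports whether the option 82 insertion and allow-untrusted settings are active.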