12-13-2012 12:07 AM - edited 03-07-2019 10:34 AM
Hello again,
I have a very simple setup containing 3 C2960S switches:
switch 1: central switch, acting as router between VLAN 1 and VLAN 2
switch 2+3: edge switches, connected via 1 link to central switch, both on VLAN 2
Clients connect to switch 2 and 3 using dhcp, switch 1 uses dhcp relay to forward requests from VLAN 2 to the dhcp server on VLAN 1. So far so good.
Now I want switch 1 to add option 82 to the dhcp requests so the dhcp server can see whether the request came through switch 2 or switch 3.
I tried turning on dhcp option 82 support on switch 1 by doing:
ip dhcp relay information trust-all
ip dhcp snooping vlan 1-2
ip dhcp snooping
...
interface GigabitEthernet1/0/11
description DHCP server
ip dhcp snooping trust
...
interface GigabitEthernet1/0/23
switchport access vlan 2
switchport mode access
ip dhcp snooping trust
!
interface GigabitEthernet1/0/24
switchport access vlan 2
switchport mode access
ip dhcp snooping trust
!
interface Vlan2
ip address 10.203.0.1 255.255.0.0
ip helper-address 10.103.0.202
However 'dhcpdump' on the dhcp server shows option 82 is not available.
What am I doing wrong?
Nico
12-16-2012 05:37 PM
Hi Nico,
If your clients connect to switches 2 and 3, there is no reason to run DHCP Snooping on switch 1 because the DHCP messages have already been sanitized. If there is no particular reason to run DHCP Snooping on switch 1 then I strongly recommend deactivating it there. DHCP Snooping is a protection technique intended for access layer switches; however, once the DHCP messages have been checked by DHCP Snooping at the access layer, there is no point in re-checking them at distribution layer switches. This is one of the quite common mistakes I see often: turning on DHCP Snooping all across the switched network "just to be sure". This does more harm than good.
In addition, please check whether your switch 1 supports this global configuration command:
ip dhcp relay information policy keep
If yes then please add it to your configuration. This should make sure that if a DHCP message arrives from switch 2 or 3 and already has Option-82 present (which it should) then the DHCP Relay Agent running on switch 1 should keep it unchanged.
Best regards,
Peter
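To check on the server side whether Option 82 actually arrived (what the poster did with dhcpdump), here is an added Python example, not code from the thread, that parses a raw DHCP message, extracts Option 82 with its Circuit-ID and Remote-ID sub-options, and decodes the Circuit-ID assuming the Cisco default layout (VLAN, module, port). The sample packet and the Option 82 contents are constructed.

```python
import struct

DHCP_HEADER_LEN = 236            # fixed BOOTP header before the magic cookie
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_RELAY_AGENT = 82             # Option 82, Relay Agent Information (RFC 3046)

def parse_options(packet):
    """Return {option_code: raw value} from a DHCP message's options field."""
    if packet[DHCP_HEADER_LEN:DHCP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, DHCP_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:                # pad option has no length byte
            i += 1
            continue
        if code == 255:              # end option
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def decode_cisco_circuit_id(cid):
    """Cisco default Circuit-ID layout (assumption): type 0, len 4, VLAN(2), module(1), port(1)."""
    if len(cid) == 6 and cid[:2] == b"\x00\x04":
        vlan, module, port = struct.unpack("!HBB", cid[2:])
        return {"vlan": vlan, "module": module, "port": port}

def option82_report(packet):
    """None when Option 82 is absent (what dhcpdump showed the poster), else decoded fields."""
    opts = parse_options(packet)
    if OPT_RELAY_AGENT not in opts:
        return None
    value, subs, i = opts[OPT_RELAY_AGENT], {}, 0
    while i + 2 <= len(value):       # sub-options: 1 = Circuit-ID, 2 = Remote-ID
        sub, length = value[i], value[i + 1]
        subs[sub] = value[i + 2:i + 2 + length]
        i += 2 + length
    cid = subs.get(1, b"")
    return {"circuit_id": decode_cisco_circuit_id(cid) or cid.hex(),
            "remote_id": subs.get(2, b"").hex()}

def build_discover(option82=None):
    """Constructed minimal relayed DHCPDISCOVER (op, htype, hlen, hops=1, rest of header zeroed)."""
    opts = bytes([53, 1, 1])         # option 53: message type DISCOVER
    if option82:
        opts += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    return bytes([1, 1, 6, 1]) + b"\x00" * 232 + MAGIC_COOKIE + opts + b"\xff"
```

Running `option82_report` over a relayed request that arrived without Option 82 returns None, which is the condition the poster observed; with the option present it shows which VLAN and port the access switch stamped in.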
12-17-2012 07:04 AM
I solved it in the meantime by turning on dhcp snooping on the edge switches indeed. I was hoping I could get away by only turning it on on the central switch as I only needed to know from which edge switch the request was coming, not from which port on the edge switch. Also I would have preferred just having to configure 1 switch instead of all edge switches :-)
Nico