We are trying to deploy ISG functionality into our small network, but we faced a problem. Our aggregation switch, a Cisco Catalyst 3750G (C3750-ADVIPSERVICESK9-M), Version 12.2(44)SE4, drops all DHCP requests from the access switches (Allied Telesis 8000s) to our BRAS, a Cisco 7201 (C7200P-ADVENTERPRISEK9-M), Version 15.2(4)S. It sounds strange, because our network scheme is an L2 scheme: the C3750G is used as an L2 switch, with no routing or anything else at L3 besides the management IP, just simple transit of a dozen VLANs. The scheme:
Client (Home router - FastEthernet (DHCP)) <----> Access Switch (Allied Telesis 8000s, IP DHCP Snooping with Option 82 in VLAN40 both on access ports and in trunk towards Cisco 3750G) <---> Cisco 3750G (Trunk) <----> Cisco 7201 <-----> Billing with ISG (Option 82 capable)
For ISG connections we use VLAN 40, and all users are terminated through trunks on the Cisco 7201. If I replace the Cisco 3750 with an Allied Telesis AT-9924T as the aggregation switch, everything works smoothly and all clients receive IP addresses. I have already read a ton of docs concerning drops of DHCP requests with Option 82 in them, but haven't seen a definite answer on how to transit these sorts of packets through the trunks of the Cisco 3750G without drops and changes...
Here is the snapshot of Cisco Catalyst 3750G config:
___________________________________________
!
ip dhcp snooping vlan 40-49
no ip dhcp snooping verify mac-address
ip dhcp snooping
!
!
interface GigabitEthernet1/0/11
description --ISG Client connections to Cisco 7201--
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 40
ip dhcp snooping trust
!
interface GigabitEthernet1/0/12
description --Test connections from ISG AT8000s--
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 9,40
switchport mode trunk
ip dhcp snooping trust
!
!
vlan 40
name ISG-Services
!
__________________________________________________
As you see, nothing interesting: a trunk from the access switch (Gi1/0/12) and a trunk to the Cisco 7201 (Gi1/0/11). Why the Catalyst permits itself to inspect anything in VLAN 40, I wonder!
Anybody who has won the fight with such problems, please help!
PS.
Cat3750#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
40-49
DHCP snooping is operational on following VLANs:
40
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is disabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is disabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
GigabitEthernet1/0/11      yes        unlimited
GigabitEthernet1/0/12      yes        unlimited
_____________________________
With respect,
Sergey Sokolov
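Added example, not part of the original post and not Cisco's code: a small Python model of the validation rules that the `show ip dhcp snooping` output above lists (Option 82 on untrusted ports, giaddr verification, hwaddr verification, and server messages arriving on untrusted ports), applied to a constructed DHCPDISCOVER that carries Option 82 the way the Allied Telesis access switch would tag it. The rule set follows the behaviour the IOS DHCP snooping documentation describes, and the model assumes trusted ports are exempt from every check, which is the documented effect of `ip dhcp snooping trust`; the MAC addresses, circuit-id and remote-id values are made up. It is meant to show which of the listed checks can drop a relay-tagged packet, and which port state or option switches each one off.

```python
import struct

# Minimal BOOTP/DHCP codec plus a model of the Catalyst DHCP snooping
# validation rules (added example; a simplified model, not Cisco's code).
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END, OPT_PAD = 53, 82, 255, 0
CLIENT_MSGS = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}
SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}


def build_dhcp(msg_type, chaddr, giaddr="0.0.0.0", option82=None):
    """Construct a DHCP packet (constructed test input; the xid is arbitrary)."""
    op = 1 if msg_type in CLIENT_MSGS else 2                  # BOOTREQUEST / BOOTREPLY
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x12345678, 0, 0x8000)
    hdr += b"\x00" * 12                                        # ciaddr, yiaddr, siaddr
    hdr += bytes(int(x) for x in giaddr.split("."))            # giaddr (relay agent IP)
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * (64 + 128)    # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if option82:                                               # sub-options: 1 circuit-id, 2 remote-id
        body = b"".join(bytes([sub, len(v)]) + v for sub, v in option82.items())
        opts += bytes([OPT_RELAY_AGENT, len(body)]) + body
    return hdr + MAGIC + opts + bytes([OPT_END])


def parse_dhcp(pkt):
    """Return (op, chaddr, giaddr, msg_type, option82 sub-options)."""
    op, _htype, hlen, _hops, _xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    giaddr = ".".join(str(b) for b in pkt[24:28])
    chaddr = pkt[28:28 + hlen]
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet: bad magic cookie")
    msg_type, opt82, i = None, {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        i += 2 + length
        if code == OPT_MSG_TYPE:
            msg_type = value[0]
        elif code == OPT_RELAY_AGENT:
            j = 0
            while j < len(value):
                sub, slen = value[j], value[j + 1]
                opt82[sub] = value[j + 2:j + 2 + slen]
                j += 2 + slen
    return op, chaddr, giaddr, msg_type, opt82


def snooping_decision(pkt, src_mac, trusted, allow_untrusted=False,
                      verify_mac=True, verify_giaddr=True):
    """Model of the checks a snooping switch applies to one DHCP packet.

    Returns ("forward" | "drop", reason). Assumption: trusted ports skip every
    check; untrusted ports are subject to the documented IOS rules in order.
    """
    _op, chaddr, giaddr, msg_type, opt82 = parse_dhcp(pkt)
    if trusted:
        return "forward", "trusted port: no snooping checks applied"
    if msg_type in SERVER_MSGS:
        return "drop", "server message (%s) on untrusted port" % SERVER_MSGS[msg_type]
    if opt82 and not allow_untrusted:          # 'Option 82 on untrusted port is not allowed'
        return "drop", "option 82 present on untrusted port"
    if verify_giaddr and giaddr != "0.0.0.0":  # 'Verification of giaddr field is enabled'
        return "drop", "non-zero giaddr on untrusted port"
    if verify_mac and chaddr != src_mac:       # 'Verification of hwaddr field'
        return "drop", "chaddr does not match source MAC"
    return "forward", "untrusted port: checks passed"


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")        # constructed client MAC
    tagged = build_dhcp(1, mac, option82={1: b"vlan40:port3", 2: bytes.fromhex("00aabbccddee")})
    for trust, allow in ((False, False), (True, False), (False, True)):
        print("trusted=%s allow-untrusted=%s ->" % (trust, allow),
              snooping_decision(tagged, mac, trust, allow_untrusted=allow))
```

Running the block prints the three outcomes for the same tagged DISCOVER: dropped on an untrusted port, forwarded on a trusted port, and forwarded on an untrusted port once the `allow-untrusted` option is modelled. Note that the model only covers the validation stage; it says nothing about what a switch does with the packet afterwards, and it does not reproduce the posted configuration, where both ports are already trusted.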