DHCP Snooping between Cisco and HP Switches

recep.sefer
Level 1

Hello,

I am trying to set up DHCP snooping in a network of Cisco and HP ProCurve switches.

All switches are connected via 802.1Q trunk interfaces.

Lots of VLANs are defined.

The default VLAN has been changed to 199.

Static-IP clients work, but DHCP clients cannot obtain an IP address.

Is there any special consideration for this case?

Example of Cisco Sw config:

! snooping enabled per VLAN, then globally
ip dhcp snooping vlan 1-99
ip dhcp snooping
!
! trunk towards the HP switch, trusted for DHCP replies
interface GigabitEthernet4/1
 switchport trunk native vlan 199
 switchport mode trunk
 ip dhcp snooping trust

Example of HP Sw config:

vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A4,B1-B24,E1-E4,F1-F24,G1-G4,H1-H24
   exit
vlan 2
   no ip address
   tagged A2
   exit
; snooping enabled globally, replies only accepted from the listed server
dhcp-snooping
dhcp-snooping authorized-server 10.0.71.74
dhcp-snooping vlan 1
; uplink trunk towards the Cisco switch, trusted for DHCP replies
interface A2
   dhcp-snooping trust
   exit

6 Replies

higrungies
Level 1

Hi, it may be too late to write in this post, but I have the same problem. Did you find a solution?

I have HP ProCurve 2530 switches trunked to a Cisco WS-C3750X core switch; my DHCP servers aren't in those networks (they are hosted outside). Without DHCP snooping it works, but with it activated no IP is obtained by DHCP.

I am wondering if I must configure Option 82 on the DHCP servers (Windows 2012 R2 Std).

Thanks for your reply.

Hi,

You should not need to configure anything specific regarding Option-82 on your Windows DHCP servers; in fact, the only thing that is expected from your DHCP servers is to ignore the value of this option when assigning an IP address to the client, and include the complete Option-82 exactly as received in their reply.

It has been a known issue, however, that Windows DHCP servers do not handle Option-82 properly; if my memory serves me well, they simply do not respond to packets with Option-82 at all. Disabling the insertion of the Option-82 helps in those cases.

However, let's not jump to conclusions. Can you describe your network in more detail? In particular,

  • You have Cat3750 and HP switches. Which of these switches are access layer switches, and which are distribution layer switches?
  • What exact switches are configured with DHCP Snooping?
  • What exact switches are configured as DHCP Relay Agents?
  • By any chance, do you have an option of running Wireshark on your DHCP servers to see whether the client DHCP packets arrive at the DHCP servers when you have DHCP Snooping activated?

Best regards,
Peter

Hi,

Thanks for the reply; these are the answers to the points you asked about:

  • You have Cat3750 and HP switches. Which of these switches are access layer switches, and which are distribution layer switches? I have 7 production access HP switches Cat3750-24 + 1 testing switch (8 in total); each one is connected (by 1 trunked interface) to 2 Cisco core switches with HSRP configured. Those Cisco core switches are connected to our hoster's WAN link.
  • What exact switches are configured with DHCP Snooping? I configured the testing switch.
  • What exact switches are configured as DHCP Relay Agents? The same testing switch.
  • By any chance, do you have an option of running Wireshark on your DHCP servers to see whether the client DHCP packets arrive at the DHCP servers when you have DHCP Snooping activated? Yes, I'll do it this afternoon.

Could you please tell me if I must configure DHCP snooping and the Relay Agent also on the Cisco core switches, or if that's not necessary.

The purpose of all this is to activate ARP Protect in the switches; I can't go on without fixing the first step (DHCP Snooping).

Thanks a lot for the reply.

An important point I have to clarify: the DHCP servers are hosted outside the LAN, DHCP packets are routed through the WAN, IP helper-addresses are configured on the VLANs, and without DHCP snooping it's working.

Thanks.

Hello,

Thank you for your response.

Can you perhaps post the complete configuration of your testing switch where you are testing the DHCP Snooping? I suspect that we should start from there, as everything either breaks or starts working based on the DHCP Snooping configured on that switch. Please also include exact information about the port where the client is connected, and the uplink ports that connect to the core switches.

Also, if there is a chance of performing the Wireshark capture on the DHCP server, that would also be very helpful.

Could you please tell me if i must configure dhcp-snooping and Relay-Agent also on the Cisco core switches or it's not necessary.

That is certainly not necessary. DHCP Snooping should only be used on access layer switches; it has no purpose on distribution or core switches if the DHCP packets have already been validated at the access layer. As for DHCP Relay Agent, it cannot be activated arbitrarily - it should be configured only on the default gateway of the VLAN where the DHCP clients live (the ip helper-address command).

Best regards,
Peter

I actually have the same setup and the same issue. The problem is with the authorized servers. I have added the DHCP servers to the authorized list. DHCP renews work fine because the request is first unicast to the known DHCP IP address. However, new leases aren't handled that way. They are broadcast requests, which are then picked up by the relay agent and forwarded to the DHCP servers. Herein lies the issue. The IP address that the switch receives in the return packet is the gateway address. Basically, from what I have seen so far, you will need to add all of your gateways (the VLAN interface IP on your router that is set up with IP helper) to the authorized IP address list. For me, this is way too inconvenient. I am researching to see if the relay agent can return the DHCP server IP address.

For now, I have removed all authorized servers from the list. This makes the HP switch only use the trusted port setting, allowing any DHCP ACKs from the trusted port no matter what the IP is. This is a bit flawed, as you may get a rogue DHCP server on a VLAN that is assigned to a switch that does not have DHCP snooping enabled. Once all your switches are set up with DHCP snooping, you should be fine.
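The two behaviours discussed in this thread, Peter's note that the DHCP server must return Option 82 exactly as it received it and the last reply's observation that a relayed lease reply reaches the access switch with the gateway's address rather than the server's, can be checked offline. The following Python script is an added example, not code from the thread or from Cisco or HP: it builds a relayed DHCP ACK, parses it, and models the HP trusted-port plus authorized-server source-IP check as the last reply describes it. The server address 10.0.71.74 comes from the original post; the gateway 10.0.2.1, the client MAC, the Option 82 contents and the relay's rewrite of the IP source address are constructed assumptions.

```python
"""Added example (not from the original thread): build a relayed DHCP ACK,
parse it, and model the Option 82 echo and HP authorized-server checks.
All addresses and identifiers below are constructed sample data."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPACK = 5

# Assumptions: the server address is the one from the original post, the
# gateway (VLAN SVI carrying ip helper-address) and MAC are invented.
DHCP_SERVER = "10.0.71.74"
GATEWAY = "10.0.2.1"
CLIENT_MAC = bytes.fromhex("0011223344aa")
# Option 82 as a snooping switch might insert it: sub-option 1 (circuit ID)
# and sub-option 2 (remote ID). Values are constructed.
SAMPLE_OPT82 = bytes([1, 4]) + b"\x00\x01\x00\x05" + bytes([2, 6]) + bytes.fromhex("00aabbccddee")


def build_dhcp_reply(msg_type, yiaddr, giaddr, server_id, option82=None):
    """Build a minimal BOOTP/DHCP reply (op=2) with options 53, 54 and optionally 82."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x12345678, 0, 0x8000)  # op..flags
    hdr += b"\x00" * 4                                  # ciaddr
    hdr += ipaddress.ip_address(yiaddr).packed          # yiaddr: address being assigned
    hdr += ipaddress.ip_address(server_id).packed       # siaddr
    hdr += ipaddress.ip_address(giaddr).packed          # giaddr: relay agent address
    hdr += CLIENT_MAC + b"\x00" * 10                    # chaddr (16 bytes)
    hdr += b"\x00" * 64 + b"\x00" * 128                 # sname, file
    opts = MAGIC_COOKIE + bytes([53, 1, msg_type])      # DHCP message type
    opts += bytes([54, 4]) + ipaddress.ip_address(server_id).packed  # server identifier
    if option82 is not None:
        opts += bytes([82, len(option82)]) + option82   # relay agent information
    return hdr + opts + b"\xff"


def parse_dhcp(pkt):
    """Parse the fixed BOOTP header and the TLV option list into a dict."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options = {}
    i = 240
    while i < len(pkt) and pkt[i] != 255:               # 255 = end option
        if pkt[i] == 0:                                 # 0 = pad, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": pkt[0],
        "yiaddr": str(ipaddress.ip_address(pkt[16:20])),
        "giaddr": str(ipaddress.ip_address(pkt[24:28])),
        "msg_type": options.get(53, b"\x00")[0],
        "server_id": str(ipaddress.ip_address(options[54])) if 54 in options else None,
        "options": options,
    }


def option82_echoed(request_opt82, reply):
    """Peter's requirement: the server returns Option 82 exactly as received."""
    return parse_dhcp(reply)["options"].get(82) == request_opt82


def hp_reply_allowed(src_ip, port_trusted, authorized_servers):
    """Model of the HP behaviour described in the last reply: a server reply is
    accepted only on a trusted port and, when an authorized-server list is
    configured, only if the packet's IP source address is on that list."""
    if not port_trusted:
        return False
    if authorized_servers and src_ip not in authorized_servers:
        return False
    return True


def relayed_ack_verdicts():
    """New lease: the ACK comes back via the relay, so the access switch sees the
    gateway as IP source, while option 54 still names the real server."""
    ack = build_dhcp_reply(DHCPACK, "10.0.2.50", GATEWAY, DHCP_SERVER, SAMPLE_OPT82)
    parsed = parse_dhcp(ack)
    src_ip = GATEWAY  # assumption: relay forwards the reply from its own interface
    return {
        "server_id": parsed["server_id"],
        "giaddr": parsed["giaddr"],
        "opt82_ok": option82_echoed(SAMPLE_OPT82, ack),
        "server_only_list": hp_reply_allowed(src_ip, True, {DHCP_SERVER}),
        "gateway_added": hp_reply_allowed(src_ip, True, {DHCP_SERVER, GATEWAY}),
        "no_list": hp_reply_allowed(src_ip, True, set()),
        "untrusted_port": hp_reply_allowed(src_ip, False, set()),
    }


if __name__ == "__main__":
    for name, value in relayed_ack_verdicts().items():
        print(f"{name:18} {value}")
```

Running it shows the relayed ACK being dropped when the authorized-server list holds only the server, and passing once the gateway is added or the list is cleared, which is the trade-off the last reply describes. The parsed packet also shows that option 54 (server identifier) still carries the real server address after relaying; matching on that field is shown here purely for illustration, the thread does not say the HP switch can do it.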
