Do I need to configure ip dhcp snooping relay information trust-all?

rookie R
Level 1

Hi all!

[Topology screenshot attached: Snipaste_2023-08-24_12-44-13.jpg]

From what I understand, if I enable DHCP snooping on VLAN 1 and VLAN 2 of SW10 and don't turn off the IP DHCP information option, which is configured by default on Cisco devices, then SW10 would insert the option 82 field into DHCP messages such as the DHCP request. But since SW10 is not a DHCP relay device, the GIADDR field in the option 82 message is all zero, like 0.0.0.0, so I must configure "ip dhcp relay information trust-all" on the DHCP relay devices, SW1 and SW2; otherwise they would discard all the DHCP messages due to the sanity check. After receiving the DHCP messages, the DHCP relay devices then forward them to the DHCP server that is not in the same network segment, so the GIADDR field would be the IP address of the DHCP relay device when the DHCP server receives it. My questions are:


1. Are the understandings I wrote before correct?

2. Will the DHCP messages pass the sanity check of the DHCP server and be further processed by the DHCP server? My theory is that the server will accept them; they won't be discarded due to the GIADDR field because it's not all zero when the DHCP server receives them.

3. Do I need to configure "ip dhcp snooping relay information trust-all" to let the server accept the DHCP messages?

Accepted Solution

Peter Paluch
Cisco Employee

Hello @rookie R ,

To your questions:

1. You understood it perfectly. Congratulations! It's not often that people have this deep and precise understanding. I am impressed!

2. In your scenario, yes, once the DHCP messages reach the DHCP server, it will accept them because along with the Option 82 present, they have a non-zero GIADDR field. It is not necessary to configure "ip dhcp relay information trust-all" on the DHCP server if you already configured it on your Relay Agents.

3. No, you do not need to configure the DHCP server with "ip dhcp relay information trust-all" anymore. After the DHCP messages from the clients pass the sanity check on the Relay Agent, the Relay Agent will keep the Option 82 (added by the DHCP Snooping-enabled switches) intact and will insert its own IP address into the GIADDR field, then forward this modified DHCP message to the specified DHCP server as a unicast. Once the DHCP server receives this message, its own sanity check stating "if Option 82 is present, GIADDR must be non-zero" will be automatically satisfied.

An additional comment: This sanity check on the non-zero GIADDR value in presence of Option 82 is specific to IOS/IOS XE DHCP servers and relay agents. Different operating systems and DHCP relay agent/server implementations may behave differently. I recall that years back, when I tested this with the ISC DHCP server (an open-source DHCP server for Linux), it didn't care about non-zero GIADDR in presence of Option 82. So take this as a specific behavior of IOS/IOS XE only.

Please feel welcome to ask further!

Best regards,
Peter
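To make the chain in the accepted answer concrete, here is an added Python model of the three hops (snooping switch, IOS-style relay agent, IOS-style DHCP server). It is example code written for this page, not code from the thread or from Cisco; the switch names, the relay address 10.1.1.1 and the circuit/remote IDs are constructed sample values, and the checks modelled are only the IOS/IOS XE behaviour the answer describes.

```python
# Model of the DHCP relay chain discussed in the thread: a DHCP snooping
# switch inserts Option 82 without being a relay (GIADDR stays 0.0.0.0),
# an IOS-style relay agent applies the "Option 82 present => GIADDR must be
# non-zero" sanity check unless "ip dhcp relay information trust-all" is set,
# then stamps its own address into GIADDR before unicasting to the server.
# Addresses and circuit/remote IDs below are constructed sample values.
from dataclasses import dataclass, field, replace

OPTION_82 = 82            # DHCP Relay Agent Information option code
ZERO_GIADDR = "0.0.0.0"

@dataclass
class DhcpMessage:
    giaddr: str = ZERO_GIADDR            # relay agent IP, zero when not relayed
    options: dict = field(default_factory=dict)

def snooping_switch(msg, circuit_id, remote_id):
    """A DHCP snooping switch (not a relay) adds Option 82 but leaves GIADDR untouched."""
    opts = dict(msg.options)
    opts[OPTION_82] = {"circuit_id": circuit_id, "remote_id": remote_id}
    return replace(msg, options=opts)

def ios_relay_agent(msg, relay_ip, trust_all=False):
    """IOS relay agent: drop Option 82 + zero GIADDR unless trust-all; otherwise relay."""
    if OPTION_82 in msg.options and msg.giaddr == ZERO_GIADDR and not trust_all:
        return None                       # fails the relay's sanity check: discarded
    # RFC 2131: a relay fills GIADDR only if it is still zero; Option 82 is kept intact
    giaddr = msg.giaddr if msg.giaddr != ZERO_GIADDR else relay_ip
    return replace(msg, giaddr=giaddr)

def ios_dhcp_server_accepts(msg):
    """IOS server sanity check: if Option 82 is present, GIADDR must be non-zero."""
    return not (OPTION_82 in msg.options and msg.giaddr == ZERO_GIADDR)

def simulate(trust_all):
    """Run a client DISCOVER through SW10 (snooping) -> SW1 (relay) -> DHCP server."""
    discover = DhcpMessage(options={53: "DHCPDISCOVER"})
    tagged = snooping_switch(discover, circuit_id="vlan1/Gi1/0/1", remote_id="SW10")
    relayed = ios_relay_agent(tagged, relay_ip="10.1.1.1", trust_all=trust_all)
    if relayed is None:
        return {"dropped_at": "relay", "accepted": False}
    return {"dropped_at": None,
            "accepted": ios_dhcp_server_accepts(relayed),
            "giaddr": relayed.giaddr,
            "option82_intact": relayed.options[OPTION_82] == tagged.options[OPTION_82]}

if __name__ == "__main__":
    print("without trust-all:", simulate(False))   # dropped at the relay
    print("with trust-all:   ", simulate(True))    # accepted, GIADDR = 10.1.1.1
```

Without trust-all the message never leaves the relay; with it, the server sees Option 82 together with the relay's own GIADDR and its check is satisfied, which is why nothing extra is needed on the server.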



Thanks so much for answering my question again. Seeing your reply makes my whole day extremely happy. Thanks to your guidance, I think I may finally know a little about option 82 and DHCP snooping. I read your post about option 82 several times, and it really helped me a lot. https://community.cisco.com/t5/switching/dhcp-snooping/m-p/1622878#M164843