[c-nsp] Relay info in snooped DHCP responses
hani.mustafa at noorgroup.net
Fri Oct 1 19:38:07 EDT 2004
I would sniff DHCP packets with/without DHCP snooping turned on, then analyse them with tcpdump/ethereal.
Any peculiar difference in the "offending" packet?
* Martin Hamilton <m at martinh.net> [2004-09-28 19:24:49 +0100]:
> I've been experimenting with DHCP snooping on my Catalyst 2950s,
> along the lines suggested here: http://www.thtech.net/article/10.
> Have run into an interesting situation and was wondering what
> other people had seen...
> The option 82 info is supposed to have been removed before the
> DHCP response makes it back to the client. But... I'm seeing a
> colleague's ISC dhclient (an old version shipped with Caldera
> OpenLinux) segfault when snooping is enabled. dhclient complains
> that its having problems parsing the option 82 field in the DHCP
> response, and crashes before ACKing.
> I'm not too bothered about this particular dhclient's behaviour,
> as it's just one person and could easily be upgraded. However, I
> suspect that there are going to be other DHCP clients in older
> OSes and embedded systems that get confused by the option field
> being present. Also wondering whether it has been mangled in
> being transferred between edge switch, router (DHCP helper), and
> DHCP server - haven't investigated this yet.
> Anyone else experienced a similar problem with DHCP snooping?
> NB I realise that I can use SNMP traps to get MAC address
> notifications, and ACLs to block rogue DHCP servers. Would like
> to figure out what's wrong with the snooping though :-)
> FWIW I'm on 12.1(20)EA1 on the 2950s - subsequent release notes
> don't mention DHCP snooping related changes. My config looks
> like this:
> ip dhcp snooping
> ip dhcp snooping vlan 1 4094
> ip dhcp snooping information option
> int range fa0/1 - 24
> desc user facing ports
> switchport access vlan NNN
> no ip dhcp snooping trust
> int range gi0/1 - 2
> desc uplink ports
> ip dhcp snooping trust
> I've tested with and without the information option line. I'm
> using "ip dhcp relay information trusted" on the L3 interface
> which is routing the VLAN the user ports are bound to.
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp