[c-nsp] Relay info in snooped DHCP responses

Hani Mustafa hani.mustafa at noorgroup.net
Fri Oct 1 19:38:07 EDT 2004


I would sniff DHCP packets with/without DHCP snooping turned on, then analyse them with tcpdump/ethereal.

Any peculiar difference in the "offending" packet?

~Hani Mustafa

* Martin Hamilton <m at martinh.net> [2004-09-28 19:24:49 +0100]:

> I've been experimenting with DHCP snooping on my Catalyst 2950s,
> along the lines suggested here: http://www.thtech.net/article/10.
> Have run into an interesting situation and was wondering what
> other people had seen...
> 
> The option 82 info is supposed to have been removed before the
> DHCP response makes it back to the client.  But... I'm seeing a
> colleague's ISC dhclient (an old version shipped with Caldera
> OpenLinux) segfault when snooping is enabled.  dhclient complains
> that it's having problems parsing the option 82 field in the DHCP
> response, and crashes before ACKing.
> 
> I'm not too bothered about this particular dhclient's behaviour,
> as it's just one person and could easily be upgraded.  However, I
> suspect that there are going to be other DHCP clients in older
> OSes and embedded systems that get confused by the option field
> being present.  Also wondering whether it has been mangled in
> being transferred between edge switch, router (DHCP helper), and
> DHCP server - haven't investigated this yet.
> 
> Anyone else experienced a similar problem with DHCP snooping?
> 
> NB I realise that I can use SNMP traps to get MAC address
> notifications, and ACLs to block rogue DHCP servers.  Would like
> to figure out what's wrong with the snooping though :-)
> 
> FWIW I'm on 12.1(20)EA1 on the 2950s - subsequent release notes
> don't mention DHCP snooping related changes.  My config looks
> like this:
> 
>   ip dhcp snooping
>   ip dhcp snooping vlan 1 4094
>   ip dhcp snooping information option
>   int range fa0/1 - 24
>     desc user facing ports
>     switchport access vlan NNN
>     no ip dhcp snooping trust
>   int range gi0/1 - 2
>     desc uplink ports
>     ip dhcp snooping trust
> 
> I've tested with and without the information option line.  I'm
> using "ip dhcp relay information trusted" on the L3 interface
> which is routing the VLAN the user ports are bound to.
> 
> Cheers,
> 
> Martin
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
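Hani's suggestion above is to capture replies with and without snooping enabled and compare them. The following is an added example, not code from either poster: a small Python checker that takes raw DHCP payloads (the UDP body, as you would pull them out of a capture) and reports whether a server reply (BOOTREPLY) still carries the Relay Agent Information option (82), which the snooping switch is supposed to strip before the client sees it. It also refuses to read past a truncated option instead of crashing, the failure mode Martin's old dhclient hit. The packets and the MAC/VLAN values in them are constructed for the example, not captured from anyone's network.

```python
"""Flag DHCP server replies that still carry a Relay Agent Information option (82).

Assumption: input is a raw BOOTP/DHCP payload (UDP body) from a capture.
The sample packets built at the bottom are constructed test data.
"""
import struct

BOOTREPLY = 2
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SUBOPT_NAMES = {1: "circuit-id", 2: "remote-id"}


def parse_options(buf):
    """Parse the TLV option area (after the magic cookie) into {code: value}.

    Raises ValueError on a truncated option rather than reading past the end.
    """
    opts = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 2 > len(buf):
            raise ValueError("option %d has no length byte" % code)
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated: need %d bytes, have %d"
                             % (code, length, len(value)))
        opts[code] = value
        i += 2 + length
    raise ValueError("option area not terminated with END")


def parse_relay_agent_info(value):
    """Split option 82 into its sub-options (1 = circuit-id, 2 = remote-id)."""
    subs = {}
    i = 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("relay agent sub-option truncated")
        sub, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("relay agent sub-option %d truncated" % sub)
        subs[SUBOPT_NAMES.get(sub, sub)] = data
        i += 2 + length
    return subs


def parse_dhcp(payload):
    """Return (op, message type name, options) for a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op = payload[0]
    opts = parse_options(payload[240:])
    mtype = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "?")
    return op, mtype, opts


def leaked_relay_info(payload):
    """Return option 82 sub-options if a server reply still carries them, else None.

    A hit means the edge switch (or something upstream of it) did not strip
    the option before the reply reached the client side.
    """
    op, mtype, opts = parse_dhcp(payload)
    if op != BOOTREPLY or OPT_RELAY_AGENT not in opts:
        return None
    return parse_relay_agent_info(opts[OPT_RELAY_AGENT])


def build_reply(extra_opts=b""):
    """Construct a minimal DHCPACK (op=2) with extra TLVs appended; test data only."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      BOOTREPLY, 1, 6, 0, 0x1234, 0, 0,
                      b"\0" * 4, b"\xc0\xa8\x01\x64", b"\xc0\xa8\x01\x01",
                      b"\0" * 4, b"\x00\x11\x22\x33\x44\x55" + b"\0" * 10,
                      b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 5]) + extra_opts + bytes([OPT_END])


# Constructed samples: a clean ACK and one where option 82 survived.
RELAY_OPT = bytes([OPT_RELAY_AGENT, 14,
                   1, 4, 0, 1, 0, 3,                        # circuit-id: vlan 1, port 3
                   2, 6, 0, 0xaa, 0xbb, 0xcc, 0xdd, 0xee])  # remote-id: made-up switch id
CLEAN_ACK = build_reply()
LEAKY_ACK = build_reply(RELAY_OPT)

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN_ACK), ("leaky", LEAKY_ACK)):
        print(name, leaked_relay_info(pkt))
```

Feed it the UDP payloads of replies captured on a user-facing port: any non-None result means option 82 reached the client, and the circuit-id/remote-id contents tell you which relay inserted it, which narrows down whether the edge switch, the L3 helper or the server is leaving it in.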
