[c-nsp] Relay info in snooped DHCP responses

Martin Hamilton m at martinh.net
Tue Sep 28 14:24:49 EDT 2004


I've been experimenting with DHCP snooping on my Catalyst 2950s,
along the lines suggested here: http://www.thtech.net/article/10.
Have run into an interesting situation and was wondering what
other people had seen...

The option 82 info is supposed to have been removed before the
DHCP response makes it back to the client.  But... I'm seeing a
colleague's ISC dhclient (an old version shipped with Caldera
OpenLinux) segfault when snooping is enabled.  dhclient complains
that it's having problems parsing the option 82 field in the DHCP
response, and crashes before ACKing.

I'm not too bothered about this particular dhclient's behaviour,
as it's just one person and could easily be upgraded.  However, I
suspect that there are going to be other DHCP clients in older
OSes and embedded systems that get confused by the option field
being present.  Also wondering whether it has been mangled in
being transferred between edge switch, router (DHCP helper), and
DHCP server - haven't investigated this yet.

Anyone else experienced a similar problem with DHCP snooping?

NB I realise that I can use SNMP traps to get MAC address
notifications, and ACLs to block rogue DHCP servers.  Would like
to figure out what's wrong with the snooping though :-)

FWIW I'm on 12.1(20)EA1 on the 2950s - subsequent release notes
don't mention DHCP snooping related changes.  My config looks
like this:

  ip dhcp snooping
  ip dhcp snooping vlan 1 4094
  ip dhcp snooping information option
  int range fa0/1 - 24
    desc user facing ports
    switchport access vlan NNN
    no ip dhcp snooping trust
  int range gi0/1 - 2
    desc uplink ports
    ip dhcp snooping trust

I've tested with and without the information option line.  I'm
using "ip dhcp relay information trusted" on the L3 interface
which is routing the VLAN the user ports are bound to.

Cheers,

Martin
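Added example (not the original poster's code and not a Cisco tool): a small Python parser that shows what a DHCP client actually sees when option 82 (RFC 3046 relay agent information) survives in a server reply, decodes its circuit-id and remote-id sub-options, tolerates a sub-option whose length byte overruns the buffer instead of crashing the way a fragile client parser might, and performs the strip a relay agent is expected to do before a reply reaches the client. The packet contents, circuit-id, remote-id and addresses are constructed sample values.

```python
import struct
from typing import Dict, List, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_AGENT_INFO = 53, 54, 82
SUBOPT_NAMES = {1: "circuit-id", 2: "remote-id"}   # RFC 3046 sub-option codes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"         # 236-byte fixed BOOTP header
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_tlv(data: bytes, bootp_style: bool = True) -> Tuple[List[Tuple[int, bytes]], bool]:
    """Walk a type/length/value list.  With bootp_style, code 0 is a one-byte
    pad and code 255 ends the list (RFC 2132); option 82 sub-options (RFC 3046)
    use neither, so they are parsed with bootp_style=False.
    Returns (items, truncated): a length that overruns the buffer sets
    truncated rather than raising, which is the case a brittle client chokes on."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if bootp_style and code == OPT_PAD:
            i += 1
            continue
        if bootp_style and code == OPT_END:
            break
        if i + 1 >= len(data):          # code byte with no length byte
            return items, True
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:        # length claims more bytes than exist
            return items, True
        items.append((code, value))
        i += 2 + length
    return items, False


def build_packet(op: int, xid: int, options: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a minimal DHCP packet: fixed header, magic cookie, options, end."""
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def analyse(packet: bytes) -> Dict:
    """Summarise what the client sees: direction, DHCP message type, and any
    relay agent information (decoded sub-options) that reached the client."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, truncated = parse_tlv(packet[HEADER_LEN + 4:])
    result = {"op": packet[0], "msg_type": None, "relay_info": None, "truncated": truncated}
    for code, value in options:
        if code == OPT_MSG_TYPE and len(value) == 1:
            result["msg_type"] = value[0]
        elif code == OPT_RELAY_AGENT_INFO:
            subs, sub_trunc = parse_tlv(value, bootp_style=False)
            result["relay_info"] = {SUBOPT_NAMES.get(c, f"sub-{c}"): v for c, v in subs}
            result["truncated"] = result["truncated"] or sub_trunc
    return result


def relay_info_leaked(packet: bytes) -> bool:
    """True when a server-to-client reply still carries option 82, i.e. the
    relay or snooping switch did not strip it before the client saw it."""
    info = analyse(packet)
    return info["op"] == BOOTREPLY and info["relay_info"] is not None


def strip_relay_agent_info(packet: bytes) -> bytes:
    """Rebuild the packet without option 82: the clean-up a relay agent is
    expected to perform on replies before forwarding them to the client."""
    options, _ = parse_tlv(packet[HEADER_LEN + 4:])
    kept = [(c, v) for c, v in options if c != OPT_RELAY_AGENT_INFO]
    body = b"".join(bytes([c, len(v)]) + v for c, v in kept)
    return packet[:HEADER_LEN + 4] + body + bytes([OPT_END])


# Constructed sample: a DHCPACK (message type 5) that still carries option 82
# with circuit-id "fa0/7" and a made-up remote-id, as if the relay never
# removed it on the way back to the client.
RELAY_INFO = bytes([1, 5]) + b"fa0/7" + bytes([2, 6]) + bytes.fromhex("001122334455")
LEAKY_ACK = build_packet(BOOTREPLY, 0x12345678, [
    (OPT_MSG_TYPE, b"\x05"),
    (OPT_SERVER_ID, bytes([10, 0, 0, 1])),
    (OPT_RELAY_AGENT_INFO, RELAY_INFO),
])

# Constructed sample: same reply with a damaged option 82 whose sub-option
# length (9) claims more bytes than the 5 that follow it.
BROKEN_ACK = build_packet(BOOTREPLY, 0x12345678, [
    (OPT_MSG_TYPE, b"\x05"),
    (OPT_RELAY_AGENT_INFO, bytes([1, 9]) + b"fa0/7"),
])

if __name__ == "__main__":
    for name, pkt in (("leaky", LEAKY_ACK), ("broken", BROKEN_ACK)):
        print(name, analyse(pkt), "leaked:", relay_info_leaked(pkt))
    print("after strip:", analyse(strip_relay_agent_info(LEAKY_ACK)))
```

Pointing `analyse()` at replies captured on an untrusted port (for instance from a packet capture of the client side of the switch) gives a quick yes/no on whether option 82 is being stripped, and `truncated` flags the damaged-field case separately from the simply-present case, which is the distinction worth knowing before blaming the client.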