[c-nsp] DHCP snooping across several switches

Boyan Jordanov bjordanov at orbitel.bg
Wed Nov 23 04:14:00 EST 2005


Hi,
I am wondering whether you found any solution for this case, because I fall into exactly
the same situation.

On Monday 26 September 2005 11:36, Victor Sudakov wrote:
> Colleagues,
>
> Does anybody use DHCP snooping?
>
> Please consider the following setup (use a fixed width font):
>
>               CustomerB
>
> Server -Fe0/1- SwitchA -Fe0/2- SwitchB - CustomerA
>
>                CustomerC
>
> I enable DHCP snooping on SwitchA and mark port Fe0/1 as trusted.
> Everything works fine for the customers.
>
> However as soon as I enable DHCP snooping on SwitchB also, SwitchA
> refuses to forward DHCP requests from CustomerA to Server because:
>
> SwitchA: DHCP_SNOOPING: drop message with non-zero giaddr or option
> 82 value on untrusted port, message type: DHCPREQUEST
>
> On SwitchA, I tried to mark Fe0/2 also as trusted, but this causes a
> broadcast storm of DHCPREQUESTs (it seems that SwitchA receives a
> DHCPREQUEST from CustomerA via Fe0/2 and forwards it back to Fe0/2
> because it is a trusted port).
>
> Any ideas how I could protect the whole switched network from rogue
> DHCP servers? There is only one authorized DHCP server (the Server behind
> SwitchA).

-- 
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723 
tel. +359 2 4004 002
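As an added example (not from either poster, and not a solution the thread confirms), here is the Cisco IOS configuration a practitioner would start from for the topology Victor draws. It rests on two documented IOS DHCP snooping behaviours: a snooping switch inserts option 82 into client DHCP packets by default, and a snooping switch drops a packet arriving on an untrusted port that already carries option 82 or a non-zero giaddr, which is exactly the drop SwitchA logs once SwitchB starts snooping. The VLAN number, SwitchB's uplink interface name, the rate limit, and the availability of `allow-untrusted` on the IOS release in use are assumptions. Victor reports a broadcast storm after trusting Fe0/2; the commented alternative on SwitchA keeps that port untrusted and instead tells snooping to accept option 82 there.

```cisco
! ===== SwitchA: snooping on, server port and the link to SwitchB trusted =====
! VLAN 10 is an assumption; use the customer VLAN(s) actually in service
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface FastEthernet0/1
 description Uplink to the only authorized DHCP server
 ip dhcp snooping trust
!
interface FastEthernet0/2
 description Trunk to SwitchB
 ip dhcp snooping trust
!
! Alternative if Fe0/2 must stay untrusted: accept option 82 on untrusted ports
! instead of trusting the inter-switch link (global command, assumed supported
! by the IOS release in use):
! ip dhcp snooping information option allow-untrusted
!
! ===== SwitchB: snooping on, only the uplink toward SwitchA trusted =====
! Option 82 insertion is disabled so SwitchA's untrusted-port check cannot fire
! on packets relayed from CustomerA.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! Uplink interface name is an assumption
interface FastEthernet0/24
 description Trunk to SwitchA
 ip dhcp snooping trust
!
interface FastEthernet0/1
 description CustomerA (untrusted access port)
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 10
```

To check the result, `show ip dhcp snooping` on each switch should list only the server port and the inter-switch links as trusted, and `show ip dhcp snooping binding` on SwitchB should show CustomerA's lease after a renew; a rogue server on any untrusted port then has its DHCPOFFER/DHCPACK dropped at the first snooping switch.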

