[c-nsp] DHCP snooping across several switches

Victor Sudakov sudakov at sibptus.tomsk.ru
Mon Sep 26 04:36:30 EDT 2005


Colleagues, 

Does anybody use DHCP snooping?

Please consider the following setup (use a fixed-width font):

              CustomerB 
                  |
Server -Fe0/1- SwitchA -Fe0/2- SwitchB - CustomerA
                  |
               CustomerC 

I enable DHCP snooping on SwitchA and mark port Fe0/1 as trusted.
Everything works fine for the customers.

However, as soon as I enable DHCP snooping on SwitchB also, SwitchA
refuses to forward DHCP requests from CustomerA to Server because:

SwitchA: DHCP_SNOOPING: drop message with non-zero giaddr or option 
82 value on untrusted port, message type: DHCPREQUEST

On SwitchA, I tried to mark Fe0/2 also as trusted, but this causes a
broadcast storm of DHCPREQUESTs (it seems that SwitchA receives a
DHCPREQUEST from CustomerA via Fe0/2 and forwards it back to Fe0/2
because it is a trusted port).

Any ideas how I could protect the whole switched network from rogue
DHCP servers? There is only one authorized DHCP server (the Server behind
SwitchA).



-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
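The drop rule behind SwitchA's log line, as an added illustration that is not part of the original post or of any Cisco code: it builds a constructed DHCPREQUEST from CustomerA, once as the client sent it and once with a constructed option 82 (relay agent information) as a snooping switch like SwitchB inserts, and applies the trusted/untrusted check to each. The MAC, VLAN and circuit-id values are made up for the example.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
MSG_TYPES = {1: "DHCPDISCOVER", 3: "DHCPREQUEST"}

def build_dhcp(msg_type, client_mac, option82=None, giaddr=b"\0" * 4):
    """Constructed BOOTREQUEST: 236-byte fixed header, cookie, options."""
    header = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, b"\x12\x34\x56\x78", 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, giaddr,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if option82 is not None:  # what an upstream snooping switch appends
        opts += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])

def parse_dhcp(data):
    """Return (giaddr, message type name, raw option-82 value or None)."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    giaddr = data[24:28]                     # relay agent address field
    opts, i, msg_type, opt82 = data[240:], 0, None, None
    while i < len(opts) and opts[i] != OPT_END:
        if opts[i] == 0:                     # pad option, no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE:
            msg_type = MSG_TYPES.get(value[0], value[0])
        elif code == OPT_RELAY_AGENT:
            opt82 = value
        i += 2 + length
    return giaddr, msg_type, opt82

def snooping_verdict(data, port_trusted):
    """Snooping check for a client message arriving on a port: on an
    untrusted port, a non-zero giaddr or any option 82 means drop."""
    giaddr, msg_type, opt82 = parse_dhcp(data)
    if not port_trusted and (giaddr != b"\0" * 4 or opt82 is not None):
        return f"drop: non-zero giaddr or option 82 on untrusted port, {msg_type}"
    return f"forward: {msg_type}"

CUSTOMER_A_MAC = bytes.fromhex("0011223344aa")          # constructed
# constructed circuit-id suboption (1): type 0, len 4, VLAN 10, module 0, port 2
SWITCHB_OPT82 = bytes([1, 6, 0, 4, 0, 10, 0, 2])
PLAIN = build_dhcp(3, CUSTOMER_A_MAC)                    # as CustomerA sent it
RELAYED = build_dhcp(3, CUSTOMER_A_MAC, option82=SWITCHB_OPT82)  # after SwitchB

if __name__ == "__main__":
    print("Fe0/2 untrusted, plain  :", snooping_verdict(PLAIN, False))
    print("Fe0/2 untrusted, relayed:", snooping_verdict(RELAYED, False))
    print("Fe0/2 trusted,   relayed:", snooping_verdict(RELAYED, True))
```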

