[c-nsp] DHCP snooping across several switches
Victor Sudakov
sudakov at sibptus.tomsk.ru
Mon Sep 26 04:36:30 EDT 2005
Colleagues,
Does anybody use DHCP snooping?
Please consider the following setup (use a fixed width font):
                  CustomerB
                     |
Server -Fe0/1- SwitchA -Fe0/2- SwitchB - CustomerA
                     |
                  CustomerC
I enable DHCP snooping on SwitchA and mark port Fe0/1 as trusted.
Everything works fine for the customers.
However, as soon as I enable DHCP snooping on SwitchB also, SwitchA
refuses to forward DHCP requests from CustomerA to Server because:
SwitchA: DHCP_SNOOPING: drop message with non-zero giaddr or option
82 value on untrusted port, message type: DHCPREQUEST
On SwitchA, I tried to mark Fe0/2 also as trusted, but this causes a
broadcast storm of DHCPREQUESTs (it seems that SwitchA receives a
DHCPREQUEST from CustomerA via Fe0/2 and forwards it back to Fe0/2
because it is a trusted port).
Any ideas how I could protect the whole switched network from rogue
DHCP servers? There is only one authorized DHCP server (the Server behind
SwitchA).
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
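The drop reported above is the standard snooping ingress check: a switch that snoops inserts relay-agent information (option 82) into client DHCP messages, and the next snooping switch discards any message carrying a non-zero giaddr or option 82 when it arrives on an untrusted port. The following is an added illustration, not code from the post or from Cisco, that models that check over a constructed DHCPREQUEST so the two-hop behaviour (CustomerA -> SwitchB -> SwitchA Fe0/2) can be reproduced offline; the circuit-id and remote-id values are made up.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}
ZERO_IP = b"\0\0\0\0"

def build_dhcp(msg_type, chaddr=b"\xaa\xbb\xcc\xdd\xee\xff"):
    """Constructed BOOTP/DHCP message with only option 53 set (no giaddr, no option 82)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0x8000)  # op..flags (12 bytes)
    hdr += ZERO_IP * 4                                            # ciaddr yiaddr siaddr giaddr
    hdr += chaddr + b"\0" * 10 + b"\0" * 192                      # chaddr(16) sname(64) file(128)
    return hdr + MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])

def insert_option82(pkt, circuit_id, remote_id):
    """Model of the relay-agent-information insertion a snooping switch does on an untrusted port."""
    body = pkt[:-1] if pkt[-1] == OPT_END else pkt                # strip the END option
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    return body + bytes([OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END])

def parse_options(pkt):
    """Return (giaddr, {code: value}) from a DHCP message."""
    giaddr, opts, i = pkt[24:28], {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                                           # PAD option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return giaddr, opts

def snooping_verdict(pkt, port_trusted):
    """Ingress check a DHCP-snooping switch applies to client-side (untrusted) traffic."""
    giaddr, opts = parse_options(pkt)
    mtype = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")
    if not port_trusted and (giaddr != ZERO_IP or OPT_RELAY_AGENT in opts):
        return "drop", f"non-zero giaddr or option 82 on untrusted port, message type: {mtype}"
    return "forward", mtype

def two_hop_scenario(switch_a_fe02_trusted):
    """CustomerA -> SwitchB (inserts option 82) -> SwitchA Fe0/2; returns SwitchA's verdict."""
    from_client = build_dhcp(3)                                   # DHCPREQUEST from CustomerA
    assert snooping_verdict(from_client, port_trusted=False)[0] == "forward"  # SwitchB accepts it
    from_switch_b = insert_option82(from_client, b"\x00\x04\x00\x02", b"\x00\x11\x22\x33\x44\x55")
    return snooping_verdict(from_switch_b, switch_a_fe02_trusted)

if __name__ == "__main__":
    print(two_hop_scenario(False))   # SwitchA Fe0/2 untrusted: drop
    print(two_hop_scenario(True))    # SwitchA Fe0/2 trusted: forward
```

The model only reproduces the trust-state decision; it says nothing about the forwarding loop described for the trusted-port case.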