[c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails

Masood Ahmad Shah masood at nexlinx.net.pk
Wed Jul 18 15:35:55 EDT 2007


The caveat with DHCP snooping is that you must establish a trust
relationship with downstream DHCP snoopers on a trunk port:

    Switch(config-if)# ip dhcp relay information trusted



Regards,
Masood Ahmad Shah
Nexlinx
http://www.weblogs.com.pk/jahil/


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Hennigan
Sent: Wednesday, July 18, 2007 11:24 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails

I have a network with a 3550 switch behind a PIX.  The PIX is acting as the
DHCP server on its inside interface.  We had an incident with a rogue DHCP
server on the LAN.

Turning on DHCP snooping on the switch causes the PIX to stop handing out
leases.  I'm new to DHCP snooping configs; this is probably something simple
I've overlooked in the configuration.  I've RTFM to no avail.


Switch is Version 12.2(37)SE1, PIX is 7.2(2)

Switch config:

!
ip dhcp snooping vlan 1
ip dhcp snooping
!
!
interface FastEthernet0/48
  description PIX inside
  switchport mode access
  spanning-tree portfast
  ip dhcp snooping trust
!

sw1#sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is configured on the following Interfaces:

Insertion of option 82 is enabled
    circuit-id format: vlan-mod-port
     remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/48             yes         unlimited


PIX config:

dhcpd dns x.x.x.x y.y.y.y
dhcpd domain foo.com
!
dhcpd address 192.168.100.50-192.168.100.200 inside
dhcpd dns y.y.y.y z.z.z.z interface inside
dhcpd domain foo.com interface inside
dhcpd enable inside


PIX debug shows the following on receipt of a DHCP request:

DHCPD: inconsistent relay information.
DHCPD: relay information option exists, but giaddr is zero.
DHCPD: Unable to load workspace.
DHCPD: inconsistent relay information.
DHCPD: relay information option exists, but giaddr is zero.
DHCPD: Unable to load workspace.

Turning off snooping on the switch brings it back operational.


--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
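The PIX debug above rejects a request that carries a relay agent information option (option 82) while giaddr is still 0.0.0.0, which is exactly what a snooping switch produces when it inserts option 82 into a client's broadcast. The following Python is an added example, not code from the thread or from Cisco: it builds constructed DHCP messages, inserts option 82 in the circuit-id vlan-mod-port / remote-id MAC layout the `show ip dhcp snooping` output names, and applies the same consistency rule the PIX applies. The builder, parser and classifier names are this example's own.

```python
"""Mirror the consistency check behind the PIX debug lines in the thread:
option 82 present while giaddr is zero. Packets here are constructed test data."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255


def cisco_option82(vlan: int, module: int, port: int, mac: bytes) -> bytes:
    """Option 82 as a snooping switch inserts it: circuit-id in vlan-mod-port
    format (sub-option 1) and remote-id as the switch MAC (sub-option 2)."""
    circuit_id = bytes([1, 6, 0, 4]) + struct.pack("!HBB", vlan, module, port)
    remote_id = bytes([2, 8, 0, 6]) + mac
    body = circuit_id + remote_id
    return bytes([OPT_RELAY_AGENT, len(body)]) + body


def build_dhcp(giaddr: str, options: bytes) -> bytes:
    """Minimal BOOTREQUEST (constructed test data) with the given giaddr and options."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)   # op..flags
    hdr += bytes(12) + bytes(int(o) for o in giaddr.split("."))        # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("001122334455") + bytes(10)                   # chaddr (16 bytes)
    hdr += bytes(64) + bytes(128)                                      # sname, file
    return hdr + DHCP_MAGIC + options + bytes([OPT_END])


def parse_options(pkt: bytes) -> dict:
    """Return {code: value} for the TLV options following the magic cookie."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                      # pad option carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify_relay_info(pkt: bytes) -> str:
    """Same rule the PIX applies: option 82 is only consistent with a non-zero giaddr."""
    giaddr_is_zero = pkt[24:28] == bytes(4)
    has_option82 = OPT_RELAY_AGENT in parse_options(pkt)
    if has_option82 and giaddr_is_zero:
        return "inconsistent: option 82 present but giaddr is zero"
    if has_option82:
        return "relayed: option 82 with giaddr set"
    return "direct: no relay information"
```

Running `classify_relay_info` over a capture taken between the switch and the PIX inside interface shows whether the snooping switch is adding option 82 to client broadcasts, which is the condition the debug output reports.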
