[c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails

Daniel Dib daniel.dib at reaper.nu
Wed Jul 18 15:28:13 EDT 2007



-----Original message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Jay Hennigan
Sent: 18 July 2007 20:24
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails

I have a network with a 3550 switch behind a PIX.  The PIX is acting as 
the DHCP server on its inside interface.  We had an incident with a 
rogue DHCP server on the LAN.

Turning on DHCP snooping on the switch causes the PIX to stop handing 
out leases.  I'm new to DHCP snooping configs; this is probably 
something simple I've overlooked in the configuration, but I've RTFM'd 
to no avail.


Switch is Version 12.2(37)SE1, PIX is 7.2(2)

Switch config:

!
ip dhcp snooping vlan 1
ip dhcp snooping
!
!
interface FastEthernet0/48
  description PIX inside
  switchport mode access
  spanning-tree portfast
  ip dhcp snooping trust
!

sw1#sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is configured on the following Interfaces:

Insertion of option 82 is enabled
    circuit-id format: vlan-mod-port
     remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/48             yes         unlimited


PIX config:

dhcpd dns x.x.x.x y.y.y.y
dhcpd domain foo.com
!
dhcpd address 192.168.100.50-192.168.100.200 inside
dhcpd dns y.y.y.y z.z.z.z interface inside
dhcpd domain foo.com interface inside
dhcpd enable inside


PIX debug shows the following on receipt of a DHCP request:

DHCPD: inconsistent relay information.
DHCPD: relay information option exists, but giaddr is zero.
DHCPD: Unable to load workspace.
DHCPD: inconsistent relay information.
DHCPD: relay information option exists, but giaddr is zero.
DHCPD: Unable to load workspace.

Turning off snooping on the switch brings it back operational.


--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

You are inserting option 82 in the DHCP request.
Maybe the PIX doesn't understand this format and that's why it's not working
with snooping?

Try no ip dhcp snooping information option in global config mode.

/Daniel
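The PIX debug lines in the quoted post and the option 82 explanation in the reply describe one condition: a relay agent information option arriving in a request whose giaddr is still 0.0.0.0. The Python below is an added example, not code from the thread or from Cisco; it parses a raw DHCP/BOOTP packet, extracts option 82 with its circuit-id and remote-id sub-options, and flags that inconsistency so a practitioner can confirm it from a capture. The packet bytes, client MAC, switch MAC and option 82 contents are all constructed for the example.

```python
import struct
import ipaddress
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options in a BOOTP frame

def parse_dhcp(pkt: bytes):
    """Return (giaddr as dotted string, {option code: raw value bytes})."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    giaddr = str(ipaddress.IPv4Address(pkt[24:28]))   # relay agent address field
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:            # pad octet, carries no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return giaddr, options

def parse_option82(value: bytes) -> dict:
    """Split option 82 into its sub-options: 1 = circuit-id, 2 = remote-id."""
    subs, i = {}, 0
    while i + 1 < len(value):
        sub, length = value[i], value[i + 1]
        subs[sub] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs

def relay_info_consistent(pkt: bytes) -> bool:
    """False when option 82 is present but giaddr is 0.0.0.0, the case the PIX debug rejects."""
    giaddr, options = parse_dhcp(pkt)
    return 82 not in options or giaddr != "0.0.0.0"

def build_discover(client_mac: bytes, giaddr: str, option82: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER; a snooping switch appends option 82 on untrusted ports."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\0" * 12 + ipaddress.IPv4Address(giaddr).packed        # ciaddr, yiaddr, siaddr, giaddr
    hdr += client_mac + b"\0" * 10 + b"\0" * 192 + MAGIC_COOKIE      # chaddr (16), sname (64), file (128)
    opts = b"\x35\x01\x01"                                           # option 53: DHCPDISCOVER
    if option82:
        opts += bytes([82, len(option82)]) + option82
    return hdr + opts + b"\xff"

# Constructed option 82 in the formats the switch output lists: circuit-id vlan-mod-port, remote-id MAC.
OPTION82 = (bytes([1, 6, 0, 4]) + struct.pack("!HBB", 1, 0, 48)        # circuit-id: vlan 1, module 0, port 48
            + bytes([2, 8, 0, 6]) + bytes.fromhex("001122334455"))    # remote-id: switch MAC (made up)
```

Feeding a capture from the untrusted port through `relay_info_consistent` should return False while snooping inserts option 82 and True once the switch stops inserting it or a real relay fills in giaddr.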


