[c-nsp] ip dhcp relay (was: DHCP snooping with PIX 7.22 as dhcp server fails

Jeff Kell jeff-kell at utc.edu
Wed Jul 18 16:26:06 EDT 2007


Jay Hennigan wrote:
> Masood Ahmad Shah wrote:
>> The caveat with DHCP snooping is that you must establish a trust
>> relationship with downstream DHCP snoopers on a trunk port:
>>
>>     Switch(config-if)# ip dhcp relay information trusted
> 
> I saw that in the docs, but there is no trunking and no downstream 
> switch.  One PIX connected to one switch port f0/48 as an access port.

Man, talk about timing... that "ip dhcp relay" command sent shudders down my spine...

*Today* we were working on the implementation of "another" network admission control to replace our current CCA.  The current structure has been in place for several years relatively untouched; the new one is a gradual overlay rather than an abrupt forklift.

The first "vlan" we converted, we activated the SVI, configured the helper-address to point to the "new" appliance for DHCP, and fired away.  The client did not receive a DHCP response.

Hmmm, perhaps the appliance is buggy.  Let's point it at our newly configured, stock ISC DHCP linux server.  Same results, no DHCP, no joy.

Sniff the appliance interface - we see valid discover/offer pairs as expected.

Sniff the ISC DHCP server interface - we see valid discover/offer pairs as expected.

Sniff the client interface - we see discover, but no return offer.

A few hours later we discover "ip dhcp relay information option" in the configuration of the switch (3550 on 12.1(22)EA5a).  Nobody on the team remembers ever doing any IOS "dhcp" configurations at all.  However, removing the configuration item resolves the problem.  Adding it back returns the problem, so we definitely found the culprit, and we blame it on a former team member now relocated into industry :-)

I'm still scratching my head over why this configuration item alone (snooping was disabled, no other 'dhcp' in the running config, etc.) would shoot us in the foot.  The documentation leaves much to be desired.  Is there a good write-up on these features?  (The command reference doesn't count; we can see the parameters just fine, now tell us what they really do :-) ).

Jeff
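An added worked example, not part of Jeff's post and not Cisco's or ISC's code: the field that "ip dhcp relay information option" turns on is DHCP option 82, the Relay Agent Information option of RFC 3046, which the relay inserts into the DISCOVER it forwards (alongside setting giaddr to its own interface address) and which the server is required to echo back unchanged in the OFFER. When you sniff the three points described above, those are the fields to compare. The Python below parses a DHCP payload (BOOTP header per RFC 2131, option 82 sub-options 1 circuit-id and 2 remote-id) and checks a DISCOVER/OFFER pair the way you would on the server's interface. The packets are constructed for the example: the relay address 10.1.1.1, the lease 10.1.1.50, the xid and the sub-option values are made up, and the function names are my own.

```python
"""Decode the DHCP fields that matter when debugging an IOS relay: giaddr and option 82.
Added example; the sample packets below are constructed, not captured from a real network."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie, follows the 236-byte BOOTP header
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82          # RFC 3046 "DHCP Relay Agent Information Option"
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _tlvs(data: bytes, dhcp_options: bool):
    """Yield (code, value) pairs. DHCP options use pad (0) and end (255); option 82 sub-options do not."""
    i = 0
    while i < len(data):
        code = data[i]
        if dhcp_options and code == 0:
            i += 1
            continue
        if dhcp_options and code == 255:
            return
        if i + 1 >= len(data):
            raise ValueError("truncated option at offset %d" % i)
        length = data[i + 1]
        yield code, data[i + 2:i + 2 + length]
        i += 2 + length


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass
class DhcpSummary:
    msg_type: str
    xid: int
    yiaddr: str
    giaddr: str
    relay_info: Optional[Dict[int, bytes]]   # option 82 sub-options; None when the option is absent


def parse_dhcp(pkt: bytes) -> DhcpSummary:
    """Parse a DHCP payload (the UDP data, not the whole Ethernet frame)."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload (bad length or magic cookie)")
    xid = struct.unpack("!I", pkt[4:8])[0]
    yiaddr, giaddr = _ip_str(pkt[16:20]), _ip_str(pkt[24:28])
    opts = dict(_tlvs(pkt[240:], dhcp_options=True))
    mt = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    relay = None
    if OPT_RELAY_AGENT_INFO in opts:
        relay = dict(_tlvs(opts[OPT_RELAY_AGENT_INFO], dhcp_options=False))
    return DhcpSummary(MSG_TYPES.get(mt, "type-%d" % mt), xid, yiaddr, giaddr, relay)


def check_relay_exchange(discover: bytes, offer: bytes) -> List[str]:
    """Findings for a DISCOVER/OFFER pair seen on the DHCP server's interface.
    An empty list means the relay inserted option 82 and the server echoed it intact."""
    d, o = parse_dhcp(discover), parse_dhcp(offer)
    findings = []
    if (d.msg_type, o.msg_type) != ("DISCOVER", "OFFER"):
        findings.append("unexpected message types: %s/%s" % (d.msg_type, o.msg_type))
    if d.xid != o.xid:
        findings.append("xid mismatch: the OFFER is not the reply to this DISCOVER")
    if d.giaddr == "0.0.0.0":
        findings.append("DISCOVER has giaddr 0.0.0.0: it did not pass through a relay")
    elif o.giaddr != d.giaddr:
        findings.append("OFFER giaddr %s differs from DISCOVER giaddr %s" % (o.giaddr, d.giaddr))
    if d.relay_info is None:
        findings.append("no option 82 in DISCOVER: the relay is not inserting relay agent information")
    elif o.relay_info != d.relay_info:
        findings.append("OFFER does not echo the DISCOVER's option 82 unchanged (RFC 3046 requires it)")
    return findings


def build_dhcp(op: int, msg_type: int, xid: int, *, yiaddr: str = "0.0.0.0",
               giaddr: str = "0.0.0.0", relay_info: Optional[Dict[int, bytes]] = None) -> bytes:
    """Build a minimal DHCP payload for the constructed samples below."""
    hops = 1 if giaddr != "0.0.0.0" else 0
    hdr = struct.pack("!BBBBIHH", op, 1, 6, hops, xid, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    hdr += _ip_bytes("0.0.0.0") + _ip_bytes(yiaddr) + _ip_bytes("0.0.0.0") + _ip_bytes(giaddr)
    hdr += bytes.fromhex("001122334455").ljust(16, b"\0") + bytes(64) + bytes(128)  # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if relay_info:
        sub = b"".join(bytes([code, len(v)]) + v for code, v in relay_info.items())
        opts += bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
    return hdr + DHCP_MAGIC + opts + b"\xff"


# Constructed sample exchange: hypothetical relay SVI 10.1.1.1, lease 10.1.1.50, made-up sub-option values.
RELAY_INFO = {SUBOPT_CIRCUIT_ID: bytes.fromhex("00040064000a"),
              SUBOPT_REMOTE_ID: bytes.fromhex("0006001122aabbcc")}
XID = 0x1234ABCD
DISCOVER = build_dhcp(1, 1, XID, giaddr="10.1.1.1", relay_info=RELAY_INFO)
OFFER_ECHOED = build_dhcp(2, 2, XID, yiaddr="10.1.1.50", giaddr="10.1.1.1", relay_info=RELAY_INFO)
OFFER_STRIPPED = build_dhcp(2, 2, XID, yiaddr="10.1.1.50", giaddr="10.1.1.1")  # server dropped option 82

if __name__ == "__main__":
    for name, offer in (("echoed", OFFER_ECHOED), ("stripped", OFFER_STRIPPED)):
        print(name, parse_dhcp(offer), check_relay_exchange(DISCOVER, offer) or "OK")
```

To use it on a real capture, extract the UDP payload of the DISCOVER and OFFER frames (port 67/68) from the pcap and pass those bytes to check_relay_exchange; on the client side of the relay you should see the DISCOVER with giaddr 0.0.0.0 and no option 82, while on the server side both fields are set.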

