[c-nsp] DHCP Snooping on an ASR920 ?

Shawn L shawn at rmrf.us
Tue May 5 10:42:36 EDT 2020


I'm running into kind of a weird one -- wondering if anyone has ever seen
this before, or has a better idea of how to accomplish this?

I have an ASR920 that I want to use to aggregate customer traffic.  Mainly
for (bridged) dsl and fiber customers.

Normally (on the older cisco stuff we're replacing) I'd enable dhcp relay
on the routed interface, and then enable dhcp snooping on the vlan to make
sure no one can attempt to be the dhcp server for the network (it's
happened before).

DHCP relay is working fine, but I can't seem to get DHCP snooping to work
right.  Normally in a layer-2 scenario I'd enable 'ip dhcp snooping trust'
on the upstream interface, but it doesn't seem to work on a layer-3
interface.

For example (simplified)

ip dhcp snooping bridge-domain 100
ip dhcp snooping information option allow-untrusted
ip dhcp snooping

interface BDI100
 description Subscribers
 ip dhcp relay source-interface BDI100
 ip address xxxx
 ip helper-address yyyy

interface TenGigabitEthernet0/0/11
 description Feed
 ip address 10.10.0.10 255.255.255.252
 mpls ip

I can't add the dhcp trust command to the feed, it won't accept the
command. In this example, the subs on bdi100 cannot get ip addresses, and
no requests are sent to the DHCP relay server.  If I disable snooping, dhcp
relay works fine.  All the docs for the ASR920 show that the dhcp trust
command should be on the interface leading to the dhcp server, which is how
we've always done it.  Though that was on a layer 2 interface.
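As an added illustration (not code from the post or from Cisco), here is the per-message trust decision DHCP snooping makes, modelled in Python over constructed sample messages; the interface names and the option-82 "allow-untrusted" flag mirror the config above, and the ASR920 relay/BDI interaction the post asks about is not modelled.

```python
from dataclasses import dataclass, field

# DHCP message types (RFC 2132, option 53), split by who is allowed to send them.
CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass
class DhcpMsg:
    msg_type: str
    ingress: str          # interface the frame arrived on
    src_mac: str          # Ethernet source address
    chaddr: str           # client hardware address in the DHCP header
    has_option82: bool = False

@dataclass
class SnoopingPolicy:
    trusted: set = field(default_factory=set)   # interfaces facing the real server
    allow_untrusted_opt82: bool = False         # 'information option allow-untrusted'

def snoop_verdict(msg: DhcpMsg, policy: SnoopingPolicy) -> tuple:
    """Return (forward, reason) the way a snooping-enabled VLAN/BD treats a packet."""
    if msg.ingress in policy.trusted:
        return True, "trusted port, forwarded without inspection"
    if msg.msg_type in SERVER_MSGS:
        return False, "server message on untrusted port (rogue DHCP server)"
    if msg.has_option82 and not policy.allow_untrusted_opt82:
        return False, "option 82 present on untrusted port"
    if msg.src_mac.lower() != msg.chaddr.lower():
        return False, "source MAC does not match chaddr (spoofed client)"
    return True, "client message, forwarded"

# Constructed sample: subscriber ports untrusted, the feed interface trusted.
POLICY = SnoopingPolicy(trusted={"TenGigabitEthernet0/0/11"})
SAMPLES = [
    DhcpMsg("DISCOVER", "GigabitEthernet0/0/1", "00:11:22:33:44:55", "00:11:22:33:44:55"),
    DhcpMsg("OFFER", "GigabitEthernet0/0/2", "66:77:88:99:aa:bb", "00:11:22:33:44:55"),
    DhcpMsg("OFFER", "TenGigabitEthernet0/0/11", "66:77:88:99:aa:bb", "00:11:22:33:44:55"),
    DhcpMsg("REQUEST", "GigabitEthernet0/0/1", "00:11:22:33:44:55", "de:ad:be:ef:00:01"),
    DhcpMsg("REQUEST", "GigabitEthernet0/0/1", "00:11:22:33:44:55", "00:11:22:33:44:55", True),
]

def filter_samples(policy: SnoopingPolicy = POLICY) -> list:
    """Apply the policy to every sample; returns (type, ingress, forward, reason) rows."""
    return [(m.msg_type, m.ingress, *snoop_verdict(m, policy)) for m in SAMPLES]

if __name__ == "__main__":
    for row in filter_samples():
        print(row)
```

Flipping allow_untrusted_opt82 to True lets the last sample through, which is the effect of the allow-untrusted line in the config above.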