[c-nsp] DHCP Snooping on an ASR920 ?
Shawn L
shawn at rmrf.us
Tue May 5 10:42:36 EDT 2020
I'm running into kind of a weird one -- wondering if anyone has ever seen
this before, or has a better idea of how to accomplish this?
I have an ASR920 that I want to use to aggregate customer traffic. Mainly
for (bridged) dsl and fiber customers.
Normally (on the older cisco stuff we're replacing) I'd enable dhcp relay
on the routed interface, and then enable dhcp snooping on the vlan to make
sure no one can attempt to be the dhcp server for the network (it's
happened before).
DHCP relay is working fine, but I can't seem to get DHCP snooping to work
right. Normally in a layer-2 scenario I'd enable 'ip dhcp snooping trust'
on the upstream interface, but it doesn't seem to work on a layer-3
interface.
For example (simplified)
ip dhcp snooping bridge-domain 100
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
interface BDI100
description Subscribers
ip dhcp relay source-interface BDI100
ip address xxxx
ip helper-address yyyy
interface TenGigabitEthernet0/0/11
description Feed
ip address 10.10.0.10 255.255.255.252
mpls ip
I can't add the dhcp trust command to the feed, it won't accept the
command. In this example, the subs on bdi100 cannot get ip addresses, and
no requests are sent to the DHCP relay server. If I disable snooping, dhcp
relay works fine. All the docs for the ASR920 show that the dhcp trust
command should be on the interface leading to the dhcp server, which is how
we've always done it. Though that was on a layer 2 interface.
More information about the cisco-nsp
mailing list