[c-nsp] DHCP Snooping on an ASR920 ?

fj.bernal at brnet.es fj.bernal at brnet.es
Tue May 5 12:28:47 EDT 2020


Hi.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-16-7/dhcp-xe-16-7-book/dhcp-accting-sec-xe.html

See "update arp" on section " Securing ARP Table Entries to DHCP Leases"

Regards

-----Original Message-----
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> On behalf of Shawn L
Sent: Tuesday, 5 May 2020 16:43
To: Cisco Network Service Providers <cisco-nsp at puck.nether.net>
Subject: [c-nsp] DHCP Snooping on an ASR920 ?

I'm running into kind of a weird one -- wondering if anyone has ever seen
this before, or has a better idea of how to accomplish this?

I have an ASR920 that I want to use to aggregate customer traffic.  Mainly
for (bridged) dsl and fiber customers.

Normally (on the older cisco stuff we're replacing) I'd enable dhcp relay on
the routed interface, and then enable dhcp snooping on the vlan to make sure
no one can attempt to be the dhcp server for the network (it's happened
before).

DHCP relay is working fine, but I can't seem to get DHCP snooping to work
right.  Normally in a layer-2 scenario I'd enable 'ip dhcp snooping trust'
on the upstream interface, but it doesn't seem to work on a layer-3
interface.

For example (simplified)

ip dhcp snooping bridge-domain 100
ip dhcp snooping information option allow-untrusted
ip dhcp snooping

interface BDI100
 description Subscribers
 ip dhcp relay source-interface BDI100
 ip address xxxx
 ip helper-address yyyy

interface TenGigabitEthernet0/0/11
 description Feed
 ip address 10.10.0.10 255.255.255.252
 mpls ip

I can't add the dhcp trust command to the feed, it won't accept the command.
In this example, the subs on bdi100 cannot get ip addresses, and no requests
are sent to the DHCP relay server.  If I disable snooping, dhcp relay works
fine.  All the docs for the ASR920 show that the dhcp trust command should
be on the interface leading to the dhcp server, which is how we've always
done it.  Though that was on a layer 2 interface.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
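The rogue-server concern Shawn raises ("no one can attempt to be the dhcp server") can also be checked from the wire while the snooping configuration on the BDI is being sorted out. The following is an added example, not code from the thread or from Cisco: a small Python parser for DHCP replies that flags any OFFER/ACK/NAK whose server identifier (option 54) is not the relay's configured server. It assumes the input is a list of UDP payloads already stripped of their Ethernet/IP/UDP headers (as a capture tool would hand them over); the allowed server 198.51.100.1, the packets and the client MACs are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"             # RFC 2132 marker that precedes the option field
BOOTREPLY = 2                                  # BOOTP op value for server-to-client messages
LEASE_REPLIES = (b"\x02", b"\x05", b"\x06")    # option 53 values: OFFER, ACK, NAK

def parse_dhcp(payload: bytes):
    """Parse the fixed BOOTP header and the DHCP option TLVs of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None                            # truncated, or not DHCP at all
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    pkt = {"op": op, "xid": xid, "chaddr": payload[28:28 + hlen].hex(":"), "options": {}}
    i = 240                                    # options start right after the magic cookie
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                    # 0 = Pad option, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        pkt["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return pkt

def rogue_servers(payloads, allowed):
    """Return (server-id, xid, client MAC) for each OFFER/ACK/NAK from a server not in allowed."""
    allowed = {IPv4Address(a) for a in allowed}
    hits = []
    for p in payloads:
        pkt = parse_dhcp(p)
        if pkt is None or pkt["op"] != BOOTREPLY:
            continue
        mtype, sid = pkt["options"].get(53, b""), pkt["options"].get(54, b"")
        if mtype[:1] in LEASE_REPLIES and len(sid) == 4 and IPv4Address(sid) not in allowed:
            hits.append((str(IPv4Address(sid)), pkt["xid"], pkt["chaddr"]))
    return hits

def build_reply(server_ip, xid, mtype, client_mac):
    """Constructed test packet: a minimal BOOTREPLY carrying only options 53 and 54."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)         # op..flags, 12 bytes
    hdr += bytes(4) + IPv4Address("192.0.2.50").packed + bytes(8)          # ciaddr yiaddr siaddr giaddr
    hdr += client_mac + bytes(10) + bytes(64) + bytes(128)                  # chaddr(16) sname(64) file(128)
    opts = bytes([53, 1, mtype, 54, 4]) + IPv4Address(server_ip).packed + b"\xff"
    return hdr + MAGIC_COOKIE + opts

ALLOWED = ["198.51.100.1"]                     # constructed: the only server the relay should forward to
SAMPLE = [                                     # constructed replies as a capture on the subscriber VLAN would show
    build_reply("198.51.100.1", 0x1234, 2, b"\x00\x11\x22\x33\x44\x55"),   # legitimate OFFER
    build_reply("192.0.2.99", 0x1234, 2, b"\x00\x11\x22\x33\x44\x55"),     # second OFFER for the same xid
    build_reply("198.51.100.1", 0x1235, 5, b"\x00\x11\x22\x33\x44\x66"),   # legitimate ACK
]
```

Run `rogue_servers(SAMPLE, ALLOWED)` to get the one unexpected reply; a second OFFER for the same transaction ID from an address outside the allow-list is exactly the symptom snooping is meant to block.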
