Link to home
Start Free TrialLog in
Avatar of gan_nazer
gan_nazer

asked on

DHCP Snooping and ASA

Hello. We are implementing DHCP Snooping, and everything works fine except for the vlan thar are behind a Firewall. Disabling DHCP Snooping, all host on differents VLAN receive IP from DHCP Server, but with this feature enabled VLAN behind the firewall does not recieve IP from DHCP Server

Another question will be (according to the graph) wich ports must be set as "Trusted"? The por 1 in SW1 in wich the DHCP Server is connected for sure, but in SW2 for example, should be the Trunk Port1 trusted too?

SW: Catalyst 3750 (12.2(35)SE5)
FW: ASA 5520 8.0(4)

Thanks in advance and best regards

 User generated image
Avatar of Istvan Kalmar
Istvan Kalmar
Flag of Hungary image
Hi,

YOu need to enable all vlan DHCP snnoping, and you need to enable on all DHCP servers_
so:

PORT1
PORT3
Avatar of Istvan Kalmar
Istvan Kalmar
Flag of Hungary image
And you need to add heper address on the firewall VLAN2 interface to DHCP server!
Avatar of gan_nazer
gan_nazer

ASKER

Thanks ikalmar, I'll try "trusting" in Port3 that was the only that we didn't. What about SW2 Port1, should be trusted to for assign IPs to host in that switch?
Avatar of Istvan Kalmar
Istvan Kalmar
Flag of Hungary image
yep on SW1 you need to config to trusted port!
Avatar of gan_nazer
gan_nazer

ASKER

It doesn't work behind the firewall, even for vlan 1 when i change the SW1 port 1 (DHCP Server) as untrusted, the host does not recieve IP (I think that is ok), but VLAN 2 (behind firewall) still receiving IP, that does not make sense for me...
ASKER CERTIFIED SOLUTION
Avatar of Istvan Kalmar
Istvan Kalmar
Flag of Hungary image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of gan_nazer
gan_nazer

ASKER

We will focused just in SW1 for the moment, I configured DHCP Relay in FW intrface connected to VLAN2 with the IP of DHCP Server, it works without DHCP Snooping feature enabled
SOLUTION
Avatar of Istvan Kalmar
Istvan Kalmar
Flag of Hungary image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Qlemo
Qlemo
Flag of Germany image
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.