Alexander Fritzsche asked:
DHCP Snooping on 2960-L destroying PXE-boot

Hi, we have DHCP snooping enabled, and an ASA doing DHCP relay. Between the 2960-L and the ASA is another switch doing snooping.

Anyway, we have this 2960-L as an access switch trunked to the 4500. When not using DHCP snooping on the access switch, all is working fine:
DHCP-Discover, DHCP-Offer from the DHCP server and the PXE server, DHCP-Request from the client to the PXE server for more information regarding PXE, and the DHCP-ACK from the PXE server with all the needed information (boot file name).

However, when using ip dhcp snooping on the 2960-L, the important last DHCP-ACK packets from the PXE server are not showing up at the client interface anymore. So the client misses the PXE-boot information for TFTP, times out and does a DHCP-Release to restart the operation...

As I said, all is working fine by only disabling DHCP snooping on the access switch.
IOS already changed from 15.2-5 to 15.2-6.
Predrag Jovic:

Have you configured ALL ports in the direction of the DHCP server, on all switches that have DHCP snooping enabled, as DHCP snooping trusted ports?
interface gi1/0/1
 ip dhcp snooping trust
If you have a Layer 2 switch, you need to apply DHCP snooping to that specific VLAN and have a trusted port, as @Predrag stated above.

Here is a config example:

Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1,2

Switch(config)#interface range f0/1 - 10
Switch(config-if-range)#switchport access vlan 2
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#spanning-tree portfast
Switch(config-if-range)#ip dhcp snooping trust
Switch(config-if-range)#exit

Switch(config)#interface GigabitEthernet0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan all
Switch(config-if)#end
Not all ports should be trusted ports. Only ports in the direction of the DHCP server, but all such ports on all switches in the direction of the DHCP server. Marking all ports as trusted is the same as turning DHCP snooping off. Typically the trunk port points in the direction of the DHCP server (if the server is not connected to the same switch), so the trunk port should be marked as trusted, not the access ports (except for the access port to which the server is attached).
@Predrag
Not all ports should be trusted ports.
I know bro, I was making a comment based on your command syntax:

Interface gi1/0/1
 ip dhcp snooping trust

Besides, once you have applied DHCP snooping globally, the person will need to allow only one port to be the trusted one permitting the VLANs.
@Hemil
I was referring to the above configuration. All access ports are configured as trusted, but typically that's not the case (except in the case that all ports have DHCP servers attached). ;)
Oh my bad xD
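As an added example (not code from this thread or from Cisco), the following script audits a 2960-style running-config against the rule Predrag states in both of his comments above: trust the uplink trunk toward the DHCP server, leave access ports untrusted, and treat an all-trusted switch as DHCP snooping effectively switched off. The two embedded configs are constructed; the first is shaped like the example posted earlier (all access ports trusted, uplink untrusted), the second is the corrected form. Interface names, the `server_ports` parameter and the "unknown" mode for ports without a `switchport mode` line are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Interface:
    name: str
    mode: str = "unknown"        # "access", "trunk", or "unknown" (no switchport mode line)
    trusted: bool = False        # 'ip dhcp snooping trust' present
    vlan: Optional[int] = None   # 'switchport access vlan N'


def expand_vlans(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,2' or '10-12,20' into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> Tuple[bool, Set[int], List[Interface]]:
    """Parse only the running-config lines that matter for DHCP snooping."""
    snooping_global, snooping_vlans = False, set()
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # global-mode line
            current = None
            m = re.match(r"interface\s+(\S+)$", line)
            if m:
                current = Interface(name=m.group(1))
                interfaces.append(current)
            elif line == "ip dhcp snooping":
                snooping_global = True
            else:
                m = re.match(r"ip dhcp snooping vlan\s+(.+)$", line)
                if m:
                    snooping_vlans |= expand_vlans(m.group(1))
            continue
        if current is None:
            continue
        cmd = line.strip()                      # interface-mode line
        if cmd == "switchport mode trunk":
            current.mode = "trunk"
        elif cmd == "switchport mode access":
            current.mode = "access"
        elif cmd == "ip dhcp snooping trust":
            current.trusted = True
        else:
            m = re.match(r"switchport access vlan\s+(\d+)$", cmd)
            if m:
                current.vlan = int(m.group(1))
    return snooping_global, snooping_vlans, interfaces


def audit(text: str, server_ports: Tuple[str, ...] = ()) -> List[str]:
    """Return findings. server_ports (assumed known to the operator) names access
    ports that really have a DHCP server behind them, the one case where an
    access port should be trusted."""
    findings: List[str] = []
    enabled, vlans, ifaces = parse_config(text)
    if not enabled:
        findings.append("GLOBAL: 'ip dhcp snooping' missing; per-VLAN snooping has no effect")
    elif not vlans:
        findings.append("GLOBAL: no 'ip dhcp snooping vlan' list; no VLAN is inspected")
    known = [i for i in ifaces if i.mode != "unknown"]
    if known and all(i.trusted for i in known) and any(i.mode == "access" for i in known):
        findings.append("ALL switchports trusted: equivalent to DHCP snooping being off")
    for i in known:
        if i.mode == "trunk" and not i.trusted:
            findings.append(f"{i.name}: untrusted trunk; if the DHCP server is reached over "
                            "this uplink, its OFFER/ACK replies are dropped here")
        if i.mode == "access" and i.trusted and i.name not in server_ports:
            findings.append(f"{i.name}: trusted access port; a rogue DHCP server here is accepted")
        if i.mode == "access" and i.vlan is not None and enabled and vlans and i.vlan not in vlans:
            findings.append(f"{i.name}: VLAN {i.vlan} not in the snooping VLAN list; clients unprotected")
    return findings


# Constructed running-config shaped like the posted example: access port trusted, uplink not.
AS_POSTED = """\
ip dhcp snooping
ip dhcp snooping vlan 1,2
!
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan all
"""

# Constructed corrected form: trust only the uplink toward the DHCP server.
CORRECTED = """\
ip dhcp snooping
ip dhcp snooping vlan 1,2
!
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against `show running-config` output saved to a file and pass the access port a local DHCP server really sits on via `server_ports`; every other trusted access port and every untrusted uplink is reported, which is exactly the mis-trust pattern discussed in this thread.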
Alexander Fritzsche (asker):
Hi again,

It's just this switch. It seems like a very bad design from Cisco for this model.

The config is perfect and tested with trusted ports, option 82 on and off, gleaning...
It's just not working with this model.
I did Wireshark on these DHCP packets and it's just the ACK back from the PXE server that is dropped; it's just not there and I don't know why.
I mean, this is all RFC standard, no? Options and the TFTP boot file name in the DHCP ACK are nothing special.
Also there is no segmentation or dropping because of MTU size.
It seems like these L switches are just very poorly designed.
I will ask at Cisco personally and may post another comment here.

Thanks for your help.