dhcp-snooping, switch doesn't insert option 82 information

Alexandr_P
Valued Contributor
Hello, colleagues!

I need to insert option 82 information in dhcp-packets.
I tried bootprelay - all works fine.

Trying dhcp-snooping - the switch doesn't insert option 82 information.

My config:
enable ip-security dhcp-snooping vlan v74_Users port 16 violation-action none
enable ip-security dhcp-snooping vlan v74_Users port 20 violation-action none
enable ip-security dhcp-snooping vlan v74_Users port 21 violation-action none
enable ip-security dhcp-snooping vlan v74_Users port 26 violation-action none
enable ip-security dhcp-snooping vlan v74_Users port 27 violation-action none
configure trusted-ports 26 trust-for dhcp-server
configure ip-security dhcp-snooping information option
configure ip-security dhcp-snooping information check
configure ip-security dhcp-snooping information circuit-id vlan-information v74 vlan v74_Users
configure ip-security dhcp-snooping information circuit-id vlan-information v75 vlan v75_Users2
configure ip-security dhcp-bindings storage write-interval 1440
configure ip-security dhcp-bindings storage filename bind.txt.xsf
enable ip-security dhcp-bindings restoration

The User Guide says:
When DHCP relay is configured in a DHCP snooping environment, the relay agent IP address should be configured as the trusted server.

“configure trusted-servers {vlan} add server trust-for dhcp-server”

Should I add the IP address of the DHCP server and/or configure the Extreme switch as a trusted server? But I have "configure trusted-ports 26 trust-for dhcp-server"

Any ideas?

Thank you!

21 REPLIES 21

Yes you are right.

Do note.

Note

When this feature is enabled, all DHCP traffic must be forwarded in slowpath only, which means that this feature functions only in the context of IP Security and only on interfaces where DHCP snooping is enabled in enforcement (violation-action of 'drop') mode. In other words, with DHCP snooping not configured with a violation-action of 'none' (which is pure monitoring mode).

Which means

enable ip-security dhcp-snooping vlan v74_Users port 16 violation-action drop
enable ip-security dhcp-snooping vlan v74_Users port 20 violation-action drop
enable ip-security dhcp-snooping vlan v74_Users port 21 violation-action drop
enable ip-security dhcp-snooping vlan v74_Users port 26 violation-action drop
enable ip-security dhcp-snooping vlan v74_Users port 27 violation-action drop
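
Added example (not part of the thread or of Extreme's documentation): one way to confirm, from a raw DHCP payload captured on the server side of the switch, whether option 82 was actually inserted after switching from violation-action none to drop. The function names are hypothetical, and the sample payload with its circuit-id and remote-id values is constructed, not the format EXOS emits.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that precedes the options
BOOTP_FIXED_LEN = 236                # fixed BOOTP header in front of the cookie

def _tlvs(data, top_level):
    """Yield (code, value) pairs from an option or sub-option byte string."""
    i = 0
    while i < len(data):
        code = data[i]
        if top_level and code == 255:        # End option
            return
        if top_level and code == 0:          # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        yield code, value
        i += 2 + length

def relay_agent_info(dhcp_payload):
    """Return option 82 sub-options (RFC 3046), or None if option 82 is absent."""
    if dhcp_payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    for code, value in _tlvs(dhcp_payload[BOOTP_FIXED_LEN + 4:], True):
        if code == 82:
            subs = dict(_tlvs(value, False))
            return {"circuit_id": subs.get(1), "remote_id": subs.get(2)}
    return None

def build_sample(with_option82):
    """Constructed DHCPDISCOVER (UDP payload only) used as demo input."""
    header = bytes([1, 1, 6, 0]) + bytes(BOOTP_FIXED_LEN - 4)
    opts = bytes([53, 1, 1])                     # message type = DISCOVER
    if with_option82:
        circuit = b"v74-16"                      # constructed circuit-id
        remote = bytes.fromhex("020406000001")   # constructed remote-id
        sub = bytes([1, len(circuit)]) + circuit + bytes([2, len(remote)]) + remote
        opts += bytes([82, len(sub)]) + sub
    return header + MAGIC_COOKIE + opts + b"\xff"

if __name__ == "__main__":
    print("without option 82:", relay_agent_info(build_sample(False)))
    print("with option 82:   ", relay_agent_info(build_sample(True)))
```
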

Mel78__CISSP__E
New Contributor III
Pardon me if I am wrong. You mean you want to insert DHCP option 82 inside the DHCP request from the endpoint devices themselves?

That is not possible. No switches can do that. The DHCP option 82 request always comes from the endpoint devices.

You can have a look at DHCP Relay info.

http://documentation.extremenetworks.com/exos/EXOS_All/Security/r_configuring-the-dhcp-relay-agent-o...
