Mailing List Archive

DHCP Snooping on an ASR920 ?
I'm running into kind of a weird one -- wondering if anyone has ever seen
this before, or has a better idea of how to accomplish this?

I have an ASR920 that I want to use to aggregate customer traffic, mainly
for (bridged) DSL and fiber customers.

Normally (on the older Cisco stuff we're replacing) I'd enable DHCP relay
on the routed interface, and then enable DHCP snooping on the VLAN to make
sure no one can attempt to be the DHCP server for the network (it's
happened before).

DHCP relay is working fine, but I can't seem to get DHCP snooping to work
right. Normally in a layer-2 scenario I'd enable 'ip dhcp snooping trust'
on the upstream interface, but it doesn't seem to work on a layer-3
interface.

For example (simplified)

ip dhcp snooping bridge-domain 100
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
!
interface BDI100
 description Subscribers
 ip dhcp relay source-interface BDI100
 ip address xxxx
 ip helper-address yyyy
!
interface TenGigabitEthernet0/0/11
 description Feed
 ip address 10.10.0.10 255.255.255.252
 mpls ip

I can't add the DHCP trust command to the feed; it won't accept the
command. In this example, the subs on BDI100 cannot get IP addresses, and
no requests are sent to the DHCP relay server. If I disable snooping, DHCP
relay works fine. All the docs for the ASR920 show that the DHCP trust
command should be on the interface leading to the DHCP server, which is how
we've always done it, though that was on a layer-2 interface.
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
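The failure mode in the post (snooping enabled on a bridge-domain, relay on the BDI, and no member port that can be marked trusted) is easy to reintroduce during a migration, so it is worth catching from the config itself. The following is an added example, not code from the original post or from Cisco: a small Python lint that parses an IOS XE style running-config and reports every snooped bridge-domain (or VLAN, for the classic switch form) whose relay BDI/SVI has helper addresses while no member port of that domain carries `ip dhcp snooping trust`. The sample config is constructed; the access port, the addresses and the helper are placeholders, and the trust command is accepted whether it appears at interface or service-instance depth.

```python
"""Config lint for the DHCP snooping / relay mismatch discussed in the thread.

Added example, not from the original post or from Cisco.  It parses an
IOS XE style running-config and reports any snooped bridge-domain (or VLAN)
whose DHCP relay BDI/SVI has helper addresses while no member port of that
domain is trusted, which is the situation the poster describes.  The sample
config is constructed: addresses, helper and the access port are placeholders.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
ip dhcp snooping bridge-domain 100
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
!
interface BDI100
 description Subscribers
 ip dhcp relay source-interface BDI100
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 198.51.100.5
!
interface GigabitEthernet0/0/1
 description Subscriber access port (constructed)
 service instance 100 ethernet
  encapsulation dot1q 100
  rewrite ingress tag pop 1 symmetric
  bridge-domain 100
!
interface TenGigabitEthernet0/0/11
 description Feed
 ip address 10.10.0.10 255.255.255.252
 mpls ip
"""

SNOOP_DOMAIN = re.compile(r"ip dhcp snooping (?:bridge-domain|vlan) (\d+)")
INTERFACE = re.compile(r"interface (\S+)")
L3_DOMAIN = re.compile(r"(?:BDI|Vlan)(\d+)$")   # BDI100 / Vlan100 -> domain 100
MEMBER = re.compile(r"(?:bridge-domain|switchport access vlan) (\d+)")
HELPER = re.compile(r"ip helper-address (\S+)")


@dataclass
class Interface:
    name: str
    trusted: bool = False                 # 'ip dhcp snooping trust' anywhere under it
    domains: set = field(default_factory=set)
    helpers: list = field(default_factory=list)


def parse_config(text):
    """Return (snooping_enabled, set of snooped domains, {name: Interface})."""
    snooping_on, snooped, interfaces, cur = False, set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        cmd = line.strip()
        if not line.startswith(" "):      # top-level command ends any interface block
            cur = None
            if cmd == "ip dhcp snooping":
                snooping_on = True
            elif (m := SNOOP_DOMAIN.match(cmd)):
                snooped.add(int(m.group(1)))
            elif (m := INTERFACE.match(cmd)):
                cur = interfaces.setdefault(m.group(1), Interface(m.group(1)))
            continue
        if cur is None:
            continue
        # Sub-commands: accepted at interface or service-instance depth alike.
        if cmd == "ip dhcp snooping trust":
            cur.trusted = True
        elif (m := MEMBER.match(cmd)):
            cur.domains.add(int(m.group(1)))
        elif (m := HELPER.match(cmd)):
            cur.helpers.append(m.group(1))
    return snooping_on, snooped, interfaces


def relay_interface(interfaces, dom):
    """The BDI/SVI whose number matches the domain, if one is configured."""
    for iface in interfaces.values():
        m = L3_DOMAIN.match(iface.name)
        if m and int(m.group(1)) == dom:
            return iface
    return None


def lint(text):
    """List snooped domains where every member port is untrusted, so DHCP
    server messages (OFFER/ACK) entering the domain are dropped by snooping."""
    snooping_on, snooped, interfaces = parse_config(text)
    findings = []
    if not snooping_on:
        return findings
    for dom in sorted(snooped):
        if any(dom in i.domains and i.trusted for i in interfaces.values()):
            continue
        relay = relay_interface(interfaces, dom)
        if relay and relay.helpers:
            findings.append(f"domain {dom}: snooping on, {relay.name} relays to "
                            f"{', '.join(relay.helpers)}, but no member port is trusted; "
                            "server replies on untrusted ports are dropped")
        else:
            findings.append(f"domain {dom}: snooping on with no trusted member port")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against `show running-config` output saved to a file; a clean result means every snooped domain has at least one trusted member port, which is the precondition for relay and snooping to coexist on the same domain.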
Re: DHCP Snooping on an ASR920 ?
Hi.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-16-7/dhcp-xe-16-7-book/dhcp-accting-sec-xe.html

See "update arp" in the section "Securing ARP Table Entries to DHCP Leases"

Regards

-----Original Message-----
From: cisco-nsp <cisco-nsp-bounces@puck.nether.net> On Behalf Of Shawn L
Sent: Tuesday, May 5, 2020 16:43
To: Cisco Network Service Providers <cisco-nsp@puck.nether.net>
Subject: [c-nsp] DHCP Snooping on an ASR920 ?
