DHCP relay on ASA and DHCP snooping on Catalyst problem

I ran into a problem that took me 2 hours to figure out and thought I'd share it :)
I'm running DHCP snooping on my network with Catalyst 2950/2960 switches and routed all VLANs through a 3550. My DHCP server is a Windows 2003.
For objective reasons I decided to route a VLAN through the firewall (ASA 5510). The problem occurred while trying to obtain an IP from the DHCP for a device in that VLAN. All I got debugging ASA was (123.456.789.123 is my DHCP server):

dhcpd_forward_request: request from abcd.acbd.dabc forwarded to 123.456.789.123.
DHCPD: setting giaddr to 192.168.0.1.

When debugging DHCP snooping on one of the switches my eye caught this:

31w1d: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
31w1d: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format

I disabled option 82 on the switch as I didn't need it anyway...

no ip dhcp snooping information option

...and bingo:

dhcpd_forward_request: request from abcd.acbd.dabc forwarded to 123.456.789.123.
dhcp_l3_punt_cb: pkt src 123.456.789.123/17152, dest 192.168.0.1/17152
DHCPD/RA: Punt 123.456.789.123/17152 --> 192.168.0.1/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 1
DHCPRA: relay binding found for client abcd.acbd.dabc.
DHCPRA: Adding rule to allow client to respond using offered address 192.168.0.53
DHCPRA: forwarding reply to client abcd.acbd.dabc.
DHCPRA: relay binding found for client abcd.acbd.dabc.

Maybe I'll edit the article later to include the explanation, but I can't do it now as I have a lot of work ahead of me today.
Cheers!
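
Added example (not part of the original post and not Cisco code): a small Python parser that pulls giaddr and option 82 out of a DHCP payload, decodes the two encodings named in the snooping debug above, and flags option 82 arriving with giaddr 0.0.0.0, the shape Cisco relay agents drop by default unless the ingress interface is trusted. The function names and the sample packet with its MAC addresses are constructed for illustration, and the sub-option byte layout is the usual Catalyst one, assumed here rather than taken from the post.

```python
import ipaddress
import struct

MAGIC = bytes.fromhex("63825363")  # DHCP magic cookie after the 236-byte BOOTP header

def tlv(data, dhcp=True):
    """Yield (code, value); dhcp=True honours PAD (0) and END (255)."""
    i = 0
    while i < len(data):
        code = data[i]
        if dhcp and code == 255:
            return
        if dhcp and code == 0:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"truncated TLV, code {code}")
        yield code, data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]

def decode_opt82(value):  # sub-option 1 = circuit ID, sub-option 2 = remote ID
    info = {}
    for sub, body in tlv(value, dhcp=False):
        if sub == 1 and len(body) == 6 and body[:2] == b"\x00\x04":  # assumed vlan-mod-port layout
            vlan, mod, port = struct.unpack("!HBB", body[2:])
            info["circuit_id"] = {"vlan": vlan, "module": mod, "port": port}
        elif sub == 2 and len(body) == 8 and body[:2] == b"\x00\x06":  # assumed MAC layout
            info["remote_id"] = ":".join(f"{b:02x}" for b in body[2:])
        else:
            info[f"sub{sub}"] = body.hex()  # unknown encoding: keep raw bytes
    return info

def inspect(bootp):  # bootp = UDP payload of one DHCP message
    if len(bootp) < 240 or bootp[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    giaddr = ipaddress.IPv4Address(bootp[24:28])
    opts = dict(tlv(bootp[240:]))
    opt82 = decode_opt82(opts[82]) if 82 in opts else None
    return {"giaddr": str(giaddr), "opt82": opt82,
            "opt82_with_zero_giaddr": opt82 is not None and int(giaddr) == 0}

def sample(with_opt82):  # constructed DHCPDISCOVER past the access switch, giaddr still 0
    # BOOTREQUEST/Ethernet, xid..giaddr zeroed, constructed client MAC, empty sname/file
    hdr = b"\x01\x01\x06\x00" + bytes(24) + bytes.fromhex("02005e000001").ljust(208, b"\0")
    opts = b"\x35\x01\x01"  # option 53 = DHCPDISCOVER
    if with_opt82:
        cid = b"\x01\x06\x00\x04" + struct.pack("!HBB", 20, 0, 7)  # VLAN 20, module 0, port 7
        rid = b"\x02\x08\x00\x06" + bytes.fromhex("02005e0000aa")  # constructed switch MAC
        opts += bytes([82, len(cid + rid)]) + cid + rid
    return hdr + MAGIC + opts + b"\xff"
```

Feeding `inspect()` the UDP payload of a request captured on the relay's client-facing interface shows whether the snooping switch added option 82 before the relay saw the packet.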

Comments

3 Responses to "DHCP relay on ASA and DHCP snooping on Catalyst problem"

Anonymous said... March 30, 2009 at 5:05 PM

Great post.
I managed to save several hours. This function is enabled by default and needs to be disabled when you relay DHCP requests towards a server located in another VLAN (for example with IP helper-address).

Anonymous said... April 28, 2009 at 4:02 PM

Hello,

I got the same problem and am trying to find out how to let ASA pass the DHCP messages with option 82.

Does someone know the command, or how to enable it on ASA devices? (..and not disabling the "ip dhcp information option" :)

Anonymous said... December 17, 2013 at 5:59 PM

ciscoasa(config-if)# dhcprelay information trusted :)
