DHCP request from multiple switches for the same device

[rdehaan]

Dear all,

I have a problem that not only the switch containing the device forwards a DHCP request to DHCP server but all switches containing the same Vlan. Is there a way to restrict the IP helper only forwarding DHCP requests for the devices connected directly to the switch ?

Regards,

Roel de Haan.

[cedric1]

hello

Could your explain in more details your issue, I don't understand it.

In french if you want

Cedric

[rdehaan]

We have multiple switches in our network that share the same VLan's and all have an ip helper configured.
The problem is that all switches sharing the same VLAN forwarding the DHCP request from a PC and not only the switch who where the pc is connected.

DHCP log looks like:
received DHCP request from switch_1 for PC_01 .......
received DHCP request from switch_2 for PC_01 .......
received DHCP request from switch_3 for PC_01 .......

Although the switches do share the same VLAN, the IP range given by the DHCP server are different for each switch.
Is there a way to configure the switches so that only the switch where the PC connected to forwards the DHCP request?

Roel.

[benny]

Switch-> ip helper per-vlan only
Switch-> ip helper address ip_address vlan vlan_id

If all three switches receive the DHCP DISCOVER from the same L2 segment you can only play with Option-82 to identify which request is the good one (Modifying the forward delay could be another option).

-benny

[rdehaan]

Tomorow I will look to Option-82.
The ip helder is already configured as per vlan only.
I do not think that modifying the forward delay wil help here because the DHCP server is not in the same subnet/Vlan.


Roel.

[benny]

I believe that your network setup is not ok. You shouldn't do the relay at the access but at the distribution or core area.

-benny

[rdehaan]

Benny,

Your conclusion could be right. But then I have a bigger problem .
We have a 9700 coreswitch where 33 stacks of 6400/6850 are connected to. Some of the stacks are outside our building and can only communicate with untagged data frames to the coreswitch. For now this is not a problem because the communication between the coreswitch and the stacks are based on routing.

We like to change the local routing part to bring all Vlans to the core switch and let him handle all traffic and the rules applied to it. You will find most Vlans on multiple stacks.

This make me have two question’s

1: In case of removing the “ip helper” rules on the stacks and place them on coreswich, is there a way to know from which stack the DHCP request was coming from? So the DHCP server can provide an IP address from the right IP range? ( Example VLan = 10.100.0.0/16, first floor gets 10.100.1.XX and second floor gets 10.100.2.XX)

2 Can a 6400 stack tunnel tagged traffic over untagged traffic to the 6700 coreswitch?
Regards,
Roel.

[cedric1]

Hello

Option 82 is a solution to test.

So for routing you have mutliple IP interface on the same vlan on the switch-router ?

Any way I suggest to use a policy rule via ACL.

Drop all client udp request port 68 on link between 6400.

Look Documentation for config.

This will solve the issue.

But anyway, your desing is not perfect (history reason certainly) but better to have One vlan with on subnet.

Question 2 : peer link between switch ne to be same config 802.1Q to 802.1Q or untageed to untagged.

But you can inject source vlan 10 untagged to vlan 20 untagged (but bad desin )


Regards

Cedric

[cedric1]

hello

To block dhcp traffic on port interconnect between 6400 you can use

ip helper dhcp-snooping port slot1/port1[-port1a] {block | client-only | trust}

and put port in block mode

cedric

[rdehaan]

Thank you foor your help. Blocking DHCP traffic from leaving the switch seems the way for now.

I like to setup my LAN so that only the coreswitch will couple the Vlans and do al the acl rules and routing. I will use static and dynamic DHCP but the dynamic range is fixed to a floor/branch. Is this the right way to do ?

network.jpg