03-15-2014 08:11 PM - edited 03-10-2019 09:32 PM
Hi All,
I am practicing on a home lab to attain my CCNP Switch. My home lab is comprised of a couple of 3550 switches. I tried to configure DHCP snooping without any luck. I am running IOS ver. 12.2(25) SEA. I programmed the feature as stated in the official certification guide along with other Cisco configs.
1. Enable the feature globally: S1(config)# ip dhcp snooping
2. Define the vlan: S1(config)# ip dhcp vlan XX
3. Define trusted ports if any
I plug in a DHCP server and a client to two untrusted ports in the same vlan that is programmed above and they are able to connect and exchange packets without an interruption. I am expecting the DHCP port from the DHCP server to be err-disabled due to a violation...but it is not happening. Am I missing something, or do my switches not work? Any help is much appreciated.
Regards,
Eddie
03-16-2014 06:39 AM
Please post the relevant config of your switch to see if there is anything wrong. Also the output of the "sh ip dhcp snooping" command.
If possible I would also upgrade the switch to 12.2.44-SE6ED.
03-16-2014 11:17 AM
Thanks for replying Karsten. Unfortunately I cannot get my hands on IOS 12.2.44-SE6ED but I got C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(40)SE. It looks like all the commands are there. Below is my running-config. It's just a lab, so I am just trying to get this feature to work, so it is minimally configured.
Current configuration : 2850 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname S2
!
!
no aaa new-model
ip subnet-zero
!
ip dhcp snooping vlan 10
ip dhcp snooping database flash:DHCPSnoopDB
ip dhcp snooping
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport mode access
spanning-tree portfast
ip dhcp snooping trust
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
switchport port-security
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/11
switchport access vlan 10
switchport mode access
switchport port-security maximum 500
switchport port-security
spanning-tree portfast
!
interface FastEthernet0/12
switchport access vlan 10
switchport mode access
spanning-tree portfast
I just put ports 1-12 in VLAN 10, connected a "trusted" DHCP server to port 1 and connected a couple of laptops to a couple other ports in VLAN 10. I then connected a rogue dhcp server in one of the "untrusted" ports and the port did not shutdown/err-disable or increment dropped packets as per the "show ip dhcp snooping statistics detail".
Any thoughts?
03-16-2014 12:24 PM
The config looks fine. But if I remember right, then the violation default is *not* to shutdown or errdisable the port. By default the offending traffic should be dropped. Look in your log for "DHCP_SNOOPING" messages, which should have severity level 5 by default.
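To illustrate the point above (drops show up as severity-5 DHCP_SNOOPING syslog messages rather than as an err-disabled port), here is an added example, not code from the thread or from Cisco: a small Python parser that pulls those messages out of a log and counts dropped server-side DHCP messages (OFFER/ACK/NAK) per source MAC, which is the fingerprint of a rogue server on an untrusted port. The log lines are constructed; they follow the IOS DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT mnemonic, but their exact wording is an assumption, not output captured from the poster's switch.

```python
import re
from collections import Counter

# Constructed sample syslog lines (assumed format, not captured from a real 3550).
SAMPLE_LOG = """\
*Mar  1 00:12:41.123: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
*Mar  1 00:12:43.127: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0011.2233.4455
*Mar  1 00:12:50.001: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:13:02.445: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
"""

# Matches the facility/severity/mnemonic header plus the message type and source MAC.
LINE_RE = re.compile(
    r"%DHCP_SNOOPING-(?P<sev>\d)-(?P<mnemonic>\w+):.*?"
    r"message type: (?P<msgtype>DHCP\w+), MAC sa: "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
)

# Only a DHCP server (or a host impersonating one) sends these message types,
# so seeing them dropped on an untrusted port points at a rogue server.
SERVER_MSG_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def parse_snooping_events(log_text):
    """Return one dict per DHCP_SNOOPING syslog line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def rogue_server_summary(log_text):
    """Count dropped server-side DHCP messages per source MAC address."""
    counts = Counter()
    for ev in parse_snooping_events(log_text):
        if (ev["mnemonic"] == "DHCP_SNOOPING_UNTRUSTED_PORT"
                and ev["msgtype"] in SERVER_MSG_TYPES):
            counts[ev["mac"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # On a real switch, feed it the output of "show logging" instead.
    print(rogue_server_summary(SAMPLE_LOG))
```

A non-empty result with no matching err-disabled interface is exactly the expected behaviour described above: the rogue server's offers are being dropped, not the port.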
03-16-2014 02:17 PM
I did a debug on DHCP snooping packets and was not seeing any DHCP Offer messages from my "untrusted" port with the rogue DHCP server. I did a packet capture on the rogue port/DHCP server and when untrusted there was no activity on that port even if it is the only DHCP server in the segment. I then made the port "trusted" and I was able to see active DHCP messages. If I look at the "ip dhcp snooping stats" it does not show any dropped packets from "untrusted" ports.
03-16-2014 11:19 AM
I forgot the sh ip dhcp snooping output. Here it is. Thanks.
S2# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet0/1            yes        unlimited
S2#