DHCP Snooping Configured but NOT working

Hi All

I've configured DHCP snooping on the access layer switches as follows:

 

ip dhcp snooping vlan 1-50,52-59,61-4094
ip dhcp snooping database flash:dhcp\bindings.txt
ip dhcp snooping

 

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-50,52-59,61-4094
DHCP snooping is operational on following VLANs:
1,10-15,17-21,23,27,31-35,40-42,52-56,65,80,85,91,110,120,125,300
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: e840.4097.f880 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
GigabitEthernet0/1 yes yes unlimited
Custom circuit-ids:
GigabitEthernet0/2 yes yes unlimited
Custom circuit-ids:
Port-channel26 yes yes unlimited
Custom circuit-ids:

 

and the output looks correct:

 

MCG-P-04#sh ip dhcp sno binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
2C:F4:C5:F1:1A:51 172.16.32.55 509095 dhcp-snooping 52 FastEthernet0/32
00:1B:4F:26:17:DD 172.16.32.83 427702 dhcp-snooping 52 FastEthernet0/40
24:D9:21:3F:24:E5 172.16.32.37 581973 dhcp-snooping 52 FastEthernet0/26
E4:54:E8:8D:C2:C4 10.198.4.32 26570 dhcp-snooping 10 FastEthernet0/27
A4:78:86:B8:C2:EC 172.16.32.33 479787 dhcp-snooping 52 FastEthernet0/31
00:1B:4F:26:18:39 172.16.32.116 478550 dhcp-snooping 52 FastEthernet0/12
00:50:B6:71:98:8B 10.198.4.204 65898 dhcp-snooping 14 FastEthernet0/9
EC:F4:BB:25:A7:CA 10.198.4.25 19743 dhcp-snooping 10 FastEthernet0/29
48:F8:B3:3B:F3:B8 10.198.4.36 26464 dhcp-snooping 10 FastEthernet0/25
2C:F4:C5:F0:16:87 172.16.32.60 498501 dhcp-snooping 52 FastEthernet0/29
A4:78:86:B8:C1:17 172.16.32.71 495957 dhcp-snooping 52 FastEthernet0/19

However, the highlighted entry above is a wireless router that someone brought to work and is basically sharing internet with a group of people.

The interface is configured as follows:

 

interface FastEthernet0/25
switchport access vlan 10
switchport mode access
switchport voice vlan 52
switchport priority extend trust
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust cos
spanning-tree portfast
spanning-tree bpduguard enable
end

 

What did I do wrong? I need to close the security loophole ASAP!

 

Re: DHCP Snooping Configured but NOT working

Hi there,

DHCP snooping will only prevent the untrusted edge ports from sending DHCP offers. It won't stop other devices on the subnet using 10.198.4.36 as a gateway, which is what may be happening.

 

A short-term fix would be to configure an outbound ACL on Fa0/25 dropping all IP traffic which is not destined to 10.198.4.0/24 (I am assuming the subnet is a /24). This will prevent it from being used as a gateway.

The long term fix would be to remove the device entirely.

 

cheers,

Seb.
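As an added example that is not part of the thread (and not Cisco code), the following Python models the two decisions discussed above: what DHCP snooping, as described by the poster's "show ip dhcp snooping" output, actually filters on an untrusted port, and what the port ACL proposed in the reply would permit. Interface names and addresses are taken from the post; the sample packets, the ACL name BLOCK-ROGUE-GW and the 10.198.4.0/24 subnet (carried over from the reply's own assumption) are mine.

```python
"""Added example, not code from the thread: a small model of the two checks
discussed above.  dhcp_snooping_drops() mirrors what the switch's 'show ip dhcp
snooping' output says it enforces; acl_permits() evaluates the port ACL the
reply proposes.  Addresses and interface names come from the post; the
packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Trusted interfaces from 'show ip dhcp snooping' in the post.
TRUSTED = {"GigabitEthernet0/1", "GigabitEthernet0/2", "Port-channel26"}


@dataclass
class Packet:
    iface: str                 # ingress interface on the switch
    src: str                   # IPv4 source
    dst: str                   # IPv4 destination
    proto: str = "ip"          # "ip", "tcp" or "udp"
    sport: int = 0
    dport: int = 0
    src_mac: str = ""          # Ethernet source (DHCP frames only)
    chaddr: str = ""           # DHCP client hardware address (DHCP frames only)
    giaddr: str = "0.0.0.0"    # DHCP relay-agent address (DHCP frames only)
    option82: bool = False     # DHCP relay-agent information option present


def dhcp_snooping_drops(p: Packet) -> bool:
    """True if DHCP snooping, as configured in the post, would drop this frame."""
    is_dhcp = p.proto == "udp" and 67 in (p.sport, p.dport)
    if not is_dhcp or p.iface in TRUSTED:
        return False            # only DHCP on untrusted ports is inspected at all
    if p.sport == 67:
        return True             # server message (OFFER/ACK/NAK) from an untrusted port
    # Client messages on untrusted ports: hwaddr, giaddr and option-82 checks.
    if p.chaddr and p.chaddr.lower() != p.src_mac.lower():
        return True
    return p.giaddr != "0.0.0.0" or p.option82


@dataclass
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(action, src, src_wc, dst, dst_wc) -> Ace:
    """Build an entry from IOS 'address wildcard' notation (wildcard = inverted mask)."""
    def net(addr, wc):
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc)))
        return ipaddress.IPv4Network((addr, str(mask)), strict=False)
    return Ace(action, net(src, src_wc), net(dst, dst_wc))


# The reply's short-term fix: the rogue router may talk only to its own /24
# (assumption carried over from the reply: VLAN 10 is 10.198.4.0/24).
ROGUE_PORT_ACL = [
    ace("permit", "10.198.4.36", "0.0.0.0", "10.198.4.0", "0.0.0.255"),
    ace("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def acl_permits(acl, p: Packet) -> bool:
    """First-match evaluation with IOS's implicit deny at the end."""
    s, d = ipaddress.IPv4Address(p.src), ipaddress.IPv4Address(p.dst)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def port_acl_config(name="BLOCK-ROGUE-GW", port="FastEthernet0/25"):
    """IOS lines for the fix.  Catalyst Layer 2 port ACLs are inbound-only, so the
    list is applied 'in' on the edge port, i.e. on traffic the router sends into
    the switch.  (The ACL name is an assumption for this example.)"""
    return [
        f"ip access-list extended {name}",
        " permit ip host 10.198.4.36 10.198.4.0 0.0.0.255",
        " deny ip any any",
        "!",
        f"interface {port}",
        f" ip access-group {name} in",
    ]


# Constructed sample traffic on the rogue router's port (Fa0/25, VLAN 10).
NAT_TO_INTERNET = Packet("FastEthernet0/25", "10.198.4.36", "203.0.113.10", "tcp", 40123, 443)
NAT_TO_LOCAL = Packet("FastEthernet0/25", "10.198.4.36", "10.198.4.1", "tcp", 40124, 445)
ROGUE_OFFER = Packet("FastEthernet0/25", "10.198.4.36", "255.255.255.255", "udp", 67, 68)
LEGIT_OFFER = Packet("GigabitEthernet0/1", "10.198.4.1", "255.255.255.255", "udp", 67, 68)
DISCOVER = Packet("FastEthernet0/25", "0.0.0.0", "255.255.255.255", "udp", 68, 67,
                  src_mac="48:f8:b3:3b:f3:b8", chaddr="48:F8:B3:3B:F3:B8")

if __name__ == "__main__":
    for label, p in [("NAT'd web traffic", NAT_TO_INTERNET), ("rogue OFFER", ROGUE_OFFER),
                     ("legit OFFER", LEGIT_OFFER), ("client DISCOVER", DISCOVER)]:
        print(f"{label:18} snooping drops={dhcp_snooping_drops(p)}")
    for label, p in [("to internet", NAT_TO_INTERNET), ("to local /24", NAT_TO_LOCAL)]:
        print(f"{label:18} port ACL permits={acl_permits(ROGUE_PORT_ACL, p)}")
    print("\n".join(port_acl_config()))
```

The point the model makes concrete: the wireless router's NAT'd traffic is plain TCP/UDP sourced from a MAC/IP pair that exactly matches its own legitimate binding on Fa0/25, so none of the snooping checks (trust state, hwaddr, giaddr, option 82) ever look at it, and its own DHCP server faces the wireless side and never transmits on Fa0/25 at all. The port ACL works by cutting that host off from everything outside its subnet, which also removes the device's own off-subnet access; that is the intended effect on a rogue device, but it is why the reply calls it a short-term fix.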
