DHCP Discover packets leaking thru on access interface?

KoenD
Level 1

Some oddity I encountered today.

I installed and ran Wireshark on a Windows server that is connected to a WS-C2950G-48-EI port.
The port is in access mode with a VLANx other than VLAN1.

Scattered across the LAN are multiple CBS350's.
All our switches are in a separate management VLANy.

So as I was starting to troubleshoot some DHCP stuff using Wireshark, all of a sudden I noticed DHCP Discover messages coming in from those CBS350's. Upon which the server, running DHCP, sent offers. No further communication between the two.
So just two frames/packets per discover and that for each CBS350; repeated every 12 seconds.

Looking into the frames, the host name (option 12) revealed the sources, i.e. the CBS350's in our network.

Looking deeper, the origination MAC addresses are the ones from the CBS350's VLAN 1 interface.
VLAN 1 however is not used in our network, but was left configured default on the CBS350, hence apparently trying DHCP requests every 12 seconds.
I can easily stop those VLAN 1 interfaces from requesting IP via DHCP by setting the interface to no ip address dhcp.

BUT, how is it possible that VLAN 1 DHCP Discovers are captured on an access port in a totally different VLAN?

Anyone have a clue?

Regards
Koen
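
The pattern described in this post (Discover, Offer, nothing further, repeated at a fixed interval, with option 12 naming the sender) can be picked out of a capture automatically. The following is an added example, not code from the thread: the function names, MAC addresses, host names and sample packets are all constructed for illustration, and it assumes the UDP payloads have already been extracted from the capture.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie, follows the 236-byte BOOTP header
DISCOVER, REQUEST = 1, 3      # values of option 53 (DHCP message type)

def parse_dhcp(payload):
    """Return (client MAC, message type, option 12 host name), or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    mac = payload[28:28 + min(payload[2], 16)].hex(":")   # chaddr, hlen bytes long
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:     # 255 = end option
        if payload[i] == 0:                               # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts[53][0] if opts.get(53) else None
    return mac, mtype, opts.get(12, b"").decode("ascii", "replace")

def stalled_clients(frames, min_discovers=3):
    """Clients that keep sending Discover but never answer an Offer with a Request."""
    seen = defaultdict(lambda: {"host": "", "times": [], "requested": False})
    for ts, payload in frames:
        parsed = parse_dhcp(payload)
        if parsed is None:
            continue
        mac, mtype, host = parsed
        if mtype == DISCOVER:
            seen[mac]["times"].append(ts)
            seen[mac]["host"] = host
        elif mtype == REQUEST:
            seen[mac]["requested"] = True
    report = {}
    for mac, c in seen.items():
        if len(c["times"]) >= min_discovers and not c["requested"]:
            gaps = sorted(b - a for a, b in zip(c["times"], c["times"][1:]))
            report[mac] = (c["host"], gaps[len(gaps) // 2])   # host name, median interval
    return report

def build(mac, mtype, host=b""):
    """Constructed sample packet: minimal BOOTREQUEST carrying options 53 and 12."""
    hdr = struct.pack("!BBBB", 1, 1, 6, 0) + bytes(24) + bytes.fromhex(mac) + bytes(10 + 192)
    opts = bytes([53, 1, mtype]) + (bytes([12, len(host)]) + host if host else b"")
    return hdr + MAGIC + opts + b"\xff"

# Constructed capture: one device retrying every 12 s, one normal client completing DORA.
SAMPLE = [(t, build("02000000c350", DISCOVER, b"switch-a")) for t in (0, 12, 24, 36)]
SAMPLE += [(5, build("020000000a01", DISCOVER, b"pc-1")), (6, build("020000000a01", REQUEST, b"pc-1"))]
```

Comparing the reported MAC addresses against the inventory of the VLAN being captured shows which senders do not belong there.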


KoenD
Level 1

I think I have figured it out.

Somewhere in our network a VLAN 1 access port is physically hooked into an access port within the server's VLANx.

On to the hunt for those ports.

Hello
Enable DHCP snooping on all L2 access switches - only trusting the uplinks towards your DHCP server


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul