Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1323
Views
0
Helpful
2
Replies

DHCP Snooping Question

Go to solution
Jim Blake
Level 1
Level 1

‎09-05-2017 12:19 PM - edited ‎03-10-2019 12:53 AM

I have a network with a collapsed core/distribution layer and an access layer. If I connect a PC with DHCP client enabled onto the collapsed core, it gets a lease, so I know my DHCP server, helper addresses, etc are all working OK.

 

If I connect a trunk between Core/distribution and access, and configure an access port correctly, as expected I get a lease, so that proves the acces switch and the trunk.

 

OK, now the weird part. If I set up DHCP snooping on the access switch ONLY, trust the port on the access switch that supports the trunk, then I still get a lease, but if I move the trunk to another port, correctly configured, but without DHCP trust, I STILL get a lease, when I expexted to get none...

 

Config details:

Core/Dist switch: no DHCP snooping config at all

access switch:

! Global Config

!
ip dhcp snooping vlan 10
ip dhcp snooping
!

! Per Port configuration

!
interface GigabitEthernet0/1

description ##correctly configured trunk port - should support DHCP##
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet0/2

 

description ##correctly configured access port - should support DHCP##


 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3

description ## incorrectly configured trunk port - should NOT support DHCP##
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!

What am I doing wrong? the setup seems to comply with all requirements, but DHCP snooping is not blocking DHCP info from the wrongly-configured trunk port

 

Thanks

 

Jim

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marce1000
VIP
VIP

‎09-06-2017 05:05 AM

 

 - Debugging acquired DHCP leases can be confusing ; devices tend to revert to previous settings if no reply is received from the DHCP server ; so check the dhcp server's logs too as to re-verify wether a new dhcp request was received or not.

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

View solution in original post

0 Helpful
2 Replies 2

Go to solution
marce1000
VIP
VIP

‎09-06-2017 05:05 AM

 

 - Debugging acquired DHCP leases can be confusing ; devices tend to revert to previous settings if no reply is received from the DHCP server ; so check the dhcp server's logs too as to re-verify wether a new dhcp request was received or not.

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Go to solution
Jim Blake
Level 1
Level 1
In response to marce1000

‎09-06-2017 12:12 PM

Hey Marce

 

Thanks for spotting my newbie error, you got it in one!

The PC was reusing its earlier leased address...a change of test sequence and the behaviour was as expected.

Just shows, there's no fool like and old fool!

 

Jim

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents