07-09-2013 03:05 AM - edited 03-04-2019 08:24 PM
Hi
I am looking at a way to stop rogue DHCP servers affecting a LAN on one of our customers' sites and believe DHCP Snooping is the way forward!
I have a test switch (2960) with the following spec:
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 50 WS-C2960-48TC-L 12.2(25)SEE3 C2960-LANBASE-M
I have enabled port 1 as a trusted (DHCP server) port and ports 2-24 as untrusted (client), and no matter where I put the DHCP server (Draytek Router) my client gets an IP address. Should the port that I connect the DHCP server to (i.e. port 22) not be shut down when it responds to a DHCP request from the client PC on port 7?
My config is below:
Switch#sh run
Building configuration...
Current configuration : 4520 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
no aaa new-model
ip subnet-zero
!
ip dhcp snooping vlan 1,10
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping trust
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/11
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/12
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/13
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/14
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/15
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/16
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/17
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/18
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/19
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/20
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/21
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/22
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
I have also attached the debug from when I attach the DHCP router to an untrusted port and the PC does an ipconfig /renew.
Any ideas greatly appreciated.
07-09-2013 08:45 AM
Per the documentation:
"
When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match, the switch drops the packet. "
The switch has the MAC address and DHCP Client hardware address from your DHCP server when you had it on a trusted port so it forwards the packet even when placed on untrusted ports after the fact. You need to clear the DHCP Snooping database and try again.
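As an added illustration of the untrusted-port checks this thread is about (example code, not Cisco IOS code or anything the posters ran), here is a toy Python model of DHCP snooping: server messages (OFFER/ACK/NAK) arriving on an untrusted port are dropped while the port stays up, the source-MAC versus client-hardware-address check from the quoted documentation is applied, and the per-port `ip dhcp snooping limit rate 5` from the posted config err-disables a port once exceeded. The packet model, MAC addresses and the scenario in `demo()` are constructed for the example.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # legitimate only from a trusted port

@dataclass
class Packet:
    port: str      # ingress interface, e.g. "Fa0/22"
    vlan: int
    src_mac: str   # Ethernet source address
    chaddr: str    # DHCP client hardware address field
    msg_type: str  # DISCOVER, OFFER, REQUEST, ACK, ...

@dataclass
class Switch:
    snooping_vlans: set
    trusted: set = field(default_factory=set)
    rate_limit: dict = field(default_factory=dict)  # port -> max pkts per interval
    bindings: dict = field(default_factory=dict)    # chaddr -> vlan, learned from trusted ACKs
    errdisabled: set = field(default_factory=set)
    _seen: dict = field(default_factory=dict)       # port -> pkts in current interval

    def process(self, pkt: Packet) -> str:
        if pkt.vlan not in self.snooping_vlans:
            return "forward"                        # VLAN not snooped
        if pkt.port in self.trusted:
            if pkt.msg_type == "ACK":               # learn binding from the real server
                self.bindings[pkt.chaddr.lower()] = pkt.vlan
            return "forward"
        if pkt.port in self.errdisabled:
            return "drop:errdisabled"
        n = self._seen[pkt.port] = self._seen.get(pkt.port, 0) + 1
        if n > self.rate_limit.get(pkt.port, float("inf")):
            self.errdisabled.add(pkt.port)          # only 'limit rate' shuts a port
            return "drop:rate-limit-errdisable"
        if pkt.msg_type in SERVER_MSGS:
            return "drop:server-msg-on-untrusted"   # rogue server: dropped, port stays up
        if pkt.src_mac.lower() != pkt.chaddr.lower():
            return "drop:mac-mismatch"              # check quoted from the documentation
        return "forward"

    def clear_bindings(self):                       # models 'clear ip dhcp snooping binding'
        self.bindings.clear()

def demo():
    """Constructed scenario: server trusted on Fa0/1, then rogue on Fa0/22, plus a burst."""
    sw = Switch(snooping_vlans={1, 10}, trusted={"Fa0/1"},
                rate_limit={f"Fa0/{i}": 5 for i in range(2, 23)})
    client, server = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    v = [sw.process(Packet("Fa0/7", 10, client, client, "DISCOVER")),
         sw.process(Packet("Fa0/1", 10, server, client, "ACK")),
         sw.process(Packet("Fa0/22", 10, server, client, "OFFER")),
         sw.process(Packet("Fa0/7", 10, "de:ad:be:ef:00:01", client, "REQUEST"))]
    v += [sw.process(Packet("Fa0/9", 10, client, client, "DISCOVER")) for _ in range(6)]
    return v, sorted(sw.errdisabled), dict(sw.bindings)
```

In this model the rogue OFFER on Fa0/22 is silently dropped rather than shutting the port; only the sixth DISCOVER in one interval on Fa0/9 trips the rate limit and err-disables that port.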
07-09-2013 02:25 PM
Thanks for the explanation, this clears things up. I will try this in my lab tomorrow and let you know the outcome.
07-12-2013 03:01 AM
After doing the command clear ip dhcp snooping binding this worked, thanks. Not sure about the database command, as this does not seem to do anything; even when I do a show ip dhcp snooping database it does not show anything.
I was expecting the port to shut down, or to see some kind of log when carrying out a show command, but nothing!
It just stopped it giving out DHCP; is this how it should function?
07-12-2013 05:52 AM
clear ip dhcp snooping binding will reset the database.
Yes, there is no log entry; it just stops giving out IP addresses via DHCP.
If your problem is solved, please rate this thread as such.
Regards,
05-14-2014 11:53 PM
I have the same problem, so I tried the fix in the guide above, but the problem is not fixed. I have created interface vlan 4009 on my remote switch and configured ip address dhcp on this VLAN. DHCP addressing works when I remove ip dhcp snooping vlan 4009; however, it does not work when I add this command.
Any help would be greatly appreciated,
Regards,