DHCP relay works across VLANs unless I enable DHCP snooping

donaldm314
Level 1

I have two VLANs, 10 and 40, with external ISC-DHCP servers in VLAN 10. I am successfully relaying DHCP across VLANs: a PC in VLAN 40 can request a DHCP lease, receive the offer, and accept the IP. My working configuration includes:

ip dhcp relay address 10.10.0.17
ip dhcp relay address 10.10.0.18
ip dhcp relay enable
! 
interface vlan 10
 name Engineering 
 ip address 10.10.0.6 255.255.255.0 
 ip dhcp relay enable 
!
interface vlan 40
 name Family 
 ip address 10.40.0.6 255.255.255.0 
 ip dhcp relay enable 
!

To enable IP DHCP snooping, I did the following:

interface GigabitEthernet24
 ip dhcp snooping trust 
!
interface GigabitEthernet25
 ip dhcp snooping trust 
!
ip dhcp snooping
ip dhcp snooping vlan 10 
ip dhcp snooping vlan 40 

The two DHCP servers are on gi24 and gi25. As soon as this configuration is applied, the same PC in VLAN 40 can no longer receive a DHCP lease. On the ISC-DHCP server I see:

2024-10-14T12:52:31.680159-06:00 pi00 dhcpd[171061]: DHCPDISCOVER from d4:5d:64:b5:bb:e7 via 10.40.0.6
2024-10-14T12:52:31.681405-06:00 pi00 dhcpd[171061]: DHCPOFFER on 10.40.0.13 to d4:5d:64:b5:bb:e7 via 10.40.0.6
2024-10-14T12:52:47.160553-06:00 pi00 dhcpd[171061]: DHCPDISCOVER from d4:5d:64:b5:bb:e7 via 10.40.0.6
2024-10-14T12:52:47.161200-06:00 pi00 dhcpd[171061]: DHCPOFFER on 10.40.0.13 to d4:5d:64:b5:bb:e7 via 10.40.0.6

To get the PC talking to my DHCP servers again, I issue:

no ip dhcp snooping

Then the PC almost immediately receives the DHCPOFFER and responds with DHCPREQUEST.

What configuration am I missing that would enable DHCP relay and DHCP snooping?
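
A triage aid for the symptom shown in the post above (an added example, not part of the original thread): it scans ISC dhcpd log lines and reports clients that are repeatedly sent DHCPOFFER without ever answering with DHCPREQUEST, which suggests the offers are not reaching the client. The function name, the threshold and the second client in the sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first four lines are the ones quoted in the post;
# the second client (MAC, addresses, interface) is made up for contrast.
SAMPLE_LOG = """\
2024-10-14T12:52:31.680159-06:00 pi00 dhcpd[171061]: DHCPDISCOVER from d4:5d:64:b5:bb:e7 via 10.40.0.6
2024-10-14T12:52:31.681405-06:00 pi00 dhcpd[171061]: DHCPOFFER on 10.40.0.13 to d4:5d:64:b5:bb:e7 via 10.40.0.6
2024-10-14T12:52:47.160553-06:00 pi00 dhcpd[171061]: DHCPDISCOVER from d4:5d:64:b5:bb:e7 via 10.40.0.6
2024-10-14T12:52:47.161200-06:00 pi00 dhcpd[171061]: DHCPOFFER on 10.40.0.13 to d4:5d:64:b5:bb:e7 via 10.40.0.6
2024-10-14T12:53:02.000000-06:00 pi00 dhcpd[171061]: DHCPDISCOVER from 02:00:00:00:00:01 via eth0
2024-10-14T12:53:02.001000-06:00 pi00 dhcpd[171061]: DHCPOFFER on 10.10.0.50 to 02:00:00:00:00:01 via eth0
2024-10-14T12:53:02.010000-06:00 pi00 dhcpd[171061]: DHCPREQUEST for 10.10.0.50 (10.10.0.17) from 02:00:00:00:00:01 via eth0
2024-10-14T12:53:02.011000-06:00 pi00 dhcpd[171061]: DHCPACK on 10.10.0.50 to 02:00:00:00:00:01 via eth0
"""

# Message type, client MAC and the relay address or interface after "via".
LINE_RE = re.compile(
    r"dhcpd\[\d+\]: (?P<msg>DHCP[A-Z]+) .*?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}).*? via (?P<via>\S+)",
    re.IGNORECASE)

def stalled_clients(log_text, min_offers=2):
    """Return {mac: (unanswered_offers, via)} for clients that have been sent
    min_offers or more DHCPOFFERs since their last DHCPREQUEST."""
    pending = defaultdict(int)
    via = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        if m["msg"] == "DHCPOFFER":
            pending[mac] += 1
            via[mac] = m["via"]
        elif m["msg"] == "DHCPREQUEST":
            pending[mac] = 0  # the client saw an offer and answered it
    return {mac: (n, via[mac]) for mac, n in pending.items() if n >= min_offers}

if __name__ == "__main__":
    for mac, (count, relay) in stalled_clients(SAMPLE_LOG).items():
        print(f"{mac}: {count} unanswered offers via {relay}")
```
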

3 Replies

@donaldm314 

Also set the interface where the PC is connected to trust.

donaldm314
Level 1

The PC is a DHCP client; I thought 'ip dhcp snooping trust' should only be applied to ports connected to a DHCP server.

Not sure where you are running this, but I was running a lab in GNS3 the other day and I had to add it on the client side for it to work. I believe it is worth a test.