SG300 DHCP Snooping and 802.1x no DHCP

Wayne Lentz
Level 1

Hello everyone,

I have a problem with DHCP Snooping and Dot1x, where the phone and computer successfully authenticate but can't get an IP address from DHCP server. Hopefully you can help me get these two features to play nice.

We have DHCP Snooping running on most switches across the board and it's working exactly the way we want. All clients get an IP address in their respective VLANs, and the switches block rogue DHCP servers correctly.

Now I'm trying to implement 802.1x RADIUS authentication to client-facing switchports. This also works exactly the way we want but only if I disable DHCP Snooping. It's as though the two features are not compatible. With either one enabled, desktop, phones, etc all get an IP address. With both enabled...no DHCP.

Would someone mind looking at my config and let me know what I'm missing here? Thank you!

Port GE5 is the one I'm using for testing. It's a trunk port with native VLAN 999, as a dead end. VLAN 1 gets dynamically assigned by RADIUS, and VLAN 70 gets dynamically assigned by OUI.

Port GE51 uplinks to the main switch. GE52 uplinks to more test switches.

v1.4.11.5 / R800_NIK_1_4_220_026
CLI v1.0
set system mode switch

no cdp run
spanning-tree priority 61440
vlan database
vlan 4,20,25,30,50,60,70,150,200,999
exit
voice vlan id 70
voice vlan state oui-enabled
voice vlan cos 5
voice vlan oui-table add 00085d Mitel6940
voice vlan oui-table add 001049 Shoretel_Mitel
voice vlan oui-table add 08000f Mitel6000
dot1x system-auth-control
dot1x traps authentication quiet
dot1x traps authentication failure 802.1x mac web
dot1x traps authentication success 802.1x mac web

interface gigabitethernet5
no eee enable
dot1x host-mode multi-sessions
dot1x reauthentication
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree portfast
spanning-tree bpduguard enable
switchport trunk native vlan 999
voice vlan enable
no macro auto persistent
!
interface gigabitethernet51
ip arp inspection trust
ip dhcp snooping trust
switchport trunk allowed vlan add 4,20,25,30,50,60,70,150,200
no macro auto smartport
!
interface gigabitethernet52
ip arp inspection trust
ip dhcp snooping trust
spanning-tree guard root
switchport trunk allowed vlan add 4,20,25,30,50,60,70,150,200
!
exit

macro auto disabled
no macro auto processing cdp
macro auto processing type ip_phone disabled
macro auto processing type switch disabled
macro auto processing type ap disabled
macro auto built-in parameters ip_phone_desktop $max_hosts 10 $native_vlan 1

ip dhcp snooping
ip dhcp snooping database
ip dhcp snooping database update-freq 3600
ip dhcp snooping vlan 1
ip dhcp snooping vlan 70

3 Replies

Jitendra Kumar
Spotlight

Please check the below article for configuring the DHCP Snooping.  

http://cdn.cnetcontent.com/fd/88/fd88fabe-c9dc-4a5c-a153-8c0554084e41.pdf

Thanks,
Jitendra

Wayne Lentz
Level 1

Further troubleshooting shows that this issue only affects trunk ports. Access ports are unaffected. Looks like this wouldn't even be an issue if these switches could add the voice VLAN to an access port.

Enabling/disabling Option 82, MAC verify, and interface trust have no effect on the problem.

To clarify our DHCP situation, this is handled by our edge firewall/router which has an interface and a scope on each vlan.  There is no DHCP relay going on.

Has anyone else out there gotten dot1x and dynamic Voice VLAN assignment (needing the port in trunk mode) working together with DHCP Snooping enabled?

The plot thickens like yesterday's gravy.  I disabled any sort of auto vlan assignment on the switchport and everything works perfectly.

  • #no voice vlan enable
  • #switchport trunk native vlan 1
  • #switchport trunk allowed vlan add 70
  • #no dot1x radius-attributes vlan

I now have it narrowed down to quite a specific set of circumstances.  Only under these conditions does the client fail to get a DHCP assigned IP address.

  • Switchport is in trunk mode
  • Switchport dot1x authentication is enabled
  • Switchport uses dynamically assigned vlans (Radius and/or OUI)
  • DHCP Snooping enabled
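The three knobs the poster toggled (interface trust, MAC-address verification, Option 82 handling) are the checks a DHCP snooping feature applies to DHCP traffic on untrusted ports. The following is an added illustration, not Cisco's implementation and not a diagnosis of the SG300 behaviour above: a simplified Python model of those checks plus the binding table that snooping builds from successful leases. Port names, MAC addresses, VLAN numbers and the packet sequence are constructed to mirror the thread's topology (GE5 untrusted client port, GE51/GE52 trusted uplinks, snooping on VLANs 1 and 70).

```python
"""Toy model of DHCP snooping on one switch (added example, not Cisco code).

Models the rules a practitioner expects from DHCP snooping:
  * snooping is a per-VLAN feature; other VLANs pass through untouched
  * trusted ports (uplinks to the real DHCP server) are never filtered
  * untrusted ports may not send server messages (OFFER/ACK/NAK)
  * optional: client hardware address (chaddr) must match the frame's source MAC
  * optional: Option 82 is dropped when it arrives on an untrusted port
  * a binding (client MAC, VLAN -> port) is recorded when a trusted ACK
    answers a request previously seen on an untrusted port
"""
from dataclasses import dataclass, field

# DHCP message types, RFC 2132 option 53 values
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}


@dataclass
class Dhcp:
    port: str            # ingress switchport (constructed names, e.g. "gi5")
    vlan: int            # VLAN the frame arrived on
    src_mac: str         # Ethernet source address
    chaddr: str          # client hardware address inside the DHCP payload
    msg_type: int
    has_option82: bool = False


@dataclass
class Snooping:
    snooped_vlans: set
    trusted_ports: set
    verify_mac: bool = True                 # "mac verify" knob
    allow_untrusted_option82: bool = False  # "option 82" knob
    pending: dict = field(default_factory=dict)   # (chaddr, vlan) -> client port
    bindings: dict = field(default_factory=dict)  # (chaddr, vlan) -> client port

    def check(self, pkt: Dhcp) -> str:
        """Return "forward" or a "drop: <reason>" verdict for one DHCP frame."""
        if pkt.vlan not in self.snooped_vlans:
            return "forward"  # snooping not enabled on this VLAN
        key = (pkt.chaddr.lower(), pkt.vlan)
        if pkt.port in self.trusted_ports:
            # Trusted side: never filtered; a trusted ACK completes a binding
            # for a client request we saw earlier on an untrusted port.
            if pkt.msg_type == ACK:
                client_port = self.pending.pop(key, None)
                if client_port is not None:
                    self.bindings[key] = client_port
            return "forward"
        # Untrusted side: this is where rogue DHCP servers get blocked.
        if pkt.msg_type in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if self.verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
            return "drop: chaddr does not match source MAC"
        if pkt.has_option82 and not self.allow_untrusted_option82:
            return "drop: option 82 on untrusted port"
        if pkt.msg_type in (DISCOVER, REQUEST):
            self.pending[key] = pkt.port  # remember which port asked
        return "forward"


def run(snoop: Snooping, pkts: list) -> list:
    return [snoop.check(p) for p in pkts]


def demo():
    """Constructed packet sequence on the thread's topology; returns
    (verdicts, bindings) so the outcome can be inspected or asserted."""
    s = Snooping(snooped_vlans={1, 70}, trusted_ports={"gi51", "gi52"})
    client = "00:08:5d:aa:bb:cc"   # constructed, Mitel OUI from the voice table
    server = "00:11:22:33:44:55"   # constructed address of the real DHCP server
    pkts = [
        Dhcp("gi5", 70, client, client, DISCOVER),                    # forward
        Dhcp("gi5", 70, client, client, OFFER),                       # rogue server: drop
        Dhcp("gi51", 70, server, client, OFFER),                      # trusted uplink: forward
        Dhcp("gi5", 70, client, client, REQUEST),                     # forward, pending
        Dhcp("gi5", 70, "de:ad:be:ef:00:01", client, REQUEST),        # spoofed chaddr: drop
        Dhcp("gi5", 70, client, client, REQUEST, has_option82=True),  # opt82 untrusted: drop
        Dhcp("gi51", 70, server, client, ACK),                        # forward, binds client
        Dhcp("gi5", 999, client, client, DISCOVER),                   # VLAN 999 not snooped
    ]
    return run(s, pkts), dict(s.bindings)


if __name__ == "__main__":
    verdicts, bindings = demo()
    for v in verdicts:
        print(v)
    print(bindings)
```

In this model a client on an untrusted port whose VLAN is in the snooped set still gets its DISCOVER/REQUEST forwarded, and disabling MAC verification or Option 82 filtering only loosens the rules further; that is consistent with the poster's report that toggling those knobs changed nothing, but it says nothing about what the SG300 does once 802.1x dynamically moves a trunk port's VLAN, which is the part the thread leaves unresolved.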