cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5956
Views
0
Helpful
1
Replies

DHCP Offer on untrusted port log message - What port?

Warren Sullivan
Level 1
Level 1

Hi Guys,

 

We have enabled DHCP Snooping on around 30 2960X switch stacks and this morning i was presented with the following log....first one!

 

Mar 14 15:54:06.383 AEST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: ecf4.bb52.2334

My question is, how do i determine what port this message was generated on? The log message itself gives no hint as to the source......weird!

 

CLV-HO-LIB-LG-SW-01#sh ip dhcp snooping statistics detail 
 Packets Processed by DHCP Snooping                    = 1475876
 Packets Dropped Because 
   IDB not known                                       = 0
   Queue full                                          = 0
   Interface is in errdisabled                         = 0
   Rate limit exceeded                                 = 0
   Received on untrusted ports                         = 7
   Nonzero giaddr                                      = 0
   Source mac not equal to chaddr                      = 0
   No binding entry                                    = 0
   Insertion of opt82 fail                             = 0
   Unknown packet                                      = 0
   Interface Down                                      = 0
   Unknown output interface                            = 3779
   Misdirected Packets                                 = 27601
   Packets with Invalid Size                           = 0
   Packets with Invalid Option                         = 0
CLV-HO-LIB-LG-SW-01#
CLV-HO-LIB-LG-SW-01#sh ip dhcp snooping database detail 
Agent URL : flash:dhcp-snooping.db
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeded Time : 09:03:04 AEST Fri Mar 16 2018
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts       :     2785   Startup Failures :        0
Successful Transfers :     2785   Failed Transfers :        0
Successful Reads     :        1   Failed Reads     :        0
Successful Writes    :     2784   Failed Writes    :        0
Media Failures       :        0

First successful access: Read

Last ignored bindings counters :
Binding Collisions    :       67   Expired leases    :        0
Invalid interfaces    :        0   Unsupported vlans :        0
Parse failures        :        0
Last Ignored Time : 21:50:35 AEST Tue Jan 9 2018

Total ignored bindings counters:
Binding Collisions    :       67   Expired leases    :        0
Invalid interfaces    :        0   Unsupported vlans :        0
Parse failures        :        0

CLV-HO-LIB-LG-SW-01#
CLV-HO-LIB-LG-SW-01#sh ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
48:4D:7E:D6:75:E1   10.10.120.87     1304362     dhcp-snooping   120   GigabitEthernet1/0/24
00:04:F2:FE:C9:BD   10.11.120.27     1281307     dhcp-snooping   620   GigabitEthernet2/0/1
84:7B:EB:E9:02:CD   10.10.120.26     697596      dhcp-snooping   120   GigabitEthernet1/0/22
00:04:F2:AA:AC:17   10.11.120.16     1355849     dhcp-snooping   620   GigabitEthernet2/0/28
84:7B:EB:55:E6:4E   10.10.120.71     1214026     dhcp-snooping   120   GigabitEthernet1/0/27
AC:A3:1E:C0:DE:A6   192.168.56.97    80776       dhcp-snooping   56    GigabitEthernet2/0/44
34:E6:D7:67:0C:F8   10.10.120.77     1130098     dhcp-snooping   120   GigabitEthernet2/0/22
00:04:F2:FE:14:BF   10.11.120.44     888258      dhcp-snooping   620   GigabitEthernet2/0/33
00:04:F2:AA:B1:ED   10.11.120.10     1188379     dhcp-snooping   620   GigabitEthernet3/0/34
00:04:F2:AB:7C:21   10.11.120.39     1060103     dhcp-snooping   620   GigabitEthernet3/0/15
14:B3:1F:2C:FD:86   10.10.120.81     1323304     dhcp-snooping   120   GigabitEthernet2/0/28
64:00:6A:50:19:42   10.10.120.86     19507       dhcp-snooping   120   GigabitEthernet3/0/17
48:4D:7E:D8:92:1C   10.10.120.18     1037599     dhcp-snooping   120   GigabitEthernet3/0/19
64:00:6A:86:7E:44   10.10.120.61     888259      dhcp-snooping   120   GigabitEthernet3/0/16
00:04:F2:AA:AD:17   10.11.120.72     1217698     dhcp-snooping   620   GigabitEthernet1/0/22
00:04:F2:74:25:C3   10.11.120.56     911630      dhcp-snooping   620   GigabitEthernet2/0/31
34:E6:D7:08:56:8E   10.10.120.34     695864      dhcp-snooping   120   GigabitEthernet3/0/34
A4:4C:C8:7A:54:05   10.10.120.43     1210706     dhcp-snooping   120   GigabitEthernet3/0/33
48:4D:7E:D6:D5:D5   10.10.120.49     1115110     dhcp-snooping   120   GigabitEthernet1/0/40
48:4D:7E:D8:A1:BF   10.10.120.99     171280      dhcp-snooping   120   GigabitEthernet2/0/9
B8:2A:72:FF:19:05   10.10.120.38     1056951     dhcp-snooping   120   GigabitEthernet2/0/22
68:27:37:17:1C:1B   10.10.120.68     1377226     dhcp-snooping   120   GigabitEthernet2/0/37
18:03:73:E7:B2:FF   10.10.120.20     1031147     dhcp-snooping   120   GigabitEthernet2/0/7
44:A8:42:FD:67:98   10.10.120.88     89386       dhcp-snooping   120   GigabitEthernet2/0/30
48:4D:7E:D8:2A:A3   10.10.120.32     1236341     dhcp-snooping   120   GigabitEthernet2/0/5
00:04:F2:AA:B3:41   10.11.120.36     1201920     dhcp-snooping   620   GigabitEthernet3/0/26
EC:F4:BB:52:23:34   10.10.120.84     1321778     dhcp-snooping   120   GigabitEthernet2/0/22
48:4D:7E:D8:8C:93   10.10.120.70     1052463     dhcp-snooping   120   GigabitEthernet3/0/4
18:66:DA:37:DA:07   10.10.120.23     1378715     dhcp-snooping   120   GigabitEthernet3/0/7
48:4D:7E:D6:6F:47   10.10.120.4      1031960     dhcp-snooping   120   GigabitEthernet1/0/31
00:04:F2:AA:AB:6D   10.11.120.8      1243209     dhcp-snooping   620   GigabitEthernet3/0/28
48:4D:7E:D6:71:02   10.10.120.19     1382139     dhcp-snooping   120   GigabitEthernet1/0/2
18:66:DA:37:E3:51   10.10.120.1      808291      dhcp-snooping   120   GigabitEthernet3/0/36
00:04:F2:AA:AB:43   10.11.120.21     905486      dhcp-snooping   620   GigabitEthernet2/0/5
AC:A3:1E:C0:E6:C0   192.168.56.6     54920       dhcp-snooping   56    GigabitEthernet1/0/46
00:04:F2:AA:AB:8A   10.11.120.24     1335447     dhcp-snooping   620   GigabitEthernet1/0/4
EC:F4:BB:6B:82:D2   10.10.120.90     1141336     dhcp-snooping   120   GigabitEthernet2/0/22
18:03:73:E7:6D:22   10.10.120.65     1379634     dhcp-snooping   120   GigabitEthernet2/0/38
AC:A3:1E:C0:E6:BE   192.168.56.8     70490       dhcp-snooping   56    GigabitEthernet3/0/44
68:27:37:17:1C:72   10.10.120.80     1377282     dhcp-snooping   120   GigabitEthernet2/0/39
00:04:F2:74:24:7C   10.11.120.46     1123002     dhcp-snooping   620   GigabitEthernet3/0/25
18:66:DA:37:D3:FA   10.10.120.45     1294640     dhcp-snooping   120   GigabitEthernet3/0/26
68:27:37:17:1C:1C   10.10.120.82     1378101     dhcp-snooping   120   GigabitEthernet2/0/41
48:4D:7E:D8:2A:96   10.10.120.56     1039156     dhcp-snooping   120   GigabitEthernet3/0/19
18:DB:F2:63:54:E4   10.10.120.102    17302       dhcp-snooping   120   GigabitEthernet2/0/18
00:04:F2:74:1A:A2   10.11.120.48     1155940     dhcp-snooping   620   GigabitEthernet3/0/16
48:4D:7E:D8:A1:D6   10.10.120.11     1322759     dhcp-snooping   120   GigabitEthernet2/0/21
00:04:F2:AA:B3:9C   10.11.120.15     802752      dhcp-snooping   620   GigabitEthernet1/0/5
18:66:DA:37:E7:D6   10.10.120.40     1382040     dhcp-snooping   120   GigabitEthernet3/0/29
00:04:F2:74:25:2B   10.11.120.32     1228584     dhcp-snooping   620   GigabitEthernet2/0/8
00:04:F2:AB:40:3D   10.11.120.14     1116936     dhcp-snooping   620   GigabitEthernet1/0/9
84:7B:EB:E9:78:47   10.10.120.7      1379160     dhcp-snooping   120   GigabitEthernet3/0/27
34:E6:D7:07:D4:A4   10.10.120.41     193648      dhcp-snooping   120   GigabitEthernet1/0/30
44:A8:42:FC:B5:BE   10.10.120.57     1379475     dhcp-snooping   120   GigabitEthernet2/0/2
00:04:F2:AA:AA:6B   10.11.120.19     1079082     dhcp-snooping   620   GigabitEthernet3/0/27
18:66:DA:37:E6:15   10.10.120.37     1377478     dhcp-snooping   120   GigabitEthernet1/0/3
64:00:6A:89:B6:54   10.10.120.69     1054124     dhcp-snooping   120   GigabitEthernet1/0/18
48:4D:7E:D8:4C:C8   10.10.120.97     1313108     dhcp-snooping   120   GigabitEthernet2/0/30
64:00:6A:8E:18:D6   10.10.120.46     1381110     dhcp-snooping   120   GigabitEthernet2/0/24
00:04:F2:AB:44:54   10.11.120.11     1039847     dhcp-snooping   620   GigabitEthernet1/0/29
18:66:DA:37:E6:E6   10.10.120.62     785783      dhcp-snooping   120   GigabitEthernet2/0/28
00:04:F2:AA:B3:59   10.11.120.31     1349449     dhcp-snooping   620   GigabitEthernet3/0/7
14:B3:1F:04:DB:5B   10.10.120.10     1210611     dhcp-snooping   120   GigabitEthernet3/0/33
18:66:DA:24:5F:FC   10.10.120.52     1041502     dhcp-snooping   120   GigabitEthernet2/0/30
18:66:DA:08:09:48   10.10.120.100    1382025     dhcp-snooping   120   GigabitEthernet2/0/30
FC:45:96:68:4F:2C   10.10.120.35     1376264     dhcp-snooping   120   GigabitEthernet1/0/35
18:66:DA:37:E5:AC   10.10.120.2      1375742     dhcp-snooping   120   GigabitEthernet2/0/14
00:04:F2:AB:7C:1D   10.11.120.30     1124755     dhcp-snooping   620   GigabitEthernet3/0/11
00:04:F2:AA:B1:7D   10.11.120.12     1299766     dhcp-snooping   620   GigabitEthernet3/0/29
18:66:DA:08:DE:A9   10.10.120.78     1058715     dhcp-snooping   120   GigabitEthernet3/0/19
D4:BE:D9:9E:2C:CA   10.10.120.200    1074512     dhcp-snooping   120   GigabitEthernet2/0/13
48:4D:7E:D8:9F:CB   10.10.120.83     865426      dhcp-snooping   120   GigabitEthernet3/0/47
EC:F4:BB:6B:82:D6   10.10.120.91     1227320     dhcp-snooping   120   GigabitEthernet2/0/22
34:E6:D7:07:CF:13   10.10.120.67     1121543     dhcp-snooping   120   GigabitEthernet3/0/22
F8:CA:B8:32:E9:72   10.10.120.47     1381960     dhcp-snooping   120   GigabitEthernet2/0/8
D0:67:E5:51:A1:A1   10.10.120.59     701471      dhcp-snooping   120   GigabitEthernet3/0/10
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
64:00:6A:67:CA:82   10.10.120.76     1379993     dhcp-snooping   120   GigabitEthernet1/0/9
8C:EC:4B:E6:9E:FE   10.10.120.98     1318018     dhcp-snooping   120   GigabitEthernet1/0/28
00:04:F2:AA:AA:E6   10.11.120.40     1035266     dhcp-snooping   620   GigabitEthernet1/0/17
84:7B:EB:E9:7E:BE   10.10.120.93     1211002     dhcp-snooping   120   GigabitEthernet1/0/4
98:90:96:DE:98:30   10.10.120.120    1375804     dhcp-snooping   120   GigabitEthernet1/0/29
D4:BE:D9:9E:54:5D   10.10.120.94     1046145     dhcp-snooping   120   GigabitEthernet3/0/9
00:26:73:9A:83:64   10.10.16.1       631246      dhcp-snooping   16    GigabitEthernet2/0/47
18:66:DA:15:A9:DE   10.10.120.55     1294954     dhcp-snooping   120   GigabitEthernet3/0/30
18:66:DA:14:DB:F5   10.10.120.89     1127234     dhcp-snooping   120   GigabitEthernet1/0/24
84:7B:EB:E9:06:40   10.10.120.50     699499      dhcp-snooping   120   GigabitEthernet1/0/26
00:04:F2:AB:42:1C   10.11.120.25     1335137     dhcp-snooping   620   GigabitEthernet2/0/18
00:04:F2:AA:AA:EC   10.11.120.13     808254      dhcp-snooping   620   GigabitEthernet1/0/40
D4:BE:D9:A5:A3:C0   10.10.120.96     1224571     dhcp-snooping   120   GigabitEthernet3/0/19
00:04:F2:AB:40:2E   10.11.120.6      838669      dhcp-snooping   620   GigabitEthernet2/0/7
18:66:DA:37:DE:0B   10.10.120.22     1377909     dhcp-snooping   120   GigabitEthernet1/0/17
78:2B:CB:B6:E3:DC   10.10.120.39     1311775     dhcp-snooping   120   GigabitEthernet2/0/27
84:7B:EB:E9:06:71   10.10.120.3      1213768     dhcp-snooping   120   GigabitEthernet3/0/11
18:66:DA:07:6B:3B   10.10.120.58     1074618     dhcp-snooping   120   GigabitEthernet2/0/1
00:04:F2:FE:5A:09   10.11.120.51     795495      dhcp-snooping   620   GigabitEthernet2/0/25
2C:23:3A:18:1F:80   192.168.111.129  54078       dhcp-snooping   304   GigabitEthernet1/0/44
48:4D:7E:D6:D2:3A   10.10.120.72     693904      dhcp-snooping   120   GigabitEthernet1/0/32
D4:BE:D9:9E:7F:82   10.10.120.42     889394      dhcp-snooping   120   GigabitEthernet3/0/31
00:04:F2:AB:40:20   10.11.120.29     837201      dhcp-snooping   620   GigabitEthernet3/0/23
48:4D:7E:D6:D3:9D   10.10.120.85     1120524     dhcp-snooping   120   GigabitEthernet2/0/20
D4:BE:D9:9E:55:3E   10.10.120.79     992654      dhcp-snooping   120   GigabitEthernet3/0/8
00:04:F2:AA:AA:13   10.11.120.38     1358751     dhcp-snooping   620   GigabitEthernet3/0/14
C8:08:E9:B7:DF:95   10.10.120.53     527822      dhcp-snooping   120   GigabitEthernet1/0/36
48:4D:7E:D6:6E:8C   10.10.120.5      1036773     dhcp-snooping   120   GigabitEthernet3/0/19
AC:A3:1E:C0:E7:3E   192.168.56.101   46102       dhcp-snooping   56    GigabitEthernet1/0/43
00:04:F2:64:E0:4C   10.11.120.42     862203      dhcp-snooping   620   GigabitEthernet2/0/24
9C:EB:E8:0B:16:83   10.10.120.73     1057823     dhcp-snooping   120   GigabitEthernet1/0/28
18:66:DA:14:BA:AB   10.10.120.66     1291521     dhcp-snooping   120   GigabitEthernet3/0/3
18:66:DA:37:D2:DB   10.10.120.64     1380828     dhcp-snooping   120   GigabitEthernet3/0/23
00:04:F2:AA:AB:F0   10.11.120.33     1197293     dhcp-snooping   620   GigabitEthernet1/0/35
00:04:F2:AA:AC:78   10.11.120.9      1224528     dhcp-snooping   620   GigabitEthernet3/0/36
48:4D:7E:D6:72:D4   10.10.120.63     1294328     dhcp-snooping   120   GigabitEthernet3/0/15
74:E6:E2:DD:CA:9B   10.10.120.92     1210565     dhcp-snooping   120   GigabitEthernet2/0/30
48:4D:7E:D8:8C:77   10.10.120.28     1074290     dhcp-snooping   120   GigabitEthernet2/0/10
00:04:F2:AB:7C:26   10.11.120.5      887717      dhcp-snooping   620   GigabitEthernet2/0/14
64:00:6A:8E:1C:FE   10.10.120.75     1380154     dhcp-snooping   120   GigabitEthernet3/0/21
00:04:F2:AD:C0:72   10.11.120.2      1161703     dhcp-snooping   620   GigabitEthernet1/0/3
00:04:F2:B2:94:BF   10.11.120.3      1044150     dhcp-snooping   620   GigabitEthernet2/0/3
00:04:F2:74:19:16   10.11.120.22     996886      dhcp-snooping   620   GigabitEthernet2/0/38
00:04:F2:74:20:F2   10.11.120.26     1191344     dhcp-snooping   620   GigabitEthernet1/0/27
18:66:DA:38:10:30   10.10.120.48     1379678     dhcp-snooping   120   GigabitEthernet1/0/5
34:E6:D7:07:CE:C5   10.10.120.60     450233      dhcp-snooping   120   GigabitEthernet3/0/25
00:04:F2:AA:B2:19   10.11.120.43     1291216     dhcp-snooping   620   GigabitEthernet3/0/10
00:04:F2:AA:B2:18   10.11.120.23     1064535     dhcp-snooping   620   GigabitEthernet3/0/3
48:4D:7E:D8:27:AD   10.10.120.44     1379622     dhcp-snooping   120   GigabitEthernet3/0/28
48:4D:7E:D6:75:F2   10.10.120.17     1206462     dhcp-snooping   120   GigabitEthernet3/0/14
00:04:F2:AB:40:D5   10.11.120.7      814536      dhcp-snooping   620   GigabitEthernet2/0/2
74:E6:E2:DD:D2:23   10.10.120.95     1296171     dhcp-snooping   120   GigabitEthernet2/0/30
00:04:F2:AB:43:55   10.11.120.34     1171782     dhcp-snooping   620   GigabitEthernet3/0/30
00:04:F2:AB:7E:4A   10.11.120.18     928789      dhcp-snooping   620   GigabitEthernet3/0/21
84:7B:EB:E9:78:BF   10.10.120.8      1073938     dhcp-snooping   120   GigabitEthernet2/0/31
00:04:F2:AA:AA:24   10.11.120.17     817949      dhcp-snooping   620   GigabitEthernet2/0/21
Total number of bindings: 132

CLV-HO-LIB-LG-SW-01# 

 

Thanks in advance

 

1 Reply 1

Rolf Fischer
Level 9
Level 9

Hello,

if you can't find the reported source address in the mac address table, you could run a

"debug ip dhcp snooping ecf4.bb52.2334".

Output example:

DHCP_SNOOPING: process new DHCP packet,
message type: DHCPOFFER,
input interface: Gi0/1,
MAC da: 0017.0887.ad5b,
MAC sa: 0009.b613.8701,
IP da: 192.168.71.61,
IP sa: 192.168.71.252,
DHCP ciaddr: 0.0.0.0,
DHCP yiaddr: 192.168.71.61,
DHCP siaddr: 192.168.53,
DHCP giaddr: 192.168.71.252,
DHCP chaddr: 0017.0887.ad5b

 

However, in this case you have a binding entry for the mac address which showes you the interface as well:

CLV-HO-LIB-LG-SW-01#show ip dhcp snooping binding [ecf4.bb52.2334]
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
EC:F4:BB:52:23:34   10.10.120.84     1321778     dhcp-snooping   120   GigabitEthernet2/0/22

 

I believe the DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT syslog message normally showes the interface as well, might be a quirk of that IOS or platform...

 

HTH

Rolf

Review Cisco Networking for a $25 gift card