
DHCP snooping blocks all dhcp traffic

harm.prins
Beginner

Hello,

I'm struggling with DHCP snooping, and I can't find any helpful information on the internet. So I hope someone here can help.

I'm configuring DHCP snooping, and (as far as I know), I've configured it according to the manual. But now my DHCP won't work anymore (DHCP request failed on end devices). When I disable DHCP snooping, everything works again.

Context: This all takes place in Packet Tracer, on a 2960 switch.

My config looks like this (all fastethernet ports are end devices, g0/1 is connected to the DHCP server via some other switches):

Building configuration...

Current configuration : 2970 bytes
!
version 15.0
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Sw-Zw-Office-1
!
!
!
!
!
ip dhcp snooping vlan 10,20,50,100,150
ip dhcp snooping
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky 
 switchport port-security mac-address sticky 0060.3E05.7998
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky 
 switchport port-security mac-address sticky 0002.16BD.2461
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport access vlan 20
 ip dhcp snooping limit rate 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky 
 switchport port-security mac-address sticky 0090.215B.1C3D
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 switchport access vlan 20
 ip dhcp snooping limit rate 10
 switchport mode access
 switchport voice vlan 150
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky 
 switchport port-security mac-address sticky 0001.C7C1.6B70
 switchport port-security mac-address sticky 0005.5E95.C343
 spanning-tree portfast
 spanning-tree bpduguard enable
 mls qos trust cos
!
interface FastEthernet0/5
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky 
 switchport port-security mac-address sticky 0060.5C17.69BC
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,20,50,100,150
 ip dhcp snooping trust
 switchport mode trunk
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
!
!
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
!
!
end

Accepted Solution

paul driver
VIP Expert

Hello

Apply the following and test again:

no ip dhcp snooping information option 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


4 Replies

MHM Cisco World
Advisor

follow


Yeah that works! But why?

 

Thanks!

Hello

It's all to do with a feature called option 82, which is enabled by default when DHCP snooping is enabled. This feature sends this option 82 towards the DHCP server, and if the server doesn't support it, it will not respond with an offer to the client. So you can tell the switch with snooping enabled not to send DHCP discovery messages with this option, so the DHCP server that doesn't support it will reply with an offer.



Kind Regards
Paul
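
To make the option 82 explanation above concrete, here is an added example (not code from this thread or from Cisco) that parses a DHCP DISCOVER the way a server would and reports the relay agent information option and the giaddr field. The client MAC is the Fa0/1 sticky address from the posted config; the option 82 bytes, the switch MAC and all function names are constructed for illustration.

```python
import socket
import struct

MAGIC = bytes.fromhex("63825363")             # DHCP magic cookie, RFC 2131
SUBOPTS = {1: "circuit_id", 2: "remote_id"}   # RFC 3046 sub-option codes

def tlvs(buf, dhcp=True):
    """Parse code/length/value items; Pad (0) and End (255) only exist at DHCP level."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if dhcp and code == 255:
            break
        if dhcp and code == 0:
            i += 1
            continue
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option %d" % code)
        out[code] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return out

def inspect(packet):
    """Summarise what a DHCP server sees in a client message."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts = tlvs(packet[240:])
    relay = None
    if 82 in opts:
        relay = {SUBOPTS.get(c, c): v.hex() for c, v in tlvs(opts[82], dhcp=False).items()}
    giaddr = socket.inet_ntoa(packet[24:28])
    return {"msg_type": opts.get(53, b"\0")[0], "giaddr": giaddr, "option82": relay,
            # Option 82 from a Layer 2 snooping switch arrives with giaddr still 0.0.0.0
            "opt82_without_relay": relay is not None and giaddr == "0.0.0.0"}

def build_discover(option82):
    """Constructed DISCOVER from the Fa0/1 client; option82 mimics switch insertion."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                      b"", b"", b"", b"", bytes.fromhex("00603e057998"), b"", b"")
    opts = b"\x35\x01\x01"                                # option 53 = DISCOVER
    if option82:
        circuit = bytes.fromhex("0106" "0004000a0001")    # constructed circuit ID bytes
        remote = bytes.fromhex("0208" "000600005e005301") # constructed remote ID bytes
        opts += bytes([82, len(circuit + remote)]) + circuit + remote
    return hdr + MAGIC + opts + b"\xff"

if __name__ == "__main__":
    for flag in (True, False):   # snooping default vs. "no ip dhcp snooping information option"
        print(inspect(build_discover(flag)))
```

Running the same `inspect` over a capture taken on the server side shows whether requests still carry option 82 after the switch change.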