08-21-2011 08:06 AM - edited 03-07-2019 01:48 AM
Dear all,
I configured the DHCP snooping below to restrict any rogue DHCP server in my LAN network.
See the diagram of the network and the configuration below.
CoreSwitch (acts as DHCP server):
CoreSwitch(config)# ip dhcp snooping vlan 10,11,12,13
CoreSwitch(config)# ip dhcp snooping information option
Edge or user-connected switches:
Switch1(config)# ip dhcp snooping vlan 10,11,12,13
Switch1(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch2(config)# ip dhcp snooping vlan 10,11,12,13
Switch2(config)# ip dhcp snooping information option
Switch2(config)# interface gigabitethernet0/1
Switch2(config-if)# ip dhcp snooping trust
I configured this, but when I put one rogue DHCP server on the network the users still get IP addresses from the rogue DHCP server. Can anyone help
me restrict the rogue DHCP server?
See the diagram please.
08-21-2011 10:46 AM
Hello,
This shouldn't happen, your config looks OK. Perhaps show where you placed the rogue DHCP server and which VLAN is assigned to its port on the switch.
Untrusted interfaces shouldn't be permitted to release DHCP server packets to the clients when DHCP snooping is configured.
When a client receives a rogue address, would you post the output of the following:
1- shut the port of the client
2- perform debug ip dhcp snooping packet and debug ip dhcp snooping event
3- unshut the client port
Post the output of these commands while the rogue DHCP server is placed in the network.
Regards,
Mohamed
08-22-2011 05:09 AM
Please see the show ip dhcp snooping command output:
BlocbB_SW1#show ip dhcp snooping
Switch DHCP snooping is disabled
DHCP snooping is configured on following VLANs:
4,7,37,50
DHCP snooping is operational on following VLANs:
4,7,37,50
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
GigabitEthernet0/1 yes unlimited
GigabitEthernet0/2 yes unlimited
GigabitEthernet0/3 yes unlimited
GigabitEthernet0/4 yes unlimited
08-21-2011 10:19 PM
Hey mate,
try setting up this:
int gig x/x/x
switchport port-security
in global conf mode:
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval X
HTH
Cheers,
Fabio
08-22-2011 12:27 AM
Hi,
Have you enabled dhcp snooping using the
Switch1(config)#ip dhcp snooping
command?
I can see you have ip dhcp snooping in bold in your post but I am unsure if this is just a heading, due to the lack of the global config prompt. You need the above command as well as the "ip dhcp snooping vlan" command to enable snooping on the specified VLANs.
Thanks
Chris
08-22-2011 04:43 AM
Dear Chris,
I did not enable the ip dhcp snooping command. On which switch do I have to enable this command? I tried to enable it on the edge (user) switch and the users did not get IP addresses, I mean DHCP did not work, so I removed the ip dhcp snooping command again from config mode.
On the core switch I did not enable ip dhcp snooping in config mode. I just used the VLAN commands as before:
CoreSwitch(config)# ip dhcp snooping vlan 10,11,12,13
CoreSwitch(config)# ip dhcp snooping information option
On edge switch:
Switch1(config)# ip dhcp snooping vlan 10,11,12,13
Switch1(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet0/1
08-22-2011 09:58 AM
On the edge switches
ip dhcp snooping
ip dhcp snooping vlan 10,11,12,13
ip dhcp snooping information option
On edge switch uplinks
ip dhcp snooping trust
If your Core switch ports are confined to the server room I would leave snooping off. Without the ip dhcp snooping command dhcp snooping is not enabled.
If you need dhcp snooping on your core switch, did you set ip dhcp snooping trust on both ends of the link? Not sure if this is required or not but may be why you stopped getting dhcp addresses when you enabled snooping earlier.
Thanks
Chris
08-22-2011 03:00 PM
Hi Chris,
On the core I did not enable ip dhcp snooping in global mode, I just did ip dhcp snooping on the VLANs.
On the edge I enabled ip dhcp snooping in global mode and on the VLANs. The other thing on the edge switches is that I configured the interface (trunk interface) connected to the core switch as a trusted interface. When I did this my DHCP did not work and users did not get IP addresses. Then I removed ip dhcp snooping from global mode.
Let me know, do I have to do ip dhcp snooping in global mode on both core and edge switches? Then do I have to add the VLANs on both switches or only on the edge switch?
The core switch is acting as the DHCP server.
08-22-2011 04:57 AM
Dear Mohammed,
See the debug result.
BlockB_SW2#terminal mon
BlockB_SW2#terminal monitor
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
Aug 22 14:53:09: DHCP_SNOOPING: checking expired snoop binding entries
BlockB_SW2#
Aug 22 14:55:09: DHCP_SNOOPING: checking expired snoop binding entries
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
BlockB_SW2#
08-22-2011 05:04 AM
Dear Mohammed,
See the debug below after shutting down and unshutting the port:
BlocbB_SW1(config-if)#e
Aug 22 15:00:57: %LINK-5-CHANGED: Interface FastEthernet0/27, changed state to administratively down
Aug 22 15:00:58: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/27, changed state to downxit
BlocbB_SW1(config)#
Aug 22 15:00:59: %ILPOWER-7-DETECT: Interface Fa0/27: Power Device detected: IEEE PD
Aug 22 15:01:00: %ILPOWER-5-POWER_GRANTED: Interface Fa0/27: Power grantedexit
BlocbB_SW1#
Aug 22 15:01:00: %LINK-3-UPDOWN: Interface FastEthernet0/27, changed state to down
BlocbB_SW1#
BlocbB_SW1#
Aug 22 15:01:02: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.20.48)
BlocbB_SW1#
BlocbB_SW1#
BlocbB_SW1#wr
Building configuration...
[OK]
BlocbB_SW1#
BlocbB_SW1#
BlocbB_SW1#
Aug 22 15:01:06: %LINK-3-UPDOWN: Interface FastEthernet0/27, changed state to up
Aug 22 15:01:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/27, changed state to up
Aug 22 15:02:06: DHCP_SNOOPING: checking expired snoop binding entries
BlocbB_SW1#
BlocbB_SW1#
BlocbB_SW1#
08-22-2011 10:53 AM
Chris is correct, you should have this command enabled globally first.
Please enable DHCP snooping globally on all switches (core and edge) with the command:
ip dhcp snooping
Then check whether the clients are still receiving rogue DHCP packets or not.
Regards,
Mohamed
08-22-2011 03:02 PM
Thanks Mohammed,
I will try to enable it on both switches, but when I enabled it on the edge switch users did not get IP addresses from DHCP.
I immediately removed it from global config (ip dhcp snooping).
08-22-2011 04:06 PM
Do you have this command enabled on all client/host interfaces on the Switch:
spanning-tree portfast
Regards,
Mohamed
08-23-2011 12:44 AM
Yes, spanning-tree portfast is enabled on all user-connected switch ports.
interface FastEthernet0/6
description B27
switchport access vlan 7
switchport voice vlan 4
spanning-tree portfast
!
interface FastEthernet0/7
description B04
switchport access vlan 37
switchport voice vlan 4
snmp trap mac-notification change added
spanning-tree portfast
08-26-2011 11:17 PM
You have Vlan 37 and voice vlan 4 here but in your dhcp snooping config above you don't list these vlans. Why?
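The two points the thread arrives at (the per-VLAN lines do nothing until the global ip dhcp snooping command is present, and the VLANs actually used by access and voice ports must be in the snooped list) are easy to miss by eye across many switches. The following Python script is an added example, not code from the thread or from Cisco: it parses an IOS-style running-config and reports those inconsistencies, plus two trust-related ones (an access port marked trusted, and an uplink trunk left untrusted, which would drop the core's legitimate offers as described earlier in the thread). The config text embedded in it is constructed to resemble the poster's edge switch; the interface names and the trusted FastEthernet0/8 port are assumptions for illustration.

```python
import re

# Constructed sample running-config (not from the thread's devices), modelled on
# the edge switch in the thread. The global "ip dhcp snooping" line is deliberately
# absent, reproducing the mistake the thread uncovers; FastEthernet0/8 is a
# hypothetical access port that was trusted by mistake.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10,11,12,13
ip dhcp snooping information option
!
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/6
 switchport access vlan 7
 switchport voice vlan 4
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 37
 switchport voice vlan 4
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport access vlan 10
 ip dhcp snooping trust
!
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '4,7,10-12' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Pull the DHCP-snooping-relevant facts out of an IOS running-config."""
    state = {"global_snooping": False, "snooping_vlans": set(), "interfaces": {}}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if not raw.startswith(" "):  # top-level (global) command
            current = None
            if stripped == "ip dhcp snooping":  # exact match: the global enable
                state["global_snooping"] = True
            elif (m := re.match(r"ip dhcp snooping vlan (\S+)$", stripped)):
                state["snooping_vlans"] |= expand_vlan_list(m.group(1))
            elif (m := re.match(r"interface (\S+)$", stripped)):
                current = m.group(1)
                state["interfaces"][current] = {"trust": False, "trunk": False, "vlans": set()}
            continue
        if current is None:  # indented line that is not inside an interface block
            continue
        iface = state["interfaces"][current]
        if stripped == "ip dhcp snooping trust":
            iface["trust"] = True
        elif stripped == "switchport mode trunk":
            iface["trunk"] = True
        elif (m := re.match(r"switchport (?:access|voice) vlan (\d+)$", stripped)):
            iface["vlans"].add(int(m.group(1)))
    return state


def audit(state):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    if not state["global_snooping"]:
        findings.append("global 'ip dhcp snooping' is missing: the per-VLAN lines "
                        "are configured but snooping is not operational")
    used = set()
    for name, iface in state["interfaces"].items():
        used |= iface["vlans"]
        if iface["trust"] and not iface["trunk"]:
            findings.append(f"{name}: access port is trusted, so a DHCP server "
                            f"plugged into it would be accepted")
        if iface["trunk"] and not iface["trust"]:
            findings.append(f"{name}: uplink trunk is untrusted, so legitimate "
                            f"offers arriving from the core will be dropped")
    missing = sorted(used - state["snooping_vlans"])
    if missing:
        findings.append("VLANs used by access/voice ports but not snooped: "
                        + ",".join(str(v) for v in missing))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against a real device, feed it the text of show running-config; on the constructed sample it reports the missing global enable, the wrongly trusted FastEthernet0/8, and VLANs 4, 7 and 37 in use but not snooped, which is exactly the gap the last reply points out.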