DHCP Snooping dropping DHCP Discover message

The_Road
Level 1

Hi, I'm using Packet Tracer and I configured DHCP snooping on a Catalyst 2960 switch.

Switch configuration:

 ip dhcp snooping vlan 10,20
 no ip dhcp snooping information option
 ip dhcp snooping

I have two PCs connected to the switch, PC1 on VLAN 10 and PC2 on VLAN 20.

From the switch there is one trunk connection to a router on a stick (Cisco 2911).

I configured the interface between the switch and the router as a trusted port:

 

sw(config-if)#ip dhcp snooping trust

The router is the DHCP server and the PCs are both DHCP clients. When they ask for a DHCP address, the switch drops the DHCP Discover packet.

I see this reason in the Packet Tracer simulation:

"DHCP Snooping: The switch receives a DHCP DISCOVER message on an untrusted port. The device is not configured with a functional and trusted port. The device drops the packet."

Why does the switch drop the DHCP Discover packet?

I know that DHCP snooping doesn't drop "client to server" packets, but maybe I'm mistaken...

How can I fix it, apart from configuring the PCs' ports as trusted ports (which loses the whole point of DHCP snooping)?

I also attached the Packet Tracer file.

Thanks for any reference.

8 Replies

parviz
Level 1

Hi,

Add this command on the router, either globally or on the interface facing the switch:

Globally: ip dhcp relay information trusted all

Interface: ip dhcp relay information trusted

The result is the same.

I tried using those commands but it still didn't work.

Hello
You need to have the VLAN active before enabling snooping for that specific VLAN.
Disable snooping for VLANs 10 and 20, disable/re-enable the hosts and let them obtain IP addressing.
Then activate snooping for those VLANs. Any new hosts joining those VLANs after this should obtain an allocation with snooping enabled; do this for each new DHCP VLAN you add to your network.

Switch
conf t
no ip dhcp snooping information option
ip dhcp snooping
no ip dhcp snooping vlan 10,20

int range x/x -x
description access-port to dhcp host
shut
no shut

ip dhcp snooping vlan 10,20

int range x/x -x
description access-port to dhcp host
shut
no shut
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi

I tried it. Before I activated DHCP snooping I let the hosts on the network get an IP address through DHCP, and by that let the VLAN be activated by some DHCP traffic, but afterwards, when I enabled DHCP snooping and let the hosts send DHCP Discover again, it still didn't work: the switch drops the frame because of DHCP snooping.

After some different attempts I noticed that when I set the trunk link between the switch and the router as an access link, for some reason the switch suddenly doesn't drop the DHCP Discover frame, but of course it's not proper to set that link to access mode.

 

Hello

Just noticed you're using Packet Tracer, not a live network. PT is known for lots of anomalies, so it's possible it's a PT issue.

Please post the PT file anyway for review.



Kind Regards
Paul

bigfrog
Level 1

I have this same issue: the switch the PC is directly connected to discards the DHCP Discover packet with that same error:

 

"DHCP Snooping: The switch receives a DHCP DISCOVER message on an untrusted port. The device is not configured with a functional and trusted port. The device drops the packet."

 

The error plainly states that the issue is because the port is untrusted, so I made the port trusted and it works!  But that's not really how it's supposed to work in the real world, is it?  Is Cisco intentionally trying to get us to fail??? Lol.  :(

In my simulation I have three ports on VLAN 10 with three PCs connected, each set to get its IP info via DHCP.  But making that single port trusted made all three ports work. The DHCP snooping bindings and database became populated.  :/

I am also having the issue where my access switch is dropping incoming DHCP Discover messages. My configuration is a bit different from the one described by the original poster. I have three PCs connecting to an access switch (SW1), with each PC in a different VLAN. The access switch then connects to a ROAS. The DHCP server is connected to another switch (SW2).

 

I have trusted the port connecting to the ROAS and the port-channel that connects SW1 and SW2.  DHCP snooping is enabled on SW1.

From my understanding, only ports connecting to other network devices or the DHCP server itself should be trusted. I was able to get a PC to successfully complete the DHCP DORA process, but only after trusting its port on the switch. Isn't DHCP snooping supposed to forward DISCOVER messages while blocking server-type messages (Offer, Ack) on untrusted ports? Why would my access port need to be trusted?

 

My packet tracer file for this exercise is attached as a .zip if someone is curious.
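As an added example, not code from this thread or from Cisco, here is a small Python model of the filtering rule the original post and the post above both expect from DHCP snooping: client messages (DISCOVER, REQUEST, ...) are forwarded inbound on untrusted ports, while server messages (OFFER, ACK, NAK), packets carrying option 82, packets with a non-zero giaddr, and packets whose chaddr does not match the source MAC are dropped there. The names `build_dhcp`, `parse_dhcp` and `snoop_decision` are mine, and the packets are constructed inline.

```python
# Model of documented DHCP snooping port rules, checked against constructed
# DHCP payloads. Byte offsets follow RFC 2131; not a real switch implementation.
DHCP_MAGIC = b"\x63\x82\x53\x63"
CLIENT_TYPES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Return op, giaddr, chaddr (6 bytes) and the option dict of a raw DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": payload[0], "giaddr": payload[24:28],
            "chaddr": payload[28:34], "options": opts}


def snoop_decision(payload: bytes, src_mac: bytes, port_trusted: bool) -> str:
    """Forward/drop decision for a DHCP packet arriving on a given port."""
    msg = parse_dhcp(payload)
    mtype = msg["options"].get(53, b"\x00")[0]
    if port_trusted:             # trusted ports pass everything unchecked
        return "forward"
    if mtype in SERVER_TYPES:    # a server talking from an untrusted port is a rogue server
        return f"drop: {SERVER_TYPES[mtype]} from untrusted port"
    if 82 in msg["options"]:     # relay agent info must not arrive from a client port
        return "drop: option 82 present on untrusted port"
    if msg["giaddr"] != b"\x00\x00\x00\x00":
        return "drop: non-zero giaddr on untrusted port"
    if msg["chaddr"] != src_mac:  # MAC address verification (on by default)
        return "drop: chaddr does not match source MAC"
    return f"forward: {CLIENT_TYPES.get(mtype, 'unknown')} from client"


def build_dhcp(op: int, mtype: int, chaddr: bytes, giaddr: bytes = b"\x00" * 4,
               extra: bytes = b"") -> bytes:
    """Constructed minimal DHCP payload: 236-byte fixed header, cookie, options."""
    hdr = bytes([op, 1, 6, 0]) + b"\x00" * 20 + giaddr + chaddr + b"\x00" * 10 + b"\x00" * 192
    return hdr + DHCP_MAGIC + bytes([53, 1, mtype]) + extra + b"\xff"
```

A DISCOVER built with `build_dhcp(1, 1, mac)` is forwarded from an untrusted port, while the same packet with a relay-agent option appended, or an OFFER built with `build_dhcp(2, 2, mac)`, is dropped there and only passes on a trusted port.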

The same is happening with my configuration. The configuration of my switch is in the text file, and when the end hosts do a DHCP request through interfaces FastEthernet 0/3-5 (3 hosts) the switch always drops the packets.

I really think it is a bug in Packet Tracer, because I did another lab, this time without the VLAN configuration, and DHCP snooping worked properly.
