DHCP snooping enabled - switch dropping DISCOVER or REQUEST messages on untrusted port

Ivan Mamka
Level 1

Hello,

I'm getting into the basics of DHCP snooping. I've enabled it on the switch with the following:

(config) ip dhcp snooping

(config) ip dhcp snooping vlan 1

Now, on Fa0/2 I have the DHCP server connected, and on Fa0/1 I have a client. By default all ports are untrusted. As per the documentation, untrusted ports should allow DHCP DISCOVER & REQUEST messages. But (in Packet Tracer) when the client sends a DHCP DISCOVER message to the LAN, the switch drops it. If I configure the port as trusted, then it forwards it to the server port Fa0/2.

Any thoughts on why DHCP snooping is dropping DHCP DISCOVER/REQUEST messages on untrusted ports?

Thanks in advance!

Accepted Solution

Hello,

I just tested this on a real switch. With DHCP snooping enabled and no trusted port, all packets are dropped. With one trusted port, the DHCP packets are flooded to the entire VLAN but only accepted on the trusted port. I guess that matches your findings.

The 3560 in Packet Tracer does not work as expected; I am pretty sure it is a quirk in Packet Tracer.

7 Replies

balaji.bandi
Hall of Fame

It should work as expected; I am not a PT user.

Check the video below:

https://www.youtube.com/watch?v=v7oabLXoVyA

BB

Hey Balaji,

The second video was helpful: https://www.youtube.com/watch?v=u3EmleryJ9A

At 5:00 he had the same thing: DHCP requests were dropped immediately if there was not one trusted port configured on the switch. Solved by configuring one trusted port. Thanks!

Hello,

Probably a quirk in Packet Tracer. Can you post the zipped project (.pkt) file?

Actually, I just tested this on a 3560 switch in Packet Tracer, and it works as documented. Untrusted ports are able to send/receive DISCOVER/REQUEST messages, and IP addresses are assigned to hosts on untrusted ports.

Hey Georg,

Attaching a PT file. So on 2960 switches (or on all), if there are no trusted ports configured at all, then DHCP request packets are dropped immediately, but if there is even one trusted port, those DHCP requests are flooded to all operational switch ports, and replies are allowed only from trusted ports.

And in the attached PT project, I couldn't get DHCP snooping working for the 3560 switch.

Disable option 82 and try again.
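The complete configuration the thread converges on, written out here as an added example rather than configuration taken from any post above. It assumes the original poster's topology (DHCP server on Fa0/2, client on Fa0/1, VLAN 1) and layers on the two changes the replies identify: trusting the server-facing port, which the accepted answer found is required before the switch forwards any DHCP at all, and, from the last reply, disabling option 82 insertion in case the server rejects relay-agent information. The rate limit on the client port and the show commands are standard IOS features added for completeness; the interface descriptions are placeholders.

```cisco
! Added example, not from the thread: DHCP snooping for the topology the
! original poster described (DHCP server on Fa0/2, client on Fa0/1, VLAN 1).
!
! Step 1: the original post's configuration. Snooping is on and every port is
! untrusted. With no trusted port anywhere, the thread found the switch drops
! the client's DISCOVER/REQUEST instead of forwarding it toward the server.
ip dhcp snooping
ip dhcp snooping vlan 1
!
! Step 2: the fix from the accepted answer. Trust only the port the DHCP
! server sits behind. OFFER/ACK are accepted from this port; server replies
! arriving on any untrusted port (a rogue server on a client port) are dropped.
interface FastEthernet0/2
 description Uplink to DHCP server (placeholder description)
 ip dhcp snooping trust
!
! Step 3 (optional, from the last reply): if the DHCP server does not accept
! the relay-agent information (option 82) the switch inserts on untrusted
! ports, stop inserting it rather than trusting more ports.
no ip dhcp snooping information option
!
! Client-facing port stays untrusted. Capping the DHCP packet rate keeps a
! misbehaving host from flooding the snooping process.
interface FastEthernet0/1
 description Client (placeholder description)
 ip dhcp snooping limit rate 10
!
! Verification after the client renews its lease:
!   show ip dhcp snooping            ! trust state per interface, option 82 setting
!   show ip dhcp snooping binding    ! client's MAC/IP/lease should appear on Fa0/1
!   show ip dhcp snooping statistics ! counters for packets dropped by snooping checks
```

If the binding table stays empty after the client renews, check the trust state first: the thread's symptom (no DHCP forwarded at all) comes from having no trusted port in the VLAN, not from option 82, so the `trust` line on the server port is the change to verify before anything else.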