DHCP snooping error

nawas
Level 4

I'm seeing the following error:

Nov 4 09:33:29.390:%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPINFORM, chaddr: 000e.9bac.xxxx, MAC sa: 001a.6bd4.xxxx

Cisco's explanation of this error is:

The DHCP snooping feature attempted MAC address validation and the check failed. There may be a malicious host trying to carry out a denial of service attack on the DHCP server. The packet will be dropped.

I have noticed that this message is appearing for several ports on my switch where PCs are connected. I didn't see anything other than DHCP requests coming out from these hosts, but I'm not sure why the validation would. Can someone point me in the direction of what should be done to fix this?

Thanks

8 Replies

tcordier
Level 1

From what I understand of DHCP snooping, it compares the client (PC) hardware address in the DHCP packet (chaddr) with the MAC source address of the frame that carried it. In your case the client hardware address is 000e.9bac.xxxx but the DHCP packet has been sent with MAC source address 001a.6bd4.xxxx. Is there no hub connected to the ports? Do you recognize 001a.6bd4.xxxx?

- Thomas

cisco_lad2004
Level 5

DHCP_SNOOPING-5

Error Message DHCP_SNOOPING-5-DHCP_SNOOPING_FAKE_INTERFACE: [char] drop message with mismatched source interface the binding is not updated message type: [char] MAC sa: [mac-addr]

Explanation The DHCP snooping feature has detected a host trying to carry out a denial of service attack on another host in the network. The packet will be dropped.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: [char] drop message because the chaddr doesn't match source mac message type: [char] chaddr: [mac-addr] MAC sa: [mac-addr]

Explanation The DHCP snooping feature attempted MAC address validation and the check failed. There may be a malicious host trying to carry out a denial of service attack on the DHCP server. The packet will be dropped.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/system/messages/emsg.html

HTH

Sam

You can suppress the checking with "no ip dhcp snooping verify mac-address".

I have seen the frequency of these messages increase with newer versions of IOS.

Check your MAC addresses and see what adapters they correspond to. We saw DHCP renews from the wireless adapter exiting out the wired connection. The users had both NICs active.

We've seen this too, and I've been trying to find out what the logic behind this is.

To me requesting a DHCP lease for a wireless adapter over a wired connection is wrong. Is there any legitimate reason why an OS would do this, or is it just broken and we need to get MS to fix?

I'm glad you brought this up; I'm looking for the answer to this too. I have seen both the wired MAC address and the wireless MAC address when a DHCP request goes out via the wired MAC. Microsoft definitely needs to fix this, but there should be a way in the Cisco IOS to ignore the wireless MAC as it does in CatOS or older IOS. I have these errors only in the newer IOS.

To add to the confusion, we just managed to hunt one of these machines down. Turns out it was a brand new iMac with both Airport and Ethernet enabled, so this doesn't appear to be just a Microsoft thing. Turning Airport off seemed to resolve the issue.

Macs seem to have a lot of issues in regards to network security if left in their default configuration with multiple interfaces. If anyone has advice on how to deal with the issues listed at this link, I'd welcome them!

http://www.net.princeton.edu/mac/network-config-x/caveats.html#ip-weakend

A previous poster was correct in that this problem occurs when a given device such as a laptop has two network interfaces active and one tries to renew its DHCP address by using the other. An example would be a laptop with wired and wireless interfaces where the wireless interface sends its DHCP renewal through the wired IP address.
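To make the check behind this thread concrete, here is an added Python example (not from Cisco or any poster) that parses a constructed client DHCP frame, compares the BOOTP chaddr field with the Ethernet source MAC the way the `ip dhcp snooping verify mac-address` check does on an untrusted port, and renders the same drop message seen in the original post. All MAC addresses and frame contents are constructed test data; a dual-homed host renewing its wireless lease over the wired NIC produces exactly this mismatch.

```python
import struct

BOOTREQUEST = 1          # BOOTP op field value for client-originated messages
MSG_NAMES = {1: "DHCPDISCOVER", 3: "DHCPREQUEST", 7: "DHCPRELEASE", 8: "DHCPINFORM"}

def cisco_mac(mac: bytes) -> str:
    """Format six raw bytes in Cisco dotted-hex form, e.g. 000e.9bac.0002."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def build_client_frame(src_mac: bytes, chaddr: bytes, msg_type: int) -> bytes:
    """Build a minimal Ethernet/IPv4/UDP/BOOTP client frame (constructed test data)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", BOOTREQUEST, 1, 6, 0, 0x1234, 0, 0,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr.ljust(16, b"\0"))
    # sname (64) + file (128) are zero, then the DHCP magic cookie and option 53.
    bootp += bytes(192) + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip

def verify_mac_address(frame: bytes):
    """Apply the chaddr/source-MAC check to a frame received on an untrusted port.
    Returns (passes, message_type_name, chaddr, source_mac), MACs in Cisco form."""
    src_mac = frame[6:12]
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    bootp = frame[14 + ihl + 8:]             # skip Ethernet, IPv4 and UDP headers
    op, hlen = bootp[0], bootp[2]
    chaddr = bootp[28:28 + hlen]             # client hardware address field
    msg_type, opts, i = None, bootp[240:], 0 # options follow the magic cookie
    while i < len(opts) and opts[i] != 255:  # 255 = end option
        if opts[i] == 0:                     # pad option carries no length byte
            i += 1
            continue
        if opts[i] == 53:                    # DHCP message type option
            msg_type = opts[i + 2]
        i += 2 + opts[i + 1]
    # Only client requests carry a chaddr that must equal the frame's source MAC.
    passes = op != BOOTREQUEST or chaddr == src_mac
    return passes, MSG_NAMES.get(msg_type, f"TYPE{msg_type}"), cisco_mac(chaddr), cisco_mac(src_mac)

def drop_message(frame: bytes):
    """Return the syslog text the switch would log for a failing frame, else None."""
    passes, name, chaddr, sa = verify_mac_address(frame)
    if passes:
        return None
    return ("%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message "
            f"because the chaddr doesn't match source mac, message type: {name}, "
            f"chaddr: {chaddr}, MAC sa: {sa}")
```

Feeding the switch's log lines through `cisco_mac` in reverse (looking up the vendor prefix of the chaddr versus the MAC sa) is the quickest way to tell a dual-homed laptop from an unknown device sharing the port.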
