10-15-2013 08:54 AM - edited 03-07-2019 04:03 PM
Hello All,
I have several C2960 with IOS 15.0(2)SE4 and DHCP snooping configured
ip dhcp snooping
ip dhcp snooping vlan 1,10-20
When i have a untrusted interface configured with vlan 1, the Thin-Client host receives an IP Address via DHCP with no problem, but if i change the vlan on that Thin-Client host to 10, the host does not receive an IP Address via DHCP and the following error message appears:
%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DH
Any suggestions?
Thanks!
David
10-15-2013 09:03 AM
Hello dfranjoso.
That's a timing issue, because you had the PC connected to vlan 1. The switch learnt the mac address in vlan 1, once you change the interface to access vlan 10, the mac table was still pointing the host's mac address to vlan 1 and therefpre dhcp can provide with an ip address.
Do you have port-security configured as well? if so, then run the command "clear port-security dynamic" and try to reproduce the issue again.
Regards.
Wilson B.
10-15-2013 09:07 AM
By the way I forgot to mention this
With DHCP snooping MAC address verification enabled, DHCP snooping verifies that the source MAC address and the client hardware address match in DHCP packets that are received on untrusted ports. The source MAC address is a Layer 2 field associated with the packet, and the client hardware address is a Layer 3 field in the DHCP packet.
To enable DHCP snooping MAC address verification, perform this task:
This example shows how to disable DHCP snooping MAC address verification:
Router(config)# no ip dhcp snooping verify mac-address
Router(config)# do show ip dhcp snooping | include hwaddr
Verification of hwaddr field is disabled
Router(config)#
This example shows how to enable DHCP snooping MAC address verification:
Router(config)# ip dhcp snooping verify mac-address
Router(config)# do show ip dhcp snooping | include hwaddr
Verification of hwaddr field is enabled
Router(config)#
You can also disable validation with the command.
no ip dhcp snooping verify mac-address
Regards.
Wilson B
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide