6125 Views, 10 Helpful, 7 Replies

DHCP Snooping not logging violation events to log or dropped packets to statistics

ds_warwick
Level 1

I'm currently testing out DHCP Snooping.

I've set up a lab environment consisting of a standalone Catalyst 3750X 15.0(2)SE7 switch uplinked to a Catalyst 3560 15.0(2)SE7 switch that has my legitimate DHCP server plugged into it. I've made the uplink interface trusted (ip dhcp snooping trusted).

The global configuration on my 3750 also contains ip dhcp snooping and ip dhcp snooping vlan 300

I've plugged a "rogue" DHCP server directly into the Catalyst 3750X switch.

DHCP Snooping is working as expected and clearly dropping the DHCP packets from the rogue source and only allowing the DHCP packets from the legitimate DHCP server that is uplinked.

The problem I have is that nothing is logged to the log file. I have my logging levels set to "debugging" but I never see any entries for the dropped packets and the output of show ip dhcp snooping statistics does not list any packets as dropped.

The rogue packets are definitely being dropped by the switch because they never appear in Wireshark. They do appear if I disable DHCP Snooping - which is the expected behaviour. My concern is that if I ever need to troubleshoot, there are no logs telling me that packets were dropped and therefore no way of finding the MAC address of the rogue server.

====

Documentation I read says that I should see either of these two events when the switch drops a packet, but I don't see either of them in my logs.

Feb 23 13:52:46.273 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: dead.beef.cafe

Feb 24 09:03:06.394 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPRELEASE, chaddr: beef.dead.cafe, MAC sa: dead.beef.cafe

So the question is; Am I missing something from the configuration to enable these log messages?

 

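As an added example (not part of the original post and not Cisco tooling), here is a small Python parser for the two %DHCP_SNOOPING-5 message formats quoted above. It pulls the message type, the Ethernet source MAC and, for MATCH_MAC_FAIL, the chaddr out of each line, converts Cisco's dotted MAC notation to the colon form Wireshark shows, and counts server-only message types (OFFER/ACK/NAK) dropped on untrusted ports, which is the rogue-server case. The sample log lines are constructed from the formats in the post; the field layout is assumed to be exactly as quoted. The caveat that the rest of the thread makes clear: this only ever sees drops the switch chose to log, so an empty result is not evidence that nothing was dropped.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample syslog excerpt: the two DHCP snooping messages quoted in the post,
# one unrelated message, and one more drop with a different source MAC.
SAMPLE_LOG = """\
Feb 23 13:52:46.273 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: dead.beef.cafe
Feb 23 13:52:48.101 EST: %SYS-5-CONFIG_I: Configured from console by console
Feb 24 09:03:06.394 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPRELEASE, chaddr: beef.dead.cafe, MAC sa: dead.beef.cafe
Feb 24 09:05:12.000 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0011.2233.4455
"""

# Facility-severity-mnemonic token. search() rather than match() so a syslog relay's own
# prefix (receive timestamp, hostname) in front of the message does no harm.
HEADER_RE = re.compile(r"%DHCP_SNOOPING-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
# The "key: value" fields present in the quoted formats; "chaddr doesn't" has no colon, so
# only the real "chaddr: ..." field is picked up.
FIELD_RE = re.compile(r"(?P<key>message type|chaddr|MAC sa):\s*(?P<value>[0-9A-Za-z.]+)")

# DHCP message types only a server sends; one of these dropped on an untrusted port is a
# rogue-server candidate (assumed mapping, standard DHCP semantics).
SERVER_MESSAGE_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class SnoopingDrop:
    prefix: str            # everything before the % token, normally the switch timestamp
    severity: int
    mnemonic: str
    message_type: Optional[str]
    mac_sa: Optional[str]  # Ethernet source of the dropped frame, Cisco dotted notation
    chaddr: Optional[str]  # DHCP client hardware address (only on MATCH_MAC_FAIL)


def parse_line(line: str) -> Optional[SnoopingDrop]:
    """Return a SnoopingDrop for a DHCP_SNOOPING syslog line, None for anything else."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    fields = {k: v for k, v in FIELD_RE.findall(m.group("text"))}
    return SnoopingDrop(
        prefix=line[: m.start()].rstrip(": "),
        severity=int(m.group("sev")),
        mnemonic=m.group("mnemonic"),
        message_type=fields.get("message type"),
        mac_sa=fields.get("MAC sa"),
        chaddr=fields.get("chaddr"),
    )


def parse_log(text: str) -> List[SnoopingDrop]:
    """Parse every line of a log excerpt, skipping lines that are not DHCP snooping drops."""
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d is not None]


def to_colon_mac(cisco_mac: str) -> str:
    """Convert dead.beef.cafe to de:ad:be:ef:ca:fe for matching against Wireshark or NAC data."""
    hexdigits = cisco_mac.replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a Cisco dotted MAC: {cisco_mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def rogue_server_macs(drops: Iterable[SnoopingDrop]) -> Dict[str, int]:
    """Count, per source MAC (colon form), server messages dropped on untrusted ports."""
    counts: Counter = Counter()
    for d in drops:
        if (d.mnemonic == "DHCP_SNOOPING_UNTRUSTED_PORT"
                and d.message_type in SERVER_MESSAGE_TYPES and d.mac_sa):
            counts[to_colon_mac(d.mac_sa)] += 1
    return dict(counts)


if __name__ == "__main__":
    drops = parse_log(SAMPLE_LOG)
    for mac, n in sorted(rogue_server_macs(drops).items()):
        print(f"rogue DHCP server candidate {mac}: {n} server message(s) dropped")
```

Feed it the output of `show logging` or the syslog collector's file for the switch; the colon-form MAC can then be looked up in the MAC address table to find the offending port. Because the switch may silently drop without logging, treat this as a complement to the statistics counters and a span-port capture, not a replacement.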
7 Replies

Andrew.C11
Level 1

Hi DS_warwick,

Does anything show up when you run these two commands?

show ip-security dhcp-snooping entries

show ip-security dhcp-snooping violations
Thanks for replying.

Unfortunately these commands do not work on the version of IOS that I am running - 15.0(2)SE7.

I had a theory that the issue may be related to Syslog/Traps, as I have some live switches that are running on the network in a production environment and some of those are logging the events. The only difference is that they are logging to Syslog instead of the local log.

I tried copying the config from one of those switches onto my test switch, but it hasn't really made any difference.

====

I've since updated this post. The problem seems to be something related to switch hardware or model.

Hi all, I have the same problem on a WS-C2960-24TC-L running 12.2(55)SE10.

Yesterday similar issue on a WS-C2960X-48LPS-L running 15.0(2)EX5.

I add another problem: on the WS-C2960-24TC-L I suddenly could not receive an IP address even though the DHCP server port was trusted. The problem was solved with a reload.

Same problem on WS-C2960X-48LPS-L, now with dhcp snooping disabled, both client and dhcp server connected to it, I don't receive address.

Problem is that WS-C2960X-48LPS-L is in production environment and I can't reload it during working hours.

swi35_r1#sh ip dhcp snooping
Switch DHCP snooping is disabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 5ca4.8aa8.8e00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is disabled
Verification of giaddr field is disabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------

Have you ever had this issue?

ds_warwick
Level 1

We have a few different switch models in our environment. The switches that are generating the DHCP Snooping log entries are 3750E-24TD or 3750E-48TD.

If it is another model, such as 3750X, 3750E-24PD or 3750E-48PD, then it does not generate the log entries, regardless of whether the software version and configuration are identical.

This problem would appear to be hardware version or model related.

Symptoms seem very similar to the CSCus47009 bug.

Symptom:
2960x does not increment the "Received on untrusted ports" counter, even when receiving DHCP server messages on an untrusted port.
ds_warwick or anybody,

I have a Cisco 3750E-24TD running 12.2(55)SE10 and I have ip dhcp snooping enabled. However, I am not getting any DHCP Snooping messages when a rogue DHCP server tries to respond to a Discover. Help!

Turning on debug ip dhcp snooping packet and debug ip dhcp snooping events, I do see the following message:

DHCP_SNOOPING_SW: bridge packet output port is null, packet is dropped.

What IOS are you running to get the following Syslog alerts:

%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT:

%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL

T.J.

When I originally posted this we were running 15.0(2)SE7 and we were *NOT* seeing those violation messages in logs.

Since then we upgraded to 15.0(2)SE8 and we can see the messages in the log file.

It would appear at first glance that some versions of IOS report the violations to the log file and some do not. This is probably unintentional.

ds_warwick,

Thanks for the IOS!

I will load it and see what happens!

T.J.
