07-10-2013 04:02 AM - edited 03-07-2019 02:19 PM
Hi Forum
I have made a very simple test setup to check that a rogue DHCP is not allowed to pass out DHCP addresses to clients.
I am using a Linksys router, which acts as the rogue DHCP server. An IOS router connected to the uplink port acts as the trusted DHCP server.
All traffic is taking place on vlan 171.
The switch is configured with the following global commands:
ip dhcp snooping vlan 171
ip dhcp snooping database flash:dhcptest
ip dhcp snooping database write-delay 30
ip dhcp snooping database timeout 5
ip dhcp snooping
and the uplink interface is configured with:
interface GigabitEthernet1/0/28
switchport trunk native vlan 10
switchport mode trunk
ip dhcp snooping trust
all user ports are configured as:
interface GigabitEthernet1/0/1
switchport access vlan 171
switchport mode access
spanning-tree portfast
The Linksys router placed on port 1/0/12 can still offer DHCP information to a client on port 1/0/1. IP addresses are randomly taken from either the IOS router or the Linksys router.
This is not correct; the IP DHCP snooping should have strangled the Linksys router's capability to assign IP addresses!!
What is going on in this software release?
Anyone like to comment?
Regards
Peter
07-10-2013 06:14 AM
07-10-2013 09:43 AM
Strangely enough. Can you post show ip dhcp snooping and show ip dhcp snooping binding?
Sent from Cisco Technical Support iPhone App
07-11-2013 01:16 AM
Hi Xie Yao
Show ip dhcp snooping binding is empty ...
TestSW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
171
DHCP snooping is operational on following VLANs:
171
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 7010.5c99.b400 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
GigabitEthernet1/0/28 yes yes unlimited
Custom circuit-ids:
TestSW1#
And the other command:
TestSW1#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0
TestSW1#
Regards
Peter
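As an added example (not code from this thread or from Cisco), a small Python script that parses the show ip dhcp snooping output above and lists the switch states that would let a DHCP server on an access port keep answering clients: snooping disabled, the VLAN not operational, the uplink untrusted, or the suspect port itself trusted. The sample text is a trimmed copy of Peter's output; the port names passed to audit() are the ones from this setup.

```python
import re

# Constructed sample: the `show ip dhcp snooping` output posted in this thread,
# trimmed to the lines the parser consumes (values unchanged).
SAMPLE_SHOW = """\
Switch DHCP snooping is enabled
DHCP snooping is operational on following VLANs:
171
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
GigabitEthernet1/0/28 yes yes unlimited
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '171' or '1,5-7' into a set of ints."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_snooping(text):
    """Extract global state, operational VLANs and trusted ports from the output."""
    state = {"enabled": False, "operational_vlans": set(), "trusted": set()}
    section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Switch DHCP snooping is"):
            state["enabled"] = line.endswith(" enabled")
        elif line.endswith("operational on following VLANs:"):
            section = "vlans"
        elif line.startswith("DHCP snooping trust/rate"):
            section = "trust"
        elif section == "vlans" and re.fullmatch(r"\d[\d,\- ]*", line):
            state["operational_vlans"] |= expand_vlans(line)
        elif section == "trust":
            # columns: interface, trusted, allow-option, rate limit
            m = re.match(r"(\S+)\s+(yes|no)\s+(yes|no)\s", line)
            if m and m.group(2) == "yes":
                state["trusted"].add(m.group(1))
    return state

def audit(state, vlan, uplink, suspect_port):
    """List reasons a DHCP server on suspect_port could still answer clients on vlan."""
    checks = [
        (state["enabled"], "DHCP snooping is not globally enabled"),
        (vlan in state["operational_vlans"], f"VLAN {vlan} is not operational for snooping"),
        (uplink in state["trusted"], f"uplink {uplink} is untrusted, so legitimate offers are dropped too"),
        (suspect_port not in state["trusted"], f"{suspect_port} is trusted, so its server replies are forwarded"),
    ]
    return [msg for ok, msg in checks if not ok]
```

On the sample output audit() returns no findings, so the snooping state shown by the switch gives no configuration reason for the rogue offers.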
07-11-2013 01:19 AM
Hi Xie Yao
All traffic is going on VLAN 171, and the IOS DHCP server is attached via a trunk to GI 1/0/28. The rogue Linksys DHCP server is also on VLAN 171.
The strange thing is that the ip dhcp snooping database is not populated with any information.
Regards
Peter
07-11-2013 01:27 AM
Since all your devices are Cisco devices, not sure if this helps, but you can check whether the DHCP option is enabled:
sh run | i snoop
ip dhcp snooping vlan 174,300,450
ip dhcp snooping
ip dhcp snooping information option allow-untrusted
If information option allow-untrusted is enabled, then the DHCP server may be able to offer IP addresses, depending on the device you are using.
07-11-2013 01:33 AM
DO NOT, under any circumstances, use IOS version 15.0(2)SE3.
Stick to either 12.2(55)SE8 or 15.0(2)SE4.