dhcp snooping not working (solved)

bavo (Level 1)

Hi,

I have a question.

I'm testing DHCP snooping in my test environment before I implement it in the production network.

My setup:

2 c3560 linked with a trunk TS01<->TS02 (TS=TestSwitch :-)

A DHCP server router (Cisco RV180) is connected on port 10 on TS01.

Both switches have been configured as follows:

ip dhcp snooping

ip dhcp snooping vlan 1-2048

Port 10 on TS01 is configured with "ip dhcp snooping trust".

All ports are configured in VLAN 110.

If I connect a laptop on port 40, I receive an IP address from the DHCP server (as expected).

If I configure a router for DHCP and connect it to port 15 (in the same VLAN as the other DHCP), the port does not switch to the err-disable state as I would expect.

When I disable port 10 (the good DHCP) and renew the IP of the laptop, I receive an IP from the "rogue" DHCP server, which is not configured with the "trust" rule.

Am I missing something?

I'm using the c3560-ipservicesk9 version.

2 Replies

bavo (Level 1)

OK, after 6 hours of testing so far.

After a caching thing, I discovered that when I disable port 10 (the good DHCP) I do not receive an IP address from the rogue router (port 15). But the port is not in the err-disable state.

When I configure "ip dhcp snooping trust" on port 15 (the rogue DHCP), I'm able to receive an IP address.

Conclusion so far:
I could say that DHCP snooping holds the DORA packets, but it does not transition the port into the error-disable state nor log the action.
So I'm looking into the violation actions.

In the last few days I have been looking for the reason why the port is not set to the err-disable state when a rogue DHCP server is connected to the switch and the switch is configured for "ip dhcp snooping".

I found out that the port is holding the DORA packets of the rogue DHCP server. But the port will never be put in the err-disable state. Never was. Not even a log message. It was never built for that protocol.

This is a flaw in the documentation of DHCP snooping. I think this should be in the docs. Maybe it will be in the future.

Case closed
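As an added example (not the poster's own configuration), this is how the two test switches could be configured so that untrusted ports drop rogue server replies while err-disable is reserved for the DHCP snooping rate limit, which is the only snooping condition that err-disables a port. The interface names, the trunk port and the rate-limit value are assumptions.

```ios
! Added example, not the poster's configuration. Interface names, the
! trunk port and the rate-limit value are assumptions for illustration.
!
! Global: enable DHCP snooping only on the VLAN the hosts use. The poster's
! "vlan 1-2048" works, but scoping it to VLAN 110 limits the feature to
! where it is needed.
ip dhcp snooping
ip dhcp snooping vlan 110
!
! Trusted ports: the port facing the legitimate DHCP server (RV180 on
! TS01 port 10) and the trunk between the two switches, so that replies
! crossing the trunk are not dropped on the switch where the client sits.
interface FastEthernet0/10
 description Legitimate DHCP server (RV180)
 ip dhcp snooping trust
!
interface GigabitEthernet0/1
 description Trunk TS01<->TS02 (assumed port)
 switchport mode trunk
 ip dhcp snooping trust
!
! Untrusted access port (the default): server-originated messages
! (OFFER/ACK/NAK) arriving here are dropped, which is why the laptop got
! no lease from the rogue router on port 15 once port 10 was down.
! The drop itself never err-disables the port; only exceeding the
! per-port rate limit below does.
interface FastEthernet0/15
 description Rogue DHCP router under test (untrusted)
 ip dhcp snooping limit rate 15
!
! Optional: bring a rate-limit err-disabled port back automatically.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification from exec mode:
!   show ip dhcp snooping            -> enabled VLANs and trusted ports
!   show ip dhcp snooping binding    -> leases learned on untrusted ports
!   show ip dhcp snooping statistics -> drop counters (on IOS releases
!                                       that support this command)
```

The statistics and binding output are the place to confirm that the rogue OFFERs were dropped, since no port state change or syslog entry is generated for the drop itself.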
