Hello,
we are trying to configure our 2960 (C2960-LANBASEK9-M, Version 12.2(50)SE4) with DHCP snooping on ports, the configuration on ASW is:
  ip dhcp snooping
  ip dhcp snooping vlan 2,3
  ip dhcp snooping information option allow-untrusted
Interfaces which connect users:
  interface FastEthernet0/2
   switchport access vlan 2
   switchport mode access
   switchport port-security maximum 4
   switchport port-security
   authentication event fail action authorize vlan 3
   authentication event no-response action authorize vlan 3
   authentication port-control auto
   dot1x pae authenticator
Plus the trunk port is set as a trusted port.
I am not using any routing, DHCP server is connected via the VLAN all the way to the access switches (for both VLANs), so I believe the information option allow-untrusted is unnecessary. But it does not work either way.
Debug:
  %AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.xxxx.xxxx) on Interface Fa0/2
  DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/2 for pak. Was not set
  DHCPSNOOP(hlfm_packet_filter_or_learn): packet with mac xxxx.xxxx.xxxx vlan 2 on interface Fa0/2 is not known by port security, dropped
  %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
  DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/2 for pak. Was not set
  DHCPSNOOP(hlfm_packet_filter_or_learn): packet with mac xxxx.xxxx.xxxx vlan 2 on interface Fa0/2 is not known by port security, dropped
And the DHCPSNOOP messages repeat over and over and that is all.
However, when I set switchport port-security mac-address sticky or turn port-security off altogether, it works just as expected. I really do not know what the issue is because I have seen it work with port-security before.
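To triage this symptom across many ports, the following added script (not from the post or from Cisco) parses the AUTHMGR and DHCPSNOOP debug lines shown above and flags interfaces where a client that was already authorized still has its DHCP packets dropped by port security. The sample log is constructed from the message formats in the post; the MAC addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the debug output above (MACs are placeholders).
SAMPLE_LOG = """\
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.xxxx.xxxx) on Interface Fa0/2
DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/2 for pak. Was not set
DHCPSNOOP(hlfm_packet_filter_or_learn): packet with mac xxxx.xxxx.xxxx vlan 2 on interface Fa0/2 is not known by port security, dropped
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/2 for pak. Was not set
DHCPSNOOP(hlfm_packet_filter_or_learn): packet with mac xxxx.xxxx.xxxx vlan 2 on interface Fa0/2 is not known by port security, dropped
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (aaaa.bbbb.cccc) on Interface Fa0/5
"""

# Patterns taken from the two message formats quoted in the post.
AUTH_RE = re.compile(r"%AUTHMGR-5-SUCCESS: Authorization succeeded for client "
                     r"\(([0-9a-fx.]+)\) on Interface (\S+)")
DROP_RE = re.compile(r"DHCPSNOOP\(hlfm_packet_filter_or_learn\): packet with mac "
                     r"([0-9a-fx.]+) vlan (\d+) on interface (\S+) "
                     r"is not known by port security, dropped")

def analyse(log_text):
    """Per interface: MACs that passed authorization, MACs whose DHCP packets
    were dropped by port security, the drop count, and the VLANs involved."""
    state = defaultdict(lambda: {"authorized": set(), "dropped_macs": set(),
                                 "drops": 0, "vlans": set()})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            mac, intf = m.groups()
            state[intf]["authorized"].add(mac)
            continue
        m = DROP_RE.search(line)
        if m:
            mac, vlan, intf = m.groups()
            s = state[intf]
            s["drops"] += 1
            s["dropped_macs"].add(mac)
            s["vlans"].add(int(vlan))
    return dict(state)

def suspect_interfaces(log_text, threshold=2):
    """Interfaces where an authorized client's DHCP traffic is repeatedly
    dropped by port security: the exact pattern seen on Fa0/2 above."""
    out = []
    for intf, s in analyse(log_text).items():
        stuck = s["authorized"] & s["dropped_macs"]
        if stuck and s["drops"] >= threshold:
            out.append((intf, sorted(stuck), s["drops"]))
    return sorted(out)
```

Feed it the output of a terminal-logged debug session; interfaces that only show drops without a matching authorization are listed by analyse() but not flagged, so the two cases can be told apart.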