06-01-2016 08:36 AM - edited 03-08-2019 06:02 AM
Hello everyone!
Today we implemented DHCP snooping on a 2960-X running version 15.0(2a)EX5.
When we implemented the feature we noticed a weird behavior.
We performed testing and noticed that when the client sends a DHCP request, the server on the untrusted port never receives the DHCP request.
Is this how the feature is supposed to work? Because what I remember is that only the DHCP offers are filtered.
Thanks!
06-01-2016 11:23 AM
Sorry about the confusion.
If you have a DHCP server on an Untrusted port it shouldn't receive a Discover or a Request.
"This proves that the client PC is sending the DHCP discovery message, but the switch does not forward it anywhere. This is normal behavior of this feature: it will not forward DHCP broadcast messages to any ports unless you configure them as trusted ports."
06-01-2016 08:58 AM
Do you have a router between the Client and the DHCP Server?
Do you have all of the trunk ports leading from the DHCP server to the client switch set as trusted ports?
From my knowledge, clients on untrusted ports should be able to send DHCP Discover and DHCP Request packets. DHCP trusted ports should be the only ports able to send DHCP Offer and DHCP ACK packets.
If you have a router in between the client and the server, you might want to look at Option 82.
Does that help?
06-01-2016 09:02 AM
Hi Cristopher,
Thank you for your answer, but you didn't understand my question.
We connected a DHCP server to an untrusted port and it didn't receive the DHCP request packet. We needed to know whether this is the correct behavior, because from what I remember DHCP snooping only filters DHCP offers from untrusted ports.
After searching a little on the internet, it looks like this is the correct behavior.
https://mrncciew.com/2012/12/27/understanding-dhcp-snooping/
Thanks,
06-01-2016 02:58 PM
Hello
Yes, you are correct. By default DHCP snooping drops any DHCP server messages (OFFER, ACK, NAK, LEASEQUERY) that it receives on an untrusted port.
If a DHCP server message (OFFER, ACK, NAK, LEASEQUERY) is received on an untrusted port, it is dropped. This prevents unauthorized DHCP servers from sending packets into the network.
If a DHCP client message (DISCOVER, REQUEST, DECLINE, INFORM, RELEASE) is received on an untrusted port and the source MAC address of the frame does not match the chaddr (client hardware address) field inside the message body, it is dropped. This prevents a client from sending messages claiming a different MAC address than the one truly owned by the client.
res
Paul
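To make the rules discussed in this thread concrete (client messages from untrusted ports are only flooded toward trusted ports, server messages arriving on untrusted ports are dropped, and a client message whose chaddr does not match the frame's source MAC is dropped), here is a small Python model of a DHCP-snooping switch. It is an added example written for this page, not code from Cisco or from any poster; the port names, MAC addresses and the DHCP payloads it builds are constructed sample data, and forwarding of server replies from a trusted port is simplified to a flood to all other ports.

```python
"""Model of the DHCP snooping filter rules described in the thread (added example)."""
import struct
from dataclasses import dataclass

# DHCP message types carried in option 53 (RFC 2132 / RFC 4388 for LEASEQUERY)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM, LEASEQUERY = 1, 2, 3, 4, 5, 6, 7, 8, 10
CLIENT_MSGS = {DISCOVER, REQUEST, DECLINE, RELEASE, INFORM}
SERVER_MSGS = {OFFER, ACK, NAK, LEASEQUERY}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options field


def build_dhcp(msg_type: int, chaddr: bytes) -> bytes:
    """Build a minimal BOOTP/DHCP payload (constructed sample data, not a capture)."""
    op = 1 if msg_type in CLIENT_MSGS else 2  # BOOTREQUEST or BOOTREPLY
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,            # op, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,  # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])  # option 53 + end


def parse_dhcp(payload: bytes):
    """Return (message_type, chaddr) from a DHCP payload; chaddr is hlen bytes at offset 28."""
    hlen = payload[2]
    chaddr = payload[28:28 + hlen]
    if payload[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    msg_type, i = None, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:  # end option
            break
        if code == 0:    # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53:
            msg_type = payload[i + 2]
        i += 2 + length
    return msg_type, chaddr


@dataclass(frozen=True)
class Frame:
    src_mac: bytes   # Ethernet source address of the frame
    ingress: str     # port the frame arrived on
    payload: bytes   # DHCP payload (UDP/IP headers omitted in this model)


class SnoopingSwitch:
    def __init__(self, ports, trusted):
        self.ports = set(ports)
        self.trusted = set(trusted)

    def handle(self, frame: Frame):
        """Apply the snooping rules; return ('drop', reason) or ('forward', egress ports)."""
        msg_type, chaddr = parse_dhcp(frame.payload)
        untrusted = frame.ingress not in self.trusted
        if untrusted and msg_type in SERVER_MSGS:
            return "drop", "server message on untrusted port"
        if untrusted and msg_type in CLIENT_MSGS and chaddr != frame.src_mac:
            return "drop", "chaddr does not match source MAC"
        if msg_type in CLIENT_MSGS:
            # Client broadcasts are relayed only toward trusted ports, which is why a
            # DHCP server hung off an untrusted port never sees the DISCOVER/REQUEST.
            egress = self.trusted - {frame.ingress}
        else:
            # Reply from a trusted port: simplified here to a flood to all other ports.
            egress = self.ports - {frame.ingress}
        return "forward", sorted(egress)


if __name__ == "__main__":
    # Hypothetical topology: client and a test DHCP server on untrusted access ports,
    # real DHCP server reachable via the trusted uplink.
    sw = SnoopingSwitch(["Gi1/0/1", "Gi1/0/2", "Gi1/0/24"], trusted=["Gi1/0/24"])
    client, rogue = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")
    print(sw.handle(Frame(client, "Gi1/0/1", build_dhcp(DISCOVER, client))))
    print(sw.handle(Frame(rogue, "Gi1/0/2", build_dhcp(OFFER, client))))
    print(sw.handle(Frame(client, "Gi1/0/1", build_dhcp(REQUEST, rogue))))
```

Running the block shows the behaviour the original poster observed: the client's DISCOVER from Gi1/0/1 is forwarded only to the trusted uplink Gi1/0/24, so the server on untrusted Gi1/0/2 never receives it, and any OFFER that server sends is dropped at ingress.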