Hey,Well your theory seems to

eXPlosion · ‎08-05-2014

Let's say there is a client router connected on switch port G1/0/6. But command on switch "show mac address table int G1/0/6" shows nothing. Also command "sh ip dhcp snooping binding int G1/0/6" also shows nothing. So i do not see routers mac or ip adress on that port. Then i run the command "no ip verify source port-security" and i see routers mac with "sh mac address table" command but do not see routers ip with "dhcp snooping".

Then in the loggs appears folowing lines:

Aug 1 07:08:18.434 EEST: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi1/0/6

, vlan 376.([0024.a534.55f3/192.168.0.100/001b.0dff.5e00/192.168.0.1/07:08:18

It seems like router got private ip address from rogue dhcp which is on the same vlan.

The question then is why "ip dhcp snooping binding" doesn't show this private ip address 192.168.0.100.

Because it is not in the dhcp snooping database switch doesn't accept packets from this router (because of ip verify source port-security command) and that's why routers mac address isn't also in mac adddress table before i used command "no ip verify source port-security". Am i right?

eXPlosion · ‎08-07-2014

Nobody experienced similar issue?

Rajeev Sharma · ‎08-07-2014

Hey,

Well your theory seems to be right. The IP address wont show up in binding table as it got IP address from rouge DHCP server, but why or how it got IP address from rouge machine while DHCP Snooping running for that vlan.

HTH.

Regards,

RS.

eXPlosion · ‎08-07-2014

well, this switch is cisco but uplink switch has also connections to non cisco switches which doesn't support DHCP snooping. That is how client's router got ip from rogue dhcp server connected to non cisco switch. So the question is then why dhcp snooping binding doesn't show snooping with private ip address 192.168.0.1 on port connected to router.

Rajeev Sharma · ‎08-07-2014

Hey,

As switch running DHCP Snooping never saw DORA packets responsible for obtaining IP address dynamically.

HTH.

Regards,

RS.

eXPlosion · ‎08-07-2014

I'm sorry I don't understand what you said. You mean you never saw dhcp snooping with dynamic ip allocation?

Rajeev Sharma · ‎08-07-2014

Yes, i am talking about 192.168.0.100 address as you mentioned that it came from some other switch which doesn't support snooping.

Regards,
RS.

eXPlosion · ‎08-08-2014

yes, i gues it came from incorectly connected client's router which is connected to switch which doesn't support dhcp snooping. what did you meant by saying "As switch running DHCP Snooping never saw DORA packets responsible for obtaining IP address dynamically."

Rajeev Sharma · ‎08-08-2014

Hey,

DHCP Snooping binding table is created by actively monitoring server packets namely OFFER and ACK packets of DORA (Discover, Offer, Request, Ack) process. So switch running snooping never saw the OFFER and ACK packets never traversed through this switch for router IP address, hence no entry in the binding table.

For DHCP/DORA process , check the follwoing link:

http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/27470-100.html#dhcpmessage

HTH.

Regards,
RS.