ip dhcp snooping with local dhcp pools

CraigChapman
Level 1

Good evening. I have set up local pools with ip dhcp snooping before with no issues. However, I have recently invested in a WS-C3650-48TS, and the issue I have when enabling ip dhcp snooping is that the binding status sits at Selecting.

IP address        Client-ID/                               Lease expiration        Type       State      Interface
                      Hardware address/
                        User name
10.108.50.51    0100.0acd.2815.cb       Oct 04 2017 06:52 PM    Automatic  Selecting  Vlan50

As the L3 switch isn't on a selected interface, I can't set the trust on the interface, as it's hosted locally. As soon as I remove ip dhcp snooping all is well again. Can anyone help?

!
ip routing
!
ip domain-name ips-sw01.sedomain.local
ip dhcp binding cleanup interval 60
ip dhcp snooping vlan 10,20,30,40,50,60,70
no ip dhcp snooping information option
ip dhcp snooping
ip dhcp excluded-address 10.108.20.1 10.108.20.50
ip dhcp excluded-address 10.108.20.240 10.108.20.254
ip dhcp excluded-address 10.108.30.1 10.108.30.50
ip dhcp excluded-address 10.108.30.240 10.108.30.254
ip dhcp excluded-address 10.108.40.1 10.108.40.50
ip dhcp excluded-address 10.108.40.240 10.108.40.254
ip dhcp excluded-address 10.108.50.1 10.108.50.50
ip dhcp excluded-address 10.108.50.240 10.108.50.254
ip dhcp excluded-address 10.108.70.1 10.108.70.50
ip dhcp excluded-address 10.108.70.240 10.108.70.254
!
ip dhcp pool vlan_20
 network 10.108.20.0 255.255.255.0
 dns-server 10.108.20.254 8.8.8.8
 default-router 10.108.20.254
 lease 0 10
!
ip dhcp pool vlan_30
 network 10.108.30.0 255.255.255.0
 dns-server 10.108.30.254 8.8.8.8
 default-router 10.108.30.254
 lease 0 10
!
ip dhcp pool vlan_40
 network 10.108.40.0 255.255.255.0
 dns-server 10.108.40.254 8.8.8.8
 default-router 10.108.40.254
 lease 0 10
!
ip dhcp pool vlan_70
 network 10.108.70.0 255.255.255.0
 dns-server 10.108.70.254 8.8.8.8
 default-router 10.108.70.254
 lease 0 10
!
ip dhcp pool vlan_50
 network 10.108.50.0 255.255.255.0
 dns-server 10.108.50.254 8.8.8.8
 default-router 10.108.50.254
 lease 0 10
!
!
login block-for 300 attempts 5 within 100
login on-failure log
login on-success log
qos queue-softmax-multiplier 100
vtp mode off
!

errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause storm-control
diagnostic bootup level minimal

spanning-tree mode pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1,10,20,30,40,50,60,70 priority 16384
hw-switch switch 1 logging onboard message level 3

PC connected to Gi1/0/1:

interface GigabitEthernet1/0/1
 description **     VLAN50     **
 switchport access vlan 50
 switchport mode access
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 switchport port-security
 load-interval 30
 storm-control broadcast level 20.00
 storm-control multicast level 20.00
 storm-control action trap
 no cdp enable
 spanning-tree portfast

VLAN details:

interface Vlan50
 ip address 10.108.50.254 255.255.255.0 secondary
 ip address 10.108.50.15 255.255.255.0
!

As you can see, the switch goes to give out a lease, but it never becomes active.

Any ideas?

Kind regards,

Craig

5 Replies

Julio E. Moisa
VIP Alumni

Hi,

Usually the DHCP scopes are created on the distribution or core switches and DHCP snooping is deployed on the access switches only. Is this switch being used for core and access as well?




>> Mark as helpful or answered if the reply resolved the question; this helps with future queries from other community members. <<

It is indeed being used for both; on the 2960X it seems to be ok, but on the C3650 I just can't get it to play ball.

I also spotted this:

#show ip dhcp snooping statistics
 Packets Forwarded                                     = 138
 Packets Dropped                                       = 151
 Packets Dropped From untrusted ports                  = 151

Hi

I see. DHCP snooping is used to protect your LAN from external or unauthorized DHCP servers. I think DHCP snooping is not required on the same switch where the scopes and gateways are created; the switch should handle the DHCP packets with the client devices directly.

>> Mark as helpful or answered if the reply resolved the question; this helps with future queries from other community members. <<
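The two-tier layout Julio describes in both of his replies (pools and SVIs on the L3 switch, DHCP snooping on the access switches only) as an added example, not configuration from this thread: this is the access-switch side, with the uplink to the 3650 trusted and every edge port left untrusted and rate-limited. The interface numbers, the VLAN list (copied from Craig's post) and the database filename are assumptions.

```cisco
! Added example (not from the thread): access-switch side of the two-tier design.
! Pools and gateways stay on the 3650; this switch only snoops.
! Interface numbers, VLAN list and database filename are assumptions.
ip dhcp snooping vlan 10,20,30,40,50,60,70
! Keep option 82 off unless the IOS DHCP server is told to accept it
! (see note below); Craig already has this line on the 3650.
no ip dhcp snooping information option
! Persist the binding table so DAI / IP Source Guard survive a reload.
ip dhcp snooping database flash:dhcp-snooping.db
ip dhcp snooping
!
! The only port a DHCP server or relay is ever allowed to answer from.
interface GigabitEthernet1/0/48
 description ** uplink to 3650 (gateway + DHCP server) **
 switchport mode trunk
 ip dhcp snooping trust
!
! Edge ports stay untrusted (the default): an OFFER/ACK sourced on any of
! them is dropped, and the binding table is built only from replies seen on
! the trusted uplink. The rate limit caps DISCOVER floods from a single port.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 ip dhcp snooping limit rate 15
!
! A port that trips the rate limit goes err-disabled; let it recover itself.
errdisable recovery cause dhcp-rate-limit
!
! Checks:
!  show ip dhcp snooping             -> only Gi1/0/48 listed as trusted
!  show ip dhcp snooping binding     -> one entry per client, on an edge port
!  show ip dhcp snooping statistics  -> untrusted-port drops should be rogue
!                                       OFFERs, not legitimate client traffic
!  (on the 3650) show ip dhcp binding -> leases reach state Active
```

One caveat that bites exactly this kind of setup: if the access switch is left inserting option 82 (the default) while the clients and the IOS DHCP server sit in the same VLAN, the inserted option arrives with giaddr 0 and the server discards the packet unless it is configured with `ip dhcp relay information trust-all` (or `ip dhcp relay information trusted` on the SVI). Turning the option off on the snooping switch, as above, avoids the problem entirely.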

Ah ok, interesting. We used to run DHCP on a server, but we had the odd issue where users would plug in their own APs to try and add their phones to the network (naughty end users), and of course people would plug in BT hubs from home with a DHCP server enabled, which of course caused lots of issues.

Obviously we don't allow users to do such a thing, but unfortunately every now and then this has happened.

DHCP is now hosted from the switch and has worked perfectly. Do you think in this scenario, with DHCP running from the switch, all will be ok?

Kind regards,

Craig.

I have now tested this, and it seems that even if DHCP is running from the switch, a rogue device can still take over the DHCP scope.
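Craig's last test (a rogue DHCP server on an edge port still wins even though the scope lives on the switch) is the exact attack DHCP snooping exists to stop, and the thread leaves the snooping-plus-local-server problem on this 3650 unresolved. The following is an added example, not configuration from the thread: a port ACL on the untrusted edge ports that drops server-side DHCP regardless of whether snooping is working. It assumes IPv4 port ACLs on Layer 2 access ports (supported on the 3650) and reuses Craig's Gi1/0/1; the ACL name is an assumption.

```cisco
! Added example (not from the thread): drop DHCP server traffic that arrives
! on an untrusted edge port. A real client only ever sends UDP 68 -> 67;
! anything sourced from UDP 67 on an access port is a rogue server (or a
! relay) and is dropped before it reaches the VLAN. ACL name and port are
! assumptions.
ip access-list extended NO-ROGUE-DHCP-SERVER
 remark -- drop OFFER/ACK (server -> client) sourced on this port
 deny   udp any eq bootps any eq bootpc
 remark -- drop server -> relay traffic too; edge ports never relay
 deny   udp any eq bootps any eq bootps
 remark -- everything else, including client DISCOVER/REQUEST (68 -> 67), passes
 permit ip any any
!
! Weak: Craig's edge port as posted. Port security limits MAC addresses but
! says nothing about what a permitted device is allowed to send, so a home
! router plugged in here can answer DISCOVERs on VLAN 50.
interface GigabitEthernet1/0/1
 description **     VLAN50     **
 switchport access vlan 50
 switchport mode access
 switchport port-security
 spanning-tree portfast
!
! Hardened: the same port with the PACL applied inbound.
interface GigabitEthernet1/0/1
 description **     VLAN50     **
 switchport access vlan 50
 switchport mode access
 switchport port-security
 ip access-group NO-ROGUE-DHCP-SERVER in
 spanning-tree portfast
!
! Check: plug a test DHCP server into Gi1/0/1, renew a client on the VLAN,
! and confirm the lease still comes from 10.108.50.254.
!  show ip access-lists NO-ROGUE-DHCP-SERVER
!  show ip dhcp binding
```

The ACL only filters; it does not build the binding table that Dynamic ARP Inspection and IP Source Guard depend on, so it is a stop-gap for the rogue-server case rather than a replacement for getting snooping working. Apply it to every untrusted access port (an `interface range` works), never to the uplink or to the port of a legitimate server.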