Is DHCP Snooping not working?

jeetkulkarni
Level 1

We have some 3560s in our environment.

Currently we have an interface configured as below:

interface FastEthernet0/26
 switchport access vlan 110
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 1019
 switchport port-security maximum 10
 switchport port-security
 switchport port-security aging time 5
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 spanning-tree portfast

Our global configuration for DHCP snooping is -

ip dhcp snooping vlan 110,105,505


Our office space is currently shared. Someone plugged an IP phone into this switch on the port above, and other clients in our network started getting IP addresses from their network. Their network VLAN was 60. Are we doing anything wrong?

Right now we have removed the device, but how can we prevent this from happening again?


6 Replies

Could you please check your uplink from this switch ?

Is it trunk or access port ?

The DHCP server allocates the IP address based on the source of the request. I guess there is some misconfiguration that resulted in your DHCP server receiving requests sourced from VLAN 60.

Rolf Fischer
Level 9

Our global configuration for DHCP snooping is -

ip dhcp snooping vlan 110,105,505

Is dhcp snooping enabled on that switch? Could you please post the outputs of

  • show ip dhcp snooping
  • show ip dhcp snooping statistics detail

The command output is below:

Switch DHCP snooping is disabled
DHCP snooping is configured on following VLANs:
110,105,505
DHCP snooping is operational on following VLANs:
110,105,505
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0017.59f7.1300 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/x         yes        yes             unlimited
  Custom circuit-ids:

NZAKL1NET2#show ip dhcp snooping statistics detail
 Packets Processed by DHCP Snooping                    = 0
 Packets Dropped Because
   IDB not known                                       = 0
   Queue full                                          = 0
   Interface is in errdisabled                         = 0
   Rate limit exceeded                                 = 0
   Received on untrusted ports                         = 0
   Nonzero giaddr                                      = 0
   Source mac not equal to chaddr                      = 0
   No binding entry                                    = 0
   Insertion of opt82 fail                             = 0
   Unknown packet                                      = 0
   Interface Down                                      = 0
   Unknown output interface                            = 0
   Misdirected Packets                                 = 0
   Packets with Invalid Size                           = 0
   Packets with Invalid Option                         = 0

The issue happened because an HP phone was plugged into the wrong network, and its piggyback network port, which was meant to be connected to a desktop/client, was plugged back into our network.

The first line of 'show ip dhcp snooping' is often overlooked:

Switch DHCP snooping is disabled
DHCP snooping is configured on following VLANs:
110,105,505

You have defined a VLAN range, but the feature itself needs to be enabled as well.

Julio has already shown you how to enable it. The order is important too: before enabling DHCP snooping on a switch you should first configure the trusted ports (all the uplinks/trunks and also the edge ports directly connected to DHCP servers) and any additional features. This is, by the way, the reason why the feature itself needs to be explicitly enabled: you can prepare all the necessary configuration first and enable it when everything is ready.

The second show command I asked for can be very useful once you have enabled dhcp snooping on the switch.

Hi

Your configuration could be:

ip dhcp snooping
ip dhcp snooping vlan 105,110,505,1019
! DHCP snooping will be applied only to these VLANs
no ip dhcp snooping information option

interface FastEthernet0/26
 switchport access vlan 110
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 1019
 switchport port-security maximum 10
 switchport port-security
 switchport port-security aging time 5
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 spanning-tree portfast
 ip dhcp snooping limit rate 20

interface g1/1/1
 description TRUNK
 ip dhcp snooping trust

* I recommend configuring DHCP snooping on the access switches only. Also, ip dhcp snooping trust must be configured on the trunk interfaces only.

Hope it is useful

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Also, all the other L2 trunks that carry traffic for the same VLANs need to be configured with ip dhcp snooping trust.
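As an added example (not code from anyone in this thread), a small Python check that reads 'show ip dhcp snooping' output the way Rolf describes and flags the two misconfigurations discussed: VLANs listed while the feature is globally disabled, and trust settings that do not match the list of trunks Julio says should be the only trusted ports. The sample output and the trunk names are constructed for the example.

```python
import re

# Constructed sample modelled on the 'show ip dhcp snooping' output posted above.
SHOW_SNOOPING = """\
Switch DHCP snooping is disabled
DHCP snooping is configured on following VLANs:
110,105,505
DHCP snooping is operational on following VLANs:
110,105,505
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
FastEthernet0/26           no         no              20
FastEthernet0/27           yes        yes             unlimited
"""


def parse_show_snooping(text: str) -> dict:
    """Extract global state, configured VLANs and per-port trust/rate."""
    m = re.search(r"^Switch DHCP snooping is (enabled|disabled)$", text, re.M)
    enabled = bool(m) and m.group(1) == "enabled"
    vlans = []
    m = re.search(r"configured on following VLANs:\n([\d,\-]+)", text)
    if m:
        for part in m.group(1).split(","):  # handles "110,105" and ranges "10-20"
            lo, _, hi = part.partition("-")
            vlans.extend(range(int(lo), int(hi or lo) + 1))
    ifaces = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(\S+)\s+(yes|no)\s+(yes|no)\s+(unlimited|\d+)", line.strip())
        if m:
            ifaces[m.group(1)] = (m.group(2) == "yes", m.group(4))
    return {"enabled": enabled, "vlans": vlans, "interfaces": ifaces}


def audit(state: dict, trunks: set) -> list:
    """Findings for a defender; 'trunks' is the set of ports that should be trusted."""
    findings = []
    if state["vlans"] and not state["enabled"]:
        findings.append("VLANs configured but 'ip dhcp snooping' is not enabled globally: no protection")
    for name, (trusted, _rate) in state["interfaces"].items():
        if trusted and name not in trunks:
            findings.append(f"{name}: trusted but not an uplink/DHCP-server port")
    for name in sorted(trunks - set(state["interfaces"])):
        findings.append(f"{name}: trunk not trusted; real DHCP offers will be dropped once snooping is enabled")
    return findings


if __name__ == "__main__":
    for f in audit(parse_show_snooping(SHOW_SNOOPING), {"GigabitEthernet0/1", "GigabitEthernet0/2"}):
        print(f)
```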
