08-24-2019 06:26 AM
Could you please help? After this configuration, many users couldn't get a connection.
Note:
I have 2 switches in cascade, and I did the same config on both switches
-------- Config ----------------------
Access-Switch(config)#
ip dhcp snooping vlan 2-3
no ip dhcp snooping information option
ip dhcp snooping
ip dhcp-server x.x.x.25
Access-Switch(config-if)# uplink interface to DHCP Server
ip dhcp snooping trust
--------- Show ------------------------
Access-Switch#sh ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)
Access-Switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
2-3
DHCP snooping is operational on following VLANs:
2-3
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 6899.cd57.3080 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
GigabitEthernet0/2 yes yes unlimited
Custom circuit-ids:
Access-Switch#sh ip dhcp snooping st
Packets Forwarded = 2185
Packets Dropped = 118
Packets Dropped From untrusted ports = 0
Access-Switch#sh ip dhcp snooping st de
Packets Processed by DHCP Snooping = 2306
Packets Dropped Because
IDB not known = 0
Queue full = 0
Interface is in errdisabled = 0
Rate limit exceeded = 0
Received on untrusted ports = 0
Nonzero giaddr = 0
Source mac not equal to chaddr = 8
No binding entry = 0
Insertion of opt82 fail = 0
Unknown packet = 0
Interface Down = 0
Unknown output interface = 8
Misdirected Packets = 51
Packets with Invalid Size = 0
Packets with Invalid Option = 0
Access-Switch#
Access-Switch#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
10:92:66:41:AA:2E   x.x.x.79         80712       dhcp-snooping  2     FastEthernet0/8
94:0E:6B:B1:AA:E7   x.x.x.44         78833       dhcp-snooping  2     FastEthernet0/3
00:34:DA:42:AA:86   x.x.x.149        82903       dhcp-snooping  2     FastEthernet0/8
D0:87:E2:91:AA:87   x.x.x.158        57924       dhcp-snooping  2     FastEthernet0/3
AC:B5:7D:80:AA:19   x.x.x.51         22329       dhcp-snooping  2     FastEthernet0/15
Access-Switch#sh ip dhcp snooping database
Agent URL :
Write delay Timer : 300 seconds
Abort Timer : 300 seconds
Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running
Last Succeded Time : None
Last Failed Time : None
Last Failed Reason : No failure recorded.
Total Attempts : 0 Startup Failures : 0
Successful Transfers : 0 Failed Transfers : 0
Successful Reads : 0 Failed Reads : 0
Successful Writes : 0 Failed Writes : 0
Media Failures : 0
08-24-2019 09:34 AM
Hello Sadek9493,
Have a look at the following related thread:
https://community.cisco.com/t5/switching/dhcp-snooping-misdirected-packets/td-p/3020017
Misdirected packets are packets that should have been punted to the main CPU (process switched), for example because of the presence of IP options like router alert and so on.
They are dropped as a form of protection of the main cpu from possible DoS attacks.
In your case they are just a few and should not be causing the issues.
Be aware that if you have WiFi users and you have a WLC, you need to trust the port to the WLC too, because it changes an internal field in the DHCP request, the gi_address, and this causes DHCP snooping to drop client DHCP requests coming via the WLC.
Hope to help
Giuseppe