Misdirected Packets_DHCP Snooping with switches in cascade

Sadek9493
Level 1

Could you please help? After this configuration, many users couldn't get a connection.

 

Note:

I have 2 switches in cascade, and I did the same config on both switches

 

-------- Config ----------------------
Access-Switch(config)#
ip dhcp snooping vlan 2-3
no ip dhcp snooping information option
ip dhcp snooping
ip dhcp-server x.x.x.25

Access-Switch(config-if)# uplink interface to DHCP Server
ip dhcp snooping trust

--------- Show ------------------------
Access-Switch#sh ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)

Access-Switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
2-3
DHCP snooping is operational on following VLANs:
2-3
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 6899.cd57.3080 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/2         yes        yes             unlimited
Custom circuit-ids:


Access-Switch#sh ip dhcp snooping st
Packets Forwarded = 2185
Packets Dropped = 118
Packets Dropped From untrusted ports = 0

Access-Switch#sh ip dhcp snooping st de
Packets Processed by DHCP Snooping = 2306
Packets Dropped Because
IDB not known = 0
Queue full = 0
Interface is in errdisabled = 0
Rate limit exceeded = 0
Received on untrusted ports = 0
Nonzero giaddr = 0
Source mac not equal to chaddr = 8
No binding entry = 0
Insertion of opt82 fail = 0
Unknown packet = 0
Interface Down = 0
Unknown output interface = 8
Misdirected Packets = 51
Packets with Invalid Size = 0
Packets with Invalid Option = 0
Access-Switch#


Access-Switch#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
10:92:66:41:AA:2E   x.x.x.79         80712       dhcp-snooping  2     FastEthernet0/8
94:0E:6B:B1:AA:E7   x.x.x.44         78833       dhcp-snooping  2     FastEthernet0/3
00:34:DA:42:AA:86   x.x.x.149        82903       dhcp-snooping  2     FastEthernet0/8
D0:87:E2:91:AA:87   x.x.x.158        57924       dhcp-snooping  2     FastEthernet0/3
AC:B5:7D:80:AA:19   x.x.x.51         22329       dhcp-snooping  2     FastEthernet0/15

Access-Switch#sh ip dhcp snooping database
Agent URL :
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeded Time : None
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts : 0 Startup Failures : 0
Successful Transfers : 0 Failed Transfers : 0
Successful Reads : 0 Failed Reads : 0
Successful Writes : 0 Failed Writes : 0
Media Failures : 0

 

1 Reply 1

Giuseppe Larosa
Hall of Fame

Hello Sadek9493,

 

Have a look at the following related thread:

https://community.cisco.com/t5/switching/dhcp-snooping-misdirected-packets/td-p/3020017

 

Misdirected packets are packets that should have been punted to the main CPU (process switched), for example because of the presence of IP options like router alert and so on.

They are dropped as a form of protection of the main CPU from possible DoS attacks.

In your case they are just a few and should not be causing the issues.

 

Be aware that if you have Wi-Fi users and you have a WLC, you need to trust the port to the WLC too, because it changes an internal field in the DHCP request, the gi_address, and this causes DHCP snooping to drop client DHCP requests coming via the WLC.

 

Hope to help

Giuseppe
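
To check the reply's point that the misdirected count is small against the posted counters, this added example (not part of the thread and not a Cisco tool) parses the `show ip dhcp snooping statistics detail` text and ranks the non-zero drop reasons as a share of processed packets. The function names are hypothetical; the sample text is copied from the question above.

```python
import re

# Sample input: the "statistics detail" counters posted in the question.
SAMPLE = """\
Packets Processed by DHCP Snooping = 2306
Packets Dropped Because
IDB not known = 0
Queue full = 0
Interface is in errdisabled = 0
Rate limit exceeded = 0
Received on untrusted ports = 0
Nonzero giaddr = 0
Source mac not equal to chaddr = 8
No binding entry = 0
Insertion of opt82 fail = 0
Unknown packet = 0
Interface Down = 0
Unknown output interface = 8
Misdirected Packets = 51
Packets with Invalid Size = 0
Packets with Invalid Option = 0
"""

def parse_counters(text):
    """Return (processed, {drop reason: count}) from the detail output."""
    processed, drops, in_drops = None, {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Packets Dropped Because"):
            in_drops = True          # every counter after this is a drop reason
            continue
        m = re.fullmatch(r"(.+?)\s*=\s*(\d+)", line)
        if not m:
            continue                 # prompts, blank lines, headings
        name, value = m.group(1), int(m.group(2))
        if in_drops:
            drops[name] = value
        elif name.startswith("Packets Processed"):
            processed = value
    return processed, drops

def rank_drops(text):
    """Non-zero drop reasons, largest first, as (reason, count, % of processed)."""
    processed, drops = parse_counters(text)
    if not processed:
        raise ValueError("no 'Packets Processed' counter found")
    ranked = sorted(((n, c) for n, c in drops.items() if c), key=lambda x: -x[1])
    return [(n, c, round(100.0 * c / processed, 2)) for n, c in ranked]

if __name__ == "__main__":
    for reason, count, pct in rank_drops(SAMPLE):
        print(f"{reason:32s} {count:6d} {pct:6.2f}%")
```

The counters are cumulative, so ranking two captures taken a few minutes apart shows which drop reason is still increasing while users are failing to get a lease.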
