
problem with enabling dhcp snooping on 1 vlan

hi all,

I got some problem with enabling dhcp snooping on 4500 (cat4500e-lanbasek9-mz.122-54.SG.bin)

the topology is as below:

dhcp snooping enabled only on CORE (with interface trusted to dhcp server)

[image: snooping.jpg]

the problem is that I put these 2 commands

ip dhcp snooping

ip dhcp snooping vlan 1

but it is not enabled on any vlan

SW-CORE#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 1cdf.0ffe.1600 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet6/48        yes        yes             unlimited
  Custom circuit-ids:

On B1 if I turn it on there is a "1" in the section "DHCP snooping is configured on following VLANs:" but on core no.

As you can see I did put the trusted on the interface in the direction to the dhcp.

First I thought it can be a problem with option 82, I've read a lot about the issues with that, but the problem would be explicable if the client did receive IP address, but it does.

Right now I have no access to the devices so deep troubleshooting is limited so any raw suggestions?

regards

Przemek


Reza Sharifi
Hall of Fame

Hi,

In addition to configuring it under the interface, you also need to enable it globally

have a look at this example:

Switch(config)#ip dhcp snooping vlan 1
Switch(config)#do sh ip dh snoo
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is operational on following VLANs:
1
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 001b.5400.3380 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/1       yes        yes             unlimited
  Custom circuit-ids:
Switch(config)#

HTH

hi,

thx for reply,

I wasn't clear enough - I know that it must be enabled and I did put these 2 commands globally in the first place, but still I got none in the place where vlans are mentioned. Show run indicated that it is enabled globally and in the vlan, but show ip dhcp snooping as pasted previously.

I tried it on 2960 (B1) and it's ok (right now it's disabled if that matters), the problem is only with 4500 what is really frustrating.

I forgot to add that somehow dhcp snooping was working as expected that when I change the interface to which the B2 switch is connected (the one with dhcp server) to the untrusted, the station couldn't get the IP address. So it seems that only binding table is not being built and that it shows it is enabled on none vlans.

Binding table is essential here cause I want to use DAI  so please help

regards

Przemek

ok it's working

after disabling it and enabling in the same manner it started to work. Don't know why it didn't in the first place.

regards
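
A check for the mismatch described in this thread, added here as an example and not taken from any of the posts: it compares the "ip dhcp snooping vlan" lines in the running configuration with the VLAN lists in "show ip dhcp snooping" and reports VLANs that are in the config but not listed, which is worth confirming before turning on DAI since DAI relies on the snooping binding table. The sample inputs are constructed from the output quoted above, the function names are hypothetical, and only the plain global "ip dhcp snooping vlan <list>" form is parsed.

```python
import re

# Constructed sample input modelled on the thread: the commands are in the
# running config, but the show output lists no VLANs.
RUNNING_CONFIG = "ip dhcp snooping vlan 1\nip dhcp snooping\n"
SHOW_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
"""

def expand_vlans(text):
    """Expand an IOS VLAN list such as '1,10-12' (or 'none') into a set of ints."""
    vlans = set()
    for part in re.split(r"[,\s]+", text.strip()):
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def vlans_from_running_config(config):
    """Collect VLANs named by global 'ip dhcp snooping vlan <list>' lines."""
    vlans = set()
    for m in re.finditer(r"^ip dhcp snooping vlan (\S+)[ \t]*$", config, re.M):
        vlans |= expand_vlans(m.group(1))
    return vlans

def vlans_from_show(output, section):
    """Return VLANs under 'DHCP snooping is <section> on following VLANs:'."""
    pattern = (rf"DHCP snooping is {section} on following VLANs:\s*\n"
               r"((?:\s*(?:none|\d[\d,\- ]*)\s*\n)*)")
    m = re.search(pattern, output)
    return expand_vlans(m.group(1)) if m else set()

def audit(config, show_output):
    """Report VLANs present in the config but missing from the show output."""
    wanted = vlans_from_running_config(config)
    return {
        "globally_enabled": "Switch DHCP snooping is enabled" in show_output,
        "not_configured": sorted(wanted - vlans_from_show(show_output, "configured")),
        "not_operational": sorted(wanted - vlans_from_show(show_output, "operational")),
    }

if __name__ == "__main__":
    print(audit(RUNNING_CONFIG, SHOW_OUTPUT))
```
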
