question about catalyst 2960s dhcp snooping

jackson.ku
Level 3

Hi,

The network diagram is:

dhcp client - ( SW1 port 1 ) - SW1 - ( SW1 port 2 ) - SW2 - dhcp server

The SW1 is a Catalyst 2960S switch ( WS-C2960S-48TD-L ) with the universal image ( c2960s-universalk9-mz.122-55.SE7 ).

We tried to enable the dhcp snooping feature. If SW1 port 1 is configured as an untrusted port and SW1 port 2 is configured as a trusted port, the dhcp client can get an IP address from the dhcp server immediately. If both SW1 port 1 & port 2 are configured as untrusted ports, the dhcp client can still get the IP address after 1 minute. ( it seems not correct!! )

Please help to identify the problem.

The switch configuration is :

ip dhcp snooping vlan 1
no ip dhcp snooping verify mac-address
ip dhcp snooping
interface GigabitEthernet1/0/1
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 spanning-tree portfast
.......

Best Regards,


Peter Paluch
Cisco Employee

Hello Jackson,

This is interesting. Have you tried to completely deconfigure the DHCP client, i.e. perform ipconfig /release if it is running under Windows, and only then tried to acquire the IP address? There is a slight possibility that the client uses unicast IP communication with the DHCP server after it knows who the DHCP server is, somehow bypassing DHCP Snooping protection (although very improbable!)

Anyway, please configure the Gi1/0/1 and Gi1/0/2 ports with switchport mode access - currently, they are in dynamic mode.

Best regards,

Peter

Hi,

We disconnected / reconnected the dhcp client LAN cable to release / renew the IP address.

Best Regards,

Hi,

I tried to run ipconfig /release, and then the dhcp client cannot get an IP address if both the dhcp server and client are connected to untrusted ports. Why doesn't it work when I disconnect / reconnect the dhcp client LAN cable?

Best Regards,

Hi Peter,

There is a slight possibility that the client uses unicast IP communication with the DHCP server after it knows who the DHCP server is, somehow bypassing DHCP Snooping protection (although very improbable!)

Can you explain further? The DHCP snooping process is blocking server-side messages on untrusted ports, so how could the client's type of communication (broadcast or unicast) influence this?

Regards

Alain

Don't forget to rate helpful posts.
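Modelling the point Alain raises, as an added example (not Cisco's implementation and not code from this thread): the snooping verdict below depends only on the ingress port's trust state and on whether the packet is a BOOTP reply, so a unicast renewal ACK from the server is dropped on an untrusted port exactly like a broadcast OFFER, and with Gi1/0/2 untrusted the client can never complete a lease through the switch. The DHCP payloads are constructed, the Gi1/0/1 / Gi1/0/2 topology is taken from the thread, and the unicast flag is an assumed parameter present only to show that it is never consulted.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that follows the 236-byte BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2        # BOOTP 'op': 1 = from client, 2 = from server

def build_dhcp(op, msg_type):
    """Constructed minimal DHCP payload: fixed header, cookie, option 53 (message type), end."""
    fixed = struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 232   # op, htype, hlen, hops, then zeros
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])

def parse_dhcp(payload):
    """Return (op, message type) for a DHCP payload, or None if it is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:
        if payload[i] == 0:              # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:
            return payload[0], payload[i + 2]
        i += 2 + length
    return None

def snoop(ingress_trusted, payload, unicast):
    """Snooping verdict for one frame. Only the ingress port's trust state and the BOOTP
    op field are consulted; 'unicast' is an assumed parameter kept to show it is never used."""
    parsed = parse_dhcp(payload)
    if parsed is None:
        return "forward"                 # non-DHCP traffic is left alone
    op, _msg_type = parsed
    if op == BOOTREPLY and not ingress_trusted:
        return "drop"                    # OFFER/ACK/NAK entering on an untrusted port
    return "forward"                     # client messages, and replies on trusted ports

def exchange(server_port_trusted, renewing=False):
    """Run the thread's topology: client on untrusted Gi1/0/1, server behind Gi1/0/2.
    Returns the per-message verdict; the lease is obtained only if the ACK is forwarded."""
    ports = {"Gi1/0/1": False, "Gi1/0/2": server_port_trusted}
    if renewing:                         # renewal: REQUEST and ACK are unicast, not broadcast
        steps = [("REQUEST", BOOTREQUEST, 3, "Gi1/0/1", True), ("ACK", BOOTREPLY, 5, "Gi1/0/2", True)]
    else:
        steps = [("DISCOVER", BOOTREQUEST, 1, "Gi1/0/1", False), ("OFFER", BOOTREPLY, 2, "Gi1/0/2", False),
                 ("REQUEST", BOOTREQUEST, 3, "Gi1/0/1", False), ("ACK", BOOTREPLY, 5, "Gi1/0/2", False)]
    return {name: snoop(ports[port], build_dhcp(op, t), uni) for name, op, t, port, uni in steps}

def lease_obtained(server_port_trusted, renewing=False):
    return exchange(server_port_trusted, renewing)["ACK"] == "forward"
```

If the client still ends up with an address when both ports are untrusted, the model says the address did not come through the switch's DHCP path: checking the client for a retained lease, as Peter suggests with ipconfig /release, is the right first step.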