Struggling with the basics of DHCP snooping

Andy White
Level 3

Hello,

I am trying to understand the basics of DHCP snooping.  I have just a 3560 switch and a laptop (to get a DHCP address) and my DSL router which has a DHCP server running.  On the switch I have enabled "IP DHCP Snooping" and "IP DHCP Snooping VLAN 1", plugged the laptop and DSL router in, and the laptop gets an IP address, should it?

I thought all ports were untrusted by default so the DHCP server should be blocked from offering IP addresses? If I wanted the DHCP server to be allowed to offer IPs I thought I should need to trust the port.

Please shed some light, I am at a loss and need to bring this right back to the basics I think.

Kind Regards

3 Replies

Andy White
Level 3

I have an update, after doing a 'wr erase' and 'del vlan.dat' and updating the IOS it seems to be working.  If the port where my DSL DHCP router is plugged in is untrusted, nothing gets an IP address, but I get no alerts in the console to say this is happening, the laptop and PC just fail to get an IP.

1.) How would I ever know a rogue DHCP server was put on our network if nothing is logged?

2.) When I trusted the DHCP server port all started to work, the laptop and PC got IP addresses, but I did then start to get these alerts come in, what are they?

Jan 19 18:40:12.597: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001a.1619.f0f0, MAC sa: 001a.130a.f0f6

3.) If I wanted DHCP snooping on all VLANs do I just need the 'IP DHCP Snooping' command or do I need to specify all the VLANs?

Thanks

Hi Andy,

To specify DHCP snooping for a VLAN, say VLAN 10,

you need this command:

ip dhcp snooping vlan 10

Also you need to enable ip dhcp snooping globally.

Here is an example of my switch output:

3550SMIB#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30
DHCP snooping is operational on following VLANs:
10,20,30
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/20             yes         unlimited

Thanks,

Mahesh

Hello,

1.) Is there any way to log the fact that a rogue DHCP server has been put on the network?

2.) When I trusted the DHCP server port all started to work, the laptop and PC got IP addresses, but I did then start to get these alerts come in, what are they?

Jan 19 18:40:12.597: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001a.1619.f0f0, MAC sa: 001a.130a.f0f6

3.) Would I use option 82 on trunk links only because there may be a downstream DHCP server?

Thanks
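The `%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL` line quoted above is the kind of syslog entry a monitoring script can pick apart. This is an added Python example, not code from the thread: it parses that exact message format and tallies drops per (chaddr, source MAC) pair, using sample lines constructed from the one in the post.

```python
import re
from collections import Counter

# Pattern for the %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL line format
# quoted in the thread (timestamp, facility-severity-mnemonic, reason, fields).
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
LOG_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%DHCP_SNOOPING-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): "
    r"DHCP_SNOOPING drop message because (?P<reason>.+?), "
    r"message type: (?P<msgtype>[A-Z]+), "
    rf"chaddr: (?P<chaddr>{MAC}), MAC sa: (?P<sa>{MAC})"
)

def parse_drop(line):
    """Return the fields of one DHCP snooping drop line, or None if it is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def tally_mismatches(lines):
    """Count MATCH_MAC_FAIL drops per (chaddr, frame source MAC) pair.

    A recurring pair shows which host (by frame source MAC) keeps sending DHCP
    messages whose client hardware address differs from it, which is what the
    hwaddr verification shown in 'sh ip dhcp snooping' drops.
    """
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec and rec["mnemonic"] == "DHCP_SNOOPING_MATCH_MAC_FAIL":
            counts[(rec["chaddr"], rec["sa"])] += 1
    return dict(counts)

# Constructed sample: the line quoted in the post plus variants made up for the demo.
SAMPLE_LOG = [
    "Jan 19 18:40:12.597: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001a.1619.f0f0, MAC sa: 001a.130a.f0f6",
    "Jan 19 18:40:15.101: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 001a.1619.f0f0, MAC sa: 001a.130a.f0f6",
    "Jan 19 18:41:02.004: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for (chaddr, sa), n in tally_mismatches(SAMPLE_LOG).items():
        print(f"chaddr {chaddr} vs source MAC {sa}: {n} drops")
```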
