01-19-2013 08:56 AM - edited 03-07-2019 11:11 AM
Hello,
I am trying to understand the basics of DHCP snooping. I have just a 3560 switch and a laptop (to get a DHCP address) and my DSL router, which has a DHCP server running. On the switch I have enabled "ip dhcp snooping" and "ip dhcp snooping vlan 1", plugged the laptop and DSL router in, and the laptop gets an IP address. Should it?
I thought all ports were untrusted by default, so the DHCP server should be blocked from offering IP addresses? If I wanted the DHCP server to be allowed to offer IPs, I thought I would need to trust the port.
Please shed some light. I am at a loss and need to bring this right back to the basics, I think.
Kind Regards
01-19-2013 11:21 AM
I have an update: after doing a 'wr erase' and 'del vlan.dat' and updating the IOS, it seems to be working. If the port where my DSL DHCP router is connected is untrusted, nothing gets an IP address, but I get no alerts in the console to say this is happening; the laptop and PC just fail to get an IP.
1.) How would I ever know a rogue DHCP server was put on our network if nothing is logged?
2.) When I trusted the DHCP server port, all started to work, the laptop and PC got IP addresses, but I did then start to get these alerts coming in. What are they?
Jan 19 18:40:12.597: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001a.1619.f0f0, MAC sa: 001a.130a.f0f6
3.) If I wanted DHCP snooping on all VLANs, do I just need the 'ip dhcp snooping' command, or do I need to specify all the VLANs?
Thanks
01-19-2013 11:47 AM
Hi Andy,
To specify DHCP snooping for a VLAN, say VLAN 10,
you need this command:
ip dhcp snooping vlan 10
Also, you need to enable ip dhcp snooping globally.
Here is an example of my switch output:
3550SMIB#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30
DHCP snooping is operational on following VLANs:
10,20,30
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
FastEthernet0/20           yes        unlimited
Thanks,
Mahesh
01-20-2013 03:19 AM
Hello,
1.) Is there any way to log the fact that a rogue DHCP server has been put on the network?
2.) When I trusted the DHCP server port, all started to work, the laptop and PC got IP addresses, but I did then start to get these alerts coming in. What are they?
Jan 19 18:40:12.597: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001a.1619.f0f0, MAC sa: 001a.130a.f0f6
3.) Would I use option 82 on trunk links only, because there may be a downstream DHCP server?
Thanks
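The %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL message quoted above comes from the hwaddr verification that Mahesh's output shows as "Verification of hwaddr field is enabled" (on by default when snooping is enabled): the switch compares the chaddr field inside the DHCP payload with the Ethernet source MAC of the frame and drops the packet when they differ. Both that message and drops of server-side messages (DHCPOFFER/DHCPACK) arriving on untrusted ports are the evidence of a rogue or misbehaving DHCP participant that you would want to collect off the switch via syslog. The parser below is an added example, not code from the thread or from Cisco: it classifies DHCP_SNOOPING syslog lines and extracts the message type, chaddr and source MAC. The first sample line is the one quoted in the thread; the remaining lines are constructed for the example, and the untrusted-port line is modelled on the IOS DHCP_SNOOPING_UNTRUSTED_PORT message format as an assumption that should be checked against your own switch's output.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog. Line 1 is the message quoted in the thread; the
# others are made up for this example (the UNTRUSTED_PORT format is an
# assumption modelled on IOS output, not copied from the thread).
SAMPLE_LOG = """\
Jan 19 18:40:12.597: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001a.1619.f0f0, MAC sa: 001a.130a.f0f6
Jan 19 18:40:13.102: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 001a.1619.f0f0, MAC sa: 001a.130a.f0f6
Jan 19 18:41:02.004: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
Jan 19 18:41:05.771: %SYS-5-CONFIG_I: Configured from console by console
"""

# DHCP messages only a server sends; seeing one enter an untrusted port is the
# signature DHCP snooping exists to catch.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

# Matches the IOS facility-severity-mnemonic header for DHCP snooping messages
# and captures the free text that follows it.
LINE_RE = re.compile(r"%DHCP_SNOOPING-\d-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$")

# Cisco writes MACs as three dot-separated groups of four hex digits.
_MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
FIELD_RES = {
    "msg_type": re.compile(r"message type: (\w+)"),
    "chaddr": re.compile(r"chaddr: " + _MAC),
    "mac_sa": re.compile(r"MAC sa: " + _MAC),
}


@dataclass(frozen=True)
class SnoopEvent:
    mnemonic: str                 # e.g. DHCP_SNOOPING_MATCH_MAC_FAIL
    msg_type: Optional[str]       # DHCP message type, if present
    chaddr: Optional[str]         # client hardware address from the DHCP payload
    mac_sa: Optional[str]         # Ethernet source MAC of the frame


def parse_line(line: str) -> Optional[SnoopEvent]:
    """Return a SnoopEvent for a DHCP_SNOOPING syslog line, None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    text = m.group("text")
    fields = {}
    for name, rx in FIELD_RES.items():
        fm = rx.search(text)
        fields[name] = fm.group(1) if fm else None
    return SnoopEvent(m.group("mnemonic"), **fields)


def parse_log(text: str) -> list:
    """Parse a whole syslog capture, keeping only DHCP snooping events."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def rogue_server_macs(events) -> list:
    """Source MACs that sent server-side DHCP messages into an untrusted port."""
    return sorted({
        ev.mac_sa for ev in events
        if ev.mnemonic == "DHCP_SNOOPING_UNTRUSTED_PORT"
        and ev.msg_type in SERVER_MESSAGES and ev.mac_sa
    })


def chaddr_mismatches(events) -> Counter:
    """Count (chaddr, MAC sa) pairs behind MATCH_MAC_FAIL drops.

    A pair that repeats is one host whose DHCP payload consistently names a MAC
    other than the one it transmits with; that is worth a look at the port.
    """
    return Counter(
        (ev.chaddr, ev.mac_sa) for ev in events
        if ev.mnemonic == "DHCP_SNOOPING_MATCH_MAC_FAIL"
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("server messages on untrusted ports from:", rogue_server_macs(evs))
    for (chaddr, sa), n in chaddr_mismatches(evs).items():
        print(f"chaddr {chaddr} vs source MAC {sa}: {n} drop(s)")
```

Feed it the output of your syslog collector rather than the inline sample; the message header regex is what keeps unrelated IOS messages (the %SYS-5-CONFIG_I line in the sample) out of the results.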