Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2656
Views
0
Helpful
15
Replies

yet another DHCP Snooping problem

scott.hammond
Level 1
Level 1

‎07-02-2013 07:17 AM - edited ‎03-07-2019 02:11 PM

We have had a rash of problems with rogue DHCP servers of late so its time to bite the bullet and enable snooping. Problem is I cant get it to work.

With it enabled the test phone cant get an IP from the production DHCP server but rather it will only pull one from the "rogue" server that is untrusted.

I have tried every option, every variation, all vlans did nothing, turning off option 82 did nothing, tried using the database, nothing...I just never see bindings.

Please help!

I have a C3560CPD-8PT-S

ip dhcp snooping vlan 154

ip dhcp snooping

!

interface GigabitEthernet0/4 < Cisco phone

switchport access vlan 154

switchport mode access

spanning-tree portfast

ip dhcp snooping limit rate 100

!

interface GigabitEthernet0/8 < cisco 2811 playing the part of the rogue DHCP server

switchport access vlan 154

switchport mode access

spanning-tree portfast

ip dhcp snooping limit rate 100

!

interface GigabitEthernet0/10 < uplink to the Windows DHCP

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,43,154,200,1000

switchport mode trunk

ip dhcp snooping trust

!

interface Vlan1000 < The L3 management interface

ip address 10.60.250.115 255.255.255.0

!

comms_temp_s01#show ip dhcp snooping

Switch DHCP snooping is enabled

DHCP snooping is configured on following VLANs:

154

DHCP snooping is operational on following VLANs:

154

DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled

   circuit-id default format: vlan-mod-port

   remote-id: 5897.1ed1.2280 (MAC)

Option 82 on untrusted port is not allowed

Verification of hwaddr field is enabled

Verification of giaddr field is enabled

DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)

-----------------------    -------    ------------    ----------------  

GigabitEthernet0/1         no         no              100      

  Custom circuit-ids:

GigabitEthernet0/2         no         no              100      

  Custom circuit-ids:

GigabitEthernet0/3         no         no              100      

  Custom circuit-ids:

Interface                  Trusted    Allow option    Rate limit (pps)

-----------------------    -------    ------------    ----------------  

GigabitEthernet0/4         no         no              100      

  Custom circuit-ids:

GigabitEthernet0/5         no         no              100      

  Custom circuit-ids:

GigabitEthernet0/6         no         no              100      

  Custom circuit-ids:

GigabitEthernet0/7         no         no              100      

  Custom circuit-ids:

GigabitEthernet0/8         no         no              100      

  Custom circuit-ids:

GigabitEthernet0/10        yes        yes             unlimited

  Custom circuit-ids:

comms_temp_s01#

Labels:
0 Helpful
15 Replies 15

scott.hammond
Level 1
Level 1

‎07-02-2013 09:37 AM

now the question is how do I mark this as answered when I answered my own question ........

0 Helpful
Customers Also Viewed These Support Documents