DHCP snooping : dropped packets

Unanswered Question
Feb 7th, 2008
User Badges:


I configured DHCP snooping on our Catalyst 2950 & 2960 series switches.

The feature is running for about 2 weeks and everything seems to be working fine but the "show ip dhcp snooping stat" command shows that a high percentage the DHCP packets are being dropped by the switches.

An example : Router -> Switch1 -> Switch2 (sw-jeroen2)

The switches connected to the router have the following DHCP snooping configuration.

"ip dhcp snooping vlan 39

no ip dhcp snooping information option

ip dhcp snooping"

All trunk (uplink) ports are configured as trusted ports.

There is no specific DHCP snooping configuration on the router.

I disconnected a host on sw-jeroen2 fa0/1 that allready received an IP-address and the binding in the dhcp snooping binding table was made correctly.

At reconnect to the same port the host requests its old IP-address.

I ran a debug on the switch, attachement : debug.txt

The issue :

The switch always seems to drop the first DHCP ACKs from the DHCP server.

“can't find output interface for dhcp reply. the message is dropped”

Why is that? The switch already learned the MAC address on fa0/1 from the DHCP REQUEST. Why does it not forward the DHCP ACK from the server to the client?

Consequence of this is that the first replies from the DHCP server never arrive a the client port.

What can I do about it?

Thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
smalkeric Wed, 02/13/2008 - 11:26
User Badges:
  • Silver, 250 points or more

DHCP snooping is enabled on a global level on a per vlan basis. So every access-port in that vlan, once you turn it on

globally will be subjected to the DHCP snooping protocol. There are a couple of things to keep in mind to make sure this works correctly. First every port that might possible receive an offer from one of your four DHCP servers you need to trust. Because if we receiver an offer on a port that is untrusted a DHCP snooping switch will drop that packet.

One more thing to remember is that by default a dhcp snooping switch will add an option 82 header to all DHCP packets before it relays the frame on to the server. A lot of DHCP server will not accept packets will that extra bit of information in the frame.


This Discussion