DHCP Snooping not working

dodgerfan78
Level 1

Hello,

I have a PC and DHCP server each plugged into a 3550 switch. They are on vlan 13, server on fa0/14, PC on fa0/1.

I enable DHCP snooping on vlan 13 in global config mode. When I plug in the PC to get an address, it gets the address. I thought the switch was supposed to block DHCP packets on untrusted ports? Am I mistaken?

Next I enabled the server port as "trusted". I use a different NIC on the PC to plug in... I got an IP address but it did not show up in the binding database...

Am I missing something on how this is supposed to work?

Thanks,

Bryan

5 Replies

jafrazie
Cisco Employee

DHCP-Snooping disallows DHCP "Server" traffic. It allows DHCP "Client" traffic (like DHCP-Request, DHCP-Discover, DHCP-Release, etc.).

A trusted port disables snooping on a port which is a member of a VLAN enabled for Snooping.

Hope this helps,

Right but dhcp snooping is on and the server port is "untrusted". Shouldn't this block the DHCPOFFER?

And if the port is trusted, shouldn't it show up in the binding database?

DHCP-Client messages (Discover, Request, etc.) could originate from any port. DHCP-client messages are only sent to trusted ports.

Typically on an access switch in a LAN, only the 2 uplinks on the switch will be trusted ports.

I don't think a client plugged into a trusted port will have an entry in the binding table.

I'm wondering how/if your offer is getting through. Is your server echoing option-82? What code rev and what switch are we talking here?

Thanks for the replies,

The switch is running 12.2(25) I believe. I'll get the exact version when I get home this afternoon. The client port is always untrusted in my lab, I just toggle the server port between trusted and untrusted.

I'm not sure about option 82 - I'll do a capture and post the results. Not sure where that comes into play so I will have to do some more research.

-Bryan

I did some more research and it looks like I made a mistake when enabling dhcp snooping. I have to enable two commands:

ip dhcp snooping

ip dhcp snooping vlan #

I may have just used the vlan # command yesterday.

I started over today (I didn't save my config so I don't know exactly how I screwed up yesterday) and now it works great.

thanks again,

bryan
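
An added example, not part of the thread and not Cisco tooling: a small Python check for the misconfiguration described in the last post, where `ip dhcp snooping vlan #` is present without the global `ip dhcp snooping`. The sample configs and the function names are constructed for illustration, using the VLAN 13 / fa0/14 layout from the first post.

```python
import re

# Constructed sample configs (not from the thread): VLAN 13, server on Fa0/14.
VLAN_ONLY = """\
ip dhcp snooping vlan 13
!
interface FastEthernet0/1
 switchport access vlan 13
!
interface FastEthernet0/14
 switchport access vlan 13
"""
BOTH_COMMANDS = "ip dhcp snooping\n" + VLAN_ONLY + " ip dhcp snooping trust\n"

def parse_vlans(spec):
    """Expand an IOS VLAN list such as '10,13-15' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dhcp_snooping(config):
    """Return (global_on, snooped_vlans, trusted_ports, findings) for a config."""
    global_on, vlans, trusted, iface = False, set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # any top-level line leaves interface mode
            iface = None
        if line == "ip dhcp snooping":
            global_on = True
        elif m := re.fullmatch(r"ip dhcp snooping vlan ([\d,-]+)", line):
            vlans |= parse_vlans(m.group(1))
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface = m.group(1)
        elif line == "ip dhcp snooping trust" and iface:
            trusted.append(iface)
    findings = []
    if vlans and not global_on:
        findings.append("VLANs listed but global 'ip dhcp snooping' missing: snooping is inactive")
    if global_on and not vlans:
        findings.append("global snooping on but no 'ip dhcp snooping vlan' line: no VLAN is inspected")
    if global_on and vlans and not trusted:
        findings.append("no 'ip dhcp snooping trust' port: DHCP server replies are dropped")
    return global_on, vlans, trusted, findings

if __name__ == "__main__":
    for name, cfg in (("vlan-only", VLAN_ONLY), ("both", BOTH_COMMANDS)):
        print(name, audit_dhcp_snooping(cfg))
```

Feed it the text of `show running-config`; an empty findings list means the global command, at least one snooped VLAN and at least one trusted port are all present.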
