02-19-2008 07:57 PM - edited 03-09-2019 08:08 PM
Hello,
I have a PC and DHCP server each plugged into a 3550 switch. They are on vlan 13, server on fa0/14, PC on fa0/1.
I enable DHCP snooping on vlan 13 in global config mode. When I plug in the PC to get an address, it gets the address. I thought the switch was supposed to block DHCP packets on untrusted ports? Am I mistaken?
Next I enabled the server port as "trusted". I used a different NIC on the PC to plug in... I got an IP address but it did not show up in the binding database...
Am I missing something on how this is supposed to work?
Thanks,
Bryan
02-19-2008 08:57 PM
DHCP-Snooping disallows DHCP "Server" traffic. It allows DHCP "Client" traffic (like DHCP-Request, DHCP-Discover, DHCP-Release, etc.).
A trusted port disables snooping on a port which is a member of a VLAN enabled for Snooping.
Hope this helps,
02-20-2008 07:11 AM
Right, but DHCP snooping is on and the server port is "untrusted". Shouldn't this block the DHCPOFFER?
And if the port is trusted, shouldn't it show up in the binding database?
02-20-2008 07:29 AM
DHCP-Client messages (Discover, Request, etc.) could originate from any port. DHCP-client messages are only sent to trusted ports.
Typically on an access switch in a LAN, only the 2 uplinks on the switch will be trusted ports.
I don't think a client plugged into a trusted port will have an entry in the binding table.
I'm wondering how/if your offer is getting through. Is your server echoing option-82? What code rev and what switch are we talking here?
02-20-2008 10:40 AM
Thanks for the replies,
The switch is running 12.2(25), I believe. I'll get the exact version when I get home this afternoon. The client port is always untrusted in my lab; I just toggle the server port between trusted and untrusted.
I'm not sure about option 82 - I'll do a capture and post the results. Not sure where that comes into play, so I will have to do some more research.
-Bryan
02-20-2008 04:29 PM
I did some more research and it looks like I made a mistake when enabling DHCP snooping. I have to enable two commands:
ip dhcp snooping
ip dhcp snooping vlan #
I may have just used the vlan # command yesterday.
I started over today (I didn't save my config so I don't know exactly how I screwed up yesterday) and now it works great.
thanks again,
bryan
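
An added example, not part of the original thread: a small Python check for the mistake described in the last post, where `ip dhcp snooping vlan #` is present without the global `ip dhcp snooping` command. The sample config is constructed from the lab described in the thread (VLAN 13, server on fa0/14, PC on fa0/1), and the function name `audit_dhcp_snooping` is hypothetical.

```python
import re

# Constructed sample: the thread's lab (VLAN 13, server on Fa0/14, PC on Fa0/1)
# with the global "ip dhcp snooping" line left out, as in the first attempt.
SAMPLE_BROKEN = """\
ip dhcp snooping vlan 13
!
interface FastEthernet0/1
 switchport access vlan 13
!
interface FastEthernet0/14
 switchport access vlan 13
 ip dhcp snooping trust
"""

def audit_dhcp_snooping(config):
    """Return (findings, trusted_ports) for IOS-style running-config text."""
    global_on = False
    vlans = []
    trusted = []
    current_if = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):      # a top-level line ends interface scope
            current_if = None
        stripped = line.strip()
        m = re.fullmatch(r"interface (\S+)", stripped)
        if m:
            current_if = m.group(1)
        elif stripped == "ip dhcp snooping" and current_if is None:
            global_on = True              # feature switched on globally
        elif stripped.startswith("ip dhcp snooping vlan ") and current_if is None:
            vlans.append(stripped.split("vlan ", 1)[1])
        elif stripped == "ip dhcp snooping trust" and current_if:
            trusted.append(current_if)    # port allowed to carry server replies
    findings = []
    if vlans and not global_on:
        findings.append("VLAN snooping configured but global 'ip dhcp snooping' is missing: feature inactive")
    if global_on and not vlans:
        findings.append("global 'ip dhcp snooping' set but no VLAN is enabled")
    if global_on and vlans and not trusted:
        findings.append("no trusted port: DHCP server replies are dropped on every port")
    return findings, trusted

if __name__ == "__main__":
    for finding in audit_dhcp_snooping(SAMPLE_BROKEN)[0]:
        print("FINDING:", finding)
```

On the switch itself, `show ip dhcp snooping` reports whether the feature is enabled and on which VLANs, and `show ip dhcp snooping binding` lists the learned bindings.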