DHCP Snooping - over L3 WAN link

scottlivingston
Level 1

Looked over the documentation and most of the DHCP snooping posts here, but have yet to see a scenario such as the one that I'm getting ready to roll out…wanna get it correct the 1st time.

Here's what it looks like…

•Hub / Spoke topology

•Hub and Spoke tied together w/ Gigaman and EIGRP (not extending VLAN's over WAN)

•Gigaman is hooked into a 6500 at the hub location w/ the DHCP servers hanging off of it - directly connected

•Spoke rails will get DHCP from Hub

•DHCP snooping is NOT configured at hub or spoke today

•Want to enable snooping at spoke

spoke-switch(config)# ip dhcp snooping

spoke-switch(config)# ip dhcp snooping vlan x

spoke-switch(config)# ip dhcp snooping information option

spoke-switch(config-if)# ip dhcp snooping trust   (on the L2 trunk or DHCP server port)

Questions…

1.) I saw a post that mentioned not using the command 'ip dhcp snooping information option' if I use Windows 2003 DHCP server. Is this correct?

2.) Do I need to configure 'ip dhcp snooping trust' over the /30 access port between the HUB and Spoke?

3.) Do I need to configure anything related to DHCP snooping at the hub? I will be dragging this Gigaman WAN connection into a 6500 - the same 6500 that the DHCP server is connected to.

Thank You,

scott

17 Replies

schmij01
Level 1

1. That is correct. Use 'no ip dhcp snooping information option'.

2. I don't believe this is true, but I am not 100% positive. You can always configure it and leave it there, since it doesn't matter. All the trust command really does is say 'my DHCP server is upstream from this port, so trust all DHCP packets seen'.

3. Not necessarily. Only if you have end users on your 6500 and you want to have the protection from rogue DHCP servers, or if you are using other security features that rely on DHCP Snooping.

Marwan ALshawi
VIP Alumni

2) Any uplink, trunk or connection between switches must be configured as a DHCP snooping trust

on both sides, in your case the hub and spoke ports.

3) In the hub you just need to make the port connected to the spoke trusted, and the port connected to the DHCP server trusted too.

good luck

please, if helpful Rate

Jason/Marwan, thank you for the feedback!

Marwan, do I assume I need to configure the dhcp snooping global commands at the hub location if I'm going to use the trust command on the DHCP server port? Is that correct?

Thank you!

scott

You need to enable it on the hub site as well,

and trust the DHCP server port,

and any uplink switch-to-switch links as well.

good luck:)

You really do not need to configure DHCP snooping at the hub/core if you don't want to. You would only need to do so if you had the threat of rogue DHCP servers to deal with that would be present in the core. And you only trust uplinks that go towards the DHCP servers from the edge switches/spoke, not the other way.

Hi Jason,

if he does not enable DHCP snooping on the server side and does it only on the client side,

this technology will only be half done.

The idea of DHCP snooping is to untrust all ports except the DHCP server and uplink connections between switches, to avoid any rogue DHCP server.

So in this case it should be enabled on the hub/server side as well.

thank you

If the hub is a data center that does not have any end user hosts, or threats of rogue DHCP servers, then DHCP snooping does not need to be enabled there. If the hub also has clients like workstations, etc., then there is a threat, and by all means use DHCP snooping to mitigate that threat. But to say that DHCP snooping needs to be enabled on every switch in the network to provide protection is false.

Another example is distribution layer switches that provide connectivity to the core for the edge devices. DHCP snooping does not need to be enabled on a distribution switch. The edge switches are doing all work in that case.

Hi,

Just bringing this topic up again as I have a similar setup in my network, with L3 between the user switch and the distribution/core switch and the real DHCP server hanging off the core. But I am having an issue where I cannot stop a rogue DHCP server connected to one of the DHCP client VLANs from giving out IP address leases to clients within the same VLAN.

The DHCP snooping has been enabled globally with the user vlans specified in the DHCP snooping. The users on a different VLAN to the one where a rogue DHCP server is connected in to are able to obtain an IP address lease from the correct 'real' DHCP server with the helper address defined in the L3 interface.

Has anyone come across the same issue and can shed any light on this please?

Many Thanks,

Philip

Strange. Are you sure the port where your server is configured as "untrusted" ...?

Hi,

Yes, the port which the rogue server is connected to is set as untrusted.

Here is the configuration of the port it is connected to:

interface FastEthernet1/0/43

description DHCP Subnet 1

switchport access vlan 11

switchport mode access

switchport port-security maximum 3

switchport port-security aging time 1440

switchport port-security violation restrict

switchport port-security aging type inactivity

no logging event link-status

no snmp trap link-status

spanning-tree portfast

spanning-tree bpduguard enable

ip dhcp snooping limit rate 100

end

Did you try debug commands to see what happens?

For example:

debug ip dhcp snooping events

debug ip dhcp packets

Here is the output below.

The rogue dhcp server is on port fa1/0/43 and is sending out dhcpinform packets in the range of 192.168.1.x

There's nothing in the logs showing DHCP snooping stopping the DHCP packets from this port. The first DHCPINFORM packet you can see is at Jun 08:51:57.756 from the rogue device.

Jun 12 08:51:57.756 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 192.168.1.2, DHCP ciaddr: 192.168.1.2, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:51:57.756 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:51:57.756 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:51:57.756 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:51:57.756 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:51:57.756 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/22)

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Fa1/0/22, MAC da: ffff.ffff.ffff, MAC sa: 4487.fc49.da80, IP da: 255.255.255.255, IP sa: 10.241.68.141, DHCP ciaddr: 10.241.68.141, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 4487.fc49.da80

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x18 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:16.689 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:52:16.689 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl11, MAC da: 4487.fc49.da80, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.141, IP sa: 10.241.68.66, DHCP ciaddr: 10.241.68.141, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.241.68.129, DHCP chaddr: 4487.fc49.da80

Jun 12 08:52:16.689 UTC: DHCP_SNOOPING: intercepted DHCPACK with no DHCPOPT_LEASE_TIME option field, packet is still forwarded but no snooping binding update is performed.

Jun 12 08:52:16.697 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/22.

Jun 12 08:52:25.958 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:25.958 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:25.958 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:25.958 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 10.241.68.66, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/43.

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:25.975 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:52:25.975 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:25.975 UTC: DHCP_SNOOPING: add binding on port FastEthernet1/0/43.

Jun 12 08:52:25.975 UTC: DHCP_SNOOPING: added entry to table (index 90)

Jun 12 08:52:25.975 UTC: DHCP_SNOOPING: dump binding entry: Mac=E4:11:5B:38:02:57 Ip=10.241.68.154 Lease=86400     ld Type=dhcp-snooping Vlan=11 If=FastEthernet1/0/43

Jun 12 08:52:25.975 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/43.

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPRELEASE, input interface: Fa1/0/43, MAC da: 0022.beed.0ec3, MAC sa: e411.5b38.0257, IP da: 10.241.68.66, IP sa: 10.241.68.154, DHCP ciaddr: 10.241.68.154, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING: delete binding from port FastEthernet1/0/43.

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING: dump binding entry: Mac=E4:11:5B:38:02:57 Ip=10.241.68.154 Lease=86392     ld Type=dhcp-snooping Vlan=11 If=FastEthernet1/0/43

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:33.634 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: 0022.BEED.0EC3, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:33.634 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:47.081 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:52:47.081 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 10.241.68.66, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:47.081 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/43.

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 10.241.68.66, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/43.

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING: add binding on port FastEthernet1/0/43.

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING: added entry to table (index 90)

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING: dump binding entry: Mac=E4:11:5B:38:02:57 Ip=10.241.68.154 Lease=86400     ld Type=dhcp-snooping Vlan=11 If=FastEthernet1/0/43

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/43.

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPRELEASE, input interface: Fa1/0/43, MAC da: 0022.beed.0ec3, MAC sa: e411.5b38.0257, IP da: 10.241.68.66, IP sa: 10.241.68.154, DHCP ciaddr: 10.241.68.154, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING: delete binding from port FastEthernet1/0/43.

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING: dump binding entry: Mac=E4:11:5B:38:02:57 Ip=10.241.68.154 Lease=86393     ld Type=dhcp-snooping Vlan=11 If=FastEthernet1/0/43

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: 0022.BEED.0EC3, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:53:07.859 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:53:07.859 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:53:07.868 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:53:07.868 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:53:07.868 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:53:07.868 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:53:07.868 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:53:10.586 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:53:10.586 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 10.241.68.66, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257

Jun 12 08:53:10.586 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/43.

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 192.168.1.2, DHCP ciaddr: 192.168.1.2, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

There is a DHCP client connected to the port F1/0/43 (we can see DHCP REQUEST packet on it) ....

Because this rogue DHCP device is connected to a DHCP client VLAN, it will also act as a client in sending out a DHCP request to the DHCP server, hence the requests you see. The problem I am facing is trying to stop this machine from sending out DHCP requests to users on the same VLAN as itself...
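As an added example (not code from the thread or from Cisco), here is a small Python analyzer over the "debug ip dhcp snooping" output Philip posted. It tallies which message types enter on which interface, flags any server-side message (OFFER/ACK/NAK) that ingresses an untrusted port, lists client messages with an unexpected source address, and decodes the option 82 dump the switch logged. The trusted interface set (Vl11) and the expected client prefix (10.241.68.) are assumptions drawn from the ACK lines; the DHCPOFFER-on-Fa1/0/43 line is constructed and is not in the thread.

```python
import re
from collections import defaultdict

# Lines copied (abridged) from the "debug ip dhcp snooping" output posted in the thread.
THREAD_LOG = """\
Jun 12 08:51:57.756 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 192.168.1.2, DHCP ciaddr: 192.168.1.2, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257
Jun 12 08:52:25.958 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257
Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 10.241.68.66, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257
Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257
Jun 12 08:52:25.975 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257
"""

# Option 82 dump the switch logged for the packets from Fa1/0/43 (copied from the thread).
OPT82_DUMP = "0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80"

# Constructed line (NOT in the thread): what a server-side message entering the
# untrusted access port would look like; used only to show the finding trigger.
ROGUE_OFFER_LINE = ("Jun 12 08:55:00.000 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, "
                    "input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, "
                    "IP da: 255.255.255.255, IP sa: 192.168.1.1, DHCP ciaddr: 0.0.0.0,")

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
# Assumption: replies relayed from the real server enter via the SVI, the only trusted ingress here.
TRUSTED_IFACES = {"Vl11"}
# Assumption: the VLAN 11 client subnet, taken from the yiaddr/giaddr values in the ACK lines.
EXPECTED_CLIENT_PREFIX = "10.241.68."

PKT_RE = re.compile(r"message type: (DHCP\w+), input interface: (\S+), .*?IP sa: (\S+),")


def parse_packets(log):
    """Extract (message type, ingress interface, IP source) from each 'process new DHCP packet' line."""
    return [m.groups() for m in PKT_RE.finditer(log)]


def summarize(packets):
    """Count message types per ingress interface: a quick view of who acts as client vs. server."""
    counts = defaultdict(lambda: defaultdict(int))
    for msg, iface, _ in packets:
        counts[iface][msg] += 1
    return {iface: dict(c) for iface, c in counts.items()}


def rogue_server_findings(packets, trusted=TRUSTED_IFACES):
    """Server-type messages entering an untrusted interface: exactly what snooping must drop."""
    return [(msg, iface) for msg, iface, _ in packets if msg in SERVER_MSGS and iface not in trusted]


def unexpected_client_sources(packets, prefix=EXPECTED_CLIENT_PREFIX):
    """Client-type messages whose IP source is neither unassigned nor in the expected subnet
    (in the thread: the DHCPINFORM from 192.168.1.2 on Fa1/0/43)."""
    return [(msg, iface, ip) for msg, iface, ip in packets
            if msg not in SERVER_MSGS and ip != "0.0.0.0" and not ip.startswith(prefix)]


def decode_opt82(dump):
    """Decode the vlan-mod-port circuit-id and the remote-id sub-options from the hex dump."""
    b = [int(tok, 16) for tok in dump.split()]
    if b[0] != 0x52:
        raise ValueError("not a DHCP option 82 dump")
    i, end, out = 2, 2 + b[1], {}
    while i < end:
        sub, ln = b[i], b[i + 1]
        val = b[i + 2:i + 2 + ln]
        if sub == 1:    # circuit-id: type 0, len 4, VLAN (2 bytes), module, port index
            out["vlan"] = (val[2] << 8) | val[3]          # the thread's dump gives VLAN 11
            out["module"], out["port"] = val[4], val[5]   # Fa1/0/43 was encoded as 0x2F here
        elif sub == 2:  # remote-id: type 0, len 6, switch base MAC
            out["remote_mac"] = ":".join(f"{x:02x}" for x in val[2:])
        i += 2 + ln
    return out


if __name__ == "__main__":
    pkts = parse_packets(THREAD_LOG)
    print(summarize(pkts))
    print("server msgs on untrusted ports:", rogue_server_findings(pkts))
    print("odd client sources:", unexpected_client_sources(pkts))
    print(decode_opt82(OPT82_DUMP))
```

On the thread's own lines the untrusted-port finding is empty, which is Jason's point: every OFFER/ACK came in via Vl11 from the relay, and the box on Fa1/0/43 only ever sent client messages.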
