
DHCP Snooping Issue when changing host vlan

Unanswered Question
Oct 15th, 2013

Hello All,


I have several C2960 with IOS 15.0(2)SE4 and DHCP snooping configured:


ip dhcp snooping

ip dhcp snooping vlan 1,10-20


When I have an untrusted interface configured with vlan 1, the Thin-Client host receives an IP address via DHCP with no problem, but if I change the vlan on that Thin-Client host to 10, the host does not receive an IP address via DHCP and the following error message appears:


%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DH



Any suggestions?


Thanks!


David     

Wilson Bonilla Tue, 10/15/2013 - 09:03

Hello dfranjoso.


That's a timing issue, because you had the PC connected to vlan 1. The switch learnt the MAC address in vlan 1; once you change the interface to access vlan 10, the MAC table was still pointing the host's MAC address to vlan 1 and therefore dhcp can provide with an ip address.


Do you have port-security configured as well? If so, then run the command "clear port-security dynamic" and try to reproduce the issue again.


Regards.

Wilson B.




Wilson Bonilla Tue, 10/15/2013 - 09:07

By the way, I forgot to mention this:

Enabling DHCP Snooping MAC Address Verification

With DHCP snooping MAC address verification enabled, DHCP snooping verifies that the source MAC address and the client hardware address match in DHCP packets that are received on untrusted ports. The source MAC address is a Layer 2 field associated with the packet, and the client hardware address is a Layer 3 field in the DHCP packet.

To enable DHCP snooping MAC address verification, perform this task:


Step 1

  Command: Router(config)# ip dhcp snooping verify mac-address
  Purpose: Enables DHCP snooping MAC address verification.

  Command: Router(config)# no ip dhcp snooping verify mac-address
  Purpose: Disables DHCP snooping MAC address verification.

Step 2

  Command: Router(config)# do show ip dhcp snooping | include hwaddr
  Purpose: Verifies the configuration.




This example shows how to disable DHCP snooping MAC address verification:

Router(config)# no ip dhcp snooping verify mac-address
Router(config)# do show ip dhcp snooping | include hwaddr
Verification of hwaddr field is disabled
Router(config)#


This example shows how to enable DHCP snooping MAC address verification:

Router(config)# ip dhcp snooping verify mac-address
Router(config)# do show ip dhcp snooping | include hwaddr
Verification of hwaddr field is enabled
Router(config)#

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/snoodhcp.html#wp1099635


You can also disable validation with the command:

no ip dhcp snooping verify mac-address


Regards.

Wilson B
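
Added example (not part of the thread, and not Cisco's code): an offline Python re-implementation of the comparison that the DHCP_SNOOPING_MATCH_MAC_FAIL message reports, for checking a frame captured on the untrusted port before deciding whether to disable verification. The function names, MAC addresses and sample frames are constructed for illustration; only untagged or single-tagged IPv4 frames from a DHCP client (UDP 68 to 67) are handled.

```python
import struct

def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def build_discover(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed sample frame: Ethernet/IPv4/UDP/BOOTP DHCPDISCOVER (checksums left 0)."""
    bootp = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0x8000)
             + bytes(16)                      # ciaddr, yiaddr, siaddr, giaddr
             + chaddr.ljust(16, b"\x00")      # chaddr field is 16 bytes, MAC uses first 6
             + bytes(192)                     # sname + file
             + b"\x63\x82\x53\x63"            # DHCP magic cookie
             + b"\x35\x01\x01\xff")           # option 53 = DISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip

def check_chaddr(frame: bytes):
    """Return (match, src_mac, chaddr) for a client DHCP frame, else None."""
    if len(frame) < 18:
        return None
    off = 12
    if frame[off:off + 2] == b"\x81\x00":     # skip one 802.1Q tag if present
        off += 4
    if frame[off:off + 2] != b"\x08\x00":     # IPv4 only
        return None
    ip = frame[off + 2:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:   # IPv4 carrying UDP
        return None
    ihl = (ip[0] & 0x0F) * 4
    udp = ip[ihl:] if ihl >= 20 else b""
    if len(udp) < 8 or struct.unpack("!HH", udp[:4]) != (68, 67):
        return None
    bootp = udp[8:]
    if len(bootp) < 44 or bootp[1] != 1 or bootp[2] != 6:  # htype Ethernet, hlen 6
        return None
    src, chaddr = frame[6:12], bootp[28:34]   # L2 source MAC vs. DHCP chaddr
    return src == chaddr, mac_str(src), mac_str(chaddr)

if __name__ == "__main__":
    nic = bytes.fromhex("0050569a0001")       # constructed MAC addresses
    other = bytes.fromhex("0050569a0002")
    for label, f in (("match", build_discover(nic, nic)),
                     ("mismatch", build_discover(nic, other))):
        print(label, check_chaddr(f))
```

A `False` result on a real capture shows which two addresses differ, which points at the device that is rewriting or bridging the client's DHCP traffic.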
