DHCP Snooping Issue when changing host vlan

dfranjoso
Level 1

Hello All,

I have several C2960 with IOS 15.0(2)SE4 and DHCP snooping configured:

ip dhcp snooping

ip dhcp snooping vlan 1,10-20

When I have an untrusted interface configured with vlan 1, the Thin-Client host receives an IP address via DHCP with no problem, but if I change the vlan on that Thin-Client host to 10, the host does not receive an IP address via DHCP and the following error message appears:

%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DH

Any suggestions?

Thanks!

David     

2 Replies

Wilson Bonilla
Level 3

Hello dfranjoso.

That's a timing issue, because you had the PC connected to vlan 1. The switch learnt the MAC address in vlan 1; once you change the interface to access vlan 10, the MAC table was still pointing the host's MAC address to vlan 1 and therefore DHCP can provide with an IP address.

Do you have port-security configured as well? If so, then run the command "clear port-security dynamic" and try to reproduce the issue again.

Regards.

Wilson B.


By the way I forgot to mention this

Enabling DHCP Snooping MAC Address Verification

With DHCP snooping MAC address verification enabled, DHCP snooping verifies that the source MAC address and the client hardware address match in DHCP packets that are received on untrusted ports. The source MAC address is a Layer 2 field associated with the packet, and the client hardware address is a Layer 3 field in the DHCP packet.

To enable DHCP snooping MAC address verification, perform this task:

Step 1
Command: Router(config)# ip dhcp snooping verify mac-address
Purpose: Enables DHCP snooping MAC address verification.
Command: Router(config)# no ip dhcp snooping verify mac-address
Purpose: Disables DHCP snooping MAC address verification.

Step 2
Command: Router(config)# do show ip dhcp snooping | include hwaddr
Purpose: Verifies the configuration.

This example shows how to disable DHCP snooping MAC address verification:

Router(config)# no ip dhcp snooping verify mac-address
Router(config)# do show ip dhcp snooping | include hwaddr
Verification of hwaddr field is disabled
Router(config)#

This example shows how to enable DHCP snooping MAC address verification:

Router(config)# ip dhcp snooping verify mac-address
Router(config)# do show ip dhcp snooping | include hwaddr
Verification of hwaddr field is enabled
Router(config)#

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/snoodhcp.html#wp1099635

You can also disable validation with the command:

no ip dhcp snooping verify mac-address

Regards.

Wilson B
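
Added example, not part of the thread or of Cisco's documentation: a Python sketch of the comparison that MAC address verification is described as making, the Ethernet source MAC against the chaddr field of a client DHCP message. The function names, sample MAC addresses and frames are constructed for illustration, and the switch's real implementation is not shown on this page.

```python
import struct

ETH_IPV4, ETH_DOT1Q, PROTO_UDP = 0x0800, 0x8100, 17
CHADDR_OFFSET = 28  # op, htype, hlen, hops, xid, secs, flags and 4 addresses precede chaddr

def check_chaddr(frame: bytes):
    """Return (src_mac, chaddr, match) for a client DHCP frame, else None."""
    if len(frame) < 18:
        return None
    src_mac = frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    l3 = 14
    if ethertype == ETH_DOT1Q:  # step over a single 802.1Q tag
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        l3 = 18
    if ethertype != ETH_IPV4 or len(frame) < l3 + 20 or frame[l3 + 9] != PROTO_UDP:
        return None
    l4 = l3 + (frame[l3] & 0x0F) * 4  # honour the IPv4 header length field
    if len(frame) < l4 + 8 or struct.unpack_from("!HH", frame, l4) != (68, 67):
        return None  # only client-to-server DHCP is checked here
    bootp = frame[l4 + 8:]
    if len(bootp) < CHADDR_OFFSET + 16:
        return None
    hlen = min(bootp[2], 16)
    chaddr = bootp[CHADDR_OFFSET:CHADDR_OFFSET + hlen]
    return src_mac.hex(":"), chaddr.hex(":"), src_mac == chaddr

def build_discover(src_mac: bytes, chaddr: bytes, vlan=None) -> bytes:
    """Constructed sample frame: minimal DHCPDISCOVER, checksums left at zero."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr)
    bootp += bytes(192) + bytes([99, 130, 83, 99, 53, 1, 1, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     PROTO_UDP, 0, bytes(4), b"\xff" * 4) + udp
    tag = struct.pack("!HH", ETH_DOT1Q, vlan) if vlan is not None else b""
    return b"\xff" * 6 + src_mac + tag + struct.pack("!H", ETH_IPV4) + ip

HOST = bytes.fromhex("001122334455")   # constructed MAC addresses
OTHER = bytes.fromhex("020000000001")

if __name__ == "__main__":
    for label, frame in [("same MAC", build_discover(HOST, HOST)),
                         ("different MAC, VLAN 10 tag", build_discover(OTHER, HOST, vlan=10))]:
        src, chaddr, ok = check_chaddr(frame)
        print(f"{label}: src={src} chaddr={chaddr} -> {'forward' if ok else 'drop'}")
```

Running the same check over a capture from the affected access port shows whether the thin client really sends a chaddr that differs from its frame source MAC before verification is disabled.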
