I am practicing on a home lab to attain my CCNP Switch. My home lab is comprised of a couple of 3550 switches. I tried to configure DHCP snooping without any luck. I am running IOS ver. 12.2(25) SEA. I program the feature as it states on the official certification guide along with other Cisco configs.
1. Enable the feature globally: S1(config)# ip dhcp snooping
2. Define the vlan: S1(config)# ip dhcp snooping vlan XX
3. Define trusted ports if any
I plug in a DHCP server and a client to two untrusted ports in the same vlan that is programmed above and they are able to connect and exchange packets without an interruption. I am expecting the port with the DHCP server to be err-disabled due to a violation...but it is not happening. Am I missing something, or do my switches not work? Any help is much appreciated.
Thanks for replying Karsten. Unfortunately I cannot get my hands on IOS12.2.44-SE6ED but I got C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(40)SE. It looks like all the commands are there. Below is my running-config. It's just a lab, so I am just trying to get this feature to work, so it is minimally configured.
I just put ports 1-12 in VLAN 10, connected a "trusted" DHCP server to port 1 and connected a couple of laptops to a couple other ports in VLAN 10. I then connected a rogue DHCP server to one of the "untrusted" ports and the port did not shut down/err-disable or increment dropped packets as per "show ip dhcp snooping statistics detail".
The config looks fine. But if I remember right, the violation default is *not* to shut down or err-disable the port. By default the offending traffic should be dropped. Look in your log for "DHCP_SNOOPING" messages, which should have severity level 5 by default.
-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
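To illustrate Karsten's point that the default action is to drop and log the offending packet rather than err-disable the port, here is an added model of the per-port snooping decision (example code, not from this thread or from Cisco). It assumes the lab layout above (VLAN 10 snooped, Fa0/1 trusted, option 82 insertion and hwaddr verification on, as in the show output) and uses simplified message records instead of real DHCP parsing; it also goes beyond the rogue-server case to show the option 82 and hwaddr checks.

```python
from dataclasses import dataclass

# DHCP message types (option 53); OFFER/ACK/NAK are only legitimate from a server
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}

@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False
    dropped: int = 0          # what the snooping statistics counter would show

@dataclass
class DhcpMsg:
    msg_type: int
    src_mac: str              # Ethernet source address of the frame
    chaddr: str               # client hardware address in the DHCP header
    has_option82: bool = False

def snoop(port, msg, snooped_vlans=frozenset({10})):
    """Decide what the switch does with a DHCP packet arriving on `port`.
    Returns (action, reason). A violation drops the packet and bumps the
    port's drop counter; the port itself stays up (no err-disable)."""
    if port.vlan not in snooped_vlans or port.trusted:
        return "forward", "trusted port or VLAN not snooped"
    reason = None
    if msg.msg_type in SERVER_MSGS:
        reason = "server message on untrusted port"
    elif msg.has_option82:
        reason = "option 82 on untrusted port is not allowed"
    elif msg.chaddr.lower() != msg.src_mac.lower():
        reason = "hwaddr field does not match source MAC"
    if reason is None:
        return "forward", "client message"
    port.dropped += 1
    return "drop", reason

def run_lab():
    """Constructed scenario: real server on trusted Fa0/1, rogue server on Fa0/5."""
    fa1 = Port("Fa0/1", 10, trusted=True)
    fa3 = Port("Fa0/3", 10)
    fa5 = Port("Fa0/5", 10)
    client = DhcpMsg(DISCOVER, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01")
    offer = DhcpMsg(OFFER, "de:ad:be:ef:00:05", "aa:bb:cc:00:00:01")
    spoofed = DhcpMsg(DISCOVER, "aa:bb:cc:00:00:03", "11:22:33:44:55:66")
    snoop(fa3, client)    # forwarded: normal client DISCOVER
    snoop(fa1, offer)     # forwarded: OFFER from the trusted port
    snoop(fa5, offer)     # dropped: OFFER from an untrusted port
    snoop(fa3, spoofed)   # dropped: chaddr/source MAC mismatch
    return {p.name: p.dropped for p in (fa1, fa3, fa5)}
```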
I did a debug on dhcp snooping packets and was not seeing any DHCP Offer messages from my "untrusted" port with the rogue DHCP server. I did a packet capture on the rogue port/DHCP server and when untrusted there was no activity on that port even if it is the only DHCP server in the segment. I then made the port "trusted" and I was able to see active DHCP messages. If I go see the "ip dhcp snooping stats" it does not show any dropped packets from "untrusted" ports.
I forgot the sh ip dhcp snooping output. Here it is. Thanks.
S2# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces: