
New Member

DHCP Snooping Trouble

Hi All,

I am practicing on a home lab to attain my CCNP Switch.  My home lab is comprised of a couple of 3550 switches.  I tried to configure DHCP snooping without any luck.  I am running IOS ver. 12.2(25)SEA.  I programmed the feature as stated in the official certification guide, along with other Cisco configs.

1.  Enable the feature globally:  S1(config)# ip dhcp snooping

2.  Define the vlan:  S1(config)# ip dhcp vlan XX

3.  Define trusted ports if any


I plug a DHCP server and a client into two untrusted ports in the same vlan that is programmed above, and they are able to connect and exchange packets without interruption.  I am expecting the port with the DHCP server to be err-disabled due to a violation...but it is not happening.  Am I missing something, or do my switches not work?  Any help is much appreciated.

Regards,

Eddie

5 REPLIES
VIP Purple

please post the relevant config of your switch to see if there is anything wrong. Also the output of the "sh ip dhcp snooping" command.

If possible I would also upgrade the switch to 12.2.44-SE6ED.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Thanks for replying Karsten.  Unfortunately I cannot get my hands on IOS 12.2.44-SE6ED, but I got C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(40)SE.  It looks like all the commands are there.  Below is my running-config.  It's just a lab, so I am just trying to get this feature to work, so it is minimally configured.

Current configuration : 2850 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname S2
!
!
no aaa new-model
ip subnet-zero
!
ip dhcp snooping vlan 10
ip dhcp snooping database flash:DHCPSnoopDB
ip dhcp snooping
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping trust
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
 switchport port-security
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 500
 switchport port-security
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast

I just put ports 1-12 in VLAN 10, connected a "trusted" DHCP server to port 1 and connected a couple of laptops to a couple other ports in VLAN 10.  I then connected a rogue dhcp server in one of the "untrusted" ports and the port did not shutdown/err-disable or increment dropped packets as per the "show ip dhcp snooping statistics detail".  

Any thoughts?

VIP Purple

The config looks fine. But if I remember right, then the violation-default is *not* to shutdown or errdisable the port. By default the offending traffic should be dropped. Look in your log for "DHCP_SNOOPING"-messages, which should have severity level 5 by default.


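To act on the pointer above about looking for DHCP_SNOOPING messages in the log, here is an added example (not code from this thread or from Cisco) that parses IOS syslog lines for that message family and reports source MACs whose server-side messages (OFFER/ACK/NAK) were dropped on an untrusted port, which is the footprint of a rogue DHCP server. The sample log lines are constructed for the example and modelled on the IOS syslog format; the mnemonics, timestamps and MAC addresses in them are assumptions, not captures from this lab. The logging level on the switch must include severity 5 (notifications) for these messages to reach the buffer or a syslog collector in the first place.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog output, modelled on the IOS %DHCP_SNOOPING-5-* format.
# Mnemonics, MACs and timestamps are made up for this example.
SAMPLE_SYSLOG = """\
*Mar  1 00:12:41.123: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
*Mar  1 00:12:43.001: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0011.2233.4455
*Mar  1 00:13:02.550: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:13:10.777: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: aaaa.bbbb.cccc, MAC sa: dddd.eeee.ffff
"""

# Message types that only a DHCP server sends. One of these dropped on an
# untrusted port means something on that port is answering clients.
SERVER_MESSAGE_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

LINE_RE = re.compile(r"%DHCP_SNOOPING-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
TYPE_RE = re.compile(r"message type:\s*(?P<type>[A-Z]+)")
MAC_RE = re.compile(r"MAC sa:\s*(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})")


@dataclass
class SnoopEvent:
    severity: int
    mnemonic: str
    message_type: Optional[str]
    mac_sa: Optional[str]
    raw: str


def parse_dhcp_snooping_events(log_text: str) -> List[SnoopEvent]:
    """Return one SnoopEvent per %DHCP_SNOOPING-* line; other facilities are skipped."""
    events: List[SnoopEvent] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. %SYS-5-CONFIG_I: not a snooping message
        text = m.group("text")
        t = TYPE_RE.search(text)
        mac = MAC_RE.search(text)
        events.append(SnoopEvent(
            severity=int(m.group("sev")),
            mnemonic=m.group("mnemonic"),
            message_type=t.group("type") if t else None,
            mac_sa=mac.group("mac") if mac else None,
            raw=line,
        ))
    return events


def rogue_server_macs(events: List[SnoopEvent]) -> Dict[str, List[str]]:
    """Map source MAC -> server-side message types dropped on untrusted ports."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        if (ev.mnemonic == "DHCP_SNOOPING_UNTRUSTED_PORT"
                and ev.message_type in SERVER_MESSAGE_TYPES
                and ev.mac_sa):
            hits[ev.mac_sa].append(ev.message_type)
    return dict(hits)


if __name__ == "__main__":
    for mac, types in rogue_server_macs(parse_dhcp_snooping_events(SAMPLE_SYSLOG)).items():
        print(f"server-side DHCP from {mac} dropped on untrusted port: {', '.join(types)}")
```

The MAC reported is the one the switch saw in the dropped frame, so it identifies the offending host directly; the counters in `show ip dhcp snooping statistics` are a separate path and, as the thread shows, may not be the first place the drop is visible.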
New Member

I did a debug on dhcp snooping packets and was not seeing any DHCP Offer messages from my "untrusted" port with rogue DHCP server.  I did a packet capture on the rogue port/dhcp server and when untrusted there was no activity on that port even if it is the only DHCP server in the segment.  I then made the port "trusted" and I was able to see active DHCP messages.  If I go see the "ip dhcp snooping stats" it does not show any dropped packets from "untrusted" ports.  

New Member

I forgot the sh ip dhcp snooping output.  Here it is.  Thanks.

S2# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              yes         unlimited
S2#
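As an added example (not from the thread or from Cisco), the following script parses `show ip dhcp snooping` output, using the output posted just above as its sample, and audits it against the three configuration steps from the original post: snooping enabled globally, the VLAN both configured and operational, and exactly the intended ports trusted. The `expected_trusted` set, the finding strings and the `expand_vlan_list` helper are the example's own assumptions about how a practitioner would express the intended state.

```python
import re
from typing import Dict, List, Set

# Output copied from the show command posted in this thread (switch S2, IOS 12.2(40)SE).
SHOW_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              yes         unlimited
"""

VLAN_HEADERS = {
    "configured": "DHCP snooping is configured on following VLANs:",
    "operational": "DHCP snooping is operational on following VLANs:",
}
VLAN_LIST_RE = re.compile(r"^[\d,\s-]+$")
# Interface rows look like "FastEthernet0/1   yes   unlimited"
ROW_RE = re.compile(r"^(?P<iface>[A-Za-z]+\d+(?:/\d+)*)\s+(?P<trusted>yes|no)\s+(?P<rate>\S+)$")


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints (assumed format)."""
    vlans: Set[int] = set()
    if not VLAN_LIST_RE.match(spec):
        return vlans  # no VLAN list on that line (e.g. an empty or 'none' line)
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_ip_dhcp_snooping(text: str) -> Dict:
    """Extract global state, VLAN sets and per-interface trust from the show output."""
    lines = [ln.strip() for ln in text.splitlines()]
    state: Dict = {"enabled": False, "configured": set(), "operational": set(), "interfaces": {}}
    for i, line in enumerate(lines):
        if line.startswith("Switch DHCP snooping is"):
            state["enabled"] = line.endswith(" enabled")
        for key, header in VLAN_HEADERS.items():
            if line == header and i + 1 < len(lines):
                state[key] = expand_vlan_list(lines[i + 1])
        m = ROW_RE.match(line)
        if m:
            state["interfaces"][m.group("iface")] = {
                "trusted": m.group("trusted") == "yes",
                "rate": m.group("rate"),
            }
    return state


def audit(state: Dict, expected_trusted: Set[str]) -> List[str]:
    """Compare parsed state with the intended design; an empty list means it matches."""
    findings: List[str] = []
    if not state["enabled"]:
        findings.append("DHCP snooping is globally disabled (step 1 missing)")
    if not state["configured"]:
        findings.append("no VLAN configured for DHCP snooping (step 2 missing)")
    not_operational = state["configured"] - state["operational"]
    if not_operational:
        findings.append(f"snooping configured but not operational on VLANs {sorted(not_operational)}")
    trusted = {i for i, v in state["interfaces"].items() if v["trusted"]}
    for iface in sorted(trusted - expected_trusted):
        findings.append(f"{iface} is trusted but not expected to be: a server there would be accepted")
    for iface in sorted(expected_trusted - trusted):
        findings.append(f"{iface} should be trusted but is not: the legitimate server's offers would be dropped")
    return findings


if __name__ == "__main__":
    parsed = parse_show_ip_dhcp_snooping(SHOW_OUTPUT)
    print(audit(parsed, {"FastEthernet0/1"}) or ["OK: state matches the intended design"])
```

Run against the posted output with `FastEthernet0/1` as the only intended trusted port, the audit returns no findings, which agrees with the reply that the configuration itself looks fine; the place to look for evidence of drops is then the log rather than the config.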
