Wireless clients connected to AP could not get IP address while DHCP Snooping enabled?


In my company, we have a WS-C2960-24TT-L model switch (Core Switch), a WS-C2960-24PC-L model switch (PoE switch), a 2921 model router, a DHCP server and 2x1142 Model Access Points. The PCs and IP Phones at the location are connected to the PoE switch. The router has a Fast Ethernet module to which the Access Points are connected. The router, PoE switch and DHCP server are all connected to the Core Switch.

This topology was working well until we activated the DHCP Snooping feature at the Core Switch. Actually, even after we activated DHCP snooping, PCs and IP Phones continued to get their IP addresses from the DHCP Server. However, the wireless clients, which had been getting their IP addresses from the DHCP Server before, could not get any IP addresses from the server. The only trusted ports at the Core switch are the DHCP Server's ports, and all of the other ports are in the untrusted state. I did some research on the internet but I could not find any information that gives the solution. Do you know what the reason for that is and what the solution is?



Wireless clients connected to AP could not get IP address while

At a guess, as the WLC acts as a DHCP proxy you're going to need to trust the ports going into the WLC as it's effectively acting as a DHCP server, although it is querying the real DHCP server.



Re: Wireless clients connected to AP could not get IP address wh

Keep in mind, though, that while DHCP proxy is enabled on a WLC, the dynamic interface the wireless client lands on is what requests the DHCP address on behalf of the wireless client.

Wireless clients connected to AP could not get IP address while

Actually there is no WLC in that location. The access point, to which the wireless clients are connected, connects to the router's interface (Fast Ethernet Module). The router has another interface (G0/0) that connects to the core switch. In our topology, the router's VLAN interface is the DHCP relay for the wireless subnet. So I don't think it is about the WLC, because the WLC is at a remote location.

The router has a Zone Based Firewall and some configuration for it. At first I thought the problem could be about the Zone Based Firewall. However, then I thought that there was no problem before DHCP snooping was enabled. So I think the problem should be about the Core switch: the switch is somehow preventing the wireless clients from getting their IP addresses after DHCP Snooping was enabled. While doing this the switch does not generate any logs.

Re: Wireless clients connected to AP could not get IP address wh

After I wrote the last comment I used the command "ip dhcp snooping trust" at the core switch for the router port, and this is probably the solution. However, the reason for using that command is not as mooncat said. In our case, the router is a DHCP relay and it fills the GIADDR field for any DHCP request in the wireless client VLAN. When the switch received that packet it generated this log:

%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: (Mac address of Router's interface which is connected to switch)

A DHCP Snooping enabled switch should not receive a DHCP packet with an address of different than in the GIADDR field from its untrusted port. So I think the problem is solved.

Thank you for your interest.
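
The drop condition named in the log message above, modelled as an added Python example (not part of the thread and not Cisco's implementation). It parses the giaddr field and option 82 from a DHCP packet and applies only that one check; the sample packets, the relay address 10.10.20.1 and all function names are constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (offset 236)
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_RELAY_INFO = 0, 255, 53, 82

def build_discover(giaddr="0.0.0.0", option82=b""):
    """Constructed sample DHCPDISCOVER: 236-byte BOOTP header, cookie, options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, 0x12345678, 0, 0,    # op, htype, hlen, hops, xid, secs, flags
        bytes(4), bytes(4), bytes(4),    # ciaddr, yiaddr, siaddr
        socket.inet_aton(giaddr),        # giaddr: filled in by a relay agent
        bytes.fromhex("020000000001"), bytes(64), bytes(128))  # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, 1])    # option 53 = DHCPDISCOVER
    if option82:
        options += bytes([OPT_RELAY_INFO, len(option82)]) + option82
    return header + MAGIC_COOKIE + options + bytes([OPT_END])

def parse_options(packet):
    """Return {option code: value} from the options area of a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        opts[packet[i]] = packet[i + 2:i + 2 + packet[i + 1]]
        i += 2 + packet[i + 1]
    return opts

def snooping_verdict(packet, port_trusted):
    """Simplified model: relay markers are only accepted on a trusted port."""
    opts = parse_options(packet)
    giaddr = socket.inet_ntoa(packet[24:28])   # giaddr sits at bytes 24..27
    if port_trusted:
        return "forward"
    if giaddr != "0.0.0.0":
        return "drop: non-zero giaddr " + giaddr
    if OPT_RELAY_INFO in opts:
        return "drop: option 82 present"
    return "forward"

if __name__ == "__main__":
    relayed = build_discover(giaddr="10.10.20.1")   # as sent on by a relay
    for trusted in (False, True):
        print("trusted" if trusted else "untrusted", "->", snooping_verdict(relayed, trusted))
```

A DISCOVER sent directly by a client (giaddr 0.0.0.0, no option 82) passes on an untrusted port, which matches the wired PCs and phones continuing to work while the relayed wireless requests were dropped.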