Cisco Support Community

DHCP snooping : dropped packets


I configured DHCP snooping on our Catalyst 2950 & 2960 series switches.

The feature has been running for about 2 weeks and everything seems to be working fine, but the "show ip dhcp snooping stat" command shows that a high percentage of the DHCP packets are being dropped by the switches.

An example : Router -> Switch1 -> Switch2 (sw-jeroen2)

The switches connected to the router have the following DHCP snooping configuration.

"ip dhcp snooping vlan 39

no ip dhcp snooping information option

ip dhcp snooping"

All trunk (uplink) ports are configured as trusted ports.

There is no specific DHCP snooping configuration on the router.

I disconnected a host on sw-jeroen2 fa0/1 that already received an IP address, and the binding in the DHCP snooping binding table was made correctly.

At reconnect to the same port the host requests its old IP-address.

I ran a debug on the switch, attachment : debug.txt

The issue :

The switch always seems to drop the first DHCP ACKs from the DHCP server.

“can't find output interface for dhcp reply. the message is dropped”

Why is that? The switch already learned the MAC address on fa0/1 from the DHCP REQUEST. Why does it not forward the DHCP ACK from the server to the client?

The consequence of this is that the first replies from the DHCP server never arrive at the client port.

What can I do about it?

Thanks in advance.


Re: DHCP snooping : dropped packets

DHCP snooping is enabled on a global level on a per-VLAN basis. So every access port in that VLAN, once you turn it on globally, will be subjected to the DHCP snooping protocol. There are a couple of things to keep in mind to make sure this works correctly. First, every port that might possibly receive an offer from one of your four DHCP servers you need to trust. Because if we receive an offer on a port that is untrusted, a DHCP snooping switch will drop that packet.

One more thing to remember is that by default a DHCP snooping switch will add an option 82 header to all DHCP packets before it relays the frame on to the server. A lot of DHCP servers will not accept packets with that extra bit of information in the frame.
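
The two checks described in the reply above (server messages arriving on an untrusted port, and option 82 in a relayed packet) can be tested against a captured DHCP payload. This is an added example, not part of the thread and not Cisco's implementation: the function names are hypothetical, the sample packets are constructed, and the verdict models only the trusted-port rule, not the "can't find output interface" drop from the original post.

```python
MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])    # marks start of DHCP options (RFC 2131)
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only a server sends
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255

def parse_tlv(data, pad=None, end=None):
    """Walk code/length/value triples; return {code: value}."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == end:
            break
        if code == pad:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out

def parse_options(payload):
    """Options of a BOOTP/DHCP payload (UDP data, no Ethernet/IP/UDP headers)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    return parse_tlv(payload[240:], pad=OPT_PAD, end=OPT_END)

def relay_info(payload):
    """Option 82 sub-options (1 = circuit ID, 2 = remote ID), or None if absent."""
    raw = parse_options(payload).get(OPT_RELAY_INFO)
    return None if raw is None else parse_tlv(raw)

def snooping_verdict(payload, port_trusted):
    """Simplified trust rule: server-originated messages need a trusted ingress port."""
    raw = parse_options(payload).get(OPT_MSG_TYPE) or b"\x00"
    if raw[0] in SERVER_TYPES and not port_trusted:
        return "drop: DHCP%s on untrusted port" % SERVER_TYPES[raw[0]]
    return "forward"

def build(msg_type, extra=b""):
    """Constructed sample payload: zeroed 236-byte BOOTP header plus options."""
    return bytes(236) + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type]) + extra + bytes([OPT_END])

if __name__ == "__main__":
    opt82 = bytes([OPT_RELAY_INFO, 6, 1, 4, 0, 4, 0, 1])   # constructed circuit ID
    print(snooping_verdict(build(2), port_trusted=False))
    print(snooping_verdict(build(5), port_trusted=True))
    print(relay_info(build(3, opt82)))
```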