DHCP snooping not working on 2960s ver 15.0(1)SE3

plillelund
Level 1

Hi Forum

I have made a very simple test setup to check that a rogue DHCP is not allowed to pass out DHCP addresses to clients.

I am using a linksys router, which acts as the rogue DHCP server. An IOS router connected to the uplink port acts as the trusted DHCP server.

All traffic is taking place on vlan 171.

The switch is configured with the following global commands:

ip dhcp snooping vlan 171
ip dhcp snooping database flash:dhcptest
ip dhcp snooping database write-delay 30
ip dhcp snooping database timeout 5
ip dhcp snooping

and the uplink interface is configured with:

interface GigabitEthernet1/0/28
 switchport trunk native vlan 10
 switchport mode trunk
 ip dhcp snooping trust

all user ports are configured as:

interface GigabitEthernet1/0/1
 switchport access vlan 171
 switchport mode access
 spanning-tree portfast

The Linksys router, placed on port 1/0/12, can still offer DHCP information to a client on port 1/0/1. IP addresses are randomly taken from either the IOS router or the Linksys router.

This is not correct; DHCP snooping should have strangled the Linksys router's capability to assign IP addresses!

What is going on in this software release?

Anyone like to comment?

Regards

Peter

6 Replies

InayathUlla Sharieff
Cisco Employee

XIE YAO
Level 1

Strange enough, can you post show ip dhcp snooping and show ip dhcp snooping binding?


Hi Xie Yao

Show ip dhcp snooping binding is empty ...

TestSW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
171
DHCP snooping is operational on following VLANs:
171
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 7010.5c99.b400 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/28      yes        yes             unlimited
  Custom circuit-ids:
TestSW1#

And the other command:

TestSW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0
TestSW1#

Regards

Peter

Hi Xie Yao

All traffic is going on VLAN 171, and the IOS DHCP server is attached via a trunk to GI 1/0/28. The rogue Linksys DHCP server is also on VLAN 171.

The strange thing is that the ip dhcp snooping database is not populated with any information.

Regards

Peter

Since all your devices are Cisco devices, not sure if this helps, but you can check whether the DHCP information option is enabled:

sh run | i snoop
ip dhcp snooping vlan 174,300,450
ip dhcp snooping
ip dhcp snooping information option allow-untrusted
ip dhcp snooping information option allow-untrusted

If information option allow-untrusted is enabled, then the DHCP server may be able to offer an IP address, depending on the device you are using.
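The two outputs discussed in this thread, Peter's `show ip dhcp snooping` and the `show run | include snoop` check suggested above, contain everything needed to audit a snooping setup: whether snooping is globally on, whether the client VLAN is both configured and operational, whether the port facing the real DHCP server is trusted, whether any user port is trusted, whether option 82 is accepted from untrusted ports, and whether untrusted ports have a rate limit. The script below is an added example, not code from the thread; it parses the output Peter posted (trimmed of blank lines) and his global config lines, and takes the expectations (server port, client VLANs, user ports) as caller-supplied assumptions.

```python
"""Audit DHCP snooping from 'show ip dhcp snooping' and 'show run | include snoop'.

Added example for this thread. The show output is the one posted in the
thread, trimmed; which port carries the trusted DHCP server, which VLANs the
clients use and which ports are user ports are assumptions passed by the caller.
"""
import re

SHOW_SNOOPING = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
171
DHCP snooping is operational on following VLANs:
171
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/28      yes        yes             unlimited
"""
RUN_SNOOP = """\
ip dhcp snooping vlan 171
ip dhcp snooping database flash:dhcptest
ip dhcp snooping
"""


def expand_vlans(spec: str) -> set:
    """'171', '174,300,450' or '10-12,20' -> set of VLAN ids."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        elif part:
            out.add(int(part))
    return out


def parse_show_snooping(text: str) -> dict:
    info = {"enabled": False, "configured_vlans": set(), "operational_vlans": set(),
            "option82_untrusted_allowed": False, "trusted": set(), "rate_limit": {}}
    pending = None                      # which VLAN list the next numeric line belongs to
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if s == "Switch DHCP snooping is enabled":
            info["enabled"] = True
        elif s.startswith("DHCP snooping is configured on following VLANs"):
            pending = "configured_vlans"
        elif s.startswith("DHCP snooping is operational on following VLANs"):
            pending = "operational_vlans"
        elif s.startswith("Option 82 on untrusted port is"):
            info["option82_untrusted_allowed"] = "not allowed" not in s
        elif pending and re.fullmatch(r"[\d,\- ]+", s):
            info[pending] |= expand_vlans(s)
            pending = None
        else:
            pending = None
            m = re.match(r"^(\S+)\s+(yes|no)\s+(yes|no)\s+(\S+)", s)   # per-interface table row
            if m:
                iface, trusted, _allow_opt82, rate = m.groups()
                if trusted == "yes":
                    info["trusted"].add(iface)
                info["rate_limit"][iface] = rate
    return info


def audit(info: dict, run_config: str, server_port: str, client_vlans, user_ports) -> list:
    """Return findings; CRITICAL ones mean snooping cannot block a rogue server."""
    f = []
    if not info["enabled"] or not re.search(r"^ip dhcp snooping\s*$", run_config, re.M):
        f.append("CRITICAL: DHCP snooping is not globally enabled ('ip dhcp snooping' missing)")
    for v in sorted(set(client_vlans) - info["configured_vlans"]):
        f.append(f"CRITICAL: client VLAN {v} is not listed under 'ip dhcp snooping vlan'")
    for v in sorted(info["configured_vlans"] - info["operational_vlans"]):
        f.append(f"WARN: VLAN {v} is configured but not operational (does the VLAN exist?)")
    if server_port not in info["trusted"]:
        f.append(f"CRITICAL: DHCP server port {server_port} is untrusted; its OFFER/ACK are dropped")
    for p in sorted(set(user_ports) & info["trusted"]):
        f.append(f"CRITICAL: user port {p} is trusted; a rogue server there is never filtered")
    if info["option82_untrusted_allowed"] or "allow-untrusted" in run_config:
        f.append("WARN: option 82 accepted from untrusted ports (allow-untrusted); "
                 "only appropriate on an aggregation switch behind an edge switch that inserts it")
    for p in sorted(set(user_ports) - info["trusted"]):
        if info["rate_limit"].get(p, "unlimited") == "unlimited":
            f.append(f"INFO: {p} has no 'ip dhcp snooping limit rate'; a client can flood DISCOVERs")
    return f


if __name__ == "__main__":
    state = parse_show_snooping(SHOW_SNOOPING)
    for line in audit(state, RUN_SNOOP, "GigabitEthernet1/0/28", [171],
                      ["GigabitEthernet1/0/1", "GigabitEthernet1/0/12"]):
        print(line)
```

Run against the thread's own output with Gi1/0/28 as the server port, the audit reports no CRITICAL finding, only the missing per-port rate limits; that is, the configuration as posted is one that should filter the Linksys OFFERs, which is why the empty binding table rather than the configuration is the thing to chase.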

Leo Laohoo
Hall of Fame

DO NOT, under any circumstances, use IOS version 15.0(2)SE3.

Stick to either 12.2(55)SE8 or 15.0(2)SE4.
