Cisco Support Community
New Member

DHCP snooping not working on 2960s ver 15.0(1)SE3

Hi Forum

I have made a very simple test setup to check that a rogue DHCP is not allowed to pass out DHCP addresses to clients.

I am using a Linksys router, which acts as the rogue DHCP server. An IOS router connected to the uplink port acts as the trusted DHCP server.

All traffic is taking place on vlan 171.

The switch is configured with the following global commands:

ip dhcp snooping vlan 171
ip dhcp snooping database flash:dhcptest
ip dhcp snooping database write-delay 30
ip dhcp snooping database timeout 5
ip dhcp snooping

and the uplink interface is configured with:

interface GigabitEthernet1/0/28
 switchport trunk native vlan 10
 switchport mode trunk
 ip dhcp snooping trust

all user ports are configured as:

interface GigabitEthernet1/0/1
 switchport access vlan 171
 switchport mode access
 spanning-tree portfast

The Linksys router placed on port 1/0/12 can still offer DHCP information to a client on port 1/0/1. IP addresses are randomly taken from either the IOS router or the Linksys router.

This is not correct, the IP DHCP snooping should have strangled the Linksys router's capability to assign IP addresses!!

What is going on in this software release?

Anyone like to comment?

Regards

Peter

6 REPLIES
New Member

Re: DHCP snooping not working on 2960s ver 15.0(1)SE3

Strange enough, can you post show ip dhcp snooping and show ip dhcp snooping binding?

New Member

Re: DHCP snooping not working on 2960s ver 15.0(1)SE3

Hi Xie Yao

Show ip dhcp snooping binding is empty ...

TestSW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
171
DHCP snooping is operational on following VLANs:
171
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 7010.5c99.b400 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/28      yes        yes             unlimited
  Custom circuit-ids:
TestSW1#

And the other command:

TestSW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0
TestSW1#

Regards

Peter

New Member

Re: DHCP snooping not working on 2960s ver 15.0(1)SE3

Hi Xie Yao

All traffic is going on VLAN 171, and the IOS DHCP server is attached via a trunk to GI 1/0/28. The rogue Linksys DHCP server is also on VLAN 171.

The strange thing is that the ip dhcp snooping database is not populated with any information.

Regards

Peter

New Member

DHCP snooping not working on 2960s ver 15.0(1)SE3

Since all your devices are Cisco devices, I am not sure if this helps, but you can check whether the DHCP option is enabled:

sh run | i snoop
ip dhcp snooping vlan 174,300,450
ip dhcp snooping
ip dhcp snooping information option allow-untrusted
ip dhcp snooping information option allow-untrusted

If information option allow-untrusted is enabled, then the DHCP server may be able to offer IP addresses, depending on the device you are using.
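An added example, not code from the thread or from Cisco: a small Python check that reads a saved running-config and reports on the settings discussed in this thread (global enable, snooped VLANs, trusted ports, and the allow-untrusted option). The sample config, the assumption that Gi1/0/12 is configured like the other user ports, and the function names are constructed for illustration.

```python
# Constructed sample modelled on the configuration quoted in the thread
# (indentation restored; Gi1/0/12 is assumed to match the other user ports).
SAMPLE = """\
ip dhcp snooping vlan 171
ip dhcp snooping
interface GigabitEthernet1/0/12
 switchport access vlan 171
interface GigabitEthernet1/0/28
 ip dhcp snooping trust
"""

def expand_vlans(spec):
    """Expand a VLAN list such as '174,300-302' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return a list of DHCP snooping findings for a running-config."""
    enabled, allow82, iface = False, False, None
    vlans, trusted, access = set(), set(), {}
    for raw in config.splitlines():
        line, parts = raw.strip(), raw.split()
        if raw and not raw[0].isspace():  # unindented line: back to global context
            iface = parts[1] if parts[0] == "interface" and len(parts) > 1 else None
        if line == "ip dhcp snooping":
            enabled = True
        elif line.startswith("ip dhcp snooping vlan ") and len(parts) == 5:
            vlans |= expand_vlans(parts[4])
        elif line == "ip dhcp snooping information option allow-untrusted":
            allow82 = True
        elif iface and line == "ip dhcp snooping trust":
            trusted.add(iface)
        elif iface and line.startswith("switchport access vlan ") and len(parts) == 4:
            access[iface] = int(parts[3])
    findings = []
    if not enabled:
        findings.append("snooping is not enabled globally")
    if not trusted:
        findings.append("no trusted port: replies from the real server are dropped")
    if allow82:
        findings.append("option 82 is accepted on untrusted ports")
    for port, vlan in sorted(access.items()):
        if vlan not in vlans:
            findings.append(f"{port}: access VLAN {vlan} is not snooped")
        elif port in trusted:
            findings.append(f"{port}: user port is trusted, server replies pass")
    return findings
```

An empty result from audit(SAMPLE) means the configuration text itself is consistent; it says nothing about whether the running software enforces it, which is what the show commands in the thread are for.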

Hall of Fame Super Gold

Re: DHCP snooping not working on 2960s ver 15.0(1)SE3

DO NOT, under any circumstances, use IOS version 15.0(2)SE3.

Stick to either 12.2(55)SE8 or 15.0(2)SE4.
