DHCP Snooping - over L3 WAN link

Looked over the documentation and most of the DHCP snooping posts here, but have yet to see a scenario such as the one that I'm getting ready to roll out... wanna get it correct the 1st time.

Here's what it looks like...

• Hub / Spoke topology

• Hub and Spoke tied together w/ Gigaman and EIGRP (not extending VLANs over WAN)

• Gigaman is hooked into a 6500 at the hub location w/ the DHCP servers hanging off of it - directly connected

• Spoke rails will get DHCP from Hub

• DHCP snooping is NOT configured at hub or spoke today

• Want to enable snooping at spoke

spoke-switch(config)# ip dhcp snooping
spoke-switch(config)# ip dhcp snooping vlan x
spoke-switch(config)# ip dhcp snooping information option
spoke-switch(config-if)# ip dhcp snooping trust    (on the L2 trunk or DHCP server port)

Questions...

1.) I saw a post that mentioned not using the command 'ip dhcp snooping information option' if I use a Windows 2003 DHCP server. Is this correct?

2.) Do I need to configure 'ip dhcp snooping trust' over the /30 access port between the Hub and Spoke?

3.) Do I need to configure anything related to DHCP snooping at the hub? I will be dragging this Gigaman WAN connection into a 6500 - the same 6500 that the DHCP server is connected to.

Thank You,

scott

17 REPLIES
Re: DHCP Snooping - over L3 WAN link

1. That is correct. Use 'no ip dhcp snooping information option'.

2. I don't believe this is true, but I am not 100% positive. You can always configure it and leave it there, since it doesn't matter. All the trust command really does is say 'my DHCP server is upstream from this port, so trust all DHCP packets seen'.

3. Not necessarily. Only if you have end users on your 6500 and you want to have the protection from rogue DHCP servers, or if you are using other security features that rely on DHCP Snooping.

Re: DHCP Snooping - over L3 WAN link

2) Any uplink, trunk or connection between switches must be configured as a DHCP snooping trust

on both sides, in your case the hub and spoke ports.

3) In the hub you just need to make the port connected to the spoke as trusted, and the port connected to the DHCP server as trusted too.

good luck

Please rate if helpful

Re: DHCP Snooping - over L3 WAN link

Jason/Marwan, thank you for the feedback!

Marwan, do I assume I need to configure the DHCP snooping global commands at the hub location if I'm going to use the trust command on the DHCP server port? Is that correct?

Thank you!

scott

Re: DHCP Snooping - over L3 WAN link

You need to enable it on the hub site as well, sure,

and trust the DHCP server port,

and any uplink switch-to-switch links as well.

good luck :)

Re: DHCP Snooping - over L3 WAN link

You really do not need to configure DHCP snooping at the hub/core if you don't want to. You would only need to do so if you had the threat of rogue DHCP servers to deal with that would be present in the core. And you only trust uplinks that go towards the DHCP servers from the edge switches/spoke, not the other way.

Re: DHCP Snooping - over L3 WAN link

Hi Jason,

if he does not enable DHCP snooping on the server side and does it only on the client side,

this technology will only be half done.

The idea of DHCP snooping is to untrust all ports except the DHCP server and the uplink connections between switches, to avoid any rogue DHCP server.

So in this case it should be enabled on the hub/server side as well.

thank you

Re: DHCP Snooping - over L3 WAN link

If the hub is a data center that does not have any end user hosts, or threats of rogue DHCP servers, then DHCP snooping does not need to be enabled there. If the hub also has clients like workstations, etc., then there is a threat, and by all means use DHCP snooping to mitigate that threat. But to say that DHCP snooping needs to be enabled on every switch in the network to provide protection is false.

Another example is distribution layer switches that provide connectivity to the core for the edge devices. DHCP snooping does not need to be enabled on a distribution switch. The edge switches are doing all the work in that case.

DHCP Snooping - over L3 WAN link

Hi,

Just bringing this topic up again as I have a similar setup in my network, with L3 between the user switch and the distribution/core switch and the real DHCP server hanging off the core. But I am having an issue where I cannot stop a rogue DHCP server connected to one of the DHCP client VLANs from giving out IP address leases to clients within the same VLAN.

DHCP snooping has been enabled globally with the user VLANs specified in the DHCP snooping. The users on a different VLAN to the one where the rogue DHCP server is connected are able to obtain an IP address lease from the correct 'real' DHCP server with the helper address defined in the L3 interface.

Has anyone come across the same issue and can shed any light on this please?

Many Thanks,

Philip

DHCP Snooping - over L3 WAN link

Strange. Are you sure the port where your server is connected is configured as "untrusted"...?

DHCP Snooping - over L3 WAN link

Hi,

Yes, the port which the rogue server is connected to is set as untrusted.

Here is the configuration of the port it is connected to:

interface FastEthernet1/0/43
 description DHCP Subnet 1
 switchport access vlan 11
 switchport mode access
 switchport port-security maximum 3
 switchport port-security aging time 1440
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no logging event link-status
 no snmp trap link-status
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 100
end

DHCP Snooping - over L3 WAN link

Did you try debug commands to see what happens?

For example:

debug ip dhcp snooping events
debug ip dhcp packets

DHCP Snooping - over L3 WAN link

Here is the output below.

The rogue DHCP server is on port fa1/0/43 and is sending out DHCPINFORM packets in the range of 192.168.1.x.

There's nothing in the logs showing DHCP snooping stopping the DHCP packets from this port. The first DHCPINFORM packet you can see is at Jun 08:51:57.756 from the rogue device.

Jun 12 08:51:57.756 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 192.168.1.2, DHCP ciaddr: 192.168.1.2, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:51:57.756 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:51:57.756 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:51:57.756 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:51:57.756 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:51:57.756 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/22)

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Fa1/0/22, MAC da: ffff.ffff.ffff, MAC sa: 4487.fc49.da80, IP da: 255.255.255.255, IP sa: 10.241.68.141, DHCP ciaddr: 10.241.68.141, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 4487.fc49.da80

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x18 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:16.680 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:16.689 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:52:16.689 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl11, MAC da: 4487.fc49.da80, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.141, IP sa: 10.241.68.66, DHCP ciaddr: 10.241.68.141, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.241.68.129, DHCP chaddr: 4487.fc49.da80

Jun 12 08:52:16.689 UTC: DHCP_SNOOPING: intercepted DHCPACK with no DHCPOPT_LEASE_TIME option field, packet is still forwarded but no snooping binding update is performed.

Jun 12 08:52:16.697 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/22.

Jun 12 08:52:25.958 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:25.958 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:25.958 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:25.958 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 10.241.68.66, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/43.

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:25.966 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:25.975 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:52:25.975 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:25.975 UTC: DHCP_SNOOPING: add binding on port FastEthernet1/0/43.

Jun 12 08:52:25.975 UTC: DHCP_SNOOPING: added entry to table (index 90)

Jun 12 08:52:25.975 UTC: DHCP_SNOOPING: dump binding entry: Mac=E4:11:5B:38:02:57 Ip=10.241.68.154 Lease=86400     ld Type=dhcp-snooping Vlan=11 If=FastEthernet1/0/43

Jun 12 08:52:25.975 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/43.

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPRELEASE, input interface: Fa1/0/43, MAC da: 0022.beed.0ec3, MAC sa: e411.5b38.0257, IP da: 10.241.68.66, IP sa: 10.241.68.154, DHCP ciaddr: 10.241.68.154, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING: delete binding from port FastEthernet1/0/43.

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING: dump binding entry: Mac=E4:11:5B:38:02:57 Ip=10.241.68.154 Lease=86392     ld Type=dhcp-snooping Vlan=11 If=FastEthernet1/0/43

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:33.625 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:33.634 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: 0022.BEED.0EC3, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:33.634 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:44.262 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:44.279 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:47.081 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:52:47.081 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 10.241.68.66, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:47.081 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/43.

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 10.241.68.66, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/43.

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:52.844 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING: add binding on port FastEthernet1/0/43.

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING: added entry to table (index 90)

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING: dump binding entry: Mac=E4:11:5B:38:02:57 Ip=10.241.68.154 Lease=86400     ld Type=dhcp-snooping Vlan=11 If=FastEthernet1/0/43

Jun 12 08:52:52.852 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/43.

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPRELEASE, input interface: Fa1/0/43, MAC da: 0022.beed.0ec3, MAC sa: e411.5b38.0257, IP da: 10.241.68.66, IP sa: 10.241.68.154, DHCP ciaddr: 10.241.68.154, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING: delete binding from port FastEthernet1/0/43.

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING: dump binding entry: Mac=E4:11:5B:38:02:57 Ip=10.241.68.154 Lease=86393     ld Type=dhcp-snooping Vlan=11 If=FastEthernet1/0/43

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: 0022.BEED.0EC3, packet is flooded to ingress VLAN: (11)

Jun 12 08:52:59.420 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:53:07.851 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:53:07.859 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:53:07.859 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:53:07.868 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:53:07.868 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:53:07.868 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:53:07.868 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:53:07.868 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.

Jun 12 08:53:10.586 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan11)

Jun 12 08:53:10.586 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 10.241.68.66, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257

Jun 12 08:53:10.586 UTC: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet1/0/43.

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet1/0/43)

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 192.168.1.2, DHCP ciaddr: 192.168.1.2, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING: add relay information option.

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F 0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (11)

Jun 12 08:53:16.911 UTC: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan11.
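A decoder for the "binary dump of relay info option" lines in the output above, added here as an example (it is not from the thread or from Cisco). It parses the option 82 blob in the vlan-mod-port layout the debug names, using the dump from the Fa1/0/43 packet as input; reading the last circuit-id byte as an internal port index rather than the interface number is an assumption drawn from the two dumps on this page.

```python
import re

# "binary dump of relay info option" line copied from the debug output in this
# thread (the DHCPINFORM that entered on Fa1/0/43 in VLAN 11).
SAMPLE_DUMP = ("0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x2F "
               "0x2 0x8 0x0 0x6 0x0 0x22 0xBE 0xED 0xE 0x80")


def parse_dump(line):
    """Turn the space-separated 0x.. tokens of a debug dump line into bytes."""
    return bytes(int(tok, 16) for tok in line.split())


def decode_opt82_vlan_mod_port(data):
    """Decode a DHCP option 82 blob as IOS emits it in 'vlan-mod-port' format.

    Layout (Cisco default):
      82 <len>
        1 6  0 4  <vlan:2> <module:1> <port:1>   circuit-id suboption
        2 8  0 6  <switch MAC:6>                 remote-id suboption
    Raises ValueError on anything that does not fit, so a malformed or
    truncated option is reported rather than silently half-decoded.
    """
    if len(data) < 2 or data[0] != 82:
        raise ValueError("not a DHCP option 82 blob")
    if data[1] != len(data) - 2:
        raise ValueError(f"length byte {data[1]} != {len(data) - 2} payload bytes")
    body, pos, out = data[2:], 0, {}
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated suboption header")
        sub_type, sub_len = body[pos], body[pos + 1]
        sub = body[pos + 2:pos + 2 + sub_len]
        if len(sub) != sub_len:
            raise ValueError(f"suboption {sub_type} truncated")
        if sub_type == 1 and sub_len == 6 and sub[:2] == b"\x00\x04":
            out["circuit_id"] = {
                "vlan": int.from_bytes(sub[2:4], "big"),
                "module": sub[4],
                # Assumed to be the switch's internal port index: the thread's own
                # dumps carry 0x2F for Fa1/0/43 and 0x18 for Fa1/0/22, so it is
                # not simply the interface number.
                "port": sub[5],
            }
        elif sub_type == 2 and sub_len == 8 and sub[:2] == b"\x00\x06":
            out["remote_id"] = ":".join(f"{b:02x}" for b in sub[2:])
        else:
            out.setdefault("unknown", []).append((sub_type, sub.hex()))
        pos += 2 + sub_len
    return out


if __name__ == "__main__":
    print(decode_opt82_vlan_mod_port(parse_dump(SAMPLE_DUMP)))
```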

DHCP Snooping - over L3 WAN link

There is a DHCP client connected to the port F1/0/43 (we can see a DHCP REQUEST packet on it)...

DHCP Snooping - over L3 WAN link

Because this rogue DHCP device is connected to a DHCP client VLAN, it will also act as a client in sending out a DHCP request to the DHCP server, hence the requests you see. The problem I am facing is trying to stop this machine from sending out DHCP requests to users on the same VLAN as itself...

DHCP Snooping - over L3 WAN link

What is the DHCP scope you have defined?

DHCP Snooping - over L3 WAN link

The scope defined on the 'real' DHCP server for the users is 10.241.69.128/26, and the scope defined on the rogue DHCP server is 192.168.1.0/24.

DHCP Snooping - over L3 WAN link

Actually, what I don't understand is that looking at the logs, we can see only DHCP client packets incoming on f1/0/43 (DHCPINFORM, DHCPREQUEST, DHCPDISCOVER, etc.). All DHCP packets sent by a server (DHCPACK, DHCPOFFER) are seen only on interface vl11, and offer IP addresses in 10.241.69.128, so provided by the good server. Even the server connected on int f1/0/43 sends, as a client, a DHCP RELEASE for IP address 10.241.69.154.

So there I see 2 possible reasons:

- the rogue server sends specific DHCP packets that are not seen as DHCP packets by the switch (so as not to be blocked by DHCP snooping)

- it is not the server on interface f1/0/43 which acts as the rogue server...

Perhaps another reason, but I don't see it.

Can you try to force a DHCP release on a client which obtained an IP address in 192.168.1.x?
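As an added example (not part of this thread), a small triage script that does the check in the reply above by machine rather than by eye: it parses the "process new DHCP packet" lines of debug ip dhcp snooping output, lists which message types entered on each interface, and flags server replies on untrusted interfaces, leases outside the expected scope, and clients already holding an out-of-scope address. The trusted-interface set and the scope 10.241.68.128/26 are assumptions chosen to match the addresses in the posted log; the first three sample lines are copied from the log and the last one is constructed.

```python
import ipaddress
import re

# 'process new DHCP packet' lines in the format of the debug output posted in this
# thread. The first three are copied from it; the LAST ONE IS CONSTRUCTED to show
# what an OFFER arriving from a server behind an untrusted port looks like.
SAMPLE_LOG = """\
Jun 12 08:52:25.958 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257
Jun 12 08:52:25.966 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Vl11, MAC da: e411.5b38.0257, MAC sa: 0022.beed.0ec3, IP da: 10.241.68.154, IP sa: 10.241.68.129, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.241.68.154, DHCP siaddr: 10.241.68.66, DHCP giaddr: 10.241.68.129, DHCP chaddr: e411.5b38.0257
Jun 12 08:53:16.911 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Fa1/0/43, MAC da: ffff.ffff.ffff, MAC sa: e411.5b38.0257, IP da: 255.255.255.255, IP sa: 192.168.1.2, DHCP ciaddr: 192.168.1.2, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: e411.5b38.0257
Jun 12 08:53:20.000 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Fa1/0/43, MAC da: 4487.fc49.da80, MAC sa: e411.5b38.0257, IP da: 192.168.1.50, IP sa: 192.168.1.2, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.1.50, DHCP siaddr: 192.168.1.2, DHCP giaddr: 0.0.0.0, DHCP chaddr: 4487.fc49.da80
"""

PKT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) \w+: DHCP_SNOOPING: process new DHCP packet, "
    r"message type: (?P<mtype>\w+), input interface: (?P<iface>[^,]+),"
    r".*?IP sa: (?P<ip_sa>[\d.]+),.*?DHCP yiaddr: (?P<yiaddr>[\d.]+),"
    r".*?DHCP chaddr: (?P<chaddr>[\w.]+)"
)

# Only a DHCP server sends these; on a snooping switch they must enter on a trusted port.
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def parse_packets(text):
    """Extract the fields we need from every 'process new DHCP packet' line."""
    return [m.groupdict() for m in map(PKT_RE.match, text.splitlines()) if m]


def triage(text, trusted, expected_scope):
    """Summarise a debug capture and flag what DHCP snooping should not be seeing.

    trusted:        interface names, as printed in the debug, where server replies
                    are legitimate (e.g. 'Vl11' when replies come in via the SVI).
    expected_scope: the only range the real server is supposed to lease from.
    Returns (message types seen per input interface, list of findings).
    """
    scope = ipaddress.ip_network(expected_scope)
    per_iface, findings = {}, []
    for p in parse_packets(text):
        per_iface.setdefault(p["iface"], set()).add(p["mtype"])
        if p["mtype"] in SERVER_MSGS:
            if p["iface"] not in trusted:
                findings.append(f"{p['ts']}: {p['mtype']} from {p['ip_sa']} "
                                f"entered on untrusted {p['iface']}")
            if p["yiaddr"] != "0.0.0.0" and ipaddress.ip_address(p["yiaddr"]) not in scope:
                findings.append(f"{p['ts']}: {p['mtype']} leases {p['yiaddr']} "
                                f"outside {scope} (server {p['ip_sa']})")
        elif p["ip_sa"] != "0.0.0.0" and ipaddress.ip_address(p["ip_sa"]) not in scope:
            # A client already holding an out-of-scope address (the DHCPINFORM from
            # 192.168.1.2 in the thread) is the symptom of a lease from elsewhere.
            findings.append(f"{p['ts']}: client {p['chaddr']} on {p['iface']} "
                            f"already holds {p['ip_sa']} outside {scope}")
    return per_iface, findings


if __name__ == "__main__":
    seen, issues = triage(SAMPLE_LOG, trusted={"Vl11"}, expected_scope="10.241.68.128/26")
    for iface, types in sorted(seen.items()):
        print(f"{iface}: {', '.join(sorted(types))}")
    for line in issues:
        print("!!", line)
```

If the per-interface summary shows only client message types on the suspect port while a neighbour still gets a 192.168.1.x lease, the offers are not reaching the CPU as DHCP, which is the first of the two explanations above.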
