Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

question about catalyst 2960s dhcp snooping

Hi,

The network dirgram  is :

dhcp client - ( SW1 port 1 ) - SW1 - ( SW1 port 2 ) - SW2 - dhcp server

The SW1 is Catalyst 2960S switch ( WS-C2960S-48TD-L ) with universal image ( c2960s-universalk9-mz.122-55.SE7 ).

We tried to enable the dhcp snooping feature. If the SW1 port 1 configure to untrust port and SW1 port 2 configure to trust port, the dhcp client can get IP address from dhcp server immediately. If both SW1 port 1 & port 2 configure to untrust port, the dhcp client still can get the IP address after 1 minute. ( it seems not correct!! )

Please help to identify the problem.

The switch configuration is :

ip dhcp snooping vlan 1

no ip dhcp snooping verify mac-address

ip dhcp snooping

interface GigabitEthernet1/0/1

spanning-tree portfast

!

interface GigabitEthernet1/0/2

spanning-tree portfast

.......

Best Regards,

4 REPLIES
Cisco Employee

question about catalyst 2960s dhcp snooping

Hello Jackson,

This is interesting. Have you tried to completely deconfigure the DHCP client, i.e. perform ipconfig /release if it is running under Windows, and only then tried to acquire the IP address? There is a slight possibility that the client uses unicast IP communication with the DHCP server after it knows who the DHCP server is, somehow bypassing DHCP Snooping protection (although very improbable!)

Anyway, please configure the Gi1/0/1 and Gi1/0/2 ports with switchport mode access - currently, they are in dynamic mode.

Best regards,

Peter

New Member

question about catalyst 2960s dhcp snooping

Hi,

We disconnect / reconnect the dhcp client LAN cable to release / renew IP address.

Best Regards,

New Member

question about catalyst 2960s dhcp snooping

Hi,

I tried to run ipconfig /release, then the dhcp client can not get IP address if both dhcp server and client are connect to untrust port. Why it don't work when I disconnect / reconnect the dhcp client LAN cable?

Best Regards,

Purple

question about catalyst 2960s dhcp snooping

Hi Peter,

There is a slight possibility that the client uses unicast IP  communication with the DHCP server after it knows who the DHCP server  is, somehow bypassing DHCP Snooping protection (although very  improbable!)

Can you explain further, the DHCP snooping process was blocking server-side messages on untrusted ports so how can the client type of communication( broadcast or unicast) could influence this ?

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
230
Views
0
Helpful
4
Replies
CreatePlease to create content