Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

DHCP Snooping problems

Hi

I am looking at a way to stop rogue DHCP servers effecting a LAN on one of our customers sites and believe DHCP Snooping is the way forward!

I have a test switch 2960 with the following spec

Switch   Ports  Model              SW Version              SW Image           

------   -----  -----              ----------              ----------         

*    1   50     WS-C2960-48TC-L    12.2(25)SEE3            C2960-LANBASE-M

I have enabled port 1 as a trusted (DCHP server) port and ports 2 - 24 as untrusted (client) and no matter where i put the DHCP server (Draytek Router) my client gets an IP address. Should the port that i connect the DHCP server to (ie port 22) not be shut down when it responds from a DHCP request from client PC in port 7?

My config is below:

Switch#sh run
Building configuration...

Current configuration : 4520 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
no aaa new-model
ip subnet-zero
!
ip dhcp snooping vlan 1,10
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping trust
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!        
interface FastEthernet0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/11
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/12
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/13
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/14
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/15
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/16
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/17
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/18
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/19
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/20
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/21
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5
!
interface FastEthernet0/22
switchport access vlan 10
switchport mode access
spanning-tree portfast
ip dhcp snooping limit rate 5

I have also attached the debug from when i attach the dhcp router to an untrusted port and the pc does a ipconfig/renew.

Any ideas greatly appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Bronze

DHCP Snooping problems

clear ip dhcp snooping binding will reset the database.

yes, there is no log entry, it just stops giving out IP address via DHCP.

If your problem is solved, please rate this thread as such.

Regards,

5 REPLIES
Hall of Fame Super Bronze

DHCP Snooping problems

Per the documentation:

"

When a switch receives a packet on an untrusted  interface and the interface belongs to a VLAN in which DHCP snooping is  enabled, the switch compares the source MAC address and the DHCP client  hardware address. If the addresses match (the default), the switch  forwards the packet. If the addresses do not match, the switch drops the  packet. "

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/15.0_2_se/configuration/guide/swdhcp82.html#wp1058243

The switch has the MAC address and DHCP Client hardware address from your DHCP server when you had it on a trusted port so it forwards the packet even when placed on untrusted ports after the fact. You need to clear the DHCP Snooping database and try again.

New Member

Re: DHCP Snooping problems

Thanks for the explanation this clears things up, I will try this in my lab tomorrow and let you know the outcome


Sent from Cisco Technical Support iPad App

New Member

Re: DHCP Snooping problems

After doing the command clear ip dhcp snooping binding this worked, thanks. Not sure about the database command as this does not seem to do anything or even when I do a show IP dhcp snooping database does it show anything.

I was expecting the port to shut down or see some kind of log when carrying out a show command but nothing!

It just stopped it giving out dhcp, is this how it should function?

Sent from Cisco Technical Support iPhone App

Hall of Fame Super Bronze

DHCP Snooping problems

clear ip dhcp snooping binding will reset the database.

yes, there is no log entry, it just stops giving out IP address via DHCP.

If your problem is solved, please rate this thread as such.

Regards,

I have same problem so I have

I have same problem so I have tried fix that above guide but problem not fixed. I have created interface vlan 4009 on my remote switch and configured ip address dhcp on this vlan. DHCP addressing working when I remove ip dhcp snooping vlan 4009 however it's not working when add this command.

Any help would be greatly appreciated,

Regards,

 
483
Views
0
Helpful
5
Replies
CreatePlease to create content