8 Replies Latest reply: Jan 18, 2013 1:57 PM by Gonzo

    DHCP snooping

    Gonzo

      Hello,

       

      I am using 2 L3 switches which are trunked and have a Ubuntu laptop in one of the ports on switch 1 in DHCP mode. On switch 2 I have DHCP running for VLAN 5 and have put the laptop in VLAN 5 and it gets an IP address.  Now I have turned DHCP Snooping on using "ip dhcp snooping" so all ports are untrusted, but the laptop still gets an IP address after a renew. 

       

      I guess I'm doing this test wrong and shouldn't be using a DHCP on the other switch over a trunk?  Not sure how I can get a DHCP server to be blocked if I only have 2 L3 switches and a laptop to test with.  Maybe I need an old router with DHCP enabled and just plug it into a port?

       

      Thanks

        • 1. Re: DHCP snooping
          Anthony Sequeira, CCIE,VCP

          Did you remember to enable DHCP snooping for VLAN 5? You need to do this in addition to enabling the feature globally on the switch!

           

          The trunk port between the switches should not be an issue; it is just that, to enable the correct deployment of DHCP, it will have to be a trusted port.

           

          Anthony Sequeira

          http://www.stormwind.com

          Twitter: @compsolv

          Facebook: http://www.facebook.com/compsolv
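          As an added reference configuration (not posted by anyone in this thread) for the two-switch layout described in the question: SW2 hosts the DHCP server for VLAN 5, SW1 runs DHCP snooping, the trunk toward SW2 is the trusted path to the legitimate server, and the laptop's access port stays untrusted. Interface names, VLAN numbers and addresses are assumptions chosen for the example.

```cisco
! --- SW1: the switch the laptop is plugged into (port names assumed) ---
ip dhcp snooping
! Snooping filters nothing until at least one VLAN is listed here
ip dhcp snooping vlan 5
!
interface GigabitEthernet0/1
 description Trunk to SW2 - the only path a DHCP server message may arrive on
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/24
 description Host - untrusted by default, so no "trust" keyword here
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
 ! Optional: cap client DHCP traffic so a flood err-disables the port
 ip dhcp snooping limit rate 15
!
errdisable recovery cause dhcp-rate-limit
!
! --- SW2: hosts the DHCP pool for VLAN 5 (addresses assumed) ---
ip dhcp excluded-address 10.5.0.1 10.5.0.10
ip dhcp pool VLAN5
 network 10.5.0.0 255.255.255.0
 default-router 10.5.0.1
!
interface Vlan5
 ip address 10.5.0.1 255.255.255.0
```

          With this in place a DHCPOFFER arriving on any SW1 port other than the trusted trunk is dropped and logged; the rate limit is a separate protection against DHCP starvation floods and is not needed for the server-message filtering itself.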

          • 2. Re: DHCP snooping
            Gonzo

            DHCP snooping is enabled globally and for VLAN 5 and the laptop still gets an IP. I thought snooping would treat the trunk port as untrusted, as this is the default, and stop it receiving an IP from the other switch?

            • 3. Re: DHCP snooping
              cadetalain

              Hi,

               

              On switch 2 I have DHCP running for VLAN 5 and have put the laptop in VLAN 5

              What do you mean by that? Your SW2 is a DHCP server? Then of course it is leasing out an IP to your client.

               

              Regards.

               

              Alain

              • 4. Re: DHCP snooping
                Gonzo

                Yes but it is leasing over a trunk to VLAN 5 to a switch that is running IP DHCP snooping and IP DHCP snooping VLAN 5.  Wouldn't the trunk be treated as untrusted?

                • 5. Re: DHCP snooping
                  cadetalain

                  Hi,

                   

                  Can you clarify by posting a simple sketch of your topology.

                   

                  Regards.

                   

                  Alain

                  • 6. Re: DHCP snooping
                    Gonzo

                    Sure.

                     

                    (attached topology sketch: 10.JPG)

                    • 7. Re: DHCP snooping
                      cadetalain

                      Hi,

                      By default all ports are untrusted and so the trunk should be untrusted and drop DHCP server messages and your client should not receive an IP address from the server unless you configure the trunk as trusted.

                      Can you post the output of "sh ip dhcp snooping database detail"?

                      Can you release/renew the IP on the Linux host and see if it is still the same?

                       

                      Regards.

                       

                      Alain

                      • 8. Re: DHCP snooping
                        Gonzo

                        I've gone back to basics here and still DHCP isn't being blocked.  I have 1 x 3560 (did a 'wr erase' and 'del vlan.dat' and 'reload') with a laptop in port fa 0/24 and my home DSL router in fa 0/23 which has dhcp running and the laptop got an IP and VLAN 1 on the switch as I requested an IP.

                         

                        !
                        !
                        ip dhcp snooping vlan 1,5
                        ip dhcp snooping
                        !
                        !
                        interface FastEthernet0/23
                         description DHCP
                         switchport access vlan 5
                         switchport mode access
                        !
                        interface FastEthernet0/24
                         description Host
                         switchport access vlan 5
                         switchport mode access
                         spanning-tree portfast
                        !
                        interface GigabitEthernet0/1
                        !
                        interface GigabitEthernet0/2
                        !
                        interface Vlan1
                         ip address dhcp

                         

                        What am I doing wrong here?

                         

                        1. Do I need to use the 'ip dhcp snoop rate-limit' command?
                        2. Should I see any DHCP snooping alerts because I don't?
                        3. I know I have to set DHCP snooping globally and also set the VLAN, but what if I want it to be all VLANs do I still need to use the DHCP snooping vlan command?

                         

                        Thanks
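                        As an added example (not part of the thread), these are the checks a practitioner would run against the single-switch test in the last post to see whether snooping is actually active and whether the router's offers are being dropped. The syslog line shown in the comments is the format Cisco IOS emits when a server message is dropped on an untrusted port; the MAC address in it is a constructed value. The last line answers the "all VLANs" question with the range form of the per-VLAN command.

```cisco
! --- privileged EXEC: confirm the feature state before testing ---
! Shows global on/off, the VLAN list, Option 82 state and per-interface trust/rate-limit
show ip dhcp snooping
! Leases learned on untrusted ports; stays empty if the OFFER was dropped
show ip dhcp snooping binding
! Packet-level view while the Linux host does a release/renew
debug ip dhcp snooping packet
debug ip dhcp snooping event
!
! --- global configuration: make sure the drop is actually recorded ---
! The drop is logged at severity 5 (notifications), so the buffer must keep that level
logging buffered 16384 notifications
!
! --- privileged EXEC: look for the drop after the renew ---
show logging | include DHCP_SNOOPING
! Expected form of the message (MAC value constructed for this example):
! %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port,
!   message type: DHCPOFFER, MAC sa: 0011.2233.4455
!
! --- global configuration: cover every VLAN instead of listing them ---
ip dhcp snooping vlan 1-4094
```

                        If "show ip dhcp snooping" reports the VLANs as enabled and fa0/23 as untrusted yet no drop message ever appears during a renew, the offer is not reaching the switch on that port in the form snooping inspects, which is what the debug output will show.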