4 Replies. Latest reply: Dec 26, 2009 7:27 AM by Andrea D'Orsi

    DHCP Snooping

    Nicolas MICHEL

      Hey there

      After some CAM table issues, here is another one for you guys.

      I have configured 2 Cisco routers that act as DHCP servers. They work well, I'm leasing some IPs with that stuff. Now for my lab, I'm using one router as DHCP ROGUE and another one as DHCP Server.

      They are both in the same subnet, and I wanted to try the DHCP Snooping feature offered by my Cisco 3550.

      Here is the config of the switch:

       

      ip dhcp snooping vlan 1
      ip dhcp snooping

       

      interface FastEthernet0/1
      description ***PC THAT NEED IP ADDRESS***
      switchport mode access
      switchport port-security
      switchport port-security mac-address sticky
      switchport port-security mac-address sticky 0000.0000.0001
      spanning-tree portfast
      spanning-tree bpdufilter enable

       

      interface FastEthernet0/47
      description ***DHCP-ROGUE***
      switchport mode access
      switchport port-security
      switchport port-security mac-address sticky
      switchport port-security mac-address sticky blablabalb
      spanning-tree portfast
      spanning-tree bpdufilter enable
      !
      interface FastEthernet0/48
      description ***DHCP-SERVER***
      switchport mode access
      switchport port-security
      switchport port-security mac-address sticky
      switchport port-security mac-address sticky blblabalba
      spanning-tree portfast
      spanning-tree bpdufilter enable
      ip dhcp snooping trust
      !

       

      Switch#show ip dhcp snooping
      Switch DHCP snooping is enabled
      DHCP snooping is configured on following VLANs:
      1
      DHCP snooping is operational on following VLANs:
      1
      DHCP snooping is configured on the following L3 Interfaces:

       

      Insertion of option 82 is enabled
         circuit-id format: vlan-mod-port
          remote-id format: MAC
      Option 82 on untrusted port is not allowed
      Verification of hwaddr field is enabled
      Verification of giaddr field is enabled
      DHCP snooping trust/rate is configured on the following Interfaces:

       

      Interface                    Trusted     Rate limit (pps)
      ------------------------     -------     ----------------
      FastEthernet0/48             yes         unlimited

       

      I don't get why the fa0/1 computer can't get an IP address...

      Thanks if you can enlighten me.

        • 1. Re: DHCP Snooping
          Nicolas MICHEL

          Hey guys!

          After some tests I can't figure out what I'm doing wrong... BTW all the interfaces are in the same VLAN, so I don't know why I'm getting this issue...

          PS: After disabling ip dhcp snooping, I can get an IP address... so my DHCP is OK.

          PS 2: After configuring all the other ports with the limit rate, they appear as untrusted in the show ip dhcp snooping, and now my PC can get an IP.

          Sorry for flooding the forum, but this topic can serve another student.

           

          Nicolas

          • 2. Re: DHCP Snooping
            Nicolas MICHEL

            OK, I got the point!!!

            Be aware, guys, that when you do a:

            ip dhcp snooping

            it will enable: ip dhcp snooping information option (DHCP relay option 82).

            And some DHCP servers do not accept Option 82... (no response)

            So here is the answer: no ip dhcp snooping information option

            Then my Wireshark shows me heaven!

             

            DHCP Discover (Broadcast)

            DHCP Offer (Unicast)

            DHCP Request (Broadcast)

            DHCP ACK (Unicast)

             

            WOOT! Got my answer

             

            HTH
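
An added example, not part of the original thread: a Python check that decodes Option 82 from a DHCP message taken from a capture, so you can confirm what the snooping switch inserted and whether giaddr was left at 0.0.0.0. The sub-option byte layouts assumed for the `vlan-mod-port` and `MAC` formats, the function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie (RFC 2131)

def tlv(buf, top_level=True):
    """Walk a code/length/value list into {code: value}."""
    out, i = {}, 0
    while i < len(buf):
        if top_level and buf[i] == 255:   # End option
            break
        if top_level and buf[i] == 0:     # Pad option has no length byte
            i += 1
            continue
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option")
        out[buf[i]] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return out

def inspect_dhcp(payload):
    """Report giaddr and decoded Option 82 for one DHCP message (UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts = tlv(payload[240:])
    res = {"giaddr": str(ipaddress.IPv4Address(payload[24:28])), "option82": None}
    if 82 in opts:
        sub = tlv(opts[82], top_level=False)   # RFC 3046 sub-options
        cid, rid = sub.get(1, b""), sub.get(2, b"")
        res["option82"] = info = {"circuit_id": cid.hex(), "remote_id": rid.hex()}
        # Assumed "vlan-mod-port" layout: 00 04 | VLAN (2 bytes) | module | port
        if len(cid) == 6 and cid[:2] == b"\x00\x04":
            info["vlan"], info["module"], info["port"] = struct.unpack("!HBB", cid[2:])
        # Assumed "MAC" remote-id layout: 00 06 | switch MAC (6 bytes)
        if len(rid) == 8 and rid[:2] == b"\x00\x06":
            info["switch_mac"] = rid[2:].hex(":")
    # Relay information added although no relay set giaddr
    res["opt82_with_zero_giaddr"] = 82 in opts and res["giaddr"] == "0.0.0.0"
    return res

def sample_discover(with_opt82):
    """Constructed DHCPDISCOVER from client 0000.0000.0001 (not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    hdr += bytes(16) + bytes.fromhex("000000000001") + bytes(10) + bytes(192)
    opts = b"\x35\x01\x01"                       # option 53 = DHCPDISCOVER
    if with_opt82:                               # VLAN 1, module 0, port 1
        cid = b"\x01\x06\x00\x04\x00\x01\x00\x01"
        rid = b"\x02\x08\x00\x06" + bytes.fromhex("00aabbccdd00")  # made-up MAC
        opts += bytes([82, len(cid + rid)]) + cid + rid
    return hdr + MAGIC + opts + b"\xff"
```

Feed `inspect_dhcp` the UDP payload of a DISCOVER captured on the server-facing port, once with the information option enabled and once after `no ip dhcp snooping information option`, and compare the two results.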

            • 3. Re: DHCP Snooping
              Andrea D'Orsi

              Hi Nicolas,

               

              Thank you for this post. I lost some days trying to understand why this happens... I have a 3550 with EMI IOS and I tried DHCP snooping, but it doesn't work... The problem was the same: the client can't get an IP address when DHCP snooping is working.

              I will try your solution ASAP.

              Best regards and... Merry Christmas!

               

              Andrea

              • 4. Re: DHCP Snooping
                Andrea D'Orsi

                You are right... GREAT! IT WORKS!