Ip dhcp snooping on vlan
Hi,
I have the following configuration on my switch:
ALS1(config)# ip dhcp snooping
ALS1(config)# interface range fastethernet 0/7 - 12
ALS1(config-if-range)# ip dhcp snooping trust
ALS1(config-if-range)# exit
ALS1(config)# interface range fastethernet 0/15 - 24
ALS1(config-if-range)# ip dhcp snooping limit rate 20
ALS1(config-if-range)# exit
ALS1(config)# ip dhcp snooping vlan 100,200
My question is: why do we have to configure DHCP snooping on the VLAN if we have already configured it on the port?
Thanks
vish
I think it just gives you more flexibility, i.e. you may want to enable DHCP snooping but only for some VLANs.
If you are asking why you need to enable it globally and then per VLAN when you could just enable it per VLAN, I agree with what you are saying.
There are a number of other commands etc. that follow this line, i.e. enable it globally and then per VLAN or per interface etc.
I suspect it may be that enabling it globally sets up certain things needed on a system-wide, and not a per-VLAN or per-interface, basis, but I have wondered that myself sometimes :-)
Jon
Similar Messages
-
C2950 IOS for DHCP Snooping and DAI
Hi all,
Does anyone know what image I would need for my 2950 to enable DHCP snooping and DAI features (just for lab purposes)?
Or are these features only available on the bigger modular switches (4500 and 6500)?
>sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Fri 28-Jul-06 15:16 by weiliu
Image text-base: 0x80010000, data-base: 0x8056A000
Switch(config)#ip dhcp snooping ?
information DHCP Snooping information
vlan DHCP Snooping vlan
<cr>
Switch(config)#ip arp ?
% Unrecognized command
Hi Alain,
Thanks for this info! I've read you're CCNA Security.
Just curious, are you gonna write your CCNP Security soon?
Could you recommend a good lab switch for SECURE?
-
SGE2010P - DHCP Snooping - VLANs - Web GUI
Model: SGE2010P
FW: 3.0.0.18
In the web GUI:
Under DHCP Snooping ---> VLAN Settings
It does not allow you to enter a VLAN higher than 4092
I configured it to listen on VLAN 4094 via the CLI just fine.
I believe this should be fixed in the web GUI.
Yeah, I don't think I want to do that because of all the little troubleshooting steps they usually make me go through.
I buy high-end equipment so I can skip the simple stuff...they usually don't understand that.
I know it's a bug because I've already done the troubleshooting, I don't feel I should have to do the same stuff again.
I only make a call when absolutely necessary because I find the phone support for this product line very unsupportive.
At this level, I think I should get to skip the simple stuff.
If you can't submit a bug report that's fine, I'll just leave it at this.
It's no big deal, I just thought I'd let someone else know. -
Can I use DHCP snooping and IOS DHCP server on the same switch stack
Hello,
I am shortly going to be deploying a Cisco CallManager solution for a customer whose network comprises stacks of Catalyst 3850 switches.
There is no separate core/server farm switch so the CallManager servers, voice gateways and IP phones will all plug into the same stack and be in the same VLAN (not my choice!).
For security we want to enable DHCP snooping and were planning on using the IOS DHCP server on the Catalyst switch stack.
Will this work? - when I enable DHCP snooping in networks with separate access layer switches I set the uplinks to the core as trusted links.
I am not sure whether DHCP snooping will work in this case. Do I need to set the VLAN interface on the switch as trusted, is this even possible?
Unfortunately I do not have access to a layer 3 switch to test this at the moment.
Thanks
Nope. That's the issue.
They'll sync on a third device acting as a hotspot, but the device sending a signal is not "on" the network it creates so the airport is all by itself on that network. At least that is what it looks like to me. Anyone have another take on it? Seems pretty silly that an iPad can put out a wifi signal, an Airport Express can receive a wifi signal, and yet there is no simple way to get them to communicate under this particular condition. -
IP DHCP snooping, IP Source Guard, and DAI
Hi All,
I have configured DHCP snooping, IP Source Guard and Dynamic ARP Inspection on my 3560 and 3750 network switches.
On both of them I'm facing this issue (the printers and access points are configured to get IP addresses via DHCP): when the lease time expires, they don't get IP addresses and become unreachable,
while all other clients get their IP addresses normally.
Below you can find the configuration:
ip dhcp snooping vlan 98,105,111
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcpsnooping
ip dhcp snooping database write-delay 15
ip dhcp snooping
ip arp inspection vlan 98,105,111
ip verify trust on all access ports including printers and access point ports
all access ports are DHCP snooping untrusted
also when I create a static dhcp snooping binding record for these devices on the switch it resolves the Issue, but when I reload the switch it's removed automatically.
any resolution will be much appreciated.
regards,
Maher
Check the following links for configuration of DHCP snooping:
http://packetlife.net/blog/2010/aug/18/dhcp-snooping-and-dynamic-arp-inspection/
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html -
Hi,
I would like to DHCP snooping on the WLC.
Or a method to block DHCP pirate and authorized my DHCP.
Best Regards,
Julien Hernandez.
Here the client 192.168.0.0 :
-
How to synchronize between DHCP binding table and DHCP snooping table ?
I cleared the DHCP snooping table with the command "clear ip dhcp snooping binding", and the PC can't communicate with others any more. So how to synchronize between the DHCP binding table and the DHCP snooping table?
dhcp-test#sh ip dhcp bind
IP address Client-ID/ Lease expiration Type
Hardware address
99.1.65.32 0100.1125.353c.25 Mar 02 1993 01:05 AM Automatic
99.1.65.33 0100.1438.059f.85 Mar 02 1993 12:01 AM Automatic
dhcp-test#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
Total number of bindings: 0
thanks!
ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
Add binding entries to the DHCP snooping binding database. The vlan-id range is from 1 to 4904. The seconds range is from 1 to 4294967295.
Enter the above command for each entry that you add.
To delete the database agent or binding file, use the no ip dhcp snooping database interface configuration command. To reset the timeout or delay values, use the ip dhcp snooping database timeout seconds or the ip dhcp snooping database write-delay seconds global configuration command. To renew the database, use the renew ip dhcp snooping database privileged EXEC command. -
Catalyst 3750E's and DHCP Snooping
I am using on our perimeter Catalyst 3750E's and 4500 series switches and I have DHCP Snooping enabled. Each switch has redundant Layer 3 10Gb uplinks back to our Core/Distribution switches. We have a central DHCP server and each switch writes its snooping database back to a central TFTP server.
This was working fine until we upgraded our Active Directory domain to a 2008 domain, with our DHCP server now residing on a Windows 2008R2 server.
Since the upgrade, all 12 stacks of 3750E's will no longer write the DHCP snooping database.
show ip dhcp snooping database
Agent URL : tftp://<path>
Write delay Timer : 3600 seconds
Abort Timer : 300 seconds
Agent Running : No
Delay Timer Expiry : 17 (00:00:17)
Abort Timer Expiry : Not Running
Last Succeded Time : None
Last Failed Time : None
Last Failed Reason : No failure recorded.
Total Attempts : 0 Startup Failures : 0
Successful Transfers : 0 Failed Transfers : 0
Successful Reads : 0 Failed Reads : 0
Successful Writes : 0 Failed Writes : 0
Media Failures : 0
All of the 4500's (5 of them) however still work as they did prior to the upgrade.
show ip dhcp snooping database
Agent URL : tftp://<path>
Write delay Timer : 3600 seconds
Abort Timer : 60 seconds
Agent Running : No
Delay Timer Expiry : 2737 (00:45:37)
Abort Timer Expiry : Not Running
Last Succeded Time : 07:18:07 EDT Wed Jun 15 2011
Last Failed Time : None
Last Failed Reason : No failure recorded.
Total Attempts : 13 Startup Failures : 0
Successful Transfers : 13 Failed Transfers : 0
Successful Reads : 0 Failed Reads : 0
Successful Writes : 13 Failed Writes : 0
Media Failures : 0
Is this a software bug and has anybody else seen this after upgrading to a Windows 2008 AD domain?
Well, I found this:
When DHCP snooping is disabled and DAI is enabled, the switch shuts down all the hosts because all
ARP entries in the ARP table will be checked against a nonexistent DHCP database. When DHCP
snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny ARP packets
We don't do ARP ACLs.
Here is a little info on the setup on the 6500:
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs: Q,W,E,RT,TY,Y
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
Interface Trusted Rate limit (pps)
GigabitEthernetX/X yes unlimited
Port-channel yes unlimited
port config port-channel
ip arp inspection trust
ip dhcp snooping trust
2960 config
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:Q
Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 1111:1111:1111 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
Port-channel yes yes unlimited
port config
interface Port-channel
ip arp inspection trust
ip dhcp snooping trust -
Illegal dhcp (DHCP Snooping )
Hi,
In my network, where there is a DHCP server (I use DHCP relay on my layer 3 switch),
someone often connects a PC with an active DHCP service, and this produces a problem.
I read on cisco.com and found the documentation about how to fix this problem.
DHCP snooping is the solution.
The release on my Cisco 6509 with MSFC2 does not support this feature.
WHAT DO YOU THINK ABOUT IT ?
HAVE YOU A LINK WITH AN EXAMPLE OF ALTERNATIVE METHODS?
Thanks
FC
My versions are:
IOS (tm) MSFC2 Software (C6MSFC2-JSV-M), Version 12.1(11b)E4
in CAT OS
WS-C6509 Software, Version NmpSW: 7.6(8)
Step 1. (Permit DHCP response from host 1.2.3.4). "set security acl ip SERVER permit udp host 1.2.3.4 any eq 68"
Step 2. (Deny DHCP responses from any other host). "set security acl ip SERVER deny udp any any eq 68"
Step 3. (Permit other IP traffic). "set security acl ip SERVER permit any any"
Step 4.(Commit the VACL)."commit security acl SERVER"
Step 5.(Map the VACL to VLAN 10 for example). "set security acl map SERVER 10"
WHAT DO YOU THINK ABOUT MY CONFIGURATION?
Thanks
FC -
I am setting up DHCP snooping for the first time on a 3750. My DHCP server resides on another switch. The 3750 is connected through a Gig SFP fiber to a 3550 with DHCP relay.
Is the following config correct? The client will not get a DHCP address with option 82 enabled.
(config)#ip dhcp snooping
(config)#ip dhcp snooping vlan 2-200
(config)#no ip dhcp snooping info option
!The client will not get an ip with
!this option enabled.
! trusted interface connected to the 3550
(config)#int gi1/0/4
(config-if)#ip dhcp trust
! untrusted interface
(config-if)#ip dhcp limit rate 100
(config)#ip dhcp snooping database flash:/database1
(config)#ip dhcp snooping database timeout 30
(config)#ip dhcp snooping database write-delay 30
Have you enabled option 82 on your DHCP server? Also, on your DHCP relay switch, configure the following under the VLAN interface in question and see if it makes any difference.
Example:
c3550-A(config)#int vlan 1
c3550-A(config-if)#ip dhcp relay information trusted ? -
[solved] DHCP snooping in environment with core and access switches
Hello,
I'd like to know what steps are needed to configure DHCP snooping in my environment:
1) two core switches Catalyst 6500 (VSS): VLAN defined here, DHCP server connected here
2) access switches Catalyst 3750: clients connected here
Access switches are connected to core ones via trunk ports (fiber optics).
How many snooping databases are required? One for core and next for each stack?
Hi Marian,
If your network is properly designed and connected so that clients, including DHCP clients, are attached to the access layer switches, then the DHCP Snooping should be run only on access switches. Running DHCP Snooping on core switches is not going to increase the security because the DHCP communication has already been sanitized on the access layer.
If you intend to save the DHCP Snooping database then each switch performing the DHCP Snooping needs to have its own database if you intend to use a persistent storage for it. However, you can always have the switch to save the database to its own FLASH, alleviating the need for a centralized networked storage.
I am not sure if this answers your question so please feel welcome to ask further.
Best regards,
Peter -
In some cases with DHCP snooping enabled, the switch can cause a DHCP request to be blocked.
This appears to be a corner case but it has happened to me with two different pieces of hardware in two different scenarios.
First, I have a printer on a VLAN where other computers can get an IP address fine but when DHCP snooping is enabled, the printer is unable to obtain an IP.
Second, I created a separate VLAN for an isolated network and enabled DHCP snooping on that VLAN. A modem was hooked up to one port and added as a trusted interface. A computer was hooked up to another port and with DHCP snooping enabled, the computer was unable to obtain an IP address.
In both cases, the DHCP snooping binding table shows an IP of 0.0.0.0 for the port with a very low renew time (~100sec). Also, as soon as I disabled DHCP snooping for either of the above VLANs, the devices are able to obtain IP address. It appears that the DHCP OFFER is never making its way back to the device with DHCP snooping enabled.
Nah,
I think it has something to do with MAC addresses that don't start with 00.
Just a hunch though.
I know they will never fix it and I have moved on.
I guess it's the "quality" you should expect for Cisco Small Biz. -
Hello,
We have a 2960 48 port switch in a remote office with a couple of VLANs (VOIP & Data). The L3 routing is provided via the WAN router and acts as a 'router on a stick' and provides DHCP for both VLANs.
I need to enable DHCP snooping and I have issued the 'ip dhcp snooping trust' on the router port but not for the access ports. I have then added 'ip dhcp snooping' to the switch but not 'ip dhcp snooping vlan x , x' as I was hoping the ip dhcp snooping bindings database would start to fill up after a few days but it hasn't.
If I add 'ip dhcp snooping vlan x , x' I think the users will get issues as there is no database, what should I do as the router is doing the DHCP.
Thanks
You need to identify the vlans where snooping should be implemented using:
ip dhcp snooping vlan #
The default allows dhcp requests on untrusted ports. -
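The state described in this question (snooping enabled globally, router port trusted, no VLAN listed) can be caught by checking a saved configuration offline. The script below is an added example, not part of the original posts; the sample config, interface names and VLAN IDs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample matching the question above: snooping is enabled
# globally and the router port is trusted, but no VLAN is listed.
# Interface names and VLAN IDs are assumptions.
SAMPLE_CONFIG = """\
ip dhcp snooping
!
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport voice vlan 20
!
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '2-4,100' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_snooping(config):
    """Return (snooped_vlans, trusted_ports, findings) for one config."""
    enabled, vlans, trusted, findings, iface = False, set(), [], [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif not line.startswith(" "):
            iface = None  # back at global configuration level
        text = line.strip()
        vlan_cmd = re.fullmatch(r"ip dhcp snooping vlan ([\d,\- ]+)", text)
        if text == "ip dhcp snooping":
            enabled = True
        elif vlan_cmd:
            vlans |= expand_vlans(vlan_cmd.group(1))
        elif text == "ip dhcp snooping trust" and iface:
            trusted.append(iface)
    if not enabled:
        findings.append("global 'ip dhcp snooping' is missing")
    if not vlans:
        findings.append("no 'ip dhcp snooping vlan' line: nothing is snooped")
    if vlans and not trusted:
        findings.append("no trusted port: DHCP server replies are dropped")
    return vlans, trusted, findings
```

Running `audit_snooping` on the output of `show running-config` from each access switch gives the snooped VLANs and trusted ports to compare against the intended design.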
FS300-24s, Enable IP DHCP Snooping
Hi everyone,
I have 5 sites with FS300-24 and I have a big problem with DHCP.
On the Catalyst switches it is easy to enable DHCP snooping and configure "trusted" DHCP ports.
Is there a way to configure this on fs300-24?
Any help would be appreciated.
Albert
Hello
1) requires to activate ip dhcp snooping then ip dhcp snooping vlan xx - Completed
2) if applied to one switch with uplinks switches, then the uplink switch will require snooping enabled also and its trunk links trusted ONLY if the dhcp server is originating from the uplink switch.- Completed
3) if dhcp server is attached to the same switch as the snooping database then just trust
the interface where the server is situated - Completed
FYI - As long as interfaces are trusted the snooping database does nothing else.
It listens on the untrusted ports and snoops the ip & macs.
Snooping database WILL NOT be populated with existing clients,
it will populate next time dhcp renews
res
Paul -
LAN was down ie Users are not getting ip from DHCP server after enabling DHCP snooping
Hi All ,
Enclosed file has network connectivity diagram.
1. L3 vlan's ie 2,3,4,5 and 6 are configured on ACC-CR1 and ACC-CR2.
2. Trunk is configured between Core switches (CR1 and CR2) and access switches. VTP mode is transparent on all switches. L2 vlans are configured on all access switches.
3. DHCP server is located at different location and is reachable over MPLS.
Without enabling dhcp snooping , users connected to access switches (Sw1,sw2,sw3 and Sw4 ) are getting ip address from DHCP server without any problem and everything is working fine.
But users connected to Sw3 and Sw4 are getting ip address from rogue DHCP server which is not pingable from any one of the switch.
So we have configured DHCP snooping for all vlan's on CR1 , CR2 , SW3 and SW4 and "trusted uplink ports" which are connected to WAN routers from CR1 and CR2 and also "trusted uplink ports " of Sw3 and Sw4 which are connected to CR1 and CR2.
As soon we have enabled DHCP snooping and trusted respective uplink ports , users are not getting ip address from remote DHCP server and even users connected to Sw1 and SW2 are facing same issue.
Note : DHCP snooping is not configured on SW1 and SW2.
Why users are not getting ip address from remote DHCP server as soon as we enabled dhcp snooping on Core switches and two access switches ie sw3 and sw4 ? what could have caused DHCP packets to be dropped ? Any idea would be appreciated.
Hi,
as you say: "HSRP is configured between CR1 and CR2 and Vlans are active on CR1" does it mean there are L3 interfaces configured in each VLAN on your CR switches and ip helper-address pointing to the remote DHCP server is configured on each of them?
I know it's difficult in a productive environment but IMHO you need to find out where are the DHCP offers dropped.
Either by enabling DHCP debugging or by capturing packets via Wireshark, e.g.
Best regards,
Milan