fpaulino
2 posts

Hi everyone,

Recently I have been doing some labs on DHCP snooping but I couldn't get it to work. The exact problem is that when I specify the trusted interface (where the DHCP server is), hosts don't get their IP from the server. I've tried ALL (or maybe not) but it just doesn't work as expected.

Here is the configuration I used:


version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ALS1
!
enable secret 5 $1$eQoF$tfl7RK0R8CBUyHkq5gnR40
!
username janedoe password 0 cisco
username johndoe password 0 cisco
username joesmith password 0 cisco
no aaa new-model
ip subnet-zero
no ip domain-lookup
!
ip dhcp snooping vlan 100,200
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0013.c3df.ae19
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0019.aa7d.e689
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 100
 ip dhcp snooping trust
!
interface FastEthernet0/6
 switchport mode dynamic desirable
!
interface FastEthernet0/7
 switchport mode dynamic desirable
!
interface FastEthernet0/8
 switchport mode dynamic desirable
!
interface FastEthernet0/9
 switchport mode dynamic desirable
!
interface FastEthernet0/10
 switchport mode dynamic desirable
!
interface FastEthernet0/11
 switchport mode dynamic desirable
!
interface FastEthernet0/12
 switchport mode dynamic desirable
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping limit rate 20
 ip dhcp snooping trust
!
interface FastEthernet0/14
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping limit rate 20
 ip dhcp snooping trust
!
interface FastEthernet0/15
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping limit rate 20
 ip dhcp snooping trust
!
interface FastEthernet0/16
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/17
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/22
 switchport mode dynamic desirable
!
interface FastEthernet0/23
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 ip address 172.16.1.101 255.255.255.0
!
ip default-gateway 172.16.1.1
ip classless
ip http server
ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 5 15
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
!
end

Ports fas0/1 - 5 were configured for VLAN 100 as you can see; the DHCP server was on port fas0/5, and the particular host from where I was doing my tests was on port fas0/3. As I said before, I have tried various things to get it to work but nothing has done the job. I also tried configuring it apart with only the DHCP snooping config but got the same thing, so I have started thinking this was an IOS bug or something in that manner, or maybe I'm missing something very simple.

This is the output of "debug ip dhcp snooping events" and "debug ip dhcp packets" (DHCP snooping config only, no port security):

=================================================================================
*Mar 1 00:12:02.919: DHCPSN: Found ingress pkt on Fa0/3 VLAN 100
*Mar 1 00:12:02.919: DHCPSN: DHCP packet being sent to PI snooping process
*Mar 1 00:12:02.919: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/3)
*Mar 1 00:12:02.919: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/3, MAC da: ffff.ffff.ffff, MAC sa: 0019.aa7d.e689, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0019.aa7d.e689
*Mar 1 00:12:02.919: DHCP_SNOOPING: add relay information option.
*Mar 1 00:12:02.919: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
*Mar 1 00:12:02.919: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
*Mar 1 00:12:02.919: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x2 0x2 0x8 0x0 0x6 0x0 0xE 0x83 0x16 0xF5 0x0
*Mar 1 00:12:02.919: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (100)
*Mar 1 00:12:02.919: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/5, vlan 100.do
*Mar 1 00:12:26.031: DHCPSN: Found ingress pkt on Fa0/3 VLAN 100
*Mar 1 00:12:26.031: DHCPSN: DHCP packet being sent to PI snooping process
*Mar 1 00:12:26.031: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/3)
*Mar 1 00:12:26.031: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/3, MAC da: ffff.ffff.ffff, MAC sa: 0019.aa7d.e689, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.u al0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0019.aa7d.e689
*Mar 1 00:12:26.031: DHCP_SNOOPING: add relay information option.
*Mar 1 00:12:26.031: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
*Mar 1 00:12:26.031: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
*Mar 1 00:12:26.031: DHCP_SNOOPING: binary dump of relay info option, length: 20 data: 0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x2 0x2 0x8 0x0 0x6 0x0 0xE 0x83 0x16 0xF5 0x0
*Mar 1 00:12:26.031: DHCP_SNOOPING_SW: bridlge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (100)
*Mar 1 00:12:26.031: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/5, vlan 100.
*Mar 1 00:12:29.915: DHCPSN: Found ingress pkt on Fa0/3 VLAN 100
*Mar 1 00:12:29.915: DHCPSN: DHCP packet being sent to PI snooping process
*Mar 1 00:12:29.915: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/3)
*Mar 1 00:12:29.915: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/3, MAC da: ffff.ffff.ffff, MAC sa: 0019.aa7d.e689, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.
All possible debugging has been turned off
Switch(config)#0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0019.aa7d.e689
*Mar 1 00:12:29.915: DHCP_SNOOPING: add relay information option.
*Mar 1 00:12:29.915: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
*Mar 1 00:12:29.915: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
*Mar 1 00:12:29.915: DHCP_SNOOPING: binary dump of relay info option, length: 20 data: 0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x2 0x2 0x8 0x0 0x6 0x0 0xE 0x83 0x16 0xF5 0x0
*Mar 1 00:12:29.915: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (100)
*Mar 1 00:12:29.919: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/5, vlan 100.
=================================================================================

Can somebody help with this plz?? I really want to know what's the bug here as it gives me a Not-So-Strong headache...lol

joshlowe
101 posts

From your debug output, it sure looks like the DISCOVER message is being sent to the DHCP server on fa0/5, but the server doesn't appear to be responding to the request (otherwise we would see it in the debug also, even if it was being blocked).

Have you tried plugging a host directly into your DHCP server to make sure that DHCP is configured correctly?

fpaulino
2 posts

Clear, this happens only with DHCP snooping enabled; once disabled it works OK. Also I've tried configuring it to trust the host port and it works, but that way doesn't make much sense. I labbed this here in the community lab; I will lab it again tomorrow to see what I can figure out. Thanks for the reply.

bky
1 post

I had this problem as well. Your dhcp client(s) (in my case, a Windows 7 host) didn't play well with the option-82 insertion. Try adding this to your configuration:

no ip dhcp snooping information option

sankilla
17 posts

This is the correct answer; however, it has nothing to do with Windows 7. It really has to do with the way 3560 switches handle the option 82 field. By default the 3560 inserts option 82 information with the giaddr field set to 0.0.0.0, and some DHCP servers and routers will not accept those packets.

SanKilla
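Added example (not code from anyone in this thread): a small Python decoder for the option 82 bytes in the "binary dump of relay info option" line of the first post, plus the giaddr check sankilla describes. The zero-based port numbering is inferred only from that dump and its Fa0/3 ingress line, and server_accepts models the described behaviour rather than any particular server's code.

```python
# Added example (not code from the thread): decode the option 82 bytes
# from the "binary dump of relay info option" debug line above, and the
# giaddr check sankilla describes.
from dataclasses import dataclass

# Copied from the debug output in the first post.
OPT82_DUMP = ("0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x64 0x0 0x2 0x2 0x8 0x0 0x6 "
              "0x0 0xE 0x83 0x16 0xF5 0x0")

@dataclass
class RelayAgentInfo:
    vlan: int
    module: int
    port: int            # raw byte as the switch encoded it, see note below
    remote_id_mac: str   # switch MAC in Cisco dotted notation

def decode_option82(dump: str) -> RelayAgentInfo:
    """Parse option 82 as the 3560 encodes it (CID vlan-mod-port, RID MAC)."""
    data = bytes(int(tok, 16) for tok in dump.split())
    if data[0] != 82:
        raise ValueError(f"not option 82, code {data[0]}")
    body = data[2:2 + data[1]]
    if len(body) != data[1]:
        raise ValueError("truncated option 82")
    subopts, i = {}, 0
    while i < len(body):                 # TLV walk over the sub-options
        code, sublen = body[i], body[i + 1]
        subopts[code] = body[i + 2:i + 2 + sublen]
        i += 2 + sublen
    # Sub-option 1, Circuit ID: type(1) len(1) vlan(2) module(1) port(1).
    # The dump ingressed on Fa0/3 yet carries port byte 2, so this switch
    # seems to count ports from 0 (inferred from the posted dump only).
    cid = subopts[1]
    # Sub-option 2, Remote ID: type(1) len(1) mac(6).
    rid = subopts[2]
    mac = ".".join(rid[k:k + 2].hex() for k in (2, 4, 6))
    return RelayAgentInfo(int.from_bytes(cid[2:4], "big"), cid[4], cid[5], mac)

def server_accepts(giaddr: str, has_option82: bool) -> bool:
    """A strict server or relay drops a packet that already carries option 82
    while giaddr is still 0.0.0.0 (no relay it can identify added it). With
    'no ip dhcp snooping information option' the switch adds nothing."""
    return not (has_option82 and giaddr == "0.0.0.0")

if __name__ == "__main__":
    print(decode_option82(OPT82_DUMP))
    print(server_accepts("0.0.0.0", True), server_accepts("0.0.0.0", False))
```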
