Wired Networks

What is DHCP snooping and how to enable it?

Introduction :

 

DHCP snooping is a feature that allows an Aruba Mobility Switch to inspect DHCP traffic traversing its switch ports.

Uses:

1. It can be used for general address allocation troubleshooting.
2. It supports security features such as IP Source Guard and Dynamic ARP Inspection.

 

Environment : This article applies to all Aruba Mobility Switches with code versions 7.3 and above.

 

Configuration Steps :

 

1. Create a dhcp-snooping profile:

(ArubaS2500-24P) #configure t
(ArubaS2500-24P) (config) #vlan-profile dhcp-snooping-profile new
(ArubaS2500-24P) (dhcp-snooping-profile "new") #enable
(ArubaS2500-24P) (dhcp-snooping-profile "new") #exit

(ArubaS2500-24P) (config) #show vlan-profile dhcp-snooping-profile new
dhcp-snooping-profile "new"
---------------------------
Parameter      Value
---------      -----
DHCP Snooping  Enabled

2. Enable it on a VLAN:

(ArubaS2500-24P) (config) #vlan 1
(ArubaS2500-24P) (VLAN "1") #dhcp-snooping-profile new
(ArubaS2500-24P) (VLAN "1") #exit


Note: The DHCP snooping profile is mapped under "vlan 1" (VLAN configuration mode). Under "interface vlan 1" there is no option for DHCP snooping:

(ArubaS2500-24P) #configure t
Enter Configuration commands, one per line. End with CNTL/Z

(ArubaS2500-24P) (config) #interface vlan 1          -------------> command not available here
(ArubaS2500-24P) (vlan "1") #?
clone                        Copy data from another vlan
description                Interface description
dhcp-relay-profile     Apply DHCP relay profile to interface
igmp-profile               Apply IGMP profile to interface
ip                               Interface internet protocol commands
ipv6                           Interface internet protocol v6 commands
mtu                            Set MTU on interface between 1400 and 1570
no                              Delete Command
ospf-profile               Apply OSPF profile to interface
pim-profile                 Apply PIM profile to interface
session-processing  Enable session processing on this interface
shutdown                  Enable or disable interface
vrrp-profile                 Apply VRRP profile to interface

(ArubaS2500-24P) (vlan "1") #
(ArubaS2500-24P) (vlan "1") #exit
(ArubaS2500-24P) (config) #
(ArubaS2500-24P) (config) #vlan 1          ------------------------->command is available here
(ArubaS2500-24P) (VLAN "1") #?
aaa-profile                          VLAN AAA profile
clone                                   Copy data from another VLAN
description                           VLAN description
dhcp-snooping-database    Add Static Snoop mac entry
dhcp-snooping-profile   dhcp snooping profile name
igmp-snooping-profile           igmp snooping profile name
mac-address-table               Configure the MAC address table
mac-aging-time                     Mac Aging Time in Minutes
mld-snooping-profile             mld snooping profile name
no                                          Delete Command
pvst-profile                           per vlan rapid spanning tree profile name



3. We can also add an entry to the DHCP snooping table manually:

(ArubaS2500-24P) (config) #vlan 1
(ArubaS2500-24P) (VLAN "1") #dhcp-snooping-database 00:00:00:00:00:01 gigabitethernet 0/0/20 10.1.1.100
(ArubaS2500-24P) (VLAN "1") #exit
(ArubaS2500-24P) (config) #exit
(ArubaS2500-24P) #show dhcp-snooping-database

Total DHCP Snoop Entries : 2
Learnt Entries : 1, Static Entries : 1

DHCP Snoop Table
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
00:00:00:00:00:01  10.1.1.100  Static entry   No lease time              1        gigabitethernet0/0/20
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 19:33:01 (PST)  1        gigabitethernet0/0/20

(ArubaS2500-24P) #


4. To remove an entry:

(ArubaS2500-24P) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(ArubaS2500-24P) (config) #vlan 1
(ArubaS2500-24P) (VLAN "1") #no dhcp-snooping-database 00:00:00:00:00:01 gigabitethernet 0/0/20 10.1.1.100
(ArubaS2500-24P) (VLAN "1") #no dhcp-snooping-database f0:1f:af:52:44:09 gigabitethernet 0/0/20  10.1.1.251
Error: Static DHCP Snoop entry doesn't exist


(ArubaS2500-24P) (config) #show dhcp-snooping-database
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 19:33:01 (PST)  1        gigabitethernet0/0/20


Note: We can only remove a static entry, not a dynamically learned entry.

 

 

Verification :

To verify, execute the following command:


(ArubaS2500-24P) #show dhcp-snooping-database
Total DHCP Snoop Entries : 1
Learnt Entries : 1, Static Entries : 0
DHCP Snoop Table
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 19:33:01 (PST)  1        gigabitethernet0/0/20
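
The binding table shown above can also be reviewed offline from saved CLI output. The following Python example is added here and is not Aruba code or part of the original article; it parses `show dhcp-snooping-database` output in the format shown on this page, and the function names, the per-port limit and the embedded sample text are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample in the 'show dhcp-snooping-database' format shown in this article.
SAMPLE = """\
Total DHCP Snoop Entries : 2
Learnt Entries : 1, Static Entries : 1

DHCP Snoop Table
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
00:00:00:00:00:01  10.1.1.100  Static entry   No lease time              1        gigabitethernet0/0/20
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 19:33:01 (PST)  1        gigabitethernet0/0/20
"""

ROW = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<state>Static|Dynamic) entry\s+(?P<lease>.+?)\s+(?P<vlan>\d+)\s+(?P<port>\S+)\s*$")
COUNTS = re.compile(r"Learnt Entries\s*:\s*(\d+),\s*Static Entries\s*:\s*(\d+)")

def parse_bindings(text):
    """Return (rows, declared) where declared is the header's per-state count, or None."""
    rows = [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]
    c = COUNTS.search(text)
    declared = {"Dynamic": int(c.group(1)), "Static": int(c.group(2))} if c else None
    return rows, declared

def audit(text, max_macs_per_port=1):  # hypothetical review policy, not a switch feature
    rows, declared = parse_bindings(text)
    findings = []
    seen = {s: sum(r["state"] == s for r in rows) for s in ("Dynamic", "Static")}
    if declared and declared != seen:  # truncated capture or rows that failed to parse
        findings.append(f"count mismatch: header {declared}, parsed {seen}")
    by_ip, by_port = defaultdict(set), defaultdict(set)
    for r in rows:
        by_ip[(r["vlan"], r["ip"])].add(r["mac"].lower())
        by_port[r["port"]].add(r["mac"].lower())
        if r["state"] == "Static":  # manually configured entry with no lease time
            findings.append(f"static binding to review: {r['mac']} {r['ip']} on {r['port']}")
    for (vlan, ip), macs in by_ip.items():
        if len(macs) > 1:
            findings.append(f"IP {ip} in VLAN {vlan} is bound to {len(macs)} MACs")
    for port, macs in by_port.items():
        if len(macs) > max_macs_per_port:
            findings.append(f"{port} has {len(macs)} bindings (limit {max_macs_per_port})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Raise `max_macs_per_port` for ports that legitimately carry several clients, such as an uplink to another switch.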

 

Troubleshooting :

 

To make sure DHCP snooping is working correctly:

1. Confirm that the client is using DHCP.
2. Make sure that the port belongs to the correct VLAN.
3. Verify that the VLAN has a DHCP snooping profile mapped to it.

 

 

Version History
Revision #: 1 of 1
Last update: 07-08-2014 04:17 PM