Occasional Contributor II

DHCP Snooping - Why would I want to protect all the configured VLANs

Hello,

 

I have the following DHCP snooping configuration on my Aruba 2930F 8-port switch:

2930F-SW01# show dhcp-snooping         

 DHCP Snooping Information

  DHCP Snooping              : Yes
  Enabled VLANs              : 1 12 14-16 18-19 71 75 80                                
  Verify MAC address         : Yes
  Option 82 untrusted policy : drop   
  Option 82 insertion        : Yes
  Option 82 remote-id        : mac      
  Store lease database       : Not configured

  Authorized Servers
  ------------------
  192.168.18.1      
 

                  Max     Current Bindings
   Port  Trust  Bindings  Static   Dynamic
  -----  -----  --------  ----------------
    2     Yes      -        -        -   
    3     No       -        1        -   

  Ports 1,4-10 are untrusted

and the static bindings:

2930F-SW01# show dhcp-snooping binding 


  MacAddress        IP              VLAN Interface Time Left
  ----------------- --------------- ---- --------- ---------
  b827eb-26bb60     192.168.18.2    18   3         static   
  b827eb-b94579     192.168.18.1    18   2         static   

One Raspberry Pi running the DHCP server is patched into interface 2, and another one, running the DNS server (Pi-Hole), is patched into interface 3.

 

With this configuration, a Linux PC (arch-laptop) patched into interface 1 cannot get a dynamically assigned IP address from the DHCP server. Below is an excerpt of the "isc-dhcp-server status" command:

Mar 29 14:36:22 dhcp-server dhcpd[1150]: DHCPDISCOVER from 00:50:b6:45:d4:4a (arch-laptop) via eth0.14
Mar 29 14:36:22 dhcp-server dhcpd[1150]: DHCPOFFER on 192.168.14.4 to 00:50:b6:45:d4:4a (arch-laptop) via eth0.14

So, the laptop is offered an IP which it doesn't want to acknowledge.

 

Now, just a bit of background: the DHCP server has scopes configured for VLANs 14-16, 71, and 75 (only these VLANs accommodate DHCP clients). The arch-laptop client is patched into interface 1 which is untagged for VLAN 14.

 

If I completely disable DHCP snooping on the switch, or if I disable it only for VLAN 14, the laptop happily gets and keeps the IP from the server.

 

To be honest, I am not really sure why DHCP snooping has to be configured on each VLAN intended to be protected. Could anyone tell me where I am wrong? There is no question that I AM wrong... (sorry if this has been discussed before).

 

Cheerio!
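
The symptom in the post above, a DHCPOFFER logged by the server with no DHCPREQUEST ever coming back, can be picked out of an ISC dhcpd log mechanically. The following is an added example, not part of the original thread; `stalled_clients` is a hypothetical helper, and every log line after the first two (including the second client and the 192.168.15.x addresses) is constructed.

```python
import re
from collections import defaultdict

# Matches ISC dhcpd syslog lines: message type, client MAC, receiving interface.
LINE = re.compile(
    r"dhcpd(?:\[\d+\])?: (DHCP[A-Z]+) .*?"
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}).*? via (\S+)",
    re.IGNORECASE,
)

# First two lines are from the post; the rest are constructed for illustration.
SAMPLE_LOG = """\
Mar 29 14:36:22 dhcp-server dhcpd[1150]: DHCPDISCOVER from 00:50:b6:45:d4:4a (arch-laptop) via eth0.14
Mar 29 14:36:22 dhcp-server dhcpd[1150]: DHCPOFFER on 192.168.14.4 to 00:50:b6:45:d4:4a (arch-laptop) via eth0.14
Mar 29 14:36:26 dhcp-server dhcpd[1150]: DHCPDISCOVER from 00:50:b6:45:d4:4a (arch-laptop) via eth0.14
Mar 29 14:36:26 dhcp-server dhcpd[1150]: DHCPOFFER on 192.168.14.4 to 00:50:b6:45:d4:4a (arch-laptop) via eth0.14
Mar 29 14:37:01 dhcp-server dhcpd[1150]: DHCPDISCOVER from 02:00:00:00:00:15 via eth0.15
Mar 29 14:37:02 dhcp-server dhcpd[1150]: DHCPOFFER on 192.168.15.20 to 02:00:00:00:00:15 via eth0.15
Mar 29 14:37:02 dhcp-server dhcpd[1150]: DHCPREQUEST for 192.168.15.20 (192.168.15.1) from 02:00:00:00:00:15 via eth0.15
Mar 29 14:37:02 dhcp-server dhcpd[1150]: DHCPACK on 192.168.15.20 to 02:00:00:00:00:15 via eth0.15
"""

def stalled_clients(log_text, min_offers=2):
    """Return {(mac, iface): offer_count} for clients that were sent at least
    min_offers DHCPOFFERs and never followed up with a DHCPREQUEST."""
    offers = defaultdict(int)
    requested = set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a dhcpd protocol line
        msg, key = m.group(1).upper(), (m.group(2).lower(), m.group(3))
        if msg == "DHCPOFFER":
            offers[key] += 1
        elif msg == "DHCPREQUEST":
            requested.add(key)
    # A single unanswered offer may still be in flight; repeated ones are not.
    return {k: n for k, n in offers.items()
            if n >= min_offers and k not in requested}

if __name__ == "__main__":
    for (mac, iface), n in stalled_clients(SAMPLE_LOG).items():
        print(f"{mac} on {iface}: {n} offers sent, no DHCPREQUEST seen")
```

A client flagged here is one whose offers are being lost between the server and the client, which is where a switch's snooping policy sits.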


All Replies
MVP Expert

Re: DHCP Snooping - Why would I want to protect all the configured VLANs

Which device is doing the DHCP relay? I’ve seen some issues in the past when using the authorized DHCP server option in the switches. It’s not required to specify the DHCP server IP address. It’s enough to trust the uplink. Can you try to remove the authorized DHCP server IPs?

Willem Bargeman ACMX#935 | ACCX #822

Occasional Contributor II

Re: DHCP Snooping - Why would I want to protect all the configured VLANs

Hi Willem,

 

Thanks for your feedback. There is no need for DHCP relay as both the DHCP server and the DHCP clients are patched into the same 2930F switch.

 

I did follow your advice and, with DHCP-snooping configured on the VLANs with DHCP clients, I removed the authorized DHCP server IP while preserving the trusted link:

 

no dhcp-snooping authorized-server 192.168.18.1
dhcp-snooping trust ethernet 2

It seems it's working.

 

Thanks!
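
A simplified model of the snooping decision for server messages, using the configuration from the first post, shows why the change above works and what each variant leaves exposed. This is an added example, not part of the original thread and not switch code; it follows the documented ArubaOS-Switch rule that, once authorized servers are configured, a server packet must arrive on a trusted port and carry a source address from that list. The source address 192.168.14.1 for offers on VLAN 14 and the rogue address 192.168.14.66 are assumptions; the thread does not show them.

```python
from dataclasses import dataclass, replace

SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass(frozen=True)
class Snooping:
    vlans: frozenset
    trusted_ports: frozenset
    authorized_servers: frozenset = frozenset()  # empty: any server on a trusted port

def verdict(cfg, port, vlan, msg, src_ip):
    """Return ("forward" | "drop", reason) for one DHCP packet (simplified:
    client-side checks such as MAC verification and Option 82 are not modelled)."""
    if vlan not in cfg.vlans:
        return "forward", "snooping not enabled on this VLAN"
    if msg not in SERVER_MSGS:
        return "forward", "client message"
    if port not in cfg.trusted_ports:
        return "drop", "server message on untrusted port"
    if cfg.authorized_servers and src_ip not in cfg.authorized_servers:
        return "drop", "source IP not in authorized-server list"
    return "forward", "server message on trusted port"

# Configuration as shown by "show dhcp-snooping" in the first post.
AS_POSTED = Snooping(
    vlans=frozenset({1, 12, 14, 15, 16, 18, 19, 71, 75, 80}),
    trusted_ports=frozenset({2}),
    authorized_servers=frozenset({"192.168.18.1"}),
)
# After "no dhcp-snooping authorized-server 192.168.18.1".
FIXED = replace(AS_POSTED, authorized_servers=frozenset())
# The earlier workaround: snooping disabled for VLAN 14 only.
VLAN14_OFF = replace(AS_POSTED, vlans=AS_POSTED.vlans - {14})

def scenarios():
    real = (2, 14, "OFFER", "192.168.14.1")    # assumed server address on VLAN 14
    rogue = (1, 14, "OFFER", "192.168.14.66")  # constructed rogue on untrusted port 1
    return {
        "as posted, real server": verdict(AS_POSTED, *real),
        "fixed, real server": verdict(FIXED, *real),
        "fixed, rogue server": verdict(FIXED, *rogue),
        "VLAN 14 off, rogue server": verdict(VLAN14_OFF, *rogue),
    }

if __name__ == "__main__":
    for name, (action, reason) in scenarios().items():
        print(f"{name:28s} {action:8s} {reason}")
```

Under these assumptions, trusting port 2 without an authorized-server list still drops offers arriving on untrusted ports, while excluding VLAN 14 from snooping lets them through.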


Re: DHCP Snooping - Why would I want to protect all the configured VLANs

What is the AOS-CX CLI equivalent for dhcp-snooping?

Thanks.


../smb/air
Occasional Contributor II

Re: DHCP Snooping - Why would I want to protect all the configured VLANs

I have just looked into the CLI Guide for ArubaOS-CX 10.03 and into the release notes for the same OS and I couldn't find any reference to DHCP snooping.

 

The Aruba 8400 switch I am running as VM has no command for DHCP snooping either.

 

I may be wrong but it looks like DHCP snooping is not implemented in ArubaOS-CX.

Occasional Contributor II

Re: DHCP Snooping - Why would I want to protect all the configured VLANs

Apparently DHCP snooping is coming to ArubaOS-CX in the next release: 10.4

MVP Guru Elite

Re: DHCP Snooping - Why would I want to protect all the configured VLANs

DHCP Snooping is more of an "Access" feature (and not a DC feature...)

 



ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP
Occasional Contributor II

Re: DHCP Snooping - Why would I want to protect all the configured VLANs

 

Hi,

Could you show me the "sh run" of the device on which you have configured the DHCP snooping? I want to configure it and I think I'm missing something.

My device is an Aruba 2930.

Regards and thank you very much.

Occasional Contributor II

Re: DHCP Snooping - Why would I want to protect all the configured VLANs

Hi,

 

I'm afraid I can't as I disabled the feature long ago.

 

# show dhcp-snooping 

 DHCP Snooping Information

  DHCP Snooping              : No 

Sorry about this.

Occasional Contributor II

Re: DHCP Snooping - Why would I want to protect all the configured VLANs

 

Hi,

 

I get it. And if I send you the configuration file of my switch, could you tell me if it's ok? If you can do it, you could send it to an email or where you tell me.

Greetings and thank you very much.

 

 
