DHCP Snooping - Why would I want to protect all the configured VLANs

  • 1.  DHCP Snooping - Why would I want to protect all the configured VLANs

    Posted Mar 29, 2019 10:59 AM

    Hello,

    I have the following DHCP snooping configuration on my Aruba 2930F 8-port switch:

    2930F-SW01# show dhcp-snooping         
    
     DHCP Snooping Information
    
      DHCP Snooping              : Yes
      Enabled VLANs              : 1 12 14-16 18-19 71 75 80                                
      Verify MAC address         : Yes
      Option 82 untrusted policy : drop   
      Option 82 insertion        : Yes
      Option 82 remote-id        : mac      
      Store lease database       : Not configured
    
      Authorized Servers
      ------------------
      192.168.18.1      
     
    
                      Max     Current Bindings
       Port  Trust  Bindings  Static   Dynamic
      -----  -----  --------  ----------------
        2     Yes      -        -        -   
        3     No       -        1        -   
    
      Ports 1,4-10 are untrusted

    and the static bindings:

    2930F-SW01# show dhcp-snooping binding 
    
    
      MacAddress        IP              VLAN Interface Time Left
      ----------------- --------------- ---- --------- ---------
      b827eb-26bb60     192.168.18.2    18   3         static   
      b827eb-b94579     192.168.18.1    18   2         static   

    One Raspberry Pi running the DHCP server is patched into interface 2, and another one, running the DNS server (Pi-Hole), is patched into interface 3.

    With this configuration, a Linux PC (arch-laptop) patched into interface 1 cannot get a dynamically assigned IP address from the DHCP server. Below is an excerpt of the "isc-dhcp-server status" command:

    Mar 29 14:36:22 dhcp-server dhcpd[1150]: DHCPDISCOVER from 00:50:b6:45:d4:4a (arch-laptop) via eth0.14
    Mar 29 14:36:22 dhcp-server dhcpd[1150]: DHCPOFFER on 192.168.14.4 to 00:50:b6:45:d4:4a (arch-laptop) via eth0.14

    So, the laptop is offered an IP which it doesn't want to acknowledge.

    Now, just a bit of background: the DHCP server has scopes configured for VLANs 14-16, 71, and 75 (only these VLANs accommodate DHCP clients). The arch-laptop client is patched into interface 1 which is untagged for VLAN 14.

    If I completely disable DHCP snooping on the switch, or if I disable it only for VLAN 14, the laptop happily gets, and keeps the IP from the server.

    To be honest, I am not really sure why the DHCP snooping has to be configured on each VLAN intended to be protected. Could anyone tell me where I am wrong? There is no question that I AM wrong... (sorry if this has been discussed before).

    Cheerio!



  • 2.  RE: DHCP Snooping - Why would I want to protect all the configured VLANs
    Best Answer

    Posted Apr 11, 2019 04:32 PM
    Which device is doing the DHCP relay? I've seen some issues in the past when using the authorized DHCP server option in the switches. It's not required to specify the DHCP server IP address. It's enough to trust the uplink. Can you try to remove the authorized DHCP server IPs?


  • 3.  RE: DHCP Snooping - Why would I want to protect all the configured VLANs

    Posted Apr 16, 2019 10:58 AM

    Hi Willem,

    Thanks for your feedback. There is no need for DHCP relay as both the DHCP server and the DHCP clients are patched into the same 2930F switch.

    I did follow your advice and, with DHCP snooping configured on the VLANs with DHCP clients, I removed the authorized DHCP server IP while preserving the trusted link:

    no dhcp-snooping authorized-server 192.168.18.1
    dhcp-snooping trust ethernet 2

    It seems it's working.

    Thanks!
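A simplified model of the snooping verdict, added here as an example and not code from the thread or from HPE Aruba: it shows why an authorized-server list keyed on a single address can drop offers that a multi-VLAN server sends from a different sub-interface address, and why trusting the uplink port alone still drops offers arriving on untrusted ports. The server's VLAN 14 address (192.168.14.1) and the rogue-offer scenario are constructed assumptions; the VLAN list, trusted port and authorized server come from the poster's output.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingPolicy:
    """Simplified model of a DHCP snooping decision (assumption: not the 2930F's actual code)."""
    enabled_vlans: set            # VLANs on which snooping inspects DHCP frames
    trusted_ports: set            # ports allowed to source server messages
    authorized_servers: set = field(default_factory=set)  # empty set = no server-IP filter

    def verdict(self, vlan, in_port, server_msg, src_ip):
        """server_msg is True for OFFER/ACK/NAK (BOOTREPLY), False for client messages."""
        if vlan not in self.enabled_vlans:
            return "forward (VLAN not snooped)"
        if not server_msg:
            return "forward (client message)"
        if in_port not in self.trusted_ports:
            return "drop (server message on untrusted port)"
        if self.authorized_servers and src_ip not in self.authorized_servers:
            return "drop (server IP not in authorized list)"
        return "forward"


# Poster's original configuration: enabled VLANs, trusted port 2, authorized server 192.168.18.1.
BEFORE = SnoopingPolicy({1, 12, 14, 15, 16, 18, 19, 71, 75, 80}, {2}, {"192.168.18.1"})
# After the fix from the thread: authorized server removed, port 2 still trusted.
AFTER = SnoopingPolicy(BEFORE.enabled_vlans, BEFORE.trusted_ports)

# Assumption (constructed): the server's eth0.14 sub-interface uses 192.168.14.1.
# The thread only shows the server offering 192.168.14.4 via eth0.14, not its own address.
SERVER_IP_VLAN14 = "192.168.14.1"


def offer_to_laptop(policy):
    """DHCPOFFER for arch-laptop: enters the switch on trusted port 2, VLAN 14, from the VLAN 14 address."""
    return policy.verdict(vlan=14, in_port=2, server_msg=True, src_ip=SERVER_IP_VLAN14)


def rogue_offer(policy):
    """Constructed case: an OFFER arriving on untrusted port 4 must be dropped under either policy."""
    return policy.verdict(vlan=14, in_port=4, server_msg=True, src_ip="192.168.14.250")


if __name__ == "__main__":
    for name, pol in (("before fix", BEFORE), ("after fix", AFTER)):
        print(f"{name}: laptop offer -> {offer_to_laptop(pol)}; rogue offer -> {rogue_offer(pol)}")
```

Under this model the laptop's offer is dropped only while the authorized-server list names an address the server does not use on VLAN 14, which matches the symptom (offer logged by dhcpd, never acknowledged by the client) and the fix.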



  • 4.  RE: DHCP Snooping - Why would I want to protect all the configured VLANs

    Posted Sep 21, 2019 10:13 AM

    What is the AOS-CX CLI equivalent for dhcp-snooping?

    Thanks.



  • 5.  RE: DHCP Snooping - Why would I want to protect all the configured VLANs

    Posted Sep 23, 2019 09:21 AM

    I have just looked into the CLI Guide for ArubaOS-CX 10.03 and into the release notes for the same OS and I couldn't find any reference to DHCP snooping.

    The Aruba 8400 switch I am running as a VM has no command for DHCP snooping either.

    I may be wrong, but it looks like DHCP snooping is not implemented in ArubaOS-CX.



  • 6.  RE: DHCP Snooping - Why would I want to protect all the configured VLANs

    Posted Sep 23, 2019 12:52 PM

    Apparently DHCP snooping is coming to ArubaOS-CX in the next release: 10.4



  • 7.  RE: DHCP Snooping - Why would I want to protect all the configured VLANs

    MVP GURU
    Posted Sep 24, 2019 06:39 PM

    DHCP Snooping is more of an "Access" feature (and not a DC feature...)



  • 8.  RE: DHCP Snooping - Why would I want to protect all the configured VLANs

    Posted Jan 30, 2020 10:50 AM

    Hi,

    Could you show me the "sh run" of the device on which you have configured the DHCP snooping? I want to configure it and I think I'm missing something.

     My device is an Aruba 2930.

    Regards and thank you very much.



  • 9.  RE: DHCP Snooping - Why would I want to protect all the configured VLANs
    Best Answer

    Posted Jan 30, 2020 12:34 PM

    Hi,

    I'm afraid I can't as I disabled the feature long ago.

    # show dhcp-snooping 
    
     DHCP Snooping Information
    
      DHCP Snooping              : No 

    Sorry about this.



  • 10.  RE: DHCP Snooping - Why would I want to protect all the configured VLANs

    Posted Jan 30, 2020 06:27 PM

    Hi,

    I get it. And if I send you the configuration file of my switch, could you tell me if it's OK? If you can do it, you could send it to an email address or wherever you tell me.

    Greetings and thank you very much.



  • 11.  RE: DHCP Snooping - Why would I want to protect all the configured VLANs

    Posted Feb 01, 2020 05:46 AM

    You would get more help from the community if you open a new thread describing your specific issue, but if you want, you can send me a private message with your enquiry, although I can't promise a quick reply.