Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor II

DHCP Snooping - Why would I want to protect all the configured VLANs

Hello,

I have the following DHCP snooping configuration on my Aruba 2930F 8-port switch:

2930F-SW01# show dhcp-snooping         

 DHCP Snooping Information

  DHCP Snooping              : Yes
  Enabled VLANs              : 1 12 14-16 18-19 71 75 80                                
  Verify MAC address         : Yes
  Option 82 untrusted policy : drop   
  Option 82 insertion        : Yes
  Option 82 remote-id        : mac      
  Store lease database       : Not configured

  Authorized Servers
  ------------------
  192.168.18.1      

                  Max     Current Bindings
   Port  Trust  Bindings  Static   Dynamic
  -----  -----  --------  ----------------
    2     Yes      -        -        -   
    3     No       -        1        -   

  Ports 1,4-10 are untrusted

and the static bindings:

2930F-SW01# show dhcp-snooping binding 


  MacAddress        IP              VLAN Interface Time Left
  ----------------- --------------- ---- --------- ---------
  b827eb-26bb60     192.168.18.2    18   3         static   
  b827eb-b94579     192.168.18.1    18   2         static   

One Raspberry Pi running the DHCP server is patched into interface 2, and another one, running the DNS server (Pi-Hole), is patched into interface 3.

With this configuration, a Linux PC (arch-laptop) patched into interface 1 cannot get a dynamically assigned IP address from the DHCP server. Below is an excerpt of the "isc-dhcp-server status" command:

Mar 29 14:36:22 dhcp-server dhcpd[1150]: DHCPDISCOVER from 00:50:b6:45:d4:4a (arch-laptop) via eth0.14
Mar 29 14:36:22 dhcp-server dhcpd[1150]: DHCPOFFER on 192.168.14.4 to 00:50:b6:45:d4:4a (arch-laptop) via eth0.14

So, the laptop is offered an IP which it doesn't want to acknowledge.

Now, just a bit of background: the DHCP server has scopes configured for VLANs 14-16, 71, and 75 (only these VLANs accommodate DHCP clients). The arch-laptop client is patched into interface 1 which is untagged for VLAN 14.

If I completely disable DHCP snooping on the switch, or if I disable it only for VLAN 14, the laptop happily gets, and keeps, the IP from the server.

To be honest, I am not really sure why the DHCP snooping has to be configured on each VLAN intended to be protected. Could anyone tell me where I am wrong? There is no question that I AM wrong... (sorry if this has been discussed before).

Cheerio!

Super Contributor I

Re: DHCP Snooping - Why would I want to protect all the configured VLANs

Which device is doing the DHCP relay? I've seen some issues in the past when using the authorized DHCP server option in the switches. It's not required to specify the DHCP server IP address. It's enough to trust the uplink. Can you try to remove the authorized DHCP server IPs?

Willem Bargeman ACMX#935 | ACCX #822

Occasional Contributor II

Re: DHCP Snooping - Why would I want to protect all the configured VLANs

Hi Willem,

Thanks for your feedback. There is no need for DHCP relay as both the DHCP server and the DHCP clients are patched into the same 2930F switch.

I did follow your advice and, with DHCP snooping configured on the VLANs with DHCP clients, removed the authorized DHCP server IP while preserving the trusted link:

no dhcp-snooping authorized-server 192.168.18.1
dhcp-snooping trust ethernet 2

It seems it's working.

Thanks!
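As an added illustration of the behaviour the two replies above rely on (this is not code from either poster or from the switch), the following Python toy models the DHCP snooping forwarding decision of an ArubaOS-Switch: server messages (OFFER/ACK/NAK) are accepted only from trusted ports; once an authorized-server list exists, server messages from any other source IP are dropped even on a trusted port; on untrusted ports, a client packet that already carries Option 82 is dropped under the "drop" policy, and chaddr must match the frame's source MAC when "verify MAC address" is on. The port, VLAN, MAC and authorized-server values are taken from the thread; the assumption that the server answers on eth0.14 from a VLAN 14 address (192.168.14.1 below) is mine, since the dhcpd log shows the interface but not the source IP of the OFFER, and the rogue-server packet is constructed.

```python
"""Toy model of the DHCP snooping forwarding decision discussed in this thread.

Added illustration, not the switch's code. It encodes the ArubaOS-Switch rules
the replies rely on:
  * OFFER/ACK/NAK are accepted only from trusted ports;
  * once any authorized-server is configured, server messages whose source IP
    is not in the list are dropped even on a trusted port;
  * on untrusted ports, a client message is dropped when the Option 82
    untrusted policy is "drop" and the packet already carries Option 82, or
    when "verify MAC address" is on and chaddr differs from the source MAC.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class SnoopingConfig:
    enabled_vlans: Set[int]
    trusted_ports: Set[int]
    authorized_servers: Set[str] = field(default_factory=set)
    verify_mac: bool = True
    option82_untrusted_policy: str = "drop"  # drop | keep | replace


@dataclass
class DhcpPacket:
    msg_type: str        # DISCOVER/REQUEST/... or OFFER/ACK/NAK
    vlan: int
    in_port: int
    src_mac: str         # Ethernet source address
    src_ip: str          # IP source address
    chaddr: str          # client hardware address inside the DHCP payload
    has_option82: bool = False


def decide(cfg: SnoopingConfig, pkt: DhcpPacket) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one DHCP packet."""
    if pkt.vlan not in cfg.enabled_vlans:
        return "forward", "snooping not enabled on this VLAN"
    trusted = pkt.in_port in cfg.trusted_ports
    if pkt.msg_type in SERVER_MSGS:
        if not trusted:
            return "drop", "server message on untrusted port"
        if cfg.authorized_servers and pkt.src_ip not in cfg.authorized_servers:
            return "drop", "source %s is not an authorized server" % pkt.src_ip
        return "forward", "server message from trusted port"
    if trusted:
        return "forward", "client message on trusted port"
    if cfg.verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
        return "drop", "chaddr does not match frame source MAC"
    if pkt.has_option82 and cfg.option82_untrusted_policy == "drop":
        return "drop", "Option 82 already present on untrusted port"
    return "forward", "client message on untrusted port"


def thread_config(authorized: Set[str]) -> SnoopingConfig:
    """The 2930F settings from the first post, parameterised on the authorized list."""
    return SnoopingConfig(
        enabled_vlans={1, 12, 14, 15, 16, 18, 19, 71, 75, 80},
        trusted_ports={2},
        authorized_servers=set(authorized),
    )


LAPTOP_MAC = "00:50:b6:45:d4:4a"   # arch-laptop, from the dhcpd log in the thread
SERVER_MAC = "b8:27:eb:b9:45:79"   # Pi on port 2, from the binding table


def laptop_exchange(authorized: Set[str]) -> Dict[str, str]:
    """DISCOVER from port 1 (VLAN 14) and the OFFER coming back in on port 2."""
    cfg = thread_config(authorized)
    discover = DhcpPacket("DISCOVER", 14, 1, LAPTOP_MAC, "0.0.0.0", LAPTOP_MAC)
    # ASSUMPTION: the server answers on eth0.14 from a VLAN 14 address; the
    # thread shows the OFFER leaving "via eth0.14" but not its source IP.
    offer = DhcpPacket("OFFER", 14, 2, SERVER_MAC, "192.168.14.1", LAPTOP_MAC)
    return {"discover": decide(cfg, discover)[0], "offer": decide(cfg, offer)[0]}


def rogue_offer_blocked() -> bool:
    """A server answering from untrusted port 4 is dropped with either config."""
    cfg = thread_config(set())
    # constructed rogue server, not from the thread
    rogue = DhcpPacket("OFFER", 14, 4, "de:ad:be:ef:00:01", "192.168.14.254", LAPTOP_MAC)
    return decide(cfg, rogue)[0] == "drop"


if __name__ == "__main__":
    print("authorized 192.168.18.1:", laptop_exchange({"192.168.18.1"}))
    print("no authorized list     :", laptop_exchange(set()))
    print("rogue server dropped   :", rogue_offer_blocked())
```

Under this model the DISCOVER always passes, but with `authorized-server 192.168.18.1` the OFFER arriving from the VLAN 14 side of the same Pi is dropped because its source address is not on the list, which matches the symptom in the first post; clearing the list while keeping port 2 trusted lets it through, and an OFFER from any untrusted port is still dropped. The practical check when keeping an authorized-server list is to add every address the server answers from on each snooped VLAN, and to read the drop reasons with `show dhcp-snooping stats` on the switch rather than inferring them from the server log.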
