Enabling DHCP Snooping
DHCP snooping is a feature that allows an Aruba Mobility Switch to inspect DHCP traffic traversing its switch ports.
Uses:
1. Can be used for general address allocation troubleshooting.
2. Supports security features such as IP Source Guard and Dynamic ARP Inspection.
Environment: This article applies to all Aruba Mobility Switches with code versions 7.3 and above.
Configuration Steps :
1. Create a dhcp-snooping profile:
(ArubaS2500-24P) #configure t
(ArubaS2500-24P) (config) #vlan-profile dhcp-snooping-profile new
(ArubaS2500-24P) (dhcp-snooping-profile "new") #enable
(ArubaS2500-24P) (dhcp-snooping-profile "new") #exit
(ArubaS2500-24P) (config) #show vlan-profile dhcp-snooping-profile new
dhcp-snooping-profile "new"
---------------------------
Parameter Value
--------- -----
DHCP Snooping Enabled
2. Enable it on a vlan:
(ArubaS2500-24P) (config) #vlan 1
(ArubaS2500-24P) (VLAN "1") #dhcp-snooping-profile new
(ArubaS2500-24P) (VLAN "1") #exit
Note: The DHCP snooping profile is mapped under "vlan 1". Under "interface vlan 1" there is no option for DHCP snooping:
(ArubaS2500-24P) #configure t
Enter Configuration commands, one per line. End with CNTL/Z
(ArubaS2500-24P) (config) #interface vlan 1 -------------> command not available here
(ArubaS2500-24P) (vlan "1") #?
clone Copy data from another vlan
description Interface description
dhcp-relay-profile Apply DHCP relay profile to interface
igmp-profile Apply IGMP profile to interface
ip Interface internet protocol commands
ipv6 Interface internet protocol v6 commands
mtu Set MTU on interface between 1400 and 1570
no Delete Command
ospf-profile Apply OSPF profile to interface
pim-profile Apply PIM profile to interface
session-processing Enable session processing on this interface
shutdown Enable or disable interface
vrrp-profile Apply VRRP profile to interface
(ArubaS2500-24P) (vlan "1") #
(ArubaS2500-24P) (vlan "1") #exit
(ArubaS2500-24P) (config) #
(ArubaS2500-24P) (config) #vlan 1 ------------------------->command is available here
(ArubaS2500-24P) (VLAN "1") #?
aaa-profile VLAN AAA profile
clone Copy data from another VLAN
description VLAN description
dhcp-snooping-database Add Static Snoop mac entry
dhcp-snooping-profile dhcp snooping profile name
igmp-snooping-profile igmp snooping profile name
mac-address-table Configure the MAC address table
mac-aging-time Mac Aging Time in Minutes
mld-snooping-profile mld snooping profile name
no Delete Command
pvst-profile per vlan rapid spanning tree profile name
3. We can also add an entry to the DHCP snooping table manually:
(ArubaS2500-24P) (config) #vlan 1
(ArubaS2500-24P) (VLAN "1") #dhcp-snooping-database 00:00:00:00:00:01 gigabitethernet 0/0/20 10.1.1.100
(ArubaS2500-24P) (VLAN "1") #exit
(ArubaS2500-24P) (config) #exit
(ArubaS2500-24P) #show dhcp-snooping-database
Total DHCP Snoop Entries : 2
Learnt Entries : 1, Static Entries : 1
DHCP Snoop Table
----------------
MAC IP BINDING-STATE LEASE-TIME VLAN-ID INTERFACE
--- -- ------------- ---------- ------- ---------
00:00:00:00:00:01 10.1.1.100 Static entry No lease time 1 gigabitethernet0/0/20
f0:1f:af:52:44:09 10.1.1.251 Dynamic entry 2013-12-28 19:33:01 (PST) 1 gigabitethernet0/0/20
(ArubaS2500-24P) #
4. To remove an entry:
(ArubaS2500-24P) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(ArubaS2500-24P) (config) #vlan 1
(ArubaS2500-24P) (VLAN "1") #no dhcp-snooping-database 00:00:00:00:00:01 gigabitethernet 0/0/20 10.1.1.100
(ArubaS2500-24P) (VLAN "1") #no dhcp-snooping-database f0:1f:af:52:44:09 gigabitethernet 0/0/20 10.1.1.251
Error: Static DHCP Snoop entry doesn't exist
(ArubaS2500-24P) (config) #show dhcp-snooping-database
----------------
MAC IP BINDING-STATE LEASE-TIME VLAN-ID INTERFACE
--- -- ------------- ---------- ------- ---------
f0:1f:af:52:44:09 10.1.1.251 Dynamic entry 2013-12-28 19:33:01 (PST) 1 gigabitethernet0/0/20
Note: Only a static entry can be removed this way; a dynamically learned entry cannot.
Verification :
To verify, execute the following command:
(ArubaS2500-24P) #show dhcp-snooping-database
Total DHCP Snoop Entries : 1
Learnt Entries : 1, Static Entries : 0
DHCP Snoop Table
----------------
MAC IP BINDING-STATE LEASE-TIME VLAN-ID INTERFACE
--- -- ------------- ---------- ------- ---------
f0:1f:af:52:44:09 10.1.1.251 Dynamic entry 2013-12-28 19:33:01 (PST) 1 gigabitethernet0/0/20
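The verification output can also be checked by script. The following is an added example, not part of the original article or Aruba's tooling: it parses a saved copy of the "show dhcp-snooping-database" output, compares the summary counts with the table rows, and lists static entries for review. The function names are hypothetical, the sample text is constructed from the output format shown above, and the duplicate-IP check goes beyond what the article covers.

```python
import re

# Constructed sample in the format of the "show dhcp-snooping-database" output above.
SAMPLE = """\
Total DHCP Snoop Entries : 2
Learnt Entries : 1, Static Entries : 1
MAC IP BINDING-STATE LEASE-TIME VLAN-ID INTERFACE
--- -- ------------- ---------- ------- ---------
00:00:00:00:00:01 10.1.1.100 Static entry No lease time 1 gigabitethernet0/0/20
f0:1f:af:52:44:09 10.1.1.251 Dynamic entry 2013-12-28 19:33:01 (PST) 1 gigabitethernet0/0/20
"""

# The lease column contains spaces, so it is matched lazily up to "<vlan> <interface>".
ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>Static|Dynamic) entry\s+(?P<lease>.+?)\s+(?P<vlan>\d+)\s+(?P<port>\S+)$",
    re.IGNORECASE,
)
COUNTS = re.compile(r"Learnt Entries\s*:\s*(\d+),\s*Static Entries\s*:\s*(\d+)")

def parse_bindings(text):
    """Return one dict per binding row; header and separator lines are skipped."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def audit(text):
    """Return a list of findings (strings) for a captured snooping table."""
    rows = parse_bindings(text)
    static = [r for r in rows if r["state"].lower() == "static"]
    findings = []
    counts = COUNTS.search(text)
    if counts:
        learnt_n, static_n = int(counts.group(1)), int(counts.group(2))
        if (learnt_n, static_n) != (len(rows) - len(static), len(static)):
            findings.append("summary counts do not match the parsed table rows")
    for r in static:  # static entries are operator-added, so list them for review
        findings.append(f"static binding {r['mac']} -> {r['ip']} on {r['port']} vlan {r['vlan']}")
    macs_by_ip = {}
    for r in rows:
        macs_by_ip.setdefault(r["ip"], set()).add(r["mac"].lower())
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:
            findings.append(f"{ip} is bound to several MACs: {', '.join(sorted(macs))}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```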
Troubleshooting :
To make sure DHCP snooping is working correctly:
1. Confirm that the client is using DHCP.
2. Make sure that the port belongs to the correct VLAN.
3. Verify that the VLAN has a DHCP snooping profile mapped to it.