Wired Intelligent Edge (Campus Switching and Routing)


How to configure DHCP snooping in MAS 

Jul 04, 2014 05:35 AM

Introduction:

The switch snoops DHCP messages and builds a database, known as the DHCP snooping database.

Each entry in the DHCP snooping database is called a binding entry. It binds the valid IP address assigned to a client to the client's MAC address.

A binding is valid until the lease expires or the client explicitly releases the address by sending a DHCP release message.

For clients that are configured with a static IP address, there is a provision to configure static DHCP snooping bindings.

The DHCP snooping database is periodically saved to the switch's flash memory. The database is automatically updated from flash if the switch reboots.

DHCP snooping bindings are used to support security features such as Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG).

 

 

Configuration Steps:

Create a DHCP snooping VLAN profile and enable DHCP snooping.
 
(SW-3) (config) #vlan-profile dhcp-snooping-profile DHCP_SNOOPING
(SW-3) (dhcp-snooping-profile "DHCP_SNOOPING") #enable
 
Apply the DHCP snooping profile to the VLAN.
 
(SW-3) (config) #vlan 5
(SW-3) (VLAN "5") #dhcp-snooping-profile DHCP_SNOOPING
 
 
Create a static DHCP snooping binding.
 
(SW-3) (VLAN "5") #dhcp-snooping-database 00:00:00:00:00:01 gigabitethernet  3/0/20 1.1.1.1

The database can be saved manually with the command “write dhcp-snooping-database”.

 
(SW-3) #show dhcp-snooping-database
 
Total DHCP Snoop Entries : 2
Learnt Entries : 1, Static Entries : 1
 
DHCP Snoop Table
----------------
MAC                IP             BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --             -------------  ----------                 -------  ---------
00:00:00:00:00:01  1.1.1.1        Static entry   No lease time              5        gigabitethernet3/0/20
00:00:00:5f:2c:7d  172.5.255.254  Dynamic entry  2013-11-01 00:38:02 (PST)  5        gigabitethernet3/0/20


(SW-3) #clear dhcp-snooping-database ?
all                     Clear the dynamic entries in  DHCP Snooping database
vlan                    Snooping learnt on this VLAN
 
(SW-3) #show dhcp-snooping-database
 
Total DHCP Snoop Entries : 2
Learnt Entries : 2, Static Entries : 0
 
DHCP Snoop Table
----------------
MAC           IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---           --          -------------  ----------                 -------  ---------
A:B:C:D:E:F   1.1.1.1     Dynamic entry  2013-11-01 00:38:02 (PST)  5        g3/0/20
U:V:W:X:Y:Z   172.5.2.2   Dynamic entry  2013-11-01 00:38:02 (PST)  5        g3/0/20
 
(SW-3) #clear dhcp-snooping-database all
(SW-3) #show dhcp-snooping-database
 
Total DHCP Snoop Entries : 0
Learnt Entries : 0, Static Entries : 0
 

 

 

Troubleshooting:

Debug using traceoptions.

DHCP snooping traceoptions:
(SW-3) (config) #traceoptions
(SW-3) (traceoptions) #dhcp-snoop flags ?
all                     Enable tracing on all DHCP SNOOP modules
cfg                     Enable DHCP SNOOP error tracing
debug                   Enable DHCP SNOOP  general debug tracing
errors                  Enable DHCP SNOOP error tracing
receive                 Enable DHCP SNOOP dhcp packets receive (RX) tracing
timer                   Enable DHCP SNOOP timer) tracing
<cr>
 
 
(SW-3) (config) #vlan-profile dhcp-snooping-profile DHCP_SNOOPING
(SW-3) (dhcp-snooping-profile "DHCP_SNOOPING") #no enable
(SW-3) (dhcp-snooping-profile "DHCP_SNOOPING") #enable
(SW-3) (dhcp-snooping-profile "DHCP_SNOOPING") #end
 
[DHCP_SNOOP-CFG] instname "DHCP_SNOOPING" groupname "dhcp_snooping_prof" num_refs 1
[DHCP_SNOOP-CFG] Apply dhcp-snoop-profile (DHCP_SNOOPING) to vlan 5
[DHCP_SNOOP-CFG] dhcp_snoop_init_config called
[DHCP_SNOOP-CFG] dhcp_snoop_req_config_sync called
[DHCP_SNOOP-CFG] vlan_update_dhcp_snoop_configs called
[DHCP_SNOOP-CFG] DHCP snoop : 0 for vlan 5 , where 1 :enable 0 :disbale
[DHCP_SNOOP-CFG] instname "DHCP_SNOOPING" groupname "dhcp_snooping_prof" num_refs 1
[DHCP_SNOOP-CFG] Apply dhcp-snoop-profile (DHCP_SNOOPING) to vlan 5
[DHCP_SNOOP-CFG] dhcp_snoop_init_config called
[DHCP_SNOOP-CFG] dhcp_snoop_req_config_sync called
[DHCP_SNOOP-CFG] vlan_update_dhcp_snoop_configs called
[DHCP_SNOOP-CFG] DHCP snoop : 1 for vlan 5 , where 1 :enable 0 :disbale
 
DHCP snooping packet receive (RX) and debug trace:
[DHCP_SNOOP-RECV] DHCP DISCOVER packet received with client mac address 00:00:00:5f:2c:7d on vlan 5
[DHCP_SNOOP-RECV] DHCP OFFER packet received with client mac address 00:00:00:5f:2c:7d on vlan 5
[DHCP_SNOOP-RECV] DHCP REQUEST packet received with client mac address 00:00:00:5f:2c:7d on vlan 5
[DHCP_SNOOP] Context added for DHCP Request packet with mac :  00:00:00:5f:2c:7d and vlan 5 and interface : gigabitethernet3/0/20
[DHCP_SNOOP-RECV] DHCP ACK packet received with client mac address 00:00:00:5f:2c:7d on vlan 5 Client IP ac05fffe
[DHCP_SNOOP] Context table found , interface info fetched by context table during dynamic snoop entry addition for the mac address  00:00:00:5f:2c:7d and vlan 5
[DHCP_SNOOP] DHCP Snoop dynamic entry added , vlan_id :5mac address  00:00:00:5f:2c:7dip address   ac05fffeinterface    gigabitethernet3/0/20binding type 2
[DHCP_SNOOP] Context deleted for DHCP packet with mac :  00:00:00:5f:2c:7d and vlan 5 and interface : gigabitethernet3/0/20
[DHCP_SNOOP-RECV] DHCP RELEASE packet received with client mac address 00:00:00:5f:2c:7d on vlan 5 Client IP 0
[DHCP_SNOOP] DHCP Snoop dynamic entry deleted , vlan_id :5mac address  00:00:00:5f:2c:7dip address   ac05fffebinding type 2
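
The trace prints the client IP in hex (ac05fffe is the 172.5.255.254 shown in the snooping table). The following Python sketch is an added example, not part of the original article or any Aruba tooling: it replays the "dynamic entry added/deleted" trace lines to rebuild the binding table and runs a simplified DAI/IPSG-style lookup against it. The regular expression assumes exactly the message format shown above, and the function names are hypothetical.

```python
import ipaddress
import re

# Trace lines copied from the article's output above (fields run together as logged).
TRACE = [
    "[DHCP_SNOOP] DHCP Snoop dynamic entry added , vlan_id :5mac address  00:00:00:5f:2c:7dip address   ac05fffeinterface    gigabitethernet3/0/20binding type 2",
    "[DHCP_SNOOP] DHCP Snoop dynamic entry deleted , vlan_id :5mac address  00:00:00:5f:2c:7dip address   ac05fffebinding type 2",
]

# Assumed format: exactly what the trace above shows; other releases may differ.
ENTRY = re.compile(
    r"dynamic entry (added|deleted) , vlan_id :(\d+)\s*mac address\s+"
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*ip address\s+([0-9a-f]{1,8}?)"
    r"(?:interface\s+(\S+?))?\s*binding type (\d+)"
)

def hex_to_ip(hex_ip):
    """Decode the trace's hex client IP, e.g. ac05fffe -> 172.5.255.254."""
    return str(ipaddress.IPv4Address(int(hex_ip, 16)))

def replay(lines):
    """Rebuild the dynamic binding table: (vlan, mac) -> (ip, interface)."""
    table = {}
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue  # RECV, context and CFG lines carry no binding change
        action, vlan, mac, hex_ip, iface, _btype = m.groups()
        key = (int(vlan), mac)
        if action == "added":
            table[key] = (hex_to_ip(hex_ip), iface)
        else:
            table.pop(key, None)  # RELEASE or lease expiry removes the binding
    return table

def source_matches_binding(table, vlan, mac, ip, iface):
    """Simplified DAI/IPSG-style check: claimed MAC, IP and port must equal a binding."""
    return table.get((vlan, mac.lower())) == (ip, iface)

if __name__ == "__main__":
    after_ack = replay(TRACE[:1])
    print(after_ack)
    print(source_matches_binding(after_ack, 5, "00:00:00:5f:2c:7d",
                                 "172.5.255.254", "gigabitethernet3/0/20"))
    print(replay(TRACE))  # empty again once the RELEASE is processed
```
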

 
