
DHCP Snooping Blocking Legitimate Server on Untrusted Port

Presenting Symptom

Clients in VLAN 10 cannot obtain IP addresses via DHCP. The DHCP server (10.10.10.5) is reachable on the network, yet clients never receive an OFFER, so from their point of view the server appears not to respond to requests.

Network Context

A small branch office with a single Cisco Catalyst 2960 switch (IOS 15.0) acting as the access layer. The switch has DHCP snooping enabled globally and on VLAN 10. The legitimate DHCP server is connected to port GigabitEthernet0/1, which, like every port by default, is untrusted for DHCP snooping. Clients are connected to other ports in VLAN 10.

Diagnostic Steps

1. Check DHCP snooping status and interface trust state

show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
Interface                 Trusted    Rate limit (pps)
-----------------------   -------    ------------------
GigabitEthernet0/1        no         unlimited
GigabitEthernet0/2        no         unlimited
GigabitEthernet0/3        no         unlimited
GigabitEthernet0/4        no         unlimited

The output shows that DHCP snooping is enabled on VLAN 10, but the interface connected to the DHCP server (GigabitEthernet0/1) is listed as untrusted (no). The switch drops any DHCP server message (OFFER, ACK, NAK) that arrives on an untrusted interface, so the server's replies never reach the clients. Note also that option 82 insertion is enabled; it is not the cause here, but it matters if the server or an upstream relay rejects packets that carry option 82 with a zero giaddr.

2. Check DHCP snooping statistics for dropped packets

show ip dhcp snooping statistics
Packets Processed by DHCP Snooping
------------------------------------
Total packets processed: 150
DHCP packets dropped: 50
Packets with option 82: 0
Packets with invalid server: 50
...

The counters show DHCP packets being dropped, and the drop reason attributes them to server messages arriving on an untrusted port. (Exact counter names differ by platform; on a Catalyst 2960 the detailed view, 'show ip dhcp snooping statistics detail', reports these drops under 'Received on untrusted ports'.) This confirms that the switch itself is discarding the server's replies.

3. Verify connectivity to the DHCP server

ping 10.10.10.5
!!!!!

The ping succeeds, so the server is reachable at Layer 3. Run from the switch, this requires an SVI with an address in VLAN 10; alternatively run it from a host with a static address, since the snooped clients have no lease yet. DHCP snooping inspects only DHCP traffic, so ICMP passes untouched: the problem is not connectivity but the snooping filter applied to the server's DHCP replies.

4. Check the DHCP binding table

show ip dhcp snooping binding
MacAddress          IpAddress       Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
No entries found

The binding table is empty, confirming that no DHCP leases have been granted. This is consistent with the server's OFFER/ACK messages being dropped.

Root Cause

The DHCP server is connected to a port (GigabitEthernet0/1) that is not configured as a trusted port for DHCP snooping. By default every port is untrusted, so the switch drops the DHCP server messages (OFFER, ACK, NAK) received on that port, and clients never complete the DORA exchange. The same failure occurs when the server sits behind an uplink or DHCP relay and that uplink is left untrusted.

Resolution

Configure the port connected to the legitimate DHCP server as a trusted port for DHCP snooping.

Commands:

Switch# configure terminal
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# end

Explanation: 'ip dhcp snooping trust' marks the interface as trusted, so DHCP server messages received on it are forwarded instead of dropped. If the server is reached through an uplink (a trunk to a distribution switch, or a router acting as DHCP relay), that uplink must be trusted as well.

Verification

Run 'show ip dhcp snooping' to verify the port is now trusted:

Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
Interface                 Trusted    Rate limit (pps)
-----------------------   -------    ------------------
GigabitEthernet0/1        yes        unlimited
...

Then have a client renew its IP address (for example 'ipconfig /release' followed by 'ipconfig /renew' on a Windows client) and verify with 'show ip dhcp snooping binding' that a binding appears for its MAC address, VLAN 10, and access port.

Prevention

1. Configure DHCP snooping trust on every port that faces a legitimate DHCP server or relay (the server port itself and any uplink through which server replies arrive) before enabling DHCP snooping, so the change never interrupts service.
2. Use DHCP snooping rate limiting ('ip dhcp snooping limit rate <pps>') on untrusted ports to prevent DHCP starvation attacks. A port that exceeds its limit is placed in err-disabled state, so choose a value high enough for normal client traffic.
3. Document and verify trusted port configurations as part of the network deployment checklist.
4. If the DHCP server or an upstream relay rejects packets carrying option 82 with a zero giaddr, either disable insertion on the switch ('no ip dhcp snooping information option') or configure the relay to accept them ('ip dhcp relay information trust-all' on a Cisco IOS router).
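As an added example (not part of the original page), the following Python script automates the trust-state check from diagnostic step 1 and the verification called for in the prevention list: it parses the interface table of a 'show ip dhcp snooping' listing, compares it with the ports that are supposed to face DHCP servers, flags untrusted server ports and unlimited client ports, and prints the IOS commands that would fix them. The show output embedded in it is constructed to match this scenario; the port roles and the 15 pps rate limit are assumptions.

```python
"""Audit 'show ip dhcp snooping' output for DHCP snooping trust mistakes.

Added example, not code from the original page: parses the per-interface
trust table of a Catalyst 'show ip dhcp snooping' listing, compares it with
the ports that are expected to face DHCP servers or relays, and emits the
IOS commands needed to fix what it finds.
"""
import re

# Constructed sample: the page's 'show ip dhcp snooping' output, pasted as text.
SAMPLE_SHOW_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
Interface                 Trusted    Rate limit (pps)
-----------------------   -------    ------------------
GigabitEthernet0/1        no         unlimited
GigabitEthernet0/2        no         unlimited
GigabitEthernet0/3        no         unlimited
GigabitEthernet0/4        no         unlimited
"""

# Assumed port roles for this branch switch (the page only names Gi0/1).
SERVER_PORTS = {"GigabitEthernet0/1"}   # faces the legitimate DHCP server
CLIENT_RATE_LIMIT_PPS = 15              # assumed per-port cap for access ports

# One interface row: name, yes/no trust flag, 'unlimited' or a pps number.
ROW_RE = re.compile(r"^(\S+)\s+(yes|no)\s+(unlimited|\d+)\s*$", re.IGNORECASE)


def parse_snooping_table(text):
    """Return {interface: (trusted: bool, rate_limit: int | None)}.

    None means 'unlimited'. Only lines matching the interface row layout
    are consumed; the banner lines above the table are ignored.
    """
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        intf, trusted, limit = m.groups()
        table[intf] = (trusted.lower() == "yes",
                       None if limit.lower() == "unlimited" else int(limit))
    return table


def audit(table, server_ports, client_limit_pps):
    """Return a list of findings, each (interface, problem, fix_commands).

    Two checks: a server/relay-facing port must be trusted (otherwise its
    OFFER/ACK/NAK messages are dropped), and every other port should stay
    untrusted and carry a rate limit against DHCP starvation.
    """
    findings = []
    for intf, (trusted, limit) in sorted(table.items()):
        if intf in server_ports:
            if not trusted:
                findings.append((intf,
                                 "server-facing port is untrusted; server replies will be dropped",
                                 [f"interface {intf}", " ip dhcp snooping trust"]))
        else:
            if trusted:
                findings.append((intf,
                                 "client-facing port is trusted; a rogue server here would be accepted",
                                 [f"interface {intf}", " no ip dhcp snooping trust"]))
            if limit is None:
                findings.append((intf,
                                 "untrusted port has no DHCP rate limit",
                                 [f"interface {intf}",
                                  f" ip dhcp snooping limit rate {client_limit_pps}"]))
    return findings


def remediation_config(findings):
    """Flatten findings into one IOS config snippet ready to paste."""
    lines = ["configure terminal"]
    for _intf, _problem, cmds in findings:
        lines.extend(cmds)
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    tbl = parse_snooping_table(SAMPLE_SHOW_OUTPUT)
    results = audit(tbl, SERVER_PORTS, CLIENT_RATE_LIMIT_PPS)
    for intf, problem, _ in results:
        print(f"{intf}: {problem}")
    print(remediation_config(results))
```

Run against the sample, the script reports Gi0/1 as an untrusted server port and Gi0/2 to Gi0/4 as untrusted ports without a rate limit, and prints the 'ip dhcp snooping trust' and 'ip dhcp snooping limit rate' commands for each. Re-running it on the post-fix output should produce no findings, which is the check worth keeping in a deployment checklist.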

CCNA Exam Relevance

On the CCNA 200-301 exam, DHCP snooping is tested as a security feature. Questions may present a scenario where clients cannot get IP addresses and ask to identify the cause (untrusted port for the server) or the fix (configure trust). Expect multiple-choice or simulation questions where you must apply the correct command.

Exam Tips

1. Remember that DHCP snooping drops DHCP server messages (OFFER, ACK, NAK) on untrusted ports by default.

2. The command 'ip dhcp snooping trust' is applied on the interface facing the DHCP server (or the uplink toward it), not on client ports.

3. Use 'show ip dhcp snooping' to quickly verify trust status and 'show ip dhcp snooping statistics' to see dropped packet counts.
