
DHCP Snooping Dropping Legitimate DHCP Server Offers

Presenting Symptom

Clients in a VLAN are not receiving IP addresses from the legitimate DHCP server, even though the server is reachable and configured correctly.

Network Context

A small branch office with a single Layer 3 switch (Cisco Catalyst 3750 running IOS 12.2) acting as the default gateway for VLAN 10. A legitimate DHCP server is connected to the switch on a trusted port (GigabitEthernet1/0/1). DHCP snooping is enabled globally and on VLAN 10, but the switch is dropping DHCPOFFER messages from the server, preventing clients from obtaining IP addresses.

Diagnostic Steps

1. Check DHCP snooping status and configuration

Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
Interface                 Trusted    Rate limit (pps)
-----------------------   -------    ------------------
GigabitEthernet1/0/1      no         unlimited

The output shows that DHCP snooping is enabled on VLAN 10, but the interface connected to the DHCP server (GigabitEthernet1/0/1) is not trusted (Trusted: no). This is the root cause: DHCP snooping forwards BOOTREPLY packets (DHCPOFFER, DHCPACK, DHCPNAK) only when they arrive on a trusted port and silently drops them on untrusted ports. That drop is the mechanism that blocks rogue DHCP servers, so the fix is to trust this one port, not to disable snooping.

2. Verify the DHCP snooping binding database

Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------

The binding table is built from DHCPACKs delivered to clients on untrusted ports. An empty table (or no entries for VLAN 10) means no client has completed a DHCP exchange through the switch since snooping was enabled, which is consistent with the server's offers being dropped before any ACK is ever sent.

3. Check DHCP packet statistics on the switch

Switch# show ip dhcp snooping statistics
 Packets Forwarded                                     = 10
 Packets Dropped                                       = 5
 Packets Dropped From untrusted ports                  = 5

Every dropped packet was dropped because it arrived on an untrusted port. Together with step 1, that points at the server's BOOTREPLY packets being discarded on GigabitEthernet1/0/1. The detail keyword (show ip dhcp snooping statistics detail) breaks the drops down by reason and is the quickest way to separate this case from other snooping drops such as rate-limit or giaddr violations. The counters accumulate until clear ip dhcp snooping statistics is issued, so clear them and have one client retry to confirm the drops are current.

4. Verify DHCP server connectivity and configuration

Switch# ping <dhcp-server-ip>
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

The DHCP server is reachable from the switch, ruling out a cabling, VLAN or addressing problem on the server side. A successful ping proves only Layer 3 reachability, not that DHCP replies are forwarded, so the problem is the switch's DHCP snooping filter rather than network reachability.

Root Cause

The interface connecting the legitimate DHCP server (GigabitEthernet1/0/1) is not configured as a trusted port for DHCP snooping. By default, all ports are untrusted, and DHCP snooping drops all DHCP server messages (OFFER, ACK, NAK) received on untrusted ports. This prevents clients from receiving IP addresses.

Resolution

Configure the interface connected to the DHCP server as a trusted port for DHCP snooping:

Switch# configure terminal
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# end

This marks the port as trusted, so DHCP server messages received on it are forwarded without inspection. Trust only the port that faces the legitimate server (and any uplink through which its replies enter the switch); trusting client-facing ports would let a rogue DHCP server on one of them answer clients, which is exactly what snooping exists to prevent. Save the change with copy running-config startup-config.

Verification

Run show ip dhcp snooping to confirm the interface is now trusted:

Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
Interface                 Trusted    Rate limit (pps)
-----------------------   -------    ------------------
GigabitEthernet1/0/1      yes        unlimited

Then have a client renew its DHCP lease (for example ipconfig /release followed by ipconfig /renew on Windows). Verify that the client receives an IP address and that the binding table shows an entry for it:

Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   192.168.10.10    86400       dhcp-snooping  10    GigabitEthernet1/0/2

If the port is trusted but clients still receive no address, note that option 82 insertion is enabled. The switch inserts option 82 into client requests while leaving giaddr at 0.0.0.0, and a Cisco IOS DHCP server discards such requests unless it is configured with ip dhcp relay information trust-all; the usual fix on the access switch is no ip dhcp snooping information option.

Prevention

1. Always configure the port connected to a legitimate DHCP server as a trusted port with ip dhcp snooping trust, and do the same for any uplink or trunk through which legitimate DHCP replies enter the switch. Leave client-facing ports untrusted; that is what stops rogue DHCP servers.

2. Use DHCP snooping together with Dynamic ARP Inspection (DAI) and IP Source Guard, both of which rely on the snooping binding table, for comprehensive Layer 2 security.

3. Document trusted ports in network diagrams and interface descriptions to avoid misconfiguration during changes.
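As an added example (not part of the original page), here is a complete switch configuration that applies the fix from the Resolution section and the three prevention points together on the branch Catalyst 3750. The server port GigabitEthernet1/0/1 and VLAN 10 come from the scenario; the uplink GigabitEthernet1/0/24, the access-port range GigabitEthernet1/0/2 - 23, the 15 pps rate limit, the err-disable recovery policy and the database filename are assumptions made for illustration.

```cisco
! Added example: DHCP snooping, DAI and IP Source Guard for VLAN 10 on the
! branch Catalyst 3750 (IOS 12.2). Port roles assumed for this example:
!   Gi1/0/1       legitimate DHCP server  (trusted)
!   Gi1/0/24      uplink toward the core  (trusted, assumed)
!   Gi1/0/2 - 23  user access ports       (untrusted, rate-limited)
configure terminal
!
! --- DHCP snooping ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default. The switch inserts it with giaddr
! 0.0.0.0, and an IOS DHCP server discards such requests unless it has
! "ip dhcp relay information trust-all". Disable insertion unless the
! server is known to accept it.
no ip dhcp snooping information option
! Persist the binding table so DAI and IP Source Guard are not blind after
! a reload (filename assumed).
ip dhcp snooping database flash:dhcp-snooping.db
!
! --- Dynamic ARP Inspection (validated against the snooping bindings) ---
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! --- Server-facing port: the fix from the Resolution section ---
interface GigabitEthernet1/0/1
 description DHCP server - TRUSTED for DHCP snooping and DAI
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Uplink (assumed): replies from a server elsewhere arrive here ---
interface GigabitEthernet1/0/24
 description Uplink to core - TRUSTED for DHCP snooping and DAI
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Client ports stay untrusted; that is what blocks rogue servers ---
interface range GigabitEthernet1/0/2 - 23
 description User access - UNTRUSTED
 switchport mode access
 switchport access vlan 10
! Cap client DHCP traffic; exceeding the limit err-disables the port
 ip dhcp snooping limit rate 15
! IP Source Guard: only forward IP traffic matching the snooping binding
 ip verify source
!
! Recover ports err-disabled by the rate limit automatically (assumed policy)
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
end
!
! Verification and save
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip verify source
copy running-config startup-config
```

Only the two ports through which legitimate replies can arrive are trusted; every other port is left at the untrusted default, so a DHCPOFFER from a rogue server plugged into an access port is still dropped and counted under the untrusted-port drop counter seen in step 3.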

CCNA Exam Relevance

On the CCNA 200-301 exam, DHCP snooping is a key security feature. Questions may present a scenario where clients fail to get IP addresses and ask you to identify the cause (untrusted port) or the fix (configure trust). Expect multiple-choice or drag-and-drop questions testing your understanding of trusted vs untrusted ports and the default behavior of DHCP snooping.

Exam Tips

1. Remember: DHCP snooping drops all DHCP server messages (OFFER, ACK, NAK) on untrusted ports by default.

2. The show ip dhcp snooping command is critical for verifying trusted ports and VLAN configuration.

3. In the exam, if a DHCP server is not responding, always check whether the interface is trusted before troubleshooting server connectivity.
