Comments on "cisco ccie security attempt: DHCP Snooping on Cisco Switches" (blog by DarkSide; comment feed last updated 2023-10-11). Comments are listed oldest first.

2010-08-31 13:25 (+02:00), Anonymous:
Hello,

Having had DHCP snooping on the users vlan for a while, and no change done on the Cisco switch configuration, what could explain an issue for users to obtain a new DHCP lease?

The DHCP server is working fine and is able to deliver leases on other vlans.

For the moment, I've disabled DHCP snooping to restore connectivity to users.

Thanks in advance for any answer.

Best regards.

2010-08-31 13:35 (+02:00), DarkSide:
Hello
Can you provide me the logs from your switch? Also, would it be possible to configure a new vlan, assign a new DHCP scope for that vlan, enable snooping just for that vlan, and test with a machine? Before that you can enable "debug ip dhcp snooping events" and "debug ip dhcp packets". That should provide me with more details to look into this. Do you use dhcp option 82 for your vlans?

2010-08-31 14:26 (+02:00), Anonymous:
Hello,

Thanks for answering my post.

Syslogs are not showing anything relevant.
They're full of such messages, which have been there for a while too...

Aug 30 18:00:34 MET-DST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001d.e096.b753, MAC sa: 001b.3894.9d9c
Aug 30 18:01:58 MET-DST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001d.e096.b753, MAC sa: 001b.3894.9d9c
Aug 30 18:02:40 MET-DST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001d.e096.b753, MAC sa: 001b.3894.9d9c

DHCP option 82 is disabled.

Otherwise, for the troubleshooting, it will take some time to have all of this completed as asked, but it's feasible.

I'll keep you posted tomorrow with the debug outputs.

Cheers.

2010-08-31 15:19 (+02:00), DarkSide:
Hello
Those drops are there because the client HARDWARE MAC address (CHADDR) is not the same as the source MAC address of the machines which are requesting IP addresses. You can see the CHADDR in the MAC address table. If this was working before and suddenly all the users had the same problem, I would suspect installation of a new application which deals with network interfaces, or an update of an operating system. It would be great to have the debugs. Also, is the DHCP server connected on the same switch, or is it a few hops away from the clients connected on this switch?
Thanks!

2010-08-31 17:24 (+02:00), Anonymous:
PS: per floor
150/175 users + printers and meeting rooms

2010-08-31 17:31 (+02:00), Anonymous:
Hello,

I did the troubleshooting with my laptop as the test machine.
It was connected to the same switch, on another vlan, with DHCP snooping only on this vlan.

Nothing relevant in the debug session:

#debug ip dhcp snooping event
DHCP Snooping Event debugging is on
#debug ip dhcp snooping packet
DHCP Snooping Packet debugging is on
#
Aug 31 16:53:52 CEST: DHCP_SNOOPING: checking expired snoop binding entries

(the last syslog message is repeated every 2 minutes)

Otherwise, the DHCP servers are not connected to this access switch but are in our datacenters.

Uplinks to the distrib switches are DHCP snooping trusted (user ports are all untrusted, of course).

Any other idea? :(

Thanks again.

2010-08-31 17:56 (+02:00), Anonymous:
Some additional notes:

Using Wireshark to capture DHCP packets, only the DHCP Discover is sent, without any DHCP Offer reply from the server.
(packet DHCP Discover sent 5 times)

Changing the switchport vlan to a non-snooped vlan, Wireshark shows the complete DHCP session:
DHCP Discover
DHCP Offer
DHCP Request
DHCP ACK

2010-08-31 18:09 (+02:00), DarkSide:
Hmm.. this is interesting.. What is the message in the log of the switch? Do you have "ip helper address" configured on the SVI (interface vlan)?

2010-08-31 18:19 (+02:00), Anonymous:
Which message in the log are you referring to?
This is the only debug output in the syslog:

DHCP_SNOOPING: checking expired snoop binding entries

"interface vlan" is on the distrib switches, and yes, there's the ip helper-address command.

Between access and distrib, trunks are allowing the same list of vlans.

Could it be a bug in IOS?
(I'll try removing the trusted setting and putting it back again)

Otherwise, I'll open a TAC case and not bother you any longer.

Your help has been really appreciated!

Kind regards.

2010-08-31 18:33 (+02:00), DarkSide:
I meant the new vlan that you created for the test. In my understanding the interface vlan which is on the distribution switch should have "ip helper" set to be able to unicast the DHCP discover messages. To me it seems like the DHCP messages didn't reach the DHCP server due to the ip helper settings on the new vlan. If they were stopped on the access switch due to dhcp snooping, you would see a log message on the access switch.
It would be great if you comment back once you have the solution.

2010-09-01 12:03 (+02:00), Anonymous:
Hello,

In fact, it's not a new vlan.
It's a separate vlan used for meeting rooms only.

The L3 config on distrib is ok and has the "ip helper-address" set.
It's configured the same as for the users vlan.

Unfortunately, there are no syslog messages on the access switch showing the reason for the packets being blocked by DHCP snooping.

I'll keep you posted for sure...

BR.

2010-09-16 10:10 (+02:00), Anonymous:
Hello,

Just to give you an update regarding the issue I got earlier...

The DHCP snooping configuration had to be completely removed and put back in order to restore the good behavior.
Users are now getting their DHCP leases without any problem.

Configs before and after the fixup are the same.

Meanwhile, no bug has been identified with Cisco.
Investigations are still ongoing.

I'll keep you posted if there is any news related to a bug...

Thanks for your assistance.

Best regards.

2010-12-15 19:11 (+01:00), Anonymous:
Hi, what IOS version were you running when you experienced this problem? I am going to enable snooping and would like to know the version that is most stable.

2011-03-08 10:35 (+01:00), Anonymous:
I rolled out snooping a while ago and started seeing this issue. It looks like the MAC is being spoofed because it's not in the table; however, I found that the chaddr address is the wireless NIC MAC and the SA address is the wired NIC MAC for the affected hosts. Turning off wireless whilst connected to the wired network worked for me. Hope this helps.

2011-04-13 14:50 (+02:00), Anonymous:
I have enabled DHCP snooping on my 900 devices. I can also see this error:
%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: MACOFTHEWIRELESSCARD, MAC sa: MACOFTHEWIREDCARD

I have this issue only on 2960 devices, with this IOS: 12.2(44)SE6, and with a 12.2(44)SE6 also. I confirm that when I disable the wireless card, the problem disappears. But why is the wireless card talking with the wired one?

2012-02-16 16:25 (+01:00), Matthew Marcaccini:
I'm also having this issue. Are there any recommendations on applications that can be installed on the workstations to allow only one connection to the network, either wired or wireless?

Also, I think the previous person had a great question. Why would the MAC address of the wireless NIC be seen on the switchport?

2012-03-19 09:22 (+01:00), shani kashti:
This command will stop all the comparison the switch does between the CHADDR and the machine MAC address:

"no ip dhcp snooping verify mac-address"

This will stop all the logs you have.

This is what I did in my company.
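A small parser for the %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL lines quoted in this thread, grouping the drops by frame source MAC so that the dual-NIC pattern the later commenters found (wireless NIC's MAC in chaddr, wired NIC as sender) can be told apart from a port that presents many different chaddr values. This is an added example, not code from the blog or from Cisco; the sample log lines are constructed (the first two copy the thread's format and MAC values) and the triage labels are my own heuristic.

```python
import re
from collections import defaultdict

# Constructed sample log. The first two lines copy the format (and MAC values) quoted in the
# thread; the last three are made up to show a second port and a non-drop syslog line.
SAMPLE_LOG = """\
Aug 30 18:00:34 MET-DST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001d.e096.b753, MAC sa: 001b.3894.9d9c
Aug 30 18:01:58 MET-DST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 001d.e096.b753, MAC sa: 001b.3894.9d9c
Aug 30 18:02:10 MET-DST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0000.0c00.0001, MAC sa: 0000.0c00.00aa
Aug 30 18:02:40 MET-DST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0000.0c00.0002, MAC sa: 0000.0c00.00aa
Aug 30 18:03:00 MET-DST: DHCP_SNOOPING: checking expired snoop binding entries
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"  # Cisco dotted-hex notation
MATCH_MAC_FAIL = re.compile(
    r"%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL:.*?message type: (?P<msg_type>\w+), "
    rf"chaddr: (?P<chaddr>{MAC}), MAC sa: (?P<sa>{MAC})"
)


def parse_match_mac_fail(log_text):
    """Return one dict (msg_type, chaddr, sa) per MATCH_MAC_FAIL line; other lines are skipped."""
    return [m.groupdict() for m in map(MATCH_MAC_FAIL.search, log_text.splitlines()) if m]


def summarize_by_source(events):
    """Group drops by the frame's source MAC (the NIC actually on the port).

    Returns {sa: {"count": n, "chaddrs": sorted distinct chaddr values seen behind that sa}}.
    """
    groups = defaultdict(lambda: {"count": 0, "chaddrs": set()})
    for ev in events:
        groups[ev["sa"]]["count"] += 1
        groups[ev["sa"]]["chaddrs"].add(ev["chaddr"])
    return {sa: {"count": g["count"], "chaddrs": sorted(g["chaddrs"])} for sa, g in groups.items()}


def classify(summary):
    """Heuristic triage (my assumption, not a Cisco rule): a single fixed chaddr behind one
    source MAC matches the dual-NIC pattern reported in the thread (wireless NIC's MAC in
    chaddr, wired NIC as sender); several chaddrs behind one source MAC deserves a closer
    look at that port before the verify mac-address check is switched off."""
    return {sa: ("single-chaddr-mismatch" if len(g["chaddrs"]) == 1 else "multi-chaddr-mismatch")
            for sa, g in summary.items()}
```

Feed it the output of `show logging` (or a syslog collector export) from an access switch; the grouping shows which ports are worth checking for a second NIC before the mac-address check is disabled globally.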