I’ve been using DHCP Snooping on my corporate network and its working as I would expect, apart from a few oddities. Which I would like to point out to you guys and hopefully find people seeing similar.
The main focus is an issue we've been experiencing with Windows 7 clients sending DHCP Offer packets instead of acknowledgement/request packets. This causes DHCP snooping to kick into life and to either disable the port or drop the packet, which is what we have it set too after the issues we are seeing. This then causes a log message informing us that an untrusted source has sent a DHCP offer of 0.0.0.0, which we then get alerted on via our syslog server.
When this happens it can also take the client PC longer to obtain an IP address. The symptoms/circumstances that can cause this to happen have been tested extensively and we’ve confirmed they are consistent. However, that’s not to say it will always trigger the offer packet from the client. It is seemingly random. Generally speaking, when a laptop is moved from a private network, or another subnet within our corporate network, there’s a chance it will send a DHCP offer packet. Please see example below. Entry one, two, four and five are from the DHCP Servers. The third entry is from the client machine, sending an offer packet itself instead of a request/acknowledgement.
58476 12:56:58 16/11/2012 XXX.XXX.XXX.XXX
58477 12:56:58 16/11/2012 XXX.XXX.XXX.XXX
58494 12:56:58 16/11/2012 0.0.0.0 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58498 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
58507 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526
Previously we had set the port to block on detection of rogue DHCP Services, however, with the more wide spread rollout of Windows 7 we changed this to just drop the packet. However the frequency and volume of syslog alerts has increased as you would expect.
Basically, I’ve submitted my findings to Microsoft and they have confirmed it’s a bug in Windows 7 that was introduced with a hotfix pre-SP1. In order for them to be willing to fix it and to release a hotfix to fix the hotfix, they need to gauge the impact on businesses running Windows 7 with DHCP Snooping enabled on their network.
Please can people respond to this thread if they’ve seen some similar behaviour, even if they haven’t been able to explain it please? I’m hoping there are more people out there who have been using DHCP snooping with Windows 7 client s
I would like people to respond to this thread please, especially the people using Windows 7 and DHCP snooping and have seen this issue. Even if it hasn’t occurred to you that Windows 7 might have been the issue, any DHCP Snooping false positives would be handy to know about.
Googling around, there have been some instances reported with people running a competitors switch setup (not sure if I can mention their name here! ) and they’re seeing the same issue with DHCP Snooping enabled and Windows 7 being used. So I’m pretty certain it’s in no way an issue with Extreme’s implementation. Take this thread as an example:
Shows someone also noticing/experiencing the issue, so I’m hoping there are more people here.
Many thanks for takign the time to read all of it if you got this far! :)