Extreme Networks

SecureStack/G/D-Series DHCPSnooping Client on Trusted Port cannot get DHCP Address

Article ID: 12682

SecureStack C3, firmware and higher
SecureStack C2, firmware and higher
SecureStack B3, firmware and higher
SecureStack B2, firmware and higher
G-Series, firmware and higher
D-Series, firmware and higher

Configured DHCP Snooping ('set dhcpsnooping...') (12008).
A client on a trusted port ('set dhcpsnooping trust port <port-string> enable') attempts to get an IP address assignment via the DHCP process.

The DHCP process does not complete successfully.
The client does not receive an IP address.

Only trusted DHCP servers - not DHCP clients - should be connected on trusted ports.

By design, DHCP packets from DHCP clients connected on trusted ports are forwarded without creating the tentative binding for that host/DHCP client. When the DHCP server (on a trusted port) responds to the DHCP client's message, DHCP Snooping has no binding information for that host/client, so it drops the DHCP server's response packet to the client.

A sniffer trace shows the server responding to the client's Discover request with a pair of Offer responses, one using destination UDP port 67 (to notify other servers) and one using destination UDP port 68 (to negotiate with the client). The switch, as explained above, drops the port 68 traffic, so the client never sees the server's attempt to negotiate. Though the client repeatedly tries to Discover a DHCP server, it never succeeds.
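
The drop decision described above can be reproduced with a small model. This is an added example, not Extreme firmware code or part of the original article. The class and function names, the port strings and the MAC address are constructed, and the logic is a simplified assumption based on the behaviour this article describes.

```python
# Simplified model of the pre-fix behaviour this article describes.
# Not Extreme firmware code; port names and the MAC are constructed.
from dataclasses import dataclass, field

CLIENT_MSGS = {"DISCOVER", "REQUEST"}
SERVER_MSGS = {"OFFER", "ACK"}


@dataclass
class SnoopingSwitch:
    trusted: set  # ports set with 'trust port <port-string> enable'
    bindings: dict = field(default_factory=dict)  # client MAC -> port

    def ingress(self, port, msg_type, client_mac):
        """Return the forwarding decision for one DHCP message."""
        if msg_type in CLIENT_MSGS:
            if port not in self.trusted:
                # Untrusted port: record a tentative binding for the client.
                self.bindings[client_mac] = port
            # Trusted port: forwarded, but no binding is created.
            return "forward"
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:
                # Standard snooping rule: servers must sit on trusted ports.
                return "drop: server message on untrusted port"
            if client_mac not in self.bindings:
                # The case in this article: the reply has nowhere to go.
                return "drop: no binding for client"
            return f"deliver to {self.bindings[client_mac]}"
        return "drop: unknown message"


def dhcp_exchange(client_port_trusted):
    """Run DISCOVER then OFFER; return the decision made for the OFFER."""
    server_port, client_port = "ge.1.1", "ge.1.2"
    mac = "00:00:5e:00:53:01"
    trusted = {server_port}
    if client_port_trusted:
        trusted.add(client_port)
    sw = SnoopingSwitch(trusted=trusted)
    sw.ingress(client_port, "DISCOVER", mac)
    return sw.ingress(server_port, "OFFER", mac)


if __name__ == "__main__":
    print("client on trusted port:  ", dhcp_exchange(True))
    print("client on untrusted port:", dhcp_exchange(False))
```
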

Functions as Designed (FAD).

Place any DHCP client behind a DHCPSnooping untrusted port ('set dhcpsnooping trust port <port-string> disable'). Note that "untrusted" is the default state for a port.

Also note that the FAD expectations have been changed as of firmware
G/C5/C3/B5/B3/A4 release notes state, in the 'Changes and Enhancements in' section:
17362 & 17619 Addressed an issue which prevented DHCP to function properly on trusted ports when DHCP snooping was enabled.
