topic SecureStack/G/D-Series DHCPSnooping Client on Trusted Port cannot get DHCP Address in FAQs https://community.extremenetworks.com/t5/faqs/securestack-g-d-series-dhcpsnooping-client-on-trusted-port/m-p/41002#M24 Article ID: 12682 <BR /> <BR /> <B>Products</B><BR /> SecureStack C3, firmware 1.02.01.0004 and higher<BR /> SecureStack C2, firmware 5.02.01.0006 and higher<BR /> SecureStack B3, firmware 1.02.01.0004 and higher<BR /> SecureStack B2, firmware 4.02.01.0006 and higher<BR /> G-Series, firmware 1.02.00.0043 and higher<BR /> D-Series, firmware 6.03.01.0008 and higher <BR /> <BR /> <B>Changes</B><BR /> Configured DHCP Snooping ('set dhcpsnooping...')(<A href="http://bit.ly/1bgty2I" target="_blank" rel="nofollow noreferrer noopener">12008</A>).<BR /> A client on a trusted port ('set dhcpsnooping trust port &lt;<I>port-string</I>&gt; enable') attempts to get an IP address assignment via the DHCP process. <BR /> <BR /> <B>Symptoms</B><BR /> The DHCP process does not complete successfully.<BR /> The client does not receive an IP address. <BR /> <BR /> <B>Cause</B><BR /> Only trusted DHCP <I>servers</I> - not DHCP <I>clients</I> - should be connected on trusted ports. <BR /> <BR /> By design, DHCP packets from DHCP clients connected on trusted ports get forwarded without creating the tentative binding for that host/DHCP client. When the DHCP server (on a trusted port) responds to the DHCP client message, because DHCP Snooping doesn't have the host/client binding information it drops the DHCP server's response packet to the client. <BR /> <BR /> What is seen on a sniffer trace is that the server responds to the client's Discover request by sending a pair of Offer responses, one using destination UDP port 67 (to notify other servers) and one using destination UDP port 68 (to negotiate with the client). The switch as explained above drops the port 68 traffic, so the client never sees the server's attempt to negotiate. Though the client repeatedly tries to Discover a DHCP server, it never succeeds. <BR /> <BR /> <B>Solution</B><BR /> Functions as Designed (FAD). <BR /> <BR /> Place any DHCP <I>client</I> behind a DHCPSnooping <I>un</I>trusted port ('set dhcpsnooping trust port &lt;<I>port-string</I>&gt; disable'). Note that "untrusted" is the default state for a port. <BR /> <BR /> Also note that the FAD expectations have been changed as of firmware 6.61.07.0010.<BR /> G/C5/C3/B5/B3/A4 release notes state, in the 'Changes and Enhancements in 6.61.07.0010' section: <BR /> 17362 &amp; 17619 Addressed an issue which prevented DHCP to function properly on trusted ports when DHCP snooping was enabled. Wed, 04 Dec 2013 22:50:00 GMT FAQ_User 2013-12-04T22:50:00Z SecureStack/G/D-Series DHCPSnooping Client on Trusted Port cannot get DHCP Address https://community.extremenetworks.com/t5/faqs/securestack-g-d-series-dhcpsnooping-client-on-trusted-port/m-p/41002#M24 Article ID: 12682 <BR /> <BR /> <B>Products</B><BR /> SecureStack C3, firmware 1.02.01.0004 and higher<BR /> SecureStack C2, firmware 5.02.01.0006 and higher<BR /> SecureStack B3, firmware 1.02.01.0004 and higher<BR /> SecureStack B2, firmware 4.02.01.0006 and higher<BR /> G-Series, firmware 1.02.00.0043 and higher<BR /> D-Series, firmware 6.03.01.0008 and higher <BR /> <BR /> <B>Changes</B><BR /> Configured DHCP Snooping ('set dhcpsnooping...')(<A href="http://bit.ly/1bgty2I" target="_blank" rel="nofollow noreferrer noopener">12008</A>).<BR /> A client on a trusted port ('set dhcpsnooping trust port &lt;<I>port-string</I>&gt; enable') attempts to get an IP address assignment via the DHCP process. <BR /> <BR /> <B>Symptoms</B><BR /> The DHCP process does not complete successfully.<BR /> The client does not receive an IP address. <BR /> <BR /> <B>Cause</B><BR /> Only trusted DHCP <I>servers</I> - not DHCP <I>clients</I> - should be connected on trusted ports. <BR /> <BR /> By design, DHCP packets from DHCP clients connected on trusted ports get forwarded without creating the tentative binding for that host/DHCP client. When the DHCP server (on a trusted port) responds to the DHCP client message, because DHCP Snooping doesn't have the host/client binding information it drops the DHCP server's response packet to the client. <BR /> <BR /> What is seen on a sniffer trace is that the server responds to the client's Discover request by sending a pair of Offer responses, one using destination UDP port 67 (to notify other servers) and one using destination UDP port 68 (to negotiate with the client). The switch as explained above drops the port 68 traffic, so the client never sees the server's attempt to negotiate. Though the client repeatedly tries to Discover a DHCP server, it never succeeds. <BR /> <BR /> <B>Solution</B><BR /> Functions as Designed (FAD). <BR /> <BR /> Place any DHCP <I>client</I> behind a DHCPSnooping <I>un</I>trusted port ('set dhcpsnooping trust port &lt;<I>port-string</I>&gt; disable'). Note that "untrusted" is the default state for a port. <BR /> <BR /> Also note that the FAD expectations have been changed as of firmware 6.61.07.0010.<BR /> G/C5/C3/B5/B3/A4 release notes state, in the 'Changes and Enhancements in 6.61.07.0010' section: <BR /> 17362 &amp; 17619 Addressed an issue which prevented DHCP to function properly on trusted ports when DHCP snooping was enabled. Wed, 04 Dec 2013 22:50:00 GMT https://community.extremenetworks.com/t5/faqs/securestack-g-d-series-dhcpsnooping-client-on-trusted-port/m-p/41002#M24 FAQ_User 2013-12-04T22:50:00Z