dhcp snooping - err disabled

alliasneo Member Posts: 186
Hi guys,

Can I just be clear on something?

When enabling DHCP Snooping - will untrusted ports be placed into err-disabled when dhcp requests come in?

The material I have been using for studying states it will, but I've tested this in the lab and nothing happens to the port. It seems the switch will just drop the packets.


Does option 82 have any effect on the port state? - I found this on the Cisco website:



Step 2

[no] errdisable detect cause dhcp-rate-limit

Example:

n1000v(config)# errdisable detect cause dhcp-rate-limit

Enables DHCP error-disabled detection. The no option disables DHCP error-disabled detection.


Thanks.

Comments

  • fiftyo Member Posts: 71
    Hi!
    If untrusted ports were err-disabled when receiving DHCP requests, your clients would have lots of trouble connecting to the LAN!
    DHCP snooping will filter DHCPOFFERs and DHCPACKs on every untrusted port. Refer back to how the host requires an address:
    The end host sends a broadcast DHCP discover. If a DHCP server receives this message, it will send a unicast DHCP offer to the end host, with the subnet mask, IP address, etc. When the end host receives this message, it will send a DHCP request to the server from which it received the DHCP offer. The DHCP server will send a DHCP ack to the end host, leasing the address.
    The main purpose of DHCP snooping is to filter out the bogus DHCP offers. The DHCP snooping feature will also build a database where it maps MAC addresses to the leased IP address, which other features such as Dynamic ARP Inspection will utilize.
    Anyway, this is a good document to understand the functionality: Catalyst 3560 Software Configuration Guide, Release 12.2(52)SE - Configuring DHCP Features and IP Source Guard [Cisco Catalyst 3560 Series Switches] - Cisco Systems
  • alliasneo Member Posts: 186
    Thanks very much for the reply. This is really clear and very helpful.
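
The port behaviour discussed in this thread, as an added example that is not part of any post and is not Cisco's implementation: a simplified Python model in which server replies on an untrusted port are dropped while the port stays up, and only exceeding a configured DHCP rate limit err-disables it. The class, port names, addresses and the limit of 3 packets per second are constructed assumptions.

```python
# Simplified model of DHCP snooping decisions on one switch (illustration only).
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit_pps=None):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit_pps   # None = no per-port DHCP rate limit set
        self.err_disabled = set()
        self.client_port = {}              # client MAC -> untrusted port it was seen on
        self.bindings = {}                 # client MAC -> (leased IP, client port)
        self._count = {}                   # (port, second) -> DHCP packets seen

    def receive(self, port, second, msg_type, client_mac, ip=None):
        """Return 'forward', 'drop' or 'err-disabled' for one DHCP packet."""
        if port in self.err_disabled:
            return "err-disabled"
        if port not in self.trusted:
            # The rate limit is the only check in this model that shuts a port down.
            n = self._count[(port, second)] = self._count.get((port, second), 0) + 1
            if self.rate_limit is not None and n > self.rate_limit:
                self.err_disabled.add(port)
                return "err-disabled"
            # Server replies on an untrusted port are dropped; the port stays up.
            if msg_type in SERVER_MSGS:
                return "drop"
            self.client_port[client_mac] = port
            return "forward"
        # Trusted port: a DHCPACK for a known client creates the binding entry.
        if msg_type == "DHCPACK" and client_mac in self.client_port:
            self.bindings[client_mac] = (ip, self.client_port[client_mac])
        return "forward"

def demo():
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"}, rate_limit_pps=3)
    mac = "00:11:22:33:44:55"              # constructed client MAC
    results = [
        sw.receive("Gi0/1", 0, "DHCPDISCOVER", mac),
        sw.receive("Gi0/2", 0, "DHCPOFFER", mac, "10.0.0.66"),    # bogus offer
        sw.receive("Gi0/24", 0, "DHCPOFFER", mac, "192.0.2.10"),  # real server
        sw.receive("Gi0/1", 0, "DHCPREQUEST", mac),
        sw.receive("Gi0/24", 0, "DHCPACK", mac, "192.0.2.10"),
    ]
    # Five DHCP packets within one second on an untrusted port with a limit of 3.
    burst = [sw.receive("Gi0/3", 1, "DHCPDISCOVER", f"02:00:00:00:00:{i:02x}")
             for i in range(5)]
    return results, burst, sw

if __name__ == "__main__":
    print(demo()[:2])
```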