HP Procurve DHCP Snooping

This article will show you how to:

  • Set up DHCP snooping
  • Troubleshoot DHCP snooping
  • Disable it when (if) shit hits the fan

 

Set up

Information to gather beforehand:

  • Uplink/trunk ports (assuming that your DHCP servers are behind these ports)
  • DHCP server IP addresses
  • Which VLANs you want to enable snooping on

SSH/telnet/console to your switch of choice.

switch#
switch# configure terminal
switch(config)# show dhcp-snooping

If it's not enabled, it will just say DHCP Snooping : No

Turn on the service
switch(config)# dhcp-snooping

Add your DHCP servers
switch(config)# dhcp-snooping authorized-server 10.10.10.1
switch(config)# dhcp-snooping authorized-server 10.10.11.1

Trust the uplink interfaces, so that DHCP server replies (such as ACKs) are accepted on them
switch(config)# dhcp-snooping trust B21-B22

Disable option 82 insertion
switch(config)# no dhcp-snooping option 82

Start DHCP snooping on each VLAN (the .10 and .11 subnets in this example)
switch(config)# dhcp-snooping vlan 10-11

Why no option 82 insertion? Apparently Windows doesn’t like that option, according to this blog post (and taking the risk is not worth it): http://www.synetx.com/tips/?p=20
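
To check afterwards that the switch ended up the way you planned, here is a small Python audit of the running-config (an added example, not part of the original article or any HP tooling). It assumes the running-config stores the settings in the layout quoted in the comments further down (per-interface "dhcp-snooping trust" lines); the function names and the sample config are made up for illustration.

```python
import re

# Constructed sample, laid out like the running-config excerpt in the comments.
SAMPLE_CONFIG = """\
interface A13
   dhcp-snooping trust
   exit
interface B21
   dhcp-snooping trust
   exit
dhcp-snooping
dhcp-snooping authorized-server 10.10.10.1
dhcp-snooping vlan 1-4 10
"""

def expand_vlans(spec):
    """Turn a VLAN list such as '1-4 8-4000' into a set of integers."""
    bounds = (part.split("-") for part in spec.split())
    return {v for b in bounds for v in range(int(b[0]), int(b[-1]) + 1)}

def parse(config):
    """Collect the DHCP snooping state from running-config text."""
    state = {"enabled": False, "servers": set(), "vlans": set(), "trusted": set()}
    iface = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            iface = m.group(1)
        elif line == "exit":
            iface = None
        elif line == "dhcp-snooping trust" and iface:
            state["trusted"].add(iface)
        elif line == "dhcp-snooping":
            state["enabled"] = True
        elif m := re.fullmatch(r"dhcp-snooping authorized-server (\S+)", line):
            state["servers"].add(m.group(1))
        elif m := re.fullmatch(r"dhcp-snooping vlan (.+)", line):
            state["vlans"] |= expand_vlans(m.group(1))
    return state

def audit(config, uplinks, servers, vlans):
    """Compare the parsed state with the intended uplinks, servers and VLANs."""
    s = parse(config)
    checks = [("dhcp-snooping not enabled", [] if s["enabled"] else ["global"]),
              ("uplink not trusted", sorted(uplinks - s["trusted"])),
              ("trusted port is not an uplink", sorted(s["trusted"] - uplinks)),
              ("authorized server missing", sorted(servers - s["servers"])),
              ("unexpected authorized server", sorted(s["servers"] - servers)),
              ("VLAN not snooped", sorted(vlans - s["vlans"]))]
    return [f"{label}: {item}" for label, items in checks for item in items]
```

Call it as audit(SAMPLE_CONFIG, {"B21", "B22"}, {"10.10.10.1", "10.10.11.1"}, {10, 11}) with the values you gathered beforehand. A trusted port that is not an uplink is the finding to look at first, since DHCP server replies arriving on that port are accepted.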

Troubleshooting

Show statistics - dropped requests etc.
switch# show dhcp-snooping stats

Show snooped IP addresses, and which port and VLAN they are on
switch# show dhcp-snooping binding

Debug further
switch# debug destination session
switch# debug security dhcp-snooping

Stop debugging
switch# no debug security dhcp-snooping

Disabling

Disable DHCP snooping per VLAN (10 for example)
switch(config)# no dhcp-snooping vlan 10

 

3 comments
  1. Hi guys,

    Please help me… I am using an HP 5406 switch…

    The thing is, I am using a Ruckus controller, but the DHCP is not able to detect the AP…

    When I checked, there is DHCP dhcp-snooping enabled…

    Below is the config:

    interface A13
    dhcp-snooping trust
    name "AP test 3419"
    exit

    dhcp-snooping
    dhcp-snooping authorized-server 172.16.0.1
    dhcp-snooping authorized-server 172.16.13.1
    dhcp-snooping authorized-server 172.20.0.1
    dhcp-snooping authorized-server 172.27.0.1
    dhcp-snooping authorized-server 192.168.105.1
    dhcp-snooping authorized-server 192.168.106.1
    dhcp-snooping vlan 1-4 8-4000

    The DHCP IP range I use is 172.16.13.1 and so on.

    Please help ASAP.

    Thank you

    • Hi!

      Did you configure “dhcp-snooping trust” on the interface that is connected towards the DHCP server?
      Also, you might want to consider having your wireless access points on a separate VLAN, with DHCP snooping disabled (if it’s causing you trouble).

      /Stefan
