What if the only way I can gather any sort of DHCP snooping info is by turning on ip dhcp snooping information option, which breaks DHCP, but then I get some info in show ip dhcp snooping stats? How would I fix that?
Hello Leo
It looks like you're experiencing the classic "Option 82 with zero giaddr" problem. If this is indeed the case, let me explain further.
When you enable ip dhcp snooping information option, the switch inserts DHCP Option 82 into client DHCP packets. Option 82 is used to include DHCP relay agent information. However, because your switch operates at Layer 2, the Gateway IP address (giaddr) field in the DHCP packet remains 0.0.0.0. Most DHCP servers (including Cisco IOS by default) will DROP packets that contain Option 82 but have a zero giaddr. They are considered an invalid state from a misconfigured relay agent. This is why DHCP "breaks."
Keep in mind that DHCP snooping does NOT require Option 82 to function properly. You should be able to see the DHCP snooping binding database and statistics WITHOUT enabling the information option. The binding table (show ip dhcp snooping binding) is the most important output; it proves the switch is successfully snooping DHCP transactions.
The solution to the issue would be to simply disable Option 82 insertion. If you don't specifically need Option 82 (which is used for advanced policies like location-based IP assignment), simply disable it:
Switch(config)# no ip dhcp snooping information option
After this change, DHCP should work normally, and your binding database will populate. The statistics you're looking for should appear once successful DHCP transactions complete.
Now if you actually need Option 82 for specific requirements, you should configure the upstream Cisco IOS DHCP server or relay to trust packets with Option 82 and a zero giaddr. This can be done using the following command, if your DHCP server is a router or L3 switch:
Router(config)# ip dhcp relay information trust-all
Alternatively, if you need to keep Option 82 enabled and have specific topology requirements, you can configure the switch to allow Option 82 on untrusted ports:
Switch(config)# ip dhcp snooping information option allow-untrusted
I hope this has been helpful!
Laz
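To make the drop decision described above concrete, here is an added example (not from the original thread or any Cisco code) that builds a DHCPDISCOVER, parses its giaddr and options, and emulates the server-side relay-information check: Option 82 together with giaddr 0.0.0.0 is rejected unless the server trusts such packets, which is what ip dhcp relay information trust-all enables. The MAC address and the Option 82 sub-option bytes are constructed sample values, and `trust_all` is an assumed flag standing in for that server setting.

```python
import struct
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_PAD, OPT_END = 53, 82, 0, 255
SAMPLE_MAC = b"\xaa\xbb\xcc\xdd\xee\xff"     # constructed client MAC
# Constructed Option 82 payload: sub-option 1 (Circuit ID) and 2 (Remote ID)
SAMPLE_OPTION82 = b"\x01\x04\x00\x0a\x01\x05" + b"\x02\x06" + SAMPLE_MAC


def build_dhcp_discover(mac: bytes, giaddr: str = "0.0.0.0",
                        option82: Optional[bytes] = None) -> bytes:
    """Build a DHCPDISCOVER: 236-byte BOOTP header, cookie, then options."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, 0x1234ABCD, 0, 0x8000,            # op, htype, hlen, hops, xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4,               # ciaddr, yiaddr, siaddr
        bytes(int(o) for o in giaddr.split(".")),      # giaddr: 0.0.0.0 when no L3 relay
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, 1])                 # message type 1 = DHCPDISCOVER
    if option82 is not None:                           # what the L2 switch inserts
        opts += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_dhcp(pkt: bytes) -> Dict[str, object]:
    """Return giaddr (dotted) and a {code: value} map of the TLV options."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad magic cookie)")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        options[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"giaddr": ".".join(str(b) for b in pkt[24:28]), "options": options}


def server_accepts(pkt: bytes, trust_all: bool = False) -> Tuple[bool, str]:
    """Emulate the relay-information check: Option 82 + zero giaddr is dropped
    unless the server is told to trust such packets (trust_all)."""
    msg = parse_dhcp(pkt)
    if OPT_RELAY_AGENT in msg["options"] and msg["giaddr"] == "0.0.0.0":
        if trust_all:
            return True, "accepted: option 82 with zero giaddr, trust-all set"
        return False, "dropped: option 82 present but giaddr is 0.0.0.0"
    return True, "accepted"
```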
Yes, I am using a Windows DHCP server and have the no ip dhcp snooping information option command in place, but the DHCP snooping binding table was empty. I will try the DHCP relay commands and let you guys know what I find.
Hello Leo
Your empty DHCP snooping binding table is a common issue when first configuring this feature with an external Windows DHCP server. The good news is that your no ip dhcp snooping information option command is correctly configured, which prevents issues with Windows DHCP servers dropping packets containing Option 82.
Why do you see an empty DHCP snooping binding table? There may be several reasons.
The most likely cause is that no new DHCP transactions have taken place. The DHCP snooping binding table only populates when the switch sees a complete DHCP exchange. It cannot detect existing leases that were assigned before snooping was enabled. Try to force a new DHCP transaction and see the results.
Also keep in mind that simply enabling DHCP snooping globally is not sufficient. You must explicitly enable it for the specific VLANs where clients reside. For example:
ip dhcp snooping vlan <vlan-id>
Another thing you may want to check is the interface connecting to your Windows DHCP server (or the uplink toward it). It must be configured as trusted. Without this, the switch will drop DHCP OFFER/ACK packets from the server, preventing both successful client leases and binding table population.
Take these into account when you revisit the issue, and let us know how you get along!
I hope this has been helpful!
Laz