Reasons why users cannot obtain IP addresses after DHCP snooping is configured on an S series switch


After DHCP snooping is enabled, all interfaces on S series switches are untrusted by default. DHCP Discover packets, however, must be forwarded through a trusted interface on the switch. Therefore, you must configure the interface connected to the DHCP server as a trusted interface to ensure that users connected to the switch can obtain IP addresses.

Other related questions:
Why users cannot obtain IP addresses after DHCP snooping is configured
After DHCP snooping is enabled, all interfaces on the device are untrusted by default. In this case, you need to use the dhcp snooping trusted command to set the interfaces connected to the DHCP server to trusted. Otherwise, the DHCP Reply messages sent from the DHCP server are discarded and users connected to the device cannot obtain IP addresses from the DHCP server.

Why a user cannot obtain an IP address after the terminal changes location on an S series switch enabled with DHCP snooping
On an S series switch enabled with DHCP snooping, a binding table is generated on the switch after a user obtains an IP address. If the user is then moved to another interface of the device without releasing the IP address, the user cannot obtain the IP address or access the network. Because the corresponding binding table has already been generated, the user is applying for the same IP address with the same MAC address on a different interface. The switch cannot tell whether the user has moved to another interface or an unauthorized user is attempting to access the network; therefore, the switch does not modify the binding table. As a result, the user fails to obtain the IP address and access the network. To solve this problem, you can delete the binding table from the switch.

Why the clients on a DHCP snooping network cannot obtain IP addresses after they move
On a network using DHCP snooping-enabled S series switches, a binding table is generated on the switch after a user obtains an IP address. If the user is switched to another port of the switch without releasing the IP address, the user may fail to obtain this IP address and access the network. If a user attempts to apply for the same IP address with the same MAC address on a different port after the corresponding binding table has been generated, the switch cannot distinguish whether the user has switched to another port or an unauthorized user attempts to access the network. As a result, the switch does not modify the binding table, resulting in the user's failure to obtain the IP address. To solve this problem, you can delete the binding table from the switch.
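
The trust and binding-table behaviour described in the answers above can be traced with a small model. This is an added example, not Huawei's implementation: the class, its method names, the interface names GE0/0/3 and GE0/0/4, and the MAC and IP values are constructed for illustration, and the drop rules are a simplification of what the text describes.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # messages only a DHCP server sends


@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)     # interfaces marked trusted
    bindings: dict = field(default_factory=dict)  # mac -> (ip, client interface)
    pending: dict = field(default_factory=dict)   # mac -> interface of last request

    def receive(self, ifname, msg, mac, ip=None):
        """Return the verdict for a DHCP message arriving on ifname."""
        if msg in SERVER_MSGS:
            if ifname not in self.trusted:
                return "drop: server reply on untrusted interface"
            if msg == "ACK" and mac in self.pending:
                # Lease confirmed: record where the client actually sits.
                self.bindings[mac] = (ip, self.pending.pop(mac))
            return "forward to client"
        # Client message (DISCOVER, REQUEST, ...)
        bound = self.bindings.get(mac)
        if bound and bound[1] != ifname:
            # Moved user or spoofer? The switch cannot tell, so it keeps the entry.
            return f"drop: {mac} already bound on {bound[1]}"
        if not self.trusted:
            return "drop: no trusted interface to forward to"
        self.pending[mac] = ifname
        return "forward to trusted interfaces"

    def delete_binding(self, mac):
        return self.bindings.pop(mac, None)


def demo():
    sw, mac, out = SnoopingSwitch(), "00e0-fc12-3456", []
    out.append(sw.receive("GE0/0/1", "DISCOVER", mac))         # all ports untrusted
    sw.trusted.add("GE0/0/2")                                  # dhcp snooping trusted
    out.append(sw.receive("GE0/0/1", "REQUEST", mac))
    out.append(sw.receive("GE0/0/3", "ACK", mac, "10.0.0.5"))  # bogus server port
    out.append(sw.receive("GE0/0/2", "ACK", mac, "10.0.0.5"))  # real server port
    out.append(sw.receive("GE0/0/4", "REQUEST", mac))          # moved, no release
    sw.delete_binding(mac)                                     # operator clears entry
    out.append(sw.receive("GE0/0/4", "REQUEST", mac))
    return out
```
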

Clients cannot obtain IP addresses through DHCP after the DHCP relay agent is upgraded
This problem may occur on a fixed switch in the following scenario:
- The switch was upgraded from V100R002/V100R003 to V100R005/V100R006.
- The switch functions as a DHCP relay agent and is configured with the dhcp relay information enable command.
- An authentication mechanism is enabled before the DHCP server allocates an IP address to a client. The authentication server authenticates the client based on the option 82 field.

After the dhcp relay information enable command is configured on the switch, the interface name that the switch encapsulates in the DHCP option 82 field varies according to the system software version:
- For V100R003 and earlier versions, a VLANIF interface name is encapsulated.
- For V100R005 and later versions, a physical interface name is encapsulated.

As different interface names may be encapsulated in the option 82 field before and after the upgrade, the authentication server may fail to authenticate the user based on the option 82 field. If this problem occurs, modify the user authentication configuration on the authentication server after the upgrade. To be specific, change the content of the option 82 field on the authentication server to the physical interface name, or change the user authentication policy by disabling DHCP option 82 field-based authentication.
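
To see why an option 82 based policy stops matching after the upgrade, the following added example (not code from the switch or from any authentication server) parses a Relay Agent Information option as laid out in RFC 3046 and checks its circuit ID against an allow-list. The circuit ID strings, the remote ID bytes and the authorize() policy are constructed assumptions; the exact bytes a given switch writes depend on its configured option 82 format.

```python
def parse_option82(data: bytes) -> dict:
    """Parse a DHCP option 82 TLV (RFC 3046) into its sub-options."""
    if len(data) < 2 or data[0] != 82:
        raise ValueError("not a DHCP option 82 TLV")
    body = data[2:2 + data[1]]
    if len(body) != data[1]:
        raise ValueError("truncated option 82")
    names = {1: "circuit_id", 2: "remote_id"}  # sub-option codes from RFC 3046
    subs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, slen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + slen]
        if len(value) != slen:
            raise ValueError("truncated sub-option value")
        subs[names.get(code, code)] = value
        i += 2 + slen
    return subs


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode circuit ID and remote ID the way a relay agent would insert them."""
    body = (bytes([1, len(circuit_id)]) + circuit_id
            + bytes([2, len(remote_id)]) + remote_id)
    return bytes([82, len(body)]) + body


def authorize(option82: bytes, allowed_circuit_ids: set) -> bool:
    """Hypothetical server policy: accept only known circuit IDs."""
    return parse_option82(option82).get("circuit_id") in allowed_circuit_ids


# Constructed samples: same relay, same client port, different software version.
REMOTE = bytes.fromhex("00e0fc123456")
BEFORE_UPGRADE = build_option82(b"Vlanif100", REMOTE)            # VLANIF name
AFTER_UPGRADE = build_option82(b"GigabitEthernet0/0/1", REMOTE)  # physical name

OLD_POLICY = {b"Vlanif100"}
NEW_POLICY = {b"GigabitEthernet0/0/1"}
```

Running authorize(AFTER_UPGRADE, OLD_POLICY) returns False, which is the authentication failure described above; it succeeds once the policy holds the physical interface name.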

Reasons why a PC that has obtained an IP address from the DHCP server cannot access the Internet on an S series switch
For S series switches (excluding S1700 switches), a PC can normally access the Internet after obtaining an IP address through DHCP. However, if the IP address is assigned by a bogus DHCP server, the PC cannot access the Internet with the incorrect IP address. If this problem occurs, you are advised to configure DHCP snooping on the Layer 2 access device or the first DHCP relay agent from the device, to ensure that PCs can obtain correct IP addresses.
- When you configure DHCP snooping on a Layer 2 access device, steps 1, 2, and 3 are mandatory and must be performed in sequence.
- When you configure DHCP snooping on a DHCP relay agent, only steps 1 and 2 are required.

1. Enable DHCP snooping globally.
   [HUAWEI] dhcp enable
   [HUAWEI] dhcp snooping enable
2. Configure the interfaces connected to DHCP clients. Perform the configuration on all interfaces connected to DHCP clients. GE0/0/1 is used as an example.
   [HUAWEI] interface gigabitethernet 0/0/1
   [HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
   [HUAWEI-GigabitEthernet0/0/1] quit
3. Perform the configuration on interfaces connected to the DHCP server. GE0/0/2 is used as an example.
   [HUAWEI] interface gigabitethernet 0/0/2
   [HUAWEI-GigabitEthernet0/0/2] dhcp snooping trusted
   [HUAWEI-GigabitEthernet0/0/2] quit
