Security
This chapter contains steps to resolve security issues.
DHCP Snooping
 
Symptom/Cause: DHCP packets are not received. DHCP snooping is not enabled on the bridge, or DHCP snooping for that VLAN is not enabled on the bridge.
Solution: Use this command:
show ip dhcp snooping bridge BRIDGEID
Make sure DHCP snooping is enabled on the bridge.

Symptom/Cause: DHCP snooping entries are not visible. The interface to which the IP address is assigned might be a trusted port.
Solution: Use this command:
show ip dhcp snooping bridge BRIDGEID
Make sure the interface connected to the host is untrusted. If the output shows that interface as trusted, set it to untrusted so that the entry appears in the table.
DHCP Snooping IP Source Guard
 
Symptom/Cause: Not able to enable IP source guard on an interface.
Solution: Use this command:
show ip dhcp snooping bridge BRIDGEID
Make sure DHCP snooping is enabled on the bridge.

Symptom/Cause: Unable to execute the ip source guard mode merge command.
Solution: Use the above command to make sure IP source guard (IPSG) is enabled on that interface; the merge command is accepted only after that.

Symptom/Cause: How to see the policies used as part of IP source guard on an interface.
Solution: Use this command:
show ip verify source interface IFNAME
This shows the entries learned as part of this interface; the same entries are pushed as policies.
DHCP Snooping over MLAG
 
Symptom/Cause: DHCP packets are not received. DHCP snooping is not enabled on the bridge, or DHCP snooping for that VLAN is not enabled on the bridge.
Solution: Use this command: show ip dhcp snooping bridge BRIDGEID
Make sure DHCP snooping is enabled on the bridge.

Symptom/Cause: DHCP snooping entries are not visible. The interface to which the IP address is assigned might be a trusted port.
Solution: Use this command: show ip dhcp snooping bridge BRIDGEID
Make sure the interface connected to the host is untrusted. If the output shows that interface as trusted, set it to untrusted so that the entry appears in the table.

Symptom/Cause: DHCP packets are not synced between MLAG active-active/active-standby nodes.
Solution: Use this command: show mcec statistics
Make sure the MLAG domain adjacency is up and the neighbor is in-sync.

Symptom/Cause: DHCP packets are dropped.
Solution: Use this command: show ip dhcp snooping bridge BRIDGEID
Make sure that the MLAG interface facing towards the server is trusted.
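
The trust rules behind the symptoms in the DHCP snooping tables above, as an added Python model (not vendor code or CLI output). It assumes the general DHCP snooping behaviour that server replies are accepted only on trusted ports and that bindings are learned only for clients on untrusted ports; the port names, MAC and IP addresses are constructed samples.

```python
# Simplified model of DHCP snooping + IP source guard (illustrative, not vendor code).
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
MAC = "00:00:5e:00:53:01"        # constructed sample client MAC

@dataclass
class SnoopingBridge:
    trusted: set                                    # ports configured as trusted
    pending: dict = field(default_factory=dict)     # client MAC -> untrusted ingress port
    bindings: dict = field(default_factory=dict)    # port -> {(mac, ip)}

    def dhcp(self, in_port, msg, mac, ip=None):
        """Process one DHCP message; return 'forward' or 'drop'."""
        if msg in SERVER_MSGS:
            if in_port not in self.trusted:
                return "drop"                       # server reply on an untrusted port
            client_port = self.pending.get(mac)
            if msg == "ACK" and client_port is not None:
                self.bindings.setdefault(client_port, set()).add((mac, ip))
            return "forward"
        if in_port not in self.trusted:             # client message on an untrusted port
            self.pending[mac] = in_port
        return "forward"

    def source_guard(self, in_port, mac, src_ip):
        """Permit traffic on untrusted ports only if it matches a learned binding."""
        if in_port in self.trusted:
            return "permit"
        learned = self.bindings.get(in_port, set())
        return "permit" if (mac, src_ip) in learned else "deny"

def demo():
    r = {}
    ok = SnoopingBridge(trusted={"uplink"})         # host port untrusted, server port trusted
    ok.dhcp("host1", "REQUEST", MAC)
    r["ack"] = ok.dhcp("uplink", "ACK", MAC, "192.0.2.5")
    r["binding"] = ok.bindings.get("host1")
    r["good_src"] = ok.source_guard("host1", MAC, "192.0.2.5")
    r["spoofed_src"] = ok.source_guard("host1", MAC, "192.0.2.9")
    # Host-facing port trusted: DHCP works, but no entry appears in the table.
    m1 = SnoopingBridge(trusted={"uplink", "host1"})
    m1.dhcp("host1", "REQUEST", MAC)
    m1.dhcp("uplink", "ACK", MAC, "192.0.2.5")
    r["trusted_host_bindings"] = m1.bindings
    # Server-facing port untrusted: server replies are dropped.
    m2 = SnoopingBridge(trusted=set())
    r["untrusted_server_ack"] = m2.dhcp("uplink", "ACK", MAC, "192.0.2.5")
    return r
```
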
DHCPv6-Prefix Delegation
 
Symptom/Cause: Prefixes are not delegated.
Solution: Use this config command: no ipv6 nd suppress-ra
Make sure this command is enabled on the host-connected interface of the requesting router.

Symptom/Cause: Prefixes are not delegated with varying prefix length.
Solution: Use this config command:
ipv6 address PREFIX_FROM_SERVER ::1:0:0:0:1/64
The suffix should start with "::" and the mask should be 64.

Symptom/Cause: Prefixes are not learned on the requesting router.
Solution: Use this command: show ipv6 dhcp interface
Make sure that prefix delegation is enabled on that interface.