
Wireless roaming and DHCP snooping - incompatible or tunable?

msi
Luminary

Hi there

I've tried enabling DHCP snooping on our M4300 switches, but came to realize that this has caused me more issues with wireless roaming than it has prevented rogue DHCP servers in the network.

When DHCP snooping is enabled on the VLANs used by the wireless APs (in my case UniFi) and a client roams from one AP to another, the client device sometimes ends up with no IP received, as DHCP snooping blocks it: the binding is still active on the physical port of the previous AP the device roamed from (on the same switch).

Is it not possible to keep DHCP snooping enabled without causing issues with wireless roaming?

It seems IOS firmwares had a command 'authentication mac-move permit' (usually related to 802.1x) that would alleviate this kind of issue, but is there an equivalent or other tunable that could be explored?

Thanks in advance for any hints!

Model: GSM4328PB|M4300-28G-PoE+ - 24x1G PoE+ Stackable Managed Switch with 2x10GBASE-T and 2xSFP+ (1000W PSU)
Message 1 of 2
msi
Luminary

Re: Wireless roaming and DHCP snooping - incompatible or tunable?

Although I'm still keeping an eye on it, I might have a potential solution. I was made aware of a specific option in another networking forum: in many cases, and mostly so with wireless APs, blocking a rogue DHCP server is useful while verifying the MAC address isn't, and in our case it does seem to cause issues.

On the M4300, "verification of the source MAC address with the client hardware address in the received DHCP message" is enabled by default as soon as DHCP snooping is enabled globally (IPv4 or v6) and on the VLAN used by WiFi clients. It looks like roaming could actually cause the MAC verification to be tripped. The default value on the M4300 is actually inverted compared to the defaults in a number of products from the vendor with a bridge in its logo; however, other vendors do have it enabled by default as well, so it's not just a Netgear thing.

If you need to disable it, these are the options:

configure
no ip dhcp snooping verify mac-address
no ipv6 dhcp snooping verify mac-address

Message 2 of 2
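To see what the check being disabled above actually inspects, here is an added example in Python (not from the poster or from Netgear) that applies the "verify mac-address" test to constructed DHCP frames: the Ethernet source MAC is compared against the BOOTP chaddr field, and a mismatch means "drop". The frames are minimal constructed samples with no DHCP options; run against frames captured on an AP uplink, the same function shows whether a roaming client's DHCP messages would be dropped for a MAC mismatch before you turn the check off.

```python
import struct

ETH_LEN, UDP_LEN = 14, 8
CHADDR_OFF = 28          # offset of chaddr inside the BOOTP/DHCP payload
BOOTP_HDR_LEN = 236      # fixed BOOTP header length (before the magic cookie)
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_dhcp_frame(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed sample: a minimal broadcast DHCPDISCOVER with no options,
    carrying the given Ethernet source MAC and client hardware address (chaddr)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"))
    bootp = bootp.ljust(BOOTP_HDR_LEN, b"\0") + MAGIC_COOKIE   # sname/file zeroed
    udp = struct.pack("!HHHH", 68, 67, UDP_LEN + len(bootp), 0)  # checksum omitted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp), 0, 0,
                     64, 17, 0, b"\0" * 4, b"\xff" * 4)
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    return eth + ip + udp + bootp

def verify_mac_address(frame: bytes) -> dict:
    """Apply the 'verify mac-address' test to one frame: for a client->server DHCP
    message (UDP dst port 67), the Ethernet source MAC must equal chaddr."""
    if frame[12:14] != b"\x08\x00":           # not IPv4: not a DHCPv4 message
        return {"dhcp": False}
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    udp_off = ETH_LEN + ihl
    proto = frame[ETH_LEN + 9]
    dport = struct.unpack("!H", frame[udp_off + 2:udp_off + 4])[0]
    if proto != 17 or dport != 67:
        return {"dhcp": False}
    bootp = frame[udp_off + UDP_LEN:]
    hlen = bootp[2]                           # hardware address length (6 for Ethernet)
    src_mac, chaddr = frame[6:12], bootp[CHADDR_OFF:CHADDR_OFF + hlen]
    return {"dhcp": True, "src_mac": src_mac.hex(":"), "chaddr": chaddr.hex(":"),
            "verdict": "forward" if src_mac == chaddr else "drop"}

if __name__ == "__main__":
    client = bytes.fromhex("0011223344aa")    # constructed client MAC
    other = bytes.fromhex("0011223344bb")     # constructed: frame sent from a different MAC
    for name, frame in (("direct", build_dhcp_frame(client, client)),
                        ("rewritten-src", build_dhcp_frame(other, client))):
        print(name, verify_mac_address(frame))
```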