Does dhcp snooping option in CML 2.8 free tier work?

rngfinder
Level 1

Hi

I configured a simple lab: the dhcp server is on R1, dhcp snooping is at SW2 on vlan 1, and insertion of option 82 is enabled (see the quote from the config and the screenshots below). However, the dhcp discover message goes through as usual and SW1 does not drop it on the untrusted interface E0/1. I checked with Packet Capture and no option 82 is inserted at SW1, so the DORA process works normally and both PCs get IP addresses from the dhcp server.

The other strange thing is the command #show ip dhcp snooping binding doesn't return any data about snooping leased addresses and hosts, the table is empty. 

Cannot understand why?

Similar config in Packet Tracer works Ok. 

(full config is attached, delete .txt extension and it can be imported in CML free tier)

[screenshot: rngfinder_0-1735744016509.png]

From SW2 config:
...
!
hostname SW2
...
ip dhcp snooping vlan 1
ip dhcp snooping
...
interface Ethernet0/0
ip dhcp snooping trust
!
interface Ethernet0/1
switchport mode access
!
interface Ethernet0/2
switchport mode access
...
end

-----------------

...
Insertion of option 82 is enabled
...

-----------------

[screenshot: rngfinder_3-1735747300083.png]

14 Replies

ip dhcp snooping information option <<- add this in SW2

MHM

Thanks for the reply. I tried it, but it doesn't cure the problem, either with opt. 82 or with the snooping binding table. And the insertion of option 82 is enabled by default; #sh ip dhcp snooping shows this perfectly clearly.

Are you using dhcp helper? If yes,

Then you need 

Ip dhcp relay information 

No, I do not; no relay agent is necessary here because the dhcp server and both SWs are in the same subnet. I tried another topology with 2 routers, 2 different subnets and a relay agent, and it behaved the same way, i.e. it did not work properly ))

Debug ip dhcp <<- run this in SW2 share output here

MHM

This is all I could get from the command. Or I do not know how to use it, sorry.

[screenshot: rngfinder_0-1735758110015.png]

Yes this with 
debug ip dhcp server packet detail <<- in SW with local DHCP server

MHM

the same..

dhcp server is in a router, not in a SW

[screenshot: rngfinder_0-1735760134178.png]

After you run debug,

disconnect and reconnect the host and see the debug appear.

MHM

I switched on debugging on the dhcp server and on SW2 for snooping packets, then switched the hosts off/on, renewed the IP, disconnected/reconnected cables, shut down/up the interface on the PC - not a single log line appeared, which looks strange.

Run then

Debug ip udp <<- in SW2 

MHM

Hi

Thanks for your help; the #debug command and debugging were new to me. Also, on CML nodes console logging is disabled by default; after enabling it (#logging console debugging), it works.

I made and checked the same topology in GNS3 with Cisco vIOS-L2 and everything works as it should work.

It seems the snooping function in CML free tier switches is not working. Here are the logs for an IP renew command from the PC at SW2, with snooping and opt. 82 insertion enabled, and from the dhcp server R1.

In GNS3, at SW there was a full set of DHCP_SNOOPING exchange messages

---------------------

From SW2:


SW2#debug ip udp
UDP packet debugging is on
SW2#
Jan 4 09:18:21.937: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=308
Jan 4 09:18:21.937: UDP: Clearing forwarding/pre-route states in the pak
Jan 4 09:18:21.937: UDP: Failed to clear inject subblock preroute state
Jan 4 09:18:21.997: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=308
Jan 4 09:18:21.997: UDP: Clearing forwarding/pre-route states in the pak
Jan 4 09:18:21.997: UDP: Failed to clear inject subblock preroute state
SW2#
Jan 4 09:18:34.301: DHCP_SNOOPING: checking expired snoop binding entries
SW2#
----------------------------

And logs from DHCP server:

R1#debug ip dhcp server packet det
DHCP server packet detail debugging is on.
R1#
Jan 4 09:18:21.938: Option 82 not present
Jan 4 09:18:21.938: DHCPD: tableid for 10.0.100.1 on Ethernet0/0 is 0
Jan 4 09:18:21.938: DHCPD: client's VPN is .
Jan 4 09:18:21.938: DHCPD: No option 125
Jan 4 09:18:21.938: DHCPD: No option 124
Jan 4 09:18:21.938: DHCPD: Option 125 not present in the msg.
Jan 4 09:18:21.938: Option 82 not present
Jan 4 09:18:21.938: Option 82 not present
Jan 4 09:18:21.938: DHCPD: Option 125 not present in the msg.
Jan 4 09:18:21.938: DHCPD: DHCPDISCOVER received from client 0152.5400.19eb.f5 on interface Ethernet0/0.
Jan 4 09:18:21.938: DHCPD: Option 125 not present in the msg.
Jan 4 09:18:21.938: Option 82 not present
Jan 4 09:18:21.938: Option 82 not present
Jan 4 09:18:21.938: DHCPD: Option 125 not present in the msg.
Jan 4 09:18:21.938: DHCPD: Setting only requested parameters
Jan 4 09:18:21.938: DHCPD: Option 125 not present in the msg.
Jan 4 09:18:21.938: DHCPD: src nbma addr as zero
Jan 4 09:18:21.938: DHCPD: ARP entry exists (10.0.100.12, 5254.0019.ebf5).
Jan 4 09:18:21.938: DHCPD: egress Interface Ethernet0/0
Jan 4 09:18:21.938: DHCPD: unicasting BOOTREPLY to client 5254.0019.ebf5 (10.0.100.12).
Jan 4 09:18:21.998: Option 82 not present
Jan 4 09:18:21.998: DHCPD: tableid for 10.0.100.1 on Ethernet0/0 is 0
Jan 4 09:18:21.998: DHCPD: client's VPN is .
Jan 4 09:18:21.998: DHCPD: No option 125
Jan 4 09:18:21.998: DHCPD: No option 124
Jan 4 09:18:21.998: DHCPD: DHCPREQUEST received from client 0152.5400.19eb.f5 on interface Ethernet0/0
Jan 4 09:18:21.998: DHCPD: Client is Selecting (DHCP Request with Requested IP = 10.0.100.12, Server ID = 10.0.100.1)
Jan 4 09:18:21.998: DHCPD: Option 125 not present in the msg.
Jan 4 09:18:21.998: DHCPD: Can't find any hostname to update
Jan 4 09:18:21.998: DHCPD: Setting only requested parameters
Jan 4 09:18:21.998: DHCPD: Option 125 not present in the msg.
Jan 4 09:18:21.998: DHCPD: src nbma addr as zero
Jan 4 09:18:21.998: DHCPD: ARP entry exists (10.0.100.12, 5254.0019.ebf5).
R1#
Jan 4 09:18:21.998: DHCPD: egress Interface Ethernet0/0
Jan 4 09:18:21.998: DHCPD: unicasting BOOTREPLY to client 5254.0019.ebf5 (10.0.100.12).
R1#

ammahend
VIP Alumni

"However dhcp discover message goes as usual and SW1 do not drop it in the untrusted interface E0/1"

Any client message like Discover, Request, Release, Inform, Decline etc. is allowed on an untrusted port; only server messages like Offer, Ack, Nak etc. are denied on untrusted ports.

About the empty dhcp snooping database, I think it's a bug.

Since you don't want option 82, "no ip dhcp snooping information option" is the right config. It's often good to disable it unless your server side is configured to acknowledge and use option 82.

-hope this helps-
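The untrusted-port rules described above, as an added Python model that is not from this thread or from Cisco: it parses the DHCP options area of a raw BOOTP payload and returns the snooping verdict. It also includes the case rngfinder expected SW1 to apply, a client packet that already carries option 82 arriving on an untrusted port, which Cisco IOS drops by default. The packet bytes, the `build_dhcp` helper and the option 82 value are constructed test data, not a capture from the lab.

```python
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82
OPT_END = 255
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends

def parse_options(payload):
    """Return {code: value} for the DHCP options area of a raw BOOTP payload."""
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:          # pad byte, has no length field
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def snoop_verdict(payload, trusted):
    """DHCP snooping decision for one packet arriving on a trusted or untrusted port."""
    opts = parse_options(payload)
    mtype = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if trusted:                   # trusted ports (toward the real server) are not filtered
        return "forward"
    if mtype in SERVER_MSGS:      # OFFER/ACK/NAK on an untrusted port: rogue server
        return "drop: server message on untrusted port"
    if OPT_RELAY_AGENT in opts:   # client packet already carrying relay agent info
        return "drop: option 82 present on untrusted port"
    return "forward"              # DISCOVER/REQUEST/RELEASE/... from a client is normal

def build_dhcp(msg_type, extra_opts=()):
    """Construct a minimal DHCP payload (constructed test data, not a real capture)."""
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in extra_opts:
        body += bytes([code, len(value)]) + value
    return bytes(236) + MAGIC + body + bytes([OPT_END])

# Constructed option 82 value: sub-option 1 (circuit-id) with a made-up 5-byte id.
OPTION82 = (OPT_RELAY_AGENT, b"\x01\x05Et0/1")

if __name__ == "__main__":
    print(snoop_verdict(build_dhcp(1), trusted=False))               # forward
    print(snoop_verdict(build_dhcp(2), trusted=False))               # drop: server message ...
    print(snoop_verdict(build_dhcp(1, [OPTION82]), trusted=False))   # drop: option 82 ...
```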

You're right, but I thought SW1 should forward them only if there is no opt. 82 in the dhcp messages. The problem is that SW2 has to insert this option anyway into the dhcp messages arriving on access interfaces, as insertion is enabled, and SW1 then should drop them. But they don't do that.