04-22-2016 06:46 AM
Hi Cisco kids,
Recently my company sold Cisco ASR 920 routers to an ISP customer. It is a pretty cool device; the customer wants to integrate this router into the network as a PE device, and everything is fine except for a strange problem with the DHCP snooping feature.
Platform: ASR-920-24SZ-M
IOS: asr920-universalk9_npe.03.16.02a.S.155-3.S2a-ext.bin (Cisco recommended)
We have multicast configured for the IPTV service; customers are connected via access ports (ASR920>DSLAM>SET-UP BOX) configured like this:
interface GigabitEthernet0/0/0
description DSLAM_XXXXXX
!
service instance 934 ethernet
encapsulation dot1q 934
rewrite ingress tag pop 1 symmetric
bridge-domain 934 split-horizon group 0
L3 interface that is used as a gateway for IPTV users:
interface BDI934
description IPTV_Aggregation_and_access
ip address 10.16.112.1 255.255.240.0 secondary
ip address 10.71.240.1 255.255.240.0
ip helper-address 10.120.1.47
ip helper-address 10.120.25.48
ip flow ingress
ip pim passive
ip access-group 105 in
ip ospf 8000 area 0
load-interval 30
end
!
And we have the DHCP snooping configuration:
ip dhcp snooping
ip dhcp snooping bridge-domain 934
ip dhcp snooping track host
no ip dhcp snooping information option
When the IP DHCP snooping feature is enabled, SET-UP box devices cannot get an IP address from the DHCP server, located in a data center (10.120.1.47, 10.120.25.48). I have configured one port as an access port and connected a laptop to it for troubleshooting purposes:
interface GigabitEthernet0/0/17
description TEST_LAPTOP
no ip address
negotiation auto
service instance 934 ethernet
encapsulation untagged
bridge-domain 934
!
End
We have two uplink interfaces configured to connect us to the IP/MPLS network:
interface GigabitEthernet0/0/22
description --Veza prema C7609_PE_XXXX-Gi-8/14 --
mtu 9178
ip address 10.100.103.205 255.255.255.252
ip pim sparse-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 03540E1B004131181B5C
ip ospf network point-to-point
ip ospf hello-interval 1
ip ospf 8000 area 0
load-interval 30
negotiation auto
mpls ip
mpls label protocol ldp
mpls traffic-eng tunnels
mpls traffic-eng backup-path Tunnel2280
cdp enable
service-policy input MPLS_LLQ_WAN_INPUT
service-policy output MPLS_LLQ_WAN_PARENT
ip rsvp bandwidth
ip rsvp signalling hello
end
Current configuration : 635 bytes
!
interface GigabitEthernet0/0/23
description --Veza prema C7606_PE_XXXX-Gi-1/23 --
mtu 9178
ip address 10.100.103.201 255.255.255.252
ip pim sparse-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 03540E1B004131181B5C
ip ospf network point-to-point
ip ospf hello-interval 1
ip ospf 8000 area 0
ip ospf cost 11
load-interval 30
negotiation auto
mpls ip
mpls label protocol ldp
mpls traffic-eng tunnels
mpls traffic-eng backup-path Tunnel2270
cdp enable
service-policy input MPLS_LLQ_WAN_INPUT
service-policy output MPLS_LLQ_WAN_PARENT
ip rsvp bandwidth
ip rsvp signalling hello
end
When DHCP snooping is enabled, the laptop cannot get an IP address; after we disable DHCP snooping, everything works just fine. We have the same configuration at hundreds of other locations, but on different platforms (C7600, ME3600...), and it works perfectly; only on the ASR 920 do we have this issue.
We have tried with debug and got this message:
DHCP_SNOOPING: can't find output interface for dhcp reply. the message is dropped.
I went through the available Cisco documentation but did not find anything. Has anybody had a similar experience, or does anyone have some advice?
Thank you in advance.
05-17-2016 10:19 PM
What is the output of
show bridge-domain 934
Does it differ with DHCP_Snooping on/off?
You could try removing split horizon; it is not needed in this case.
05-31-2016 04:12 AM
Hi Andrew,
I have tried removing the split horizon configuration, but I am still facing the same issue...
06-20-2016 10:49 PM
Not hitting CSCur76202?
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur76202
Try the fixed IOS releases.
06-21-2016 12:54 AM
Hi Andrew,
We have the 3.16.3aS(ED) Cisco recommended version installed on the router.
We managed to figure out that the problem with DHCP snooping is with customers connected to the Alcatel DSLAM equipment. We did some testing and realized that if DHCP snooping is enabled, CPE equipment connected to the Alcatel DSLAM cannot get an IP address. If we disable DHCP snooping, the CPE gets an IP address. Test results also showed that if we enable the "ip dhcp snooping information option" command on the router, it works as well.
Thank you for your reply.
Regards,
Adis Cato
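The outcome above turns on `ip dhcp snooping information option`, the command that controls insertion of DHCP option 82 (Relay Agent Information, RFC 3046). The following is an added example, not code from any poster in this thread: it parses a DHCP UDP payload taken from a packet capture and reports `giaddr` and any option 82 sub-options, so packets seen on a DSLAM-facing port can be compared with those from a directly attached test laptop. The function names and the sample packet are constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie (RFC 2131)
SUBOPTS = {1: "circuit-id", 2: "remote-id"}     # option 82 sub-options (RFC 3046)

def parse_tlv(data, pad_end=True):
    """Walk code/length/value triples; pad (0) and end (255) apply to top-level options only."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if pad_end and code == 255:
            break
        if pad_end and code == 0:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out

def inspect_dhcp(payload):
    """Summarise the fields relevant to snooping from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts = parse_tlv(payload[240:])
    relay = None
    if 82 in opts:
        subs = parse_tlv(opts[82], pad_end=False)
        relay = {SUBOPTS.get(c, c): v for c, v in subs.items()}
    return {"msg_type": (opts.get(53) or b"\x00")[0],   # 1 = DHCPDISCOVER
            "giaddr": socket.inet_ntoa(payload[24:28]),
            "option82": relay}

def build_sample(with_option82):
    """Constructed DHCPDISCOVER for the demo; not a capture from the thread."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s192s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                      b"", b"", b"", b"", bytes.fromhex("020000000001"), b"")
    opts = bytes([53, 1, 1])
    if with_option82:
        sub = bytes([1, 4]) + b"dsl1" + bytes([2, 3]) + b"abc"
        opts += bytes([82, len(sub)]) + sub
    return hdr + MAGIC + opts + b"\xff"

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, inspect_dhcp(build_sample(flag)))
```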