IP dhcp snooping issue on ASR920

Adis Cato
Level 1

Hi Cisco kids,

Recently my company sold Cisco ASR 920 routers to an ISP customer. Pretty cool device. The customer wants to integrate this router into the network as a PE device, and everything is fine except for a strange problem with the DHCP snooping feature.

Platform: ASR-920-24SZ-M

IOS: asr920-universalk9_npe.03.16.02a.S.155-3.S2a-ext.bin (Cisco recommended)

We have multicast configured for the IPTV service. Customers are connected via access ports (ASR920>DSLAM>SET-UP BOX) configured like this:

interface GigabitEthernet0/0/0
 description DSLAM_XXXXXX
!
 service instance 934 ethernet
  encapsulation dot1q 934
  rewrite ingress tag pop 1 symmetric
  bridge-domain 934 split-horizon group 0

L3 interface that is used as a gateway for IPTV users:

interface BDI934
 description IPTV_Aggregation_and_access
 ip address 10.16.112.1 255.255.240.0 secondary
 ip address 10.71.240.1 255.255.240.0
 ip helper-address 10.120.1.47
 ip helper-address 10.120.25.48
 ip flow ingress
 ip pim passive
 ip access-group 105 in
 ip ospf 8000 area 0
 load-interval 30
end
!

And we have this DHCP snooping configuration:

ip dhcp snooping
ip dhcp snooping bridge-domain 934
ip dhcp snooping track host
no ip dhcp snooping information option

When the IP DHCP snooping feature is enabled, SET-UP box devices cannot get an IP address from the DHCP server located in a data center (10.120.1.47, 10.120.25.48). I have configured one port as an access port and connected a laptop to it for troubleshooting purposes:

interface GigabitEthernet0/0/17
 description TEST_LAPTOP
 no ip address
 negotiation auto
 service instance 934 ethernet
  encapsulation untagged
  bridge-domain 934
 !
end

We have two uplink interfaces configured to connect us to the IP/MPLS network:

interface GigabitEthernet0/0/22
 description --Veza prema C7609_PE_XXXX-Gi-8/14 --
 mtu 9178
 ip address 10.100.103.205 255.255.255.252
 ip pim sparse-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 03540E1B004131181B5C
 ip ospf network point-to-point
 ip ospf hello-interval 1
 ip ospf 8000 area 0
 load-interval 30
 negotiation auto
 mpls ip
 mpls label protocol ldp
 mpls traffic-eng tunnels
 mpls traffic-eng backup-path Tunnel2280
 cdp enable
 service-policy input MPLS_LLQ_WAN_INPUT
 service-policy output MPLS_LLQ_WAN_PARENT
 ip rsvp bandwidth
 ip rsvp signalling hello
end

Current configuration : 635 bytes
!
interface GigabitEthernet0/0/23
 description --Veza prema C7606_PE_XXXX-Gi-1/23 --
 mtu 9178
 ip address 10.100.103.201 255.255.255.252
 ip pim sparse-mode
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 03540E1B004131181B5C
 ip ospf network point-to-point
 ip ospf hello-interval 1
 ip ospf 8000 area 0
 ip ospf cost 11
 load-interval 30
 negotiation auto
 mpls ip
 mpls label protocol ldp
 mpls traffic-eng tunnels
 mpls traffic-eng backup-path Tunnel2270
 cdp enable
 service-policy input MPLS_LLQ_WAN_INPUT
 service-policy output MPLS_LLQ_WAN_PARENT
 ip rsvp bandwidth
 ip rsvp signalling hello
end

And when DHCP snooping is enabled, the laptop cannot get an IP address. After we disable DHCP snooping, everything works just fine. We have the same configuration at hundreds of other locations, but on different platforms (C7600, ME3600...), and it works perfectly. Only on the ASR 920 do we have this issue.

We have tried with debug and got this message:

DHCP_SNOOPING: can't find output interface for dhcp reply. the message is dropped.

I went through the available Cisco documentation but did not find anything. Has somebody had a similar experience or some advice?

Thank you in advance.

4 Replies

Andrew Judson
Community Member

What is the output of

show bridge-domain 934

Does it differ with DHCP_Snooping on/off?

Could try removing split horizon, not needed in this case.

Hi Andrew,

I have tried to remove the split horizon configuration, but I am still facing the same issue...

Not hitting CSCur76202?

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur76202

Try the fixed IOS releases.

Hi Andrew,

We have 3.16.3aS(ED) Cisco recommended version installed on the router.

We managed to figure out that the problem with DHCP snooping is with customers connected to the Alcatel DSLAM equipment. We did some testing and realized that if DHCP snooping is enabled, CPE equipment connected to the Alcatel DSLAM cannot get an IP address. If we disable DHCP snooping, the CPE gets an IP address. Test results also showed that if we enable the „ip dhcp snooping information option“ command on the router, it works as well.

Thank you for your reply.

Regards,

Adis Cato
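
Added example, not part of the thread and not Cisco code: since the behaviour changed with `ip dhcp snooping information option` (the command that controls insertion of the DHCP relay agent information option, option 82), a capture taken on each side of the snooping device can be checked for that option. The parser below takes the UDP payload of a DHCP message and reports option 82 and its sub-options; the sample packet, the circuit-id `p934` and the MAC addresses are constructed for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_RELAY_INFO = 0, 255, 53, 82
SUBOPTS = {1: "circuit-id", 2: "remote-id"}   # RFC 3046 sub-options

def parse_tlvs(data, pad=None, end=None):
    """Walk a code/length/value list and return {code: value}."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == pad:                 # pad is a single byte with no length
            i += 1
            continue
        if code == end:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        length = data[i + 1]
        out[code] = out.get(code, b"") + data[i + 2:i + 2 + length]
        i += 2 + length
    return out

def inspect_dhcp(payload):
    """payload: UDP payload of a BOOTP/DHCP message (ports 67/68)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts = parse_tlvs(payload[240:], pad=OPT_PAD, end=OPT_END)
    relay = opts.get(OPT_RELAY_INFO)
    return {
        "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],   # 1 = DISCOVER
        "giaddr": ".".join(str(b) for b in payload[24:28]),
        "chaddr": payload[28:34].hex(":"),
        "option82": None if relay is None else {
            SUBOPTS.get(c, "sub-%d" % c): v for c, v in parse_tlvs(relay).items()},
    }

def build_sample(with_opt82):
    """Constructed DHCPDISCOVER for illustration (not a capture from the thread)."""
    hdr = bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + bytes(20)      # up to giaddr
    hdr += bytes.fromhex("020000000001") + bytes(10) + bytes(192)    # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 1])
    if with_opt82:
        sub = bytes([1, 4]) + b"p934" + bytes([2, 6]) + bytes.fromhex("0200000000aa")
        opts += bytes([OPT_RELAY_INFO, len(sub)]) + sub
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])

if __name__ == "__main__":
    for label, flag in (("with option 82:", True), ("without option 82:", False)):
        print(label, inspect_dhcp(build_sample(flag)))
```

Comparing the result for the same client MAC in captures taken before and after the snooping device shows whether option 82 was already present on arrival or was added or left out in transit.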