DHCP snooping config seems to drop packets in catalyst 3650

Marco__89
Level 1

Hi all,

I'm facing some problems with a DHCP snooping config. The scenario is the following.

 

An IP phone is attached to the Catalyst 3650 switch. The switch has a SPAN session whose source interfaces are g1/0/46 (the interface to which the phone is connected) and g1/0/48 (the uplink trunk interface). Interface g1/0/45 is the destination port of the monitor session. This monitor session has no filter, hence packets that are generated by the phone and directed to the uplink interface are displayed twice in the Wireshark capture taken on interface g1/0/45 (the session destination port).

 

The problem is that, after having disabled DHCP snooping on the switch, it seems to drop DHCP packets (i.e. DHCP Discover messages) sourced from the IP phone. In fact, in Wireshark I see each DHCP packet only once: it comes in from g1/0/46 but does not go out from int g1/0/48 (the uplink interface).

So the IP phone connects to the switch and gets authenticated via MAB from ISE (2.7). Its associated authorization profile puts it into VLAN 701. The dACL consists of a permit ip any any statement.

 

The configs are the following:

interface GigabitEthernet1/0/46
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 201
 device-tracking attach-policy DeviceTrackingPolicy
 ip access-group WELCOMEACL in
 authentication event fail retry 3 action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 10
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 18
 dot1x timeout tx-period 1
 dot1x max-reauth-req 3
 spanning-tree portfast
end
interface GigabitEthernet1/0/48
 switchport trunk allowed vlan 235,601,648,701,707,748,811
 switchport mode trunk

sh run | i dhcp and sh run | i snooping display these results:

no ip dhcp snooping information option
device-sensor filter-list dhcp list DHCP_LIST
device-sensor filter-spec dhcp include list DHCP_LIST
no ip dhcp snooping information option
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
 class system-cpp-police-protocol-snooping

The output of sh ip dhcp snooping is:

Switch DHCP snooping is disabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 002c.c8dd.7f80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------

Snooping seems to be disabled.

 

Do you have any idea what causes the switch to drop the DHCP packets?
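The "seen once versus seen twice" observation above is the key diagnostic, so here is an added Python example (not code from the thread) that counts how many copies of each DHCP Discover a capture from the SPAN destination port contains. With both the access port and the uplink trunk as sources and no filter, a frame the switch forwards from the phone to the uplink is mirrored twice (once per source); a transaction mirrored only once was received but never forwarded. The frames, the phone MAC and the transaction IDs are constructed samples; whether the trunk copy still carries its 802.1Q tag depends on the monitor session's destination encapsulation (untagged by default on IOS, kept with `encapsulation replicate`), so the verdict is based on the copy count only, and the tag is merely reported when present.

```python
"""Count how many copies of each DHCP Discover a SPAN capture contains.

Added example, not code from the thread. With a monitor session whose sources
are the phone's access port and the uplink trunk and no filter, a frame the
switch forwards from the phone to the uplink is mirrored twice (once per
source); a Discover mirrored only once was received but never forwarded.
The frames below are constructed samples, not a capture from the poster's switch.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ETH_HDR = struct.Struct("!6s6sH")
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
DHCP_DISCOVER = 1


def parse_frame(frame: bytes) -> Optional[Tuple[bytes, Optional[int], int, Optional[int]]]:
    """Return (src_mac, vlan_tag_or_None, xid, dhcp_msg_type) for a DHCP frame, else None."""
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    off = ETH_HDR.size
    vlan = None
    if ethertype == ETHERTYPE_VLAN:           # 802.1Q tag present (tagged copy from the trunk)
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlan = tci & 0x0FFF
        off += 4
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != 17:                  # not UDP
        return None
    off += ihl
    sport, dport = struct.unpack_from("!HH", frame, off)
    off += 8
    if (sport, dport) not in ((68, 67), (67, 68)):
        return None
    xid = struct.unpack_from("!I", frame, off + 4)[0]   # BOOTP xid follows op/htype/hlen/hops
    opts = off + 236                                     # fixed BOOTP header is 236 bytes
    if frame[opts:opts + 4] != DHCP_MAGIC:
        return None
    i, msg_type = opts + 4, None
    while i < len(frame) and frame[i] != 255:            # walk TLV options until END
        if frame[i] == 0:                                # PAD option has no length byte
            i += 1
            continue
        code, length = frame[i], frame[i + 1]
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = frame[i + 2]
        i += 2 + length
    return src, vlan, xid, msg_type


def build_discover(src_mac: bytes, xid: int, vlan: Optional[int] = None) -> bytes:
    """Build a minimal broadcast DHCP Discover frame (constructed test input only)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        src_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    payload = bootp + DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, DHCP_DISCOVER, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload   # checksum 0 is legal for IPv4 UDP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + src_mac
    if vlan is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_IPV4) + ip


def discover_copies(frames: List[bytes]) -> Dict[Tuple[str, int], List[Optional[int]]]:
    """Group Discover frames by (client MAC, xid); the value lists the VLAN tag of each copy."""
    seen = defaultdict(list)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[3] == DHCP_DISCOVER:
            src, vlan, xid, _ = parsed
            seen[(src.hex(":"), xid)].append(vlan)
    return dict(seen)


def classify(frames: List[bytes]) -> Dict[Tuple[str, int], str]:
    """'forwarded' when a transaction was mirrored from both sources, else 'not forwarded'."""
    return {key: ("forwarded" if len(copies) >= 2 else "not forwarded")
            for key, copies in discover_copies(frames).items()}


PHONE_MAC = bytes.fromhex("001122334455")   # constructed phone MAC
SAMPLE_CAPTURE = [
    build_discover(PHONE_MAC, 0xAAAA0001),            # mirrored from the access port
    build_discover(PHONE_MAC, 0xAAAA0001, vlan=701),  # same xid mirrored from the trunk, tagged
    build_discover(PHONE_MAC, 0xAAAA0002),            # seen once only: never reached the uplink
]

if __name__ == "__main__":
    for key, verdict in classify(SAMPLE_CAPTURE).items():
        print(key, verdict)
```

To use it on a real capture, feed `classify()` the raw Ethernet frames exported from Wireshark (for example via a pcap reader); a Discover that is "not forwarded" narrows the problem to the switch's forwarding decision rather than to the DHCP server, which is exactly the distinction the question is asking about.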

 

9 Replies

Hi,

Can you check the output of show int g1/0/48 trunk to ensure that VLAN 701 is allowed on the trunk and not blocked? Also, check spanning tree on VLAN 701 to ensure that the interface is blocked.

This has nothing to do with DHCP snooping and it should be something else
(unless you have ARP inspection configured and shared in the config).

***** please remember to rate useful posts

Hi, thanks for your reply.

This is the output of show int g1/0/48 trunk. As you can see, 701 is allowed.

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/48    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/48    235,601,648,701,707,748,811

Port        Vlans allowed and active in management domain
Gi1/0/48    235,601,648,701,707,748,811

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/48    235,601,648,701,707,748,811

Note that there is no layer 3 interface for VLAN 701 on this switch. It also acts as an L2 device.

Checking spanning tree (through sh spanning-tree vlan 701), I obtained the following:

VLAN0701
  Spanning tree enabled protocol rstp
  Root ID    Priority    701
             Address     7018.a7af.f480
             Cost        3007
             Port        48 (GigabitEthernet1/0/48)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33469  (priority 32768 sys-id-ext 701)
             Address     002c.c8dd.7f80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/46            Desg FWD 19        128.46   P2p Edge
Gi1/0/48            Root FWD 4         128.48   P2p Peer(STP)

Also using sh spanning-tree summary:

Switch is in rapid-pvst mode
Root bridge for: VLAN0200, VLAN0235
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0200                     0         0        0          1          1
VLAN0235                     0         0        0          1          1
VLAN0601                     0         0        0          1          1
VLAN0648                     0         0        0          1          1
VLAN0701                     0         0        0          2          2
VLAN0707                     0         0        0          1          1
VLAN0748                     0         0        0          1          1
VLAN0811                     0         0        0          1          1

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
---------------------- -------- --------- -------- ---------- ----------
8 vlans  

Last but not least, I didn't enable ARP inspection, only DHCP snooping (to use it for profiling).
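The two checks requested in the reply above (is the VLAN allowed, active and forwarding on the trunk, and is the uplink port forwarding in that VLAN's spanning tree) are easy to automate, so here is an added Python checker that is not from the thread. It parses the `show interfaces trunk` and `show spanning-tree vlan 701` outputs posted above, which are embedded as sample input; the function names are my own. It goes slightly beyond the posted case by also expanding IOS VLAN ranges such as `5-7`, which appear on trunks with contiguous allowed lists.

```python
"""Check that a VLAN is allowed, active and forwarding on the uplink trunk.

Added example, not from the thread: it automates the two checks requested in
the earlier reply (show interfaces trunk and show spanning-tree vlan N). The
sample outputs are the ones posted above; the function names are my own.
"""
import re
from typing import Dict, List, Set, Tuple

TRUNK_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/48    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/48    235,601,648,701,707,748,811

Port        Vlans allowed and active in management domain
Gi1/0/48    235,601,648,701,707,748,811

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/48    235,601,648,701,707,748,811
"""

STP_VLAN_OUTPUT = """\
VLAN0701
  Spanning tree enabled protocol rstp
  Root ID    Priority    701
             Address     7018.a7af.f480
             Cost        3007
             Port        48 (GigabitEthernet1/0/48)

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/46            Desg FWD 19        128.46   P2p Edge
Gi1/0/48            Root FWD 4         128.48   P2p Peer(STP)
"""

# The three per-port tables of 'show interfaces trunk', keyed by the text after "Vlans".
TRUNK_SECTIONS = ("allowed on trunk",
                  "allowed and active in management domain",
                  "in spanning tree forwarding state and not pruned")


def expand_vlan_list(text: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,5-7,10' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in filter(None, (p.strip() for p in text.split(","))):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_int_trunk(output: str) -> Dict[str, Dict[str, Set[int]]]:
    """Return {port: {section name: VLAN set}} for the three 'Vlans ...' tables."""
    result: Dict[str, Dict[str, Set[int]]] = {}
    section = None
    for line in output.splitlines():
        if line.startswith("Port") and "Vlans" in line:   # table header, e.g. "Port  Vlans allowed on trunk"
            section = line.split("Vlans", 1)[1].strip()
            continue
        m = re.match(r"^(\S+)\s+([\d,\-]+)\s*$", line)    # "Gi1/0/48    235,601,..."
        if m and section:
            result.setdefault(m.group(1), {})[section] = expand_vlan_list(m.group(2))
    return result


def parse_stp_vlan(output: str) -> Dict[str, Tuple[str, str]]:
    """Return {interface: (role, state)} from the per-port table of 'show spanning-tree vlan N'."""
    ports: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        m = re.match(r"^(\S+)\s+(Desg|Root|Altn|Back|Mstr)\s+(FWD|BLK|LRN|LIS|DIS)\b", line)
        if m:
            ports[m.group(1)] = (m.group(2), m.group(3))
    return ports


def vlan_path_problems(trunk_output: str, stp_output: str, port: str, vlan: int) -> List[str]:
    """List reasons the VLAN cannot be forwarded over the port; an empty list means all checks pass."""
    problems: List[str] = []
    tables = parse_show_int_trunk(trunk_output).get(port, {})
    for section in TRUNK_SECTIONS:
        if vlan not in tables.get(section, set()):
            problems.append(f"VLAN {vlan} is not {section} on {port}")
    role_state = parse_stp_vlan(stp_output).get(port)
    if role_state is None:
        problems.append(f"{port} is not listed in the spanning-tree output")
    elif role_state[1] != "FWD":
        problems.append(f"{port} is {role_state[0]} {role_state[1]}, not forwarding")
    return problems


if __name__ == "__main__":
    # VLAN 701 is the ISE-assigned VLAN from the thread; an empty list means the uplink path is clean.
    print(vlan_path_problems(TRUNK_OUTPUT, STP_VLAN_OUTPUT, "Gi1/0/48", 701) or "ok")
```

Run the same function with the voice VLAN (201) and the posted trunk output, and it reports that 201 is absent from all three trunk tables, which is worth knowing when a phone still sends Discovers in the pre-authentication voice VLAN: the spanning-tree output passed in should then be the one for that VLAN, since the per-port roles differ per VLAN in rapid-pvst.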

Hi, thank you for your reply.

So VLAN 701 is allowed on the trunk interface:

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/48    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/48    235,601,648,701,707,748,811

Port        Vlans allowed and active in management domain
Gi1/0/48    235,601,648,701,707,748,811

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/48    235,601,648,701,707,748,811

And it is in forwarding state, as seen in the following two outputs:

 

show spanning-tree vlan 701 output:

VLAN0701
  Spanning tree enabled protocol rstp
  Root ID    Priority    701
             Address     7018.a7af.f480
             Cost        3007
             Port        48 (GigabitEthernet1/0/48)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33469  (priority 32768 sys-id-ext 701)
             Address     002c.c8dd.7f80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/46            Desg FWD 19        128.46   P2p Edge
Gi1/0/48            Root FWD 4         128.48   P2p Peer(STP)

show spanning-tree detail output:

 VLAN0701 is executing the rstp compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 701, address 002c.c8dd.7f80
  Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
  Current root has priority 701, address 7018.a7af.f480
  Root port is 48 (GigabitEthernet1/0/48), cost of root path is 3007
  Topology change flag not set, detected flag not set
  Number of topology changes 2 last change occurred 20:02:39 ago
          from GigabitEthernet1/0/48
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

 Port 46 (GigabitEthernet1/0/46) of VLAN0701 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.46.
   Designated root has priority 701, address 7018.a7af.f480
   Designated bridge has priority 33469, address 002c.c8dd.7f80
   Designated port id is 128.46, designated path cost 3007
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 1386, received 0

 Port 48 (GigabitEthernet1/0/48) of VLAN0701 is root forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.48.
   Designated root has priority 701, address 7018.a7af.f480
   Designated bridge has priority 49853, address 00b0.e13a.de00
   Designated port id is 128.47, designated path cost 3003
   Timers: message age 15, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default, Peer is STP
   BPDU: sent 4, received 36032

I didn't enable IP ARP inspection, so I don't think this is the source of the problem. Do you have other ideas?

First, let's start step by step.

authentication open <<<<- auth is open and you configured data and voice VLANs on the port, so the DHCP server must reply to DHCP requests from hosts in voice VLAN 201 and data VLAN 200. Do these VLANs have an IP helper to the DHCP server???

No, these are "welcome VLANs". They have neither an L3 interface nor an IP helper address. This is because (referring to voice VLAN 201), as soon as the IP phones get authenticated, they are moved to VLAN 701. By doing so, IP phone DHCP Discover messages are handled by the DHCP server in VLAN 701. Even if the IP phone transmits a DHCP Discover in VLAN 201, it isn't handled and so the phone does not receive any DHCP Offer. The IP phone will hence continue to broadcast DHCP Discovers.

But the

authentication open <<<- this makes the SW open the port, meaning NO AUTH IS NEEDED FOR THIS PORT.

Let me explain simply:
1- Using dynamic VLAN
in this case you need closed-mode dot1x and you push the VLAN ID from the AAA server.

2- Using dACL
in this case you configure the VLAN on the port, configure a pre-auth ACL, and push the dACL from the AAA server.

Here I don't know what exactly you want?

Yes, you're right. The packets pass even before authentication. But as I said before, the voice VLAN that is configured on the switch interface (VLAN 201) has no ip dhcp helper address. VLAN 201 is like an empty container where messages are forwarded as an L2 broadcast. The DHCP Discover messages will be transmitted but nobody can answer them, and so the IP phone will continue to transmit them. Once the IP phone has authenticated, it is associated with VLAN 701 by the ISE, which has a working DHCP server.

 

What I want to do is send both a VLAN and an ACL from ISE.

One by one, as I informed you before:
dynamic VLAN + dACL together, this is the first time I see such a config.

Check, do one step as a test:
under the SVI of VLAN 201 configure the IP helper and check if the IP phone gets an IP (this step is to make sure there is no issue with the DHCP server and DHCP snooping).

Second, if you want dynamic VLAN:
configure a VACL or ACL under the SVI of voice VLAN 701
and make the AAA server push only the VLAN ID.

Hi MHM, thank you for your reply. I'm going to open a new thread because I don't think that the problem is related to DHCP snooping.