Eric R. Jones
Participant

Configuring QoS for Cisco 3750,3850 and 9300 models breaks dhcp and port-channel link connections

This is the current configuration we are trying to deploy on our edge switches.
Edge configuration:
ip arp inspection vlan $vlans
ip dhcp snooping vlan $vlans
ip dhcp snooping
ip igmp snooping

interface port-channel $port-channel
 ip dhcp snooping trust
 ip arp inspection trust

class-map match-all C2_VOICE
 match ip dscp 47
class-map match-all VOICE
 match ip dscp ef
class-map match-all VIDEO
 match ip dscp af41
class-map match-all PREFERRED_DATA
 match ip dscp af33

policy-map QOS_POLICY_SWITCHPORT
 class C2_VOICE
  priority level 1 percent 10
 class VOICE
  priority level 2 percent 10
 class VIDEO
  bandwidth percent 10
 class PREFERRED_DATA
  bandwidth remaining percent 10
 class class-default
  bandwidth remaining percent 60

int range g1/1/1-2
 service-policy output QOS_POLICY_SWITCHPORT

interface range g1/0/1 - 24
 spanning-tree guard root
 switchport block unicast
 ip verify source
 storm-control unicast level bps 62000000
 storm-control broadcast level bps 5000000

Distribution:
The distribution switches have "ip arp inspection trust" configured on the port-channel link.
The distribution switches don't have "ip dhcp snooping trust" enabled on them.

######################################################################
When deployed, the switch remains operational; however, our hosts lose connection to the DHCP server and/or connectivity grinds to a halt to the point where trying to SSH into the device fails.

They start getting APIPA addresses, and so far the only thing that fixes this is to remove the "ip arp inspection" and "ip dhcp snooping" configurations.
I'm not sure which of these settings, "trust" or "vlan", could be causing the issue, but we regain connectivity.
I did some reading and it mentions having "ip dhcp relay information trusted" configured on the SVI on the distribution side.
Having this means "ip dhcp snooping trust" is not required on the port-channels.

 
I did some more testing and applied the "ip arp inspection trust" and "ip dhcp inspection trust" to the port channels on both the edge and the distribution. This didn't change anything as long as "ip arp inspection vlan $vlans" was configured globally.

 
I opened a TAC case and the engineer passed this on to me which I read, see the link below. Based on the reading I believe my configuration is workable but that I'm missing something else that may be required on the distribution/core side.

For those who know, this is a STIG requirement, and not the only one required, but this one focuses on QoS.

 
For the QoS configuration on the 9300 and 3850 please refer to the guide below, https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-5/configuration_guide/qos/b_165_qos_9300_cg/b_165_qos_9300_9500_cg_chapter_01.html
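As an added example (not the poster's configuration and not a TAC-confirmed fix), the edge and distribution pieces that decide whether DHCP survives snooping and DAI, followed by the show commands worth checking before removing the features; VLAN ids, interface names and addresses are assumed placeholders.

```cisco
! Added example, not the poster's configuration. VLAN ids, interface
! names and addresses below are placeholders.
!
! ===== Edge (access) switch =====
! Snooping inserts DHCP option 82 into client requests and forwards them
! with giaddr 0.0.0.0. An upstream relay drops such requests by default,
! so hosts never receive an OFFER and fall back to APIPA.
ip dhcp snooping vlan 10,20
ip dhcp snooping
! Option A: stop inserting option 82 on the edge (no relay change needed).
no ip dhcp snooping information option
!
! The uplink must be trusted for both features: OFFER/ACK from the server
! enter here, and the gateway's ARP is not in the snooping binding table.
interface Port-channel1
 ip dhcp snooping trust
 ip arp inspection trust
!
! ip verify source permits only source IPs present in the binding table;
! a host without a lease therefore loses all IP traffic, not just DHCP.
interface range GigabitEthernet1/0/1 - 24
 ip verify source
!
! ===== Distribution switch (L3 relay for the VLAN) =====
! Option B: keep option 82 and let the relay accept giaddr 0.0.0.0
! requests on this SVI (global form: ip dhcp relay information trust-all).
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.0.0.5
 ip dhcp relay information trusted
!
! ===== Verification on the edge, before touching the feature set =====
! Trusted ports and option 82 state:
show ip dhcp snooping
! Leases learned; hosts absent here are blocked by ip verify source:
show ip dhcp snooping binding
! Drop counters (e.g. server replies that arrived on an untrusted port):
show ip dhcp snooping statistics detail
! DAI state and per-VLAN drop counters:
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
! Per-port IP Source Guard filter state:
show ip verify source
```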
