DHCP Snooping not capturing printer requests on 3650 works fine on 2960x

Wolfus
Level 1

Hi,

We are using DHCP snooping and ARP inspection on our switches, which is working fine for us so far with PCs/laptops and phones, and we are now moving printers on to it. On our 2960X config it works fine, but on our 3650s, which are running 16.12.4, we are not seeing any MAC address in the binding table for that interface and the printer is unreachable. If we take off the "ip verify source mac-check" on the printer interface then the printer starts working. We can see that the request gets through to the DHCP server, as an address comes up for that MAC address, but it is only on a 15 min lease, so it seems like it's not getting the confirmation from the printer that it accepts that offer.

Has anyone else come across this?

7 Replies

balaji.bandi
Hall of Fame

Can you give us the 2960 config and the 3650 config? Also give us the DHCP server IP. What DHCP server is this?

Please read some config tips:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-12/configuration_guide/sec/b_1612_sec_3850_cg/configuring_dhcp.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for the reply. Please see attached both configs with some sensitive information taken out. The two ports on there are the ports we are having issues with. We are using a Microsoft DHCP server and the printer VLAN is 50.

First off, why do you have port-security and dot1x configured on the same port? dot1x has port-security built into it, so the port-security commands are obsolete.

I have seen this issue a few times, and in my case this was due to the printers not sending any packets on the network when they are idle and not doing print jobs; the mac address-table aging-time times out and the MAC entry is discarded.

Check the output of show mac address-table aging-time and see if the timeout corresponds to about when the printer MAC is removed. Once this happens, the ip verify source mac-check command will check both the IP to port (ARP) and MAC to port bindings. Since the ARP table timeout is longer than the MAC table timeout by default, the MAC will time out and be discarded and therefore fail the source check. There are a few things you can try to solve this issue. You could try to increase the timeout of the MAC address table; you could also remove the mac-check keyword and just do a regular source guard check. Or you could script a PC/Linux server to send a ping to the printer every minute or so.

--
Please remember to select a correct answer and rate helpful posts

@Marius Gunnerud Yes, silent hosts are a big problem in the network; that is the reason they always go with a static IP address as part of the reservation. I saw the same behaviour with some medical devices.

BB

Hi Marius,

It has both, as all ports have this as standard config across all our ports and some equipment can't use dot1x. I could try taking the dot1x off on this port though and see if anything different happens.

The only issue is the MAC address never shows in the snooping table to age out. The MAC will show on the interface but just not in the DHCP snooping table, even after a reboot of the printer. It seems like we are getting this with CCTV cameras as well.
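As an added check for the symptom described above (MAC learned on the port but absent from the snooping table), and not something posted in the thread: a small Python script that cross-references "show mac address-table" with "show ip dhcp snooping binding" for the printer VLAN and lists hosts on untrusted ports that have no binding, i.e. the hosts that ip verify source will drop. The sample outputs, MACs, IPs and port names are constructed, and the uplink is assumed to be Gi1/0/9 (the first trusted port in the output later in the thread).

```python
import re

# Constructed sample output, not from the thread: MACs, IPs and ports are made up.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  50    0011.2233.4455    DYNAMIC     Gi1/0/5
  50    0011.2233.4466    DYNAMIC     Gi1/0/6
  50    aabb.cc00.0100    DYNAMIC     Gi1/0/9
"""
SNOOP_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.50.0.20       691200      dhcp-snooping  50    GigabitEthernet1/0/5
"""
TRUSTED_PORTS = {"GigabitEthernet1/0/9"}  # assumed uplink to the DHCP server, never source-guarded

def norm_mac(mac):
    """Reduce any MAC notation (0011.2233.4455 or 00:11:22:33:44:55) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def norm_intf(name):
    """Expand the short IOS name used by the MAC table (Gi1/0/5 -> GigabitEthernet1/0/5)."""
    return re.sub(r"^Gi(?=\d)", "GigabitEthernet", name)

def parse_mac_table(text):
    """Return (vlan, mac, interface) rows from 'show mac address-table' output."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-fA-F.]{14})\s+\S+\s+(\S+)", line)
        if m:
            rows.append((int(m.group(1)), norm_mac(m.group(2)), norm_intf(m.group(3))))
    return rows

def parse_bindings(text):
    """Return the set of (vlan, mac, interface) from 'show ip dhcp snooping binding' output."""
    bound = set()
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-fA-F:]{17})\s+\S+\s+\d+\s+\S+\s+(\d+)\s+(\S+)", line)
        if m:
            bound.add((int(m.group(2)), norm_mac(m.group(1)), norm_intf(m.group(3))))
    return bound

def find_unbound_hosts(mac_table, bindings, vlan, trusted):
    """Hosts learned on untrusted ports in `vlan` that have no snooping binding:
    these are the ones 'ip verify source' on that port will drop."""
    bound = parse_bindings(bindings)
    return [(mac, intf) for v, mac, intf in parse_mac_table(mac_table)
            if v == vlan and intf not in trusted and (v, mac, intf) not in bound]
```

Feeding it real output from the two show commands pinpoints which printer ports are missing a binding before touching mac-check or aging timers.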


balaji.bandi
Hall of Fame

Can you also post:

#sh ip DHCP snooping

There could be a bug; check if you are able to upgrade to the latest version.

BB

Hi Balaji,

Please see below for the output:

Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
1-399,401-999
DHCP snooping is operational on following VLANs:
1-399,401-999
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 502f.a8f8.b200 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/9       yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet1/0/47      yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet1/1/4       yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet2/0/21      yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet2/0/33      yes        yes             unlimited
  Custom circuit-ids:

We are currently on the latest version of code for this model switch.
