4510 / Port Security / DHCP

brian.kennedy
Level 1

Any thoughts on this? Having a strange problem. On some of our newer 4510s (SUP 8e), I'm having some devices not getting DHCP addresses until I take off port-security.

The background: on at least two 4510s, new installs, everything comes up and works perfectly. After about a month on the first one, we started having a few printers suddenly stop working with no IP address. After some troubleshooting, we took off port-security and immediately they got an address and started working. We installed another 4510; 3 weeks later the same thing started happening. However, this time we noticed that the night before we did some generator testing, and the affected printers may have briefly lost power. So this gave me a little more to test on, and I am now able to replicate it.

First, all affected devices have been printers (mainly HP, although a co-worker thought an IP phone was affected on the first switch), but not all printers on the switch have been affected. I plug a new printer in, everything comes up fine. If I power that printer off and back on, it fails to get a DHCP address. I can plug a laptop into the same port and it comes up fine. Back to the printer: take off port security, it will immediately pick up an address. I can put port-security back on, and it's fine until powered off again.

DHCP Snooping is not on.

Port-config:

interface GigabitEthernet10/18
 description **IP PHONE OR PC**
 switchport access vlan 24
 switchport mode access
 switchport voice vlan 14
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no mdix auto
 qos trust device cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
 service-policy output DBL
end

Network capture when it's failing only shows DHCP request, no answer.

failed:

No.     Time           Source                Destination           Protocol Length Info
    157 50.802870000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f80993
Frame 157: 347 bytes on wire (2776 bits), 347 bytes captured (2776 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
Bootstrap Protocol

No.     Time           Source                Destination           Protocol Length Info
    182 54.820824000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f80993
Frame 182: 347 bytes on wire (2776 bits), 347 bytes captured (2776 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
Bootstrap Protocol

(repeated)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Working:

No.     Time           Source                Destination           Protocol Length Info
    138 35.496720000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f8a7b8
Frame 138: 347 bytes on wire (2776 bits), 347 bytes captured (2776 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
Bootstrap Protocol

No.     Time           Source                Destination           Protocol Length Info
    185 40.527732000   0.0.0.0               255.255.255.255       DHCP     379    DHCP Request  - Transaction ID 0xc2f8a7b8
Frame 185: 379 bytes on wire (3032 bits), 379 bytes captured (3032 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
Bootstrap Protocol

No.     Time           Source                Destination           Protocol Length Info
    187 40.584626000   Hewlett-_86:fe:9f     Broadcast             ARP      60     Who has 10.201.238.252?  Tell 0.0.0.0
Frame 187: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)

No.     Time           Source                Destination           Protocol Length Info
    200 42.177704000   Hewlett-_86:fe:9f     Broadcast             ARP      60     Gratuitous ARP for 10.201.238.252 (Request)
Frame 200: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request/gratuitous ARP)

No.     Time           Source                Destination           Protocol Length Info
    203 42.415502000   10.201.238.252        224.0.1.60            IGMPv1   60     Membership Report
Frame 203: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: IPv4mcast_00:01:3c (01:00:5e:00:01:3c)
Internet Protocol Version 4, Src: 10.201.238.252 (10.201.238.252), Dst: 224.0.1.60 (224.0.1.60)
Internet Group Management Protocol
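
Added example, not part of the original post: a Python parser for Wireshark text-export summary lines like the ones above. It groups DHCP packets by transaction ID and flags transactions where the client only ever retransmits Discover, as in the failing capture. The sample lines are copied from the post's two captures; the function names and state labels are this example's own.

```python
import re

# Summary lines copied from the post's "failed" and "working" captures.
SAMPLE = """\
    157 50.802870000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f80993
    182 54.820824000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f80993
    138 35.496720000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f8a7b8
    185 40.527732000   0.0.0.0               255.255.255.255       DHCP     379    DHCP Request  - Transaction ID 0xc2f8a7b8
"""

# One Wireshark text-export summary line for a DHCP packet.
SUMMARY = re.compile(
    r"^\s*\d+\s+(?P<time>\d+\.\d+)\s+\S+\s+\S+\s+DHCP\s+\d+\s+"
    r"DHCP (?P<type>\w+)\s+- Transaction ID (?P<xid>0x[0-9a-fA-F]+)"
)

def dhcp_transactions(export_text):
    """Group (time, message type) pairs by transaction ID; non-DHCP lines are skipped."""
    txns = {}
    for line in export_text.splitlines():
        m = SUMMARY.match(line)
        if m:
            txns.setdefault(m["xid"], []).append((float(m["time"]), m["type"]))
    return txns

def classify(events):
    """Label a transaction by how far the DHCP exchange got."""
    kinds = {kind for _, kind in events}
    if kinds == {"Discover"}:
        return "stalled"      # client never moved past Discover
    if "ACK" in kinds:
        return "bound"        # server acknowledged the lease
    if "NAK" in kinds:
        return "refused"
    return "progressed"       # e.g. a client-side capture showing Discover then Request

def report(export_text):
    """Return {xid: (state, discover_count, seconds_between_first_and_last_packet)}."""
    out = {}
    for xid, events in dhcp_transactions(export_text).items():
        times = [t for t, _ in events]
        discovers = sum(1 for _, kind in events if kind == "Discover")
        out[xid] = (classify(events), discovers, round(max(times) - min(times), 3))
    return out

if __name__ == "__main__":
    for xid, (state, discovers, span) in report(SAMPLE).items():
        print(f"{xid}: {state}, {discovers} Discover(s) over {span}s")
```
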


blue phoenix
Level 1

Hi,

Had the same problem, only I am doing this in a virtual lab environment.

What I did was enable ip dhcp snooping on the VLAN of the hosts that need IP via DHCP.

Trusted the uplink port going to the DHCP server. I have only trusted the uplink port of the access switch on which I have configured ip dhcp snooping.

Then enabled:

no ip dhcp snooping information option on the access switch. Now it's either this or:

ip dhcp relay information trust-all  --> THIS DOES NOT WORK

Please let me know if this works...
