Bizarre DHCP snooping causing spanning tree issues on 3650s on reboot

hemmerling
Level 1

Can someone explain what could possibly be causing the problem we've been seeing recently?
We have had to implement ip dhcp snooping and it's having a bizarre interaction with spanning tree when certain 3650 devices reboot.

Maybe it's because we're writing the dhcp binding table to the flash so it survives the rebooting and that is causing a weird interaction at boot. I don't know.

But what seems to be happening is that certain 3650 switches running 16.12.10 or higher that have ip dhcp snooping applied will randomly on a reboot start advertising the lowest interface's mac address as a new root for all allowed vlans, and this is often the either unused or completely disabled Gi 0/0 (RP management port).

Because we have loop and root guard applied everywhere this will start blocking various trunk ports: "%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0xxx"
If the RP port (or lowest mac on the device) isn't disabled, you can see this as the MAC address in one of the other switches that is showing the spanning tree root change; it shows up as "%SPANTREE-5-ROOTCHANGE: Root Changed for vlan xxx: New Root Port is GigabitEthernet1/1/1. New Root Mac Address is xxxx.xxxx.xxxx"
It doesn't matter that the port is unplugged and down/down, it still somehow is now advertising that it's the new root.
If it's admin shut (which most of ours are), the other switch doesn't show the mac address; the only mac you'll see is when the root changes back to what it was before it started blocking.

The only reason I know that it's DHCP snooping related is that it was the last change on the devices and when we remove it, the new root advertisement stops. It absolutely stops when the "ip dhcp snooping vlan xxx" is removed from the offending switch that is doing the root advertisement from its RP port.

This is clearly a bug, and we had no issues for weeks after configuring dhcp snooping, but after it was running for a few weeks when we were doing switch IOS upgrades it started happening on some of them following reboots.

I can find no other case of this online, and I know it seems crazy to say they're connected but they are connected, somehow.

Here are the various errors someone will see when it's happening:
%SPANTREE-5-ROOTCHANGE: Root Changed for vlan xxx: New Root Port is GigabitEthernet1/1/1. New Root Mac Address is xxxx.xxxx.xxxx
%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0xxx
%SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet1/1/1 on VLAN0xxx.
%SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan xxx

And it will happen on every allowed VLAN, and if the RP (or lowest mac address on the interfaces) port is not disabled you will see that as being advertised as the new root, but if it's admin shut then you won't see who is the new root, just that there is one and then the blocking. You will have to prune to find the offending device.

It did it on 16.12.10 and 16.12.11 on the 3650s, but the spanning tree changes impact every switch sharing the same VLANs.
I'm mostly asking this here so that the next unlucky network tech has a hope of knowing why their network is going crazy when it happens to them.

Has anyone seen this before?
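To make the "prune to find the offending device" step less painful, the following is an added example (not from this thread or from Cisco) that parses the SPANTREE messages quoted above from a syslog collector and reports which MAC address was announced as new root on VLANs where loop guard was blocking at the same time. The log lines, hostnames and MAC addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines modelled on the messages quoted in the post.
# Hostnames, MAC addresses and VLAN numbers are placeholders, not real data.
SAMPLE_LOG = """\
Jan 10 03:12:01 sw-dist-1 1234: %SPANTREE-5-ROOTCHANGE: Root Changed for vlan 110: New Root Port is GigabitEthernet1/1/1. New Root Mac Address is 0011.2233.4455
Jan 10 03:12:01 sw-dist-1 1235: %SPANTREE-5-ROOTCHANGE: Root Changed for vlan 120: New Root Port is GigabitEthernet1/1/1. New Root Mac Address is 0011.2233.4455
Jan 10 03:12:02 sw-dist-1 1236: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0110
Jan 10 03:12:02 sw-dist-1 1237: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/1/1 on VLAN0120
Jan 10 03:12:03 sw-dist-1 1238: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 110
Jan 10 03:20:10 sw-dist-1 1239: %SPANTREE-5-ROOTCHANGE: Root Changed for vlan 110: New Root Port is GigabitEthernet1/1/1. New Root Mac Address is aaaa.bbbb.cccc
"""

ROOTCHANGE = re.compile(
    r"%SPANTREE-5-ROOTCHANGE: Root Changed for vlan (\d+): New Root Port is (\S+)\. "
    r"New Root Mac Address is ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
LOOPGUARD_BLOCK = re.compile(
    r"%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port (\S+) on VLAN0*(\d+)")

def summarize_stp_events(log_text):
    """Return (root_claims, blocked): root_claims maps a MAC to the set of VLANs
    it was announced as root for; blocked maps a port to the set of VLANs loop
    guard blocked on it."""
    root_claims = defaultdict(set)
    blocked = defaultdict(set)
    for line in log_text.splitlines():
        m = ROOTCHANGE.search(line)
        if m:
            vlan, _port, mac = m.groups()
            root_claims[mac].add(int(vlan))
            continue
        m = LOOPGUARD_BLOCK.search(line)
        if m:
            port, vlan = m.groups()
            blocked[port].add(int(vlan))
    return dict(root_claims), dict(blocked)

def suspect_roots(log_text, min_vlans=2):
    """MACs announced as new root on at least min_vlans VLANs where loop guard
    was also blocking, i.e. the pattern described in the post. The returned MAC
    is the one to look up in the upstream switches' MAC address tables."""
    root_claims, blocked = summarize_stp_events(log_text)
    blocked_vlans = set().union(*blocked.values()) if blocked else set()
    return {mac: sorted(v & blocked_vlans) for mac, v in root_claims.items()
            if len(v & blocked_vlans) >= min_vlans}
```

If the offending port is admin shut, the ROOTCHANGE line may carry no useful MAC, so the LOOPGUARD_BLOCK port and VLAN set is then the only lead the logs give.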

16 Replies

DHCP snooping is a MAC-IP-port database and it is not related to the STP root bridge ID.

DHCP snooping affects the CPU, and hence BPDUs are not received and the STP topology changes.

Check the BPDUs sent and received on the interface and check the CPU.

Don't waste your time.

MHM

hemmerling
Level 1

So I think I figured out what I'm seeing.
It looks like on a 3650 running 16.10 or higher (maybe earlier) that when you enable "ip dhcp snooping vlan xx" and "ip dhcp snooping", the switch will sometimes put a random mac address from one of its interfaces (like a trunk or an RP port) into the vlan(s) configured in the snooping command as soon as you turn on "ip dhcp snooping" globally.
This will trigger all kinds of spanning tree issues when the switch reboots because it comes up as root to itself first, and because of the loop guard we have to run, it seems to be what is causing the bouncing.
That mac will show up as being in the vlan to all upstream devices but not in the mac address table of the device itself.
As soon as you remove dhcp snooping from the 3650 that mac will time out after about 480 seconds and be removed from the mac address table in the upstream switches.

It doesn't seem to do this on the 2960x or 9300 or 9300l so I don't think this is the way it's supposed to work.
All devices are configured with "no ip dhcp snooping information option".
Is this normal, and if so why is only the 3650 doing it?
