Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3089
Views
0
Helpful
9
Replies

DHCP snooping binding table empty.

tedauction
Level 1
Level 1

‎01-25-2021 12:04 PM

Hello, I have a cisco WS-C3650-48PD running firmware 16.6.7.

I have configured DHCP snooping exactly as per our many other switches e.g.

 

GLOBALLY:

ip dhcp snooping

ip dhcp snooping vlan 10,110

 

On the uplink trunk Port Channel interface that routes to the DHCP server:
ip dhcp snooping trust 

Note that no other ports are trusted.

 

IP DHCP SNOOPING is confirmed via:

#sh ip dhcp snoop
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10,110
DHCP snooping is operational on following VLANs:
10,110
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: bc4a.56ef.ad80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
TenGigabitEthernet1/1/3 yes yes unlimited
Custom circuit-ids:
TenGigabitEthernet1/1/4 yes yes unlimited
Custom circuit-ids:
Port-channel1 yes yes unlimited
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
Custom circuit-ids:

The problem is that when I run the command 'sh ip dhcp snooping binding' I see absolutely no bindings even though there are machines on this switch constantly updating and requesting DHCP.

 

The empty binding database:

MWCHCSW-L1#sh ip dhcp snoop bind
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0

 

Here is an example of logs taken via ' debug ip dhcp snooping event' and debug ip dhcp snooping paket':

Jan 25 19:51:58.749: DHCP_SNOOPING: bridge packet send packet to cpu port: Vlan10.
Jan 25 19:52:00.213: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/24)
Jan 25 19:52:00.214: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/24, MAC da: ffff.ffff.ffff, MAC sa: 2cea.7f20.4180, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 2cea.7f20.4180, efp_id: -1086460656, vlan_id: 10
Jan 25 19:52:00.214: DHCP_SNOOPING: add relay information option.
Jan 25 19:52:00.215: DHCP_SNOOPING: Encoding opt82 CID in vlan-mod-port format
Jan 25 19:52:00.215: VRF id is valid
Jan 25 19:52:00.215: DHCP_SNOOPING: Encoding opt82 RID in MAC address format
Jan 25 19:52:00.215: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xA 0x1 0x18 0x2 0x8 0x0 0x6 0xBC 0x4A 0x56 0xEF 0xAD 0x80
Jan 25 19:52:00.217: DHCP_SNOOPING: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
Jan 25 19:52:00.218: DHCP_SNOOPING: bridge packet send packet to cpu port: Vlan10.
Jan 25 19:52:03.937: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/24)
Jan 25 19:52:03.938: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/24, MAC da: ffff.ffff.ffff, MAC sa: 2cea.7f20.4180, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 2cea.7f20.4180, efp_id: -1086460656, vlan_id: 10
Jan 25 19:52:03.938: DHCP_SNOOPING: add relay information option.
Jan 25 19:52:03.938: DHCP_SNOOPING: Encoding opt82 CID in vlan-mod-port format
Jan 25 19:52:03.939: VRF id is valid
Jan 25 19:52:03.939: DHCP_SNOOPING: Encoding opt82 RID in MAC address format
Jan 25 19:52:03.939: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xA 0x1 0x18 0x2 0x8 0x0 0x6 0xBC 0x4A 0x56 0xEF 0xAD 0x80
Jan 25 19:52:03.942: DHCP_SNOOPING: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
Jan 25 19:52:03.942: DHCP_SNOOPING: bridge packet send packet to cpu port: Vlan10.
Jan 25 19:52:12.546: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/24)
Jan 25 19:52:12.547: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/24, MAC da: ffff.ffff.ffff, MAC sa: 2cea.7f20.4180, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 2cea.7f20.4180, efp_id: -1086460656, vlan_id: 10
Jan 25 19:52:12.547: DHCP_SNOOPING: add relay information option.
Jan 25 19:52:12.548: DHCP_SNOOPING: Encoding opt82 CID in vlan-mod-port format
Jan 25 19:52:12.548: VRF id is valid
Jan 25 19:52:12.548: DHCP_SNOOPING: Encoding opt82 RID in MAC address format
Jan 25 19:52:12.548: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xA 0x1 0x18 0x2 0x8 0x0 0x6 0xBC 0x4A 0x56 0xEF 0xAD 0x80
Jan 25 19:52:12.550: DHCP_SNOOPING: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
Jan 25 19:52:12.551: DHCP_SNOOPING: bridge packet send packet to cpu port: Vlan10.
Jan 25 19:52:14.575: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/29)
Jan 25 19:52:14.575: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/29, MAC da: ffff.ffff.ffff, MAC sa: 2cea.7f20.480e, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 2cea.7f20.480e, efp_id: -1086460656, vlan_id: 10
Jan 25 19:52:14.576: DHCP_SNOOPING: add relay information option.
Jan 25 19:52:14.576: DHCP_SNOOPING: Encoding opt82 CID in vlan-mod-port format
Jan 25 19:52:14.577: VRF id is valid
Jan 25 19:52:14.577: DHCP_SNOOPING: Encoding opt82 RID in MAC address format
Jan 25 19:52:14.578: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xA 0x1 0x1D 0x2 0x8 0x0 0x6 0xBC 0x4A 0x56 0xEF 0xAD 0x80
Jan 25 19:52:14.589: DHCP_SNOOPING: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
Jan 25 19:52:14.589: DHCP_SNOOPING: bridge packet send packet to cpu port: Vlan10.
Jan 25 19:52:15.682: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/25)
Jan 25 19:52:15.683: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/25, MAC da: ffff.ffff.ffff, MAC sa: 2cea.7f20.444e, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 2cea.7f20.444e, efp_id: -1086460656, vlan_id: 10
Jan 25 19:52:15.683: DHCP_SNOOPING: add relay information option.
Jan 25 19:52:15.683: DHCP_SNOOPING: Encoding opt82 CID in vlan-mod-port format
Jan 25 19:52:15.683: VRF id is valid
Jan 25 19:52:15.684: DHCP_SNOOPING: Encoding opt82 RID in MAC address format
Jan 25 19:52:15.684: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xA 0x1 0x19 0x2 0x8 0x0 0x6 0xBC 0x4A 0x56 0xEF 0xAD 0x80
Jan 25 19:52:15.686: DHCP_SNOOPING: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
Jan 25 19:52:15.686: DHCP_SNOOPING: bridge packet send packet to cpu port: Vlan10.
Jan 25 19:52:18.461: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/29)
Jan 25 19:52:18.462: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/29, MAC da: ffff.ffff.ffff, MAC sa: 2cea.7f20.480e, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 2cea.7f20.480e, efp_id: -1086460656, vlan_id: 10
Jan 25 19:52:18.462: DHCP_SNOOPING: add relay information option.
Jan 25 19:52:18.462: DHCP_SNOOPING: Encoding opt82 CID in vlan-mod-port format
Jan 25 19:52:18.463: VRF id is valid
Jan 25 19:52:18.463: DHCP_SNOOPING: Encoding opt82 RID in MAC address format
Jan 25 19:52:18.463: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xA 0x1 0x1D 0x2 0x8 0x0 0x6 0xBC 0x4A 0x56 0xEF 0xAD 0x80
Jan 25 19:52:18.465: DHCP_SNOOPING: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
Jan 25 19:52:18.465: DHCP_SNOOPING: bridge packet send packet to cpu port: Vlan10.
Jan 25 19:52:20.166: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/17)
Jan 25 19:52:20.166: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Gi1/0/17, MAC da: 643a.ea7b.f74d, MAC sa: 001a.e22a.a2f4, IP da: 10.62.100.44, IP sa: 10.22.146.77, DHCP ciaddr: 10.22.146.77, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 001a.e22a.a2f4, efp_id: -1086460656, vlan_id: 110
Jan 25 19:52:20.167: DHCP_SNOOPING: add relay information option.
Jan 25 19:52:20.167: DHCP_SNOOPING: Encoding opt82 CID in vlan-mod-port format
Jan 25 19:52:20.167: DHCP_SNOOPING: Encoding opt82 RID in MAC address format
Jan 25 19:52:20.167: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x6E 0x1 0x11 0x2 0x8 0x0 0x6 0xBC 0x4A 0x56 0xEF 0xAD 0x80
Jan 25 19:52:20.170: DHCP_SNOOPING: bridge packet send packet to port: Port-channel1, vlan 110.
Jan 25 19:52:27.221: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/29)
Jan 25 19:52:27.222: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/29, MAC da: ffff.ffff.ffff, MAC sa: 2cea.7f20.480e, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 2cea.7f20.480e, efp_id: -1086460656, vlan_id: 10
Jan 25 19:52:27.222: DHCP_SNOOPING: add relay information option.
Jan 25 19:52:27.223: DHCP_SNOOPING: Encoding opt82 CID in vlan-mod-port format
Jan 25 19:52:27.223: VRF id is valid
Jan 25 19:52:27.223: DHCP_SNOOPING: Encoding opt82 RID in MAC address format
Jan 25 19:52:27.223: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xA 0x1 0x1D 0x2 0x8 0x0 0x6 0xBC 0x4A 0x56 0xEF 0xAD 0x80
Jan 25 19:52:27.226: DHCP_SNOOPING: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
Jan 25 19:52:27.226: DHCP_SNOOPING: bridge packet send packet to cpu port: Vlan10.
Jan 25 19:52:27.762: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/24)
Jan 25 19:52:27.763: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Gi1/0/24, MAC da: ffff.ffff.ffff, MAC sa: 0025.4593.5de6, IP da: 255.255.255.255, IP sa: 10.22.146.64, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0025.4593.5de6, efp_id: -1086460656, vlan_id: 110
Jan 25 19:52:27.763: DHCP_SNOOPING: add relay information option.
Jan 25 19:52:27.763: DHCP_SNOOPING: Encoding opt82 CID in vlan-mod-port format
Jan 25 19:52:27.763: DHCP_SNOOPING: Encoding opt82 RID in MAC address format
Jan 25 19:52:27.764: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x6E 0x1 0x18 0x2 0x8 0x0 0x6 0xBC 0x4A 0x56 0xEF 0xAD 0x80
Jan 25 19:52:27.766: DHCP_SNOOPING: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (110)
Jan 25 19:52:28.433: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/20)
Jan 25 19:52:28.434: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Gi1/0/20, MAC da: 643a.ea7b.f74d, MAC sa: 0016.4600.0c57, IP da: 10.62.100.44, IP sa: 10.22.146.81, DHCP ciaddr: 10.22.146.81, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0016.4600.0c57, efp_id: -1086460656, vlan_id: 110
Jan 25 19:52:28.435: DHCP_SNOOPING: add relay information option.
Jan 25 19:52:28.435: DHCP_SNOOPING: Encoding opt82 CID in vlan-mod-port format
Jan 25 19:52:28.435: DHCP_SNOOPING: Encoding opt82 RID in MAC address format
Jan 25 19:52:28.435: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x6E 0x1 0x14 0x2 0x8 0x0 0x6 0xBC 0x4A 0x56 0xEF 0xAD 0x80
Jan 25 19:52:28.437: DHCP_SNOOPING: bridge packet send packet to port: Port-channel1, vlan 110.
Jan 25 19:52:29.547: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet1/0/24)
Jan 25 19:52:29.548: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/24, MAC da: ffff.ffff.ffff, MAC sa: 2cea.7f20.4180, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 2cea.7f20.4180, efp_id: -1086460656, vlan_id: 10
Jan 25 19:52:29.548: DHCP_SNOOPING: add relay information option.
Jan 25 19:52:29.548: DHCP_SNOOPING: Encoding opt82 CID in vlan-mod-port format
Jan 25 19:52:29.549: VRF id is valid
Jan 25 19:52:29.549: DHCP_SNOOPING: Encoding opt82 RID in MAC address format
Jan 25 19:52:29.549: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xA 0x1 0x18 0x2 0x8 0x0 0x6 0xBC 0x4A 0x56 0xEF 0xAD 0x80
Jan 25 19:52:29.551: DHCP_SNOOPING: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
Jan 25 19:52:29.552: DHCP_SNOOPING: bridge packet send packet to cpu port: Vlan10.

 

Labels:
0 Helpful
9 Replies 9

Tyson Joachims
Spotlight
Spotlight

‎01-25-2021 01:17 PM

Could you upload a copy of your running configuration (remove any usernames and passwords). Additionally, what output do you get with the following command:

show ip dhcp snooping statistics
0 Helpful

tedauction
Level 1
Level 1
In response to Tyson Joachims

‎01-25-2021 03:45 PM

Hello here is the output of the statistics command:

 

sh ip dhcp snooping statistics
Packets Forwarded = 86518
Packets Dropped = 0
Packets Dropped From untrusted ports = 0

0 Helpful

paul driver
VIP
VIP

‎01-25-2021 01:26 PM

Hello

FYI - only enable dhcp snooping on L2 access switches not on my core or distribution layers.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

MHM Cisco World
VIP
VIP

‎01-25-2021 03:24 PM

friend 
DHCP snooping is work add entry only in case of ACK on the trust port.
here your DHCP request and discover but there are no ACK message, are you PC get IP from DHCP?
it seem to me that you not config trust port toward the DHCP server do you config trust port ?

0 Helpful

tedauction
Level 1
Level 1
In response to MHM Cisco World

‎01-25-2021 03:47 PM

Hello, yes I have configured trust DHCP on the uplink port that routes to the DHCP server:

 

interface Port-channel1
switchport trunk allowed vlan 10,110
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
end

0 Helpful

MHM Cisco World
VIP
VIP
In response to tedauction

‎01-25-2021 04:01 PM - edited ‎01-25-2021 04:04 PM

are you PC get ip from Server ?
also since this is Port channel, config trust under each interface that group of this port channel.

0 Helpful

tedauction
Level 1
Level 1

‎01-25-2021 05:15 PM

just realised that I did not have 'ip dhcp snooping trust' configured on the facing switches uplink port, so that switch was blocking DHCP for this switch thus the binding table never populated.

Thanks guys for your help anyway.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎01-26-2021 03:13 AM

ip dhcp snooping trust - try this command

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

AlwaysBeginner
Level 1
Level 1

‎10-05-2023 06:27 PM

Try to add the command "no ip dhcp snooping information option"

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card