DHCP Snooping dropping it all

Jorge F
Level 1

Hello folks,

Although the subject matter has been revisited a hundred times, none of the proposed configurations has worked for me, and therefore I can't get the PCs to get an IP address when rebooting them; the switch will simply drop the DHCP traffic.

To sum it up, my topology is fairly simple, having a stack of access switches (3650) where DHCP snooping is implemented, a 4500X core switch (SVIs) and then a WAN router.
My DHCP server is a windows based machine across the WAN.
IP helper addresses are configured at each Vlan SVI at the core switch.
No DHCP snooping config exists at the core (I did later configure some).

Deployed config at the access switches is:

ip dhcp snooping vlan 16,32
no ip dhcp snooping information option
ip dhcp snooping

!
int Po16, Gi1/0/48, Gi2/0/48, Gi3/0/48, Gi4/0/47, Gi4/0/48 (Po16 being the trunk down to the core; all other interfaces are wifi APs, left out of the equation for now)
ip dhcp snooping trust
!
!

///////

Show ip dhcp snooping:

Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
16,32
DHCP snooping is operational on following VLANs:
16,32
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 00d7.8f8a.3c00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is disabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
GigabitEthernet1/0/48 yes yes 500
Custom circuit-ids:
TenGigabitEthernet1/1/3 yes yes unlimited
Custom circuit-ids:
GigabitEthernet2/0/21 no no 25
Custom circuit-ids:
GigabitEthernet2/0/48 yes yes 500
Custom circuit-ids:
GigabitEthernet3/0/48 yes yes 500
Custom circuit-ids:
GigabitEthernet4/0/47 yes yes 500
Custom circuit-ids:
GigabitEthernet4/0/48 yes yes 500
Custom circuit-ids:
TenGigabitEthernet4/1/3 yes yes unlimited
Custom circuit-ids:
Port-channel16 yes yes unlimited
Custom circuit-ids:


////////////////////////

Keep getting drops at untrusted ports (client access)

Packets Forwarded = 100
Packets Dropped = 69
Packets Dropped From untrusted ports = 67

/////////////////////

Enabled a debug and all I get no matter what I try is:


*Aug 7 22:25:19.395: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet4/0/47)
*Aug 7 22:25:19.445: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi4/0/47, MAC da: ffff.ffff.ffff, MAC sa: f48c.50db.b672, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:19.445: DHCP_SNOOPING: message type : DHCPDISCOVER DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:19.445: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (32)
*Aug 7 22:25:19.575: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel16)
*Aug 7 22:25:19.587: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po16, MAC da: f48c.50db.b672, MAC sa: 0008.e3ff.fc28, IP da: 10.60.32.120, IP sa: 10.60.32.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.60.32.120, DHCP siaddr: 10.61.211.8, DHCP giaddr: 10.60.32.1, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:19.590: DHCP_SNOOPING: message type : DHCPOFFER DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.60.32.120, DHCP siaddr: 10.61.211.8, DHCP giaddr: 10.60.32.1, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:19.590: DHCP_SNOOPING: direct forward dhcp replyto output port: GigabitEthernet4/0/47.
*Aug 7 22:25:20.734: %DOT1X-5-FAIL: Authentication failed for client (ecb1.d749.f9a8) on Interface Gi3/0/24 AuditSessionID 0A3C080600017D84CFCFFE36
*Aug 7 22:25:20.758: %MAB-5-FAIL: Authentication failed for client (ecb1.d749.f9a8) on Interface Gi3/0/24 AuditSessionID 0A3C080600017D84CFCFFE36
*Aug 7 22:25:24.248: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet4/0/47)
*Aug 7 22:25:24.288: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi4/0/47, MAC da: ffff.ffff.ffff, MAC sa: f48c.50db.b672, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:24.289: DHCP_SNOOPING: message type : DHCPDISCOVER DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:24.289: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (32)
*Aug 7 22:25:24.351: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel16)
*Aug 7 22:25:24.360: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po16, MAC da: f48c.50db.b672, MAC sa: 0008.e3ff.fc28, IP da: 10.60.32.120, IP sa: 10.60.32.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.60.32.120, DHCP siaddr: 10.61.211.8, DHCP giaddr: 10.60.32.1, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:24.360: DHCP_SNOOPING: message type : DHCPOFFER DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.60.32.120, DHCP siaddr: 10.61.211.8, DHCP giaddr: 10.60.32.1, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:24.360: DHCP_SNOOPING: direct forward dhcp replyto output port: GigabitEthernet4/0/47.
*Aug 7 22:25:27.636: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet4/0/47)
*Aug 7 22:25:27.661: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi4/0/47, MAC da: ffff.ffff.ffff, MAC sa: f48c.50db.b672, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:27.661: DHCP_SNOOPING: message type : DHCPDISCOVER DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:27.661: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (32)
*Aug 7 22:25:27.738: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel16)
*Aug 7 22:25:27.739: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po16, MAC da: f48c.50db.b672, MAC sa: 0008.e3ff.fc28, IP da: 10.60.32.120, IP sa: 10.60.32.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.60.32.120, DHCP siaddr: 10.61.211.8, DHCP giaddr: 10.60.32.1, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:27.739: DHCP_SNOOPING: message type : DHCPOFFER DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.60.32.120, DHCP siaddr: 10.61.211.8, DHCP giaddr: 10.60.32.1, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:27.740: DHCP_SNOOPING: direct forward dhcp replyto output port: GigabitEthernet4/0/47.
*Aug 7 22:25:35.446: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet4/0/47)
*Aug 7 22:25:35.519: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi4/0/47, MAC da: ffff.ffff.ffff, MAC sa: f48c.50db.b672, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:35.519: DHCP_SNOOPING: message type : DHCPDISCOVER DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:35.519: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (32)
*Aug 7 22:25:35.602: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel16)
*Aug 7 22:25:35.608: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel16)
*Aug 7 22:25:35.615: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po16, MAC da: f48c.50db.b672, MAC sa: 0008.e3ff.fc28, IP da: 10.60.32.120, IP sa: 10.60.32.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.60.32.120, DHCP siaddr: 10.61.211.8, DHCP giaddr: 10.60.32.1, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:35.615: DHCP_SNOOPING: message type : DHCPOFFER DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.60.32.120, DHCP siaddr: 10.61.211.8, DHCP giaddr: 10.60.32.1, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:35.616: DHCP_SNOOPING: direct forward dhcp replyto output port: GigabitEthernet4/0/47.
*Aug 7 22:25:35.616: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po16, MAC da: f48c.50db.b672, MAC sa: 0008.e3ff.fc28, IP da: 10.60.36.101, IP sa: 10.60.32.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.60.36.101, DHCP siaddr: 10.61.211.9, DHCP giaddr: 10.60.32.1, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:35.616: DHCP_SNOOPING: message type : DHCPOFFER DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.60.36.101, DHCP siaddr: 10.61.211.9, DHCP giaddr: 10.60.32.1, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:35.616: DHCP_SNOOPING: direct forward dhcp replyto output port: GigabitEthernet4/0/47.

 

 

Any insights?

Thanks in advance for your support.
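Added here as an illustration, not from the original poster: a small Python script that groups "debug ip dhcp snooping" lines by client MAC and reports how far each exchange got through the switch. The sample log is a constructed excerpt in the same format as the debug output above; the field names are taken from those lines.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the "debug ip dhcp snooping" lines quoted above.
SAMPLE_LOG = """\
*Aug 7 22:25:19.445: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi4/0/47, MAC da: ffff.ffff.ffff, MAC sa: f48c.50db.b672, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:19.587: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po16, MAC da: f48c.50db.b672, MAC sa: 0008.e3ff.fc28, IP da: 10.60.32.120, IP sa: 10.60.32.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.60.32.120, DHCP siaddr: 10.61.211.8, DHCP giaddr: 10.60.32.1, DHCP chaddr: f48c.50db.b672
*Aug 7 22:25:19.590: DHCP_SNOOPING: direct forward dhcp replyto output port: GigabitEthernet4/0/47.
*Aug 7 22:25:35.616: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po16, MAC da: f48c.50db.b672, MAC sa: 0008.e3ff.fc28, IP da: 10.60.36.101, IP sa: 10.60.32.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.60.36.101, DHCP siaddr: 10.61.211.9, DHCP giaddr: 10.60.32.1, DHCP chaddr: f48c.50db.b672
"""

# Fields of a "process new DHCP packet" line; the other debug lines are ignored.
PKT_RE = re.compile(
    r"message type: DHCP(?P<type>\w+), input interface: (?P<intf>\S+),.*?"
    r"DHCP yiaddr: (?P<yiaddr>\S+), DHCP siaddr: (?P<siaddr>\S+), "
    r"DHCP giaddr: (?P<giaddr>\S+), DHCP chaddr: (?P<chaddr>\S+)"
)

# Order of a successful exchange as the switch sees it. Snooping writes a binding
# only on the DHCPACK, so "OFFER" as the last stage matches an empty binding table.
STAGES = ("DISCOVER", "OFFER", "REQUEST", "ACK")

VERDICTS = {
    None: "no complete DISCOVER seen for this client",
    "DISCOVER": "no offer reached the switch: check uplink trust and server reachability",
    "OFFER": "offer forwarded but no DHCPREQUEST seen: check whether the client got the "
             "offer, or whether the REQUEST was dropped on the untrusted port (drop counters)",
    "REQUEST": "request seen but no DHCPACK: check the trusted path back from the server",
    "ACK": "exchange completed; a binding should now exist for this client",
}

def report(log):
    """Map each client MAC to (last stage reached, [(siaddr, yiaddr) per offer], verdict)."""
    clients = defaultdict(list)
    for line in log.splitlines():
        m = PKT_RE.search(line)
        if m:
            clients[m["chaddr"]].append(m.groupdict())
    result = {}
    for mac, pkts in clients.items():
        seen = {p["type"] for p in pkts}
        reached = None
        for stage in STAGES:          # stop at the first stage that never appeared
            if stage not in seen:
                break
            reached = stage
        offers = [(p["siaddr"], p["yiaddr"]) for p in pkts if p["type"] == "OFFER"]
        result[mac] = (reached, offers, VERDICTS[reached])
    return result
```

Run it over the full debug capture (`report(open("debug.txt").read())`) to see, per client, which leg of the exchange is missing.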

5 Replies

marce1000
VIP

 

 Try this in the configuration : no ip dhcp snooping information option

  M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Hi Marce,

 

Thanks for the tip, although as stated in my post, the said command is present.

Hello

I see the initial discovery and then offer from the server but then see

Aug 7 22:25:20.734: %DOT1X-5-FAIL: Authentication failed for client (ecb1.d749.f9a8) on Interface Gi3/0/24
*Aug 7 22:25:20.758: %MAB-5-FAIL: Authentication failed for client

 

So it looks like a possible MAC authentication failure to the Active Directory server for the client.

Are you running Dot1x authentication on the switches?
Does this work without DHCP snooping?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi @paul driver - thanks.

 

We do indeed have dot1x auth implemented and some ports actually have a MAB auth issue, but by the time we tested this out we focused on two laptops hooked up to ports Gi2/0/21 and Gi4/0/6.

I believe some dot1x output got mixed up in the logs.

 

The said two machines were correctly authenticated:

 

Gi2/0/21 7cd3.0a2a.606f dot1x DATA Auth 0A3C080600017D8AD0A34F02

Gi4/0/6 7cd3.0a2d.8c49 dot1x DATA Auth 0A3C080600017D91D1CD139A

 

@marce1000 

 

Across the change window (around 4 hours), I couldn't get a single binding:

 

SW_BCP015V0-7(config-if)#do sh ip dhcp snoo bin
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0

 

 

So all machines would ping back normally once snooping implemented, and then when restarted they wouldn't get a valid lease as shown in the logs before.

 

Although apparently not needed, I went down to the core switch and configured snooping there too just in case, trusted the uplinks to the access switch and issued "no ip dhcp snooping verify no-relay-agent-address" at the SVI as suggested on other sites. Same thing.

 

Thanks all for your support

 

 

 

marce1000
VIP

 

 - Could you also issue show ip dhcp binding vlan 16 (e.g.) to check whether any addresses are being allocated or not (same for vlan 32).

 M.


