11-27-2009 07:48 AM - edited 03-06-2019 08:45 AM
Hi all,
I'm having problems starting DHCP snooping on a 6509 L3 switch. This is the configuration:
switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
306-307
DHCP snooping is operational on following VLANs:
306-307
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
GigabitEthernet5/1 yes unlimited
GigabitEthernet5/2 yes unlimited
switch#sh ip dhcp snooping statistics
Packets Processed by DHCP Snooping = 15
Packets Dropped Because
IDB not known = 0
However, there are no bindings:
switch#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0
I'm running a debug to troubleshoot the issue:
switch#sh debug
DHCP Snooping packet debugging is on
DHCP Snooping event debugging is on
and I get some messages that I'm not able to decode:
Nov 27 16:45:30 CET: DHCP_SNOOPING: checking expired snoop binding entries
Nov 27 16:45:55 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:45:59 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:06 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:21 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Do you have any idea what I may be doing wrong in this configuration?
many thanks in advance
Eduardo
11-27-2009 07:49 AM
forgot to mention that we're running:
BOOTLDR: s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)
11-27-2009 10:34 AM
eduardonpinto wrote:
Hi all,
I'm running a debug to troubleshoot the issue:
switch#sh debug
DHCP Snooping packet debugging is on
DHCP Snooping event debugging is on
and I get some messages that I'm not able to decode:
Nov 27 16:45:30 CET: DHCP_SNOOPING: checking expired snoop binding entries
Nov 27 16:45:55 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:45:59 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:06 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:21 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Do you have any idea what I may be doing wrong in this configuration?
many thanks in advance
Eduardo
You may have other Vlans on this switch where DHCP snooping isn't enabled and clients are requesting DHCP services hence the message above.
As for the lack of information on the DHCP snooping database, try releasing and renewing a DHCP lease from a client residing on the Vlan where DHCP snooping is enabled.
I recommend reading the configuration guidelines from this link:
Regards
Edison
11-27-2009 10:49 AM
Hi Edison,
thank you for the prompt reply. I now understand the results of the debug.
Unfortunately, I can't say the same about the lack of bindings on the database. I called a user and asked him to issue an "ipconfig /renew" on his Windows PC but it seems they don't have permission to issue it. I had to ask him to reboot his machine but, after that, the database is still showing no entries...
I've configured all DHCP snooping settings according to the document you mentioned.
Regards,
Eduardo
11-27-2009 10:59 AM
An ipconfig /renew won't release the current lease - you need an ipconfig /release but I understand they don't even have access to such a command.
You need to wait until a lease expires from a client in order to have the database populated. A reboot won't do it.
BTW, since they have Windows - they can go into Local Area Connection | Support | Repair
Regards
Edison.
11-27-2009 11:23 AM
We will have to wait then... let's see what the weekend brings. I thought rebooting the PC would generate a DHCP request.
Is there perhaps a way, by means of DHCP server configuration, to force the PCs to renew the lease? I think the DHCP lease in my company is 1 month and I wouldn't like to wait that long to activate DAI again... (next time I'll save the database file in NVRAM, for sure)
Many thanks
Eduardo
11-28-2009 12:36 PM
Eduardo,
Are you sure you have some interfaces defined as "DHCP Snooping Trusted", i.e. the uplink ports (if DHCP is remotely connected) or the port of the official DHCP server (if locally connected)?
regards,
Geert
11-28-2009 01:12 PM
Eduardo,
Could you try reconfiguring the DHCP snooping configurations once again? This is a pretty known symptom that unless no binding tables are created for DHCP snooping it would never work even with a release renew.
Also I agree with you that with the snooping table not complete we cannot implement DAI. Hence please do try the above and let me know how it goes.
Also if you could provide a brief idea of your topology right from your DHCP server to the end client we can identify where exactly we are missing the link.
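DAI validates ARP packets against the DHCP snooping binding table, so the gap discussed in this thread can be measured before DAI is switched on. The following is an added example, not part of any post in the thread: it cross-checks a binding table against ARP entries and lists the hosts DAI would have no binding for. The sample tables are constructed, the ARP lines are assumed to come from `show ip arp` on the L3 core switch, and the function names are hypothetical.

```python
import re

# Constructed sample (not from the thread), in the column layout of
# "show ip dhcp snooping binding".
BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:AA:BB:01   10.30.6.21       2591000     dhcp-snooping  306   GigabitEthernet1/1
Total number of bindings: 1
"""

# Constructed "show ip arp" lines, assumed to be collected on the L3 core SVIs.
ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.30.6.21              3   0011.22aa.bb01  ARPA   Vlan306
Internet  10.30.6.22              7   0011.22aa.bb02  ARPA   Vlan306
Internet  10.30.7.40              1   0011.22aa.bb03  ARPA   Vlan307
Internet  10.30.9.5               2   0011.22aa.bb09  ARPA   Vlan309
"""

def norm_mac(mac):
    """Reduce colon or dotted notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_bindings(text):
    """Return {(vlan, ip): mac} for each row of the binding table."""
    row = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+\s+(\d+)\s+\S+")
    out = {}
    for line in text.splitlines():
        m = row.match(line.strip())
        if m:
            out[(int(m.group(3)), m.group(2))] = norm_mac(m.group(1))
    return out

def parse_arp(text):
    """Yield (vlan, ip, mac) for ARP entries learned on VLAN interfaces."""
    row = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f.]{14})\s+ARPA\s+Vlan(\d+)")
    for line in text.splitlines():
        m = row.match(line.strip())
        if m:
            yield int(m.group(3)), m.group(1), norm_mac(m.group(2))

def dai_gaps(bindings_text, arp_text, snooped_vlans):
    """List hosts in snooped VLANs whose ARP would not match any binding."""
    bindings = parse_bindings(bindings_text)
    return [(vlan, ip, mac) for vlan, ip, mac in parse_arp(arp_text)
            if vlan in snooped_vlans and bindings.get((vlan, ip)) != mac]
```

With the empty binding table shown in this thread, every host in VLANs 306-307 would be returned. Each listed host needs a fresh lease, a static binding or an ARP ACL entry before DAI is enabled on its VLAN.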
11-30-2009 02:19 AM
Hi all,
thank you for helping me on this problem.
After this weekend the situation still hasn't improved:
switch#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0
With a NAM on the switch I was able to trace the vlans where DHCP snooping is enabled for UDP ports 67 and 68 and found DHCP traffic flowing, including DHCP ACKs (end of DHCP transaction).
This is a L2 switch with two redundant uplinks to 2x L3 core switches where an SVI is configured with the correct ip-helper address. The uplinks are trusted:
switch#sh ip dhcp snooping
(...)
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
GigabitEthernet5/1 yes unlimited
GigabitEthernet5/2 yes unlimited
The configuration of DHCP snooping was completely removed from the switch last week and added back again following the configuration steps provided by Cisco.
Regards,
Eduardo
12-02-2009 09:36 AM
Hi Eduardo,
That's very odd. I don't know what else to suggest. I recommend opening a TAC case for further troubleshooting.
Regards,
Edison
12-02-2009 12:01 PM
It is indeed something strange. I've already opened a case...
Thanks for all your help. I will leave the answer here as soon as I have it.
12-03-2009 08:42 AM
eduardonpinto wrote:
It is indeed something strange. I've already opened a case...
Thanks for all your help. I will leave the answer here as soon as I have it.
Please do. We will love to see the solution.
Regards
Edison
06-05-2019 01:03 AM
Hello,
Did you find a solution?
If not, can you please post your full scenario?
Did you connect any device such as a Cisco IP phone to the 6509 L3 switch, or a laptop? Would it show in the binding?
Which switch connects to switch one?
Rate if helpful.