
DHCP snooping headache

cltrenholm
Level 1

I have attempted to implement DHCP snooping and have been having some strange issues. I have 5 3560s that I use for my edge and when I attempt to implement on all five, the VLAN that houses my voice data appears to no longer be able to receive DHCP lease renewals so after the 24 expiration all of my phones lose their configs. Once I roll back the changes the voice VLAN comes back. The other VLANs seem to function correctly as they are able to renew their DHCP addresses.

The 3560s tie into each other using GIG Ports 1 & 2 and the top and bottom switches tie into our core switch, a 4507. The config that I use is below, fairly simple and straightforward.... I think?!?!?!

!
ip dhcp snooping vlan 1,2,3,etc.
ip dhcp snooping
!
interface GigabitEthernet0/1
 description TRUNK to Core Switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 description TRUNK to Core Switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
 ip dhcp snooping trust
!

4 of the 5 switches feed our general office vlans for voice and data however the 5th switch is there for expansion and not in use. As such I have left the config changes in place on it and have tied myself and a colleague into it and have been operating fine for over a week now. So the config that I use seems sound in theory and should work on the other 4 switches with no issue.

I'm left scratching my head on this but can't understand what it is that I am missing. Any suggestions/advice would be helpful as I'm not sure how to proceed.


cadet alain
VIP Alumni

Hi,

What device is your DHCP server? Cisco IOS? And are you using ip helper-address for the voice VLAN, and did they get their IP address before you implemented DHCP snooping?

If all answers are yes, then enter this command: no ip dhcp snooping information option

Regards.

Alain.

Don't forget to rate helpful posts.

Our voice VLAN, the one having issues, uses the voice gateway as its DHCP server; it's a Cisco 3825 ISR. It is located on the same VLAN as our phones so ip helper doesn't come into play. All phones were functioning correctly before implementation and getting IP settings correctly.

Hi,

Try the global config command I posted above anyway and let us know.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

Do PCs use another DHCP server? Did I get it right? Did you configure "ip dhcp snooping trust" on the interface connected to the voice gateway?

The PCs do use a separate DHCP server than the phones. The voice gateway is attached to our core switch and DHCP snooping is not configured on it.

Hi,

Could you list the config for one of the interfaces connected to a phone?

This is the global config for snooping and the standard config that we use on all of our edge layer switchports. I have this running on one of our switches and there have been no issues at all; only two switchports in use, myself and my co-worker are tied into it.

The issue only seems to occur when I enable it on all 5 of my edge switches. The other 4 carry the bulk of the traffic so I'm wondering if maybe it has something to do with rate limiting?!?!?!?!

!
ip dhcp snooping vlan 2-3,5,50-51,101-102,104,500-503
no ip dhcp snooping information option
ip dhcp snooping
!
interface FastEthernet0/34
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 3
 storm-control broadcast level 5.00
 spanning-tree portfast
!

Hi

You have the snooping on VLAN 3 which is your voice. I would configure "ip dhcp snooping trust" on the core switch interface connected to the gateway. Did you do it?

The core switch doesn't have dhcp snooping enabled on it, just the edge switches; 3560s.

Hi,

Did you put the trunk links on all switches going to the DHCP server as trusted ports?

Have you got storm-control enabled on all switches, and did you verify if it was engaging?

Can you do port-mirroring to sniff what is happening? Have you run debug ip dhcp server events and debug ip dhcp server packets on the DHCP server?

Are you sure this VLAN is not pruned on one of the trunk links going to the server?

Alain.

Don't forget to rate helpful posts.

The trunk links are all set to "trust" and all edge switches have storm-control enabled and functioning. The 3560s don't support port mirroring I don't believe and I can only do the debugs if I have it enabled when the issue is occurring. The problem here is that I can only enable it during off hours which is becoming a bit difficult as this will be my 4th crack at it. I haven't looked into pruning but I can't see how it would be pruned as the VLAN is functioning fine previous to the implementation and I don't do any pruning on the trunk links at all.

Hi,

port-mirroring aka SPAN or RSPAN is supported on 3560.

Are you assigning manual leases to the phones?

Alain.

Don't forget to rate helpful posts.

Thnx! It works.
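
The checks the replies above keep returning to (which VLANs are snooped, which uplinks are trusted, whether option 82 insertion is still on, whether the voice VLAN falls inside the snooped set) can be pulled from a saved running-config in one pass. This is an added example, not part of the thread: `audit`, `expand_vlans` and the sample config are constructed for illustration and assume `!` closes each interface block.

```python
import re

TRUST = "ip dhcp snooping trust"
VOICE = re.compile(r"switchport voice vlan (\d+)")
# Constructed sample based on this thread's configs; Gi0/2 omits the trust line.
SAMPLE = """\
ip dhcp snooping vlan 2-3,5,50-51
ip dhcp snooping
!
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/34
 switchport voice vlan 3
!
"""

def expand_vlans(spec):  # "2-3,5" -> {2, 3, 5}
    out = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config):
    """Summarise the DHCP snooping posture of one IOS running-config."""
    r = {"enabled": False, "option82": True, "vlans": set()}
    ports, cur = {}, None
    for s in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", s):
            cur = ports.setdefault(m.group(1), [])
        elif s == "!":  # assumption: "!" closes each interface block
            cur = None
        elif cur is not None:
            cur.append(s)
        elif s == "ip dhcp snooping":
            r["enabled"] = True
        elif s == "no ip dhcp snooping information option":
            r["option82"] = False  # IOS inserts option 82 unless told not to
        elif m := re.match(r"ip dhcp snooping vlan (\S+)", s):
            r["vlans"] |= expand_vlans(m.group(1))
    r["trusted"] = [n for n, c in ports.items() if TRUST in c]
    r["untrusted_trunks"] = [n for n, c in ports.items()
                             if "switchport mode trunk" in c and TRUST not in c]
    r["snooped_voice_ports"] = [n for n, c in ports.items() for x in c
                                if (m := VOICE.match(x)) and int(m.group(1)) in r["vlans"]]
    return r
```

Running `audit(SAMPLE)` reports Gi0/2 as an untrusted trunk and Fa0/34 as a voice port inside the snooped VLAN set, with option 82 insertion still at its default.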

steve.dutky
Level 1

I have a similar problem:

I have a 2960 poe leaf switch with ip phones and a voice gateway/dhcp server all riding vlan 10; and trunked to autonomous access points with ssid's to vlan 11,12, 13 and to an upstream 3560 which in turn is trunked to an external dhcp server for vlans 11, 12, 13.

I'm seeing the voice gateway offering vlan10 ip addresses to wifi clients.

1.  I understood that separate vlans were independent broadcast domains.  How is it that dhcp broadcasts cross over?

2.  Could I fix this by configuring dhcp snooping on vlans 11,12, 13 on both the 2950 ( trusting the trunk interface to the 3560) and the 3560 (trusting the trunk interface connected to the external dhcp server)?  Would this allow the voice gateway to offer dhcp to the ip phones?  Would the ip phones see offers from the external dhcp server?

Any help appreciated: thanks.
