DHCP Snooping Information option and VRF

lpassmore
Level 1

Hi gurus

Sorry if I have posted this before but I cannot find it.  I have successfully implemented DHCP snooping throughout a network with hundreds of switches and am having a funny issue when the interface on the router is in a VRF.  In all my network I am generating packets with DHCP Option 82 and am trusting this using a combination of ip dhcp relay information trusted on the L3 interfaces and ip dhcp snooping information option allow-untrusted at appropriate L2 connection points.  Generally this is working well throughout the network.  The DHCP server is central so there is always an ip-helper on the L3 interface.  I don't think it is necessarily relevant, but in these instances we also route back to the central site via a tunnel.  

In the instances where the L3 interface is in a VRF, the DHCP process on the router receives and relays the DHCP request and receives a reply. This is then forwarded back to the switch.  The switch never seems to see this reply unless I enter the 'no ip dhcp snooping information option' command on the switch - in which case everything works perfectly.  

I am intrigued as to why I need this statement only on devices when the routed interface for a network is in a VRF.  

Basically the topology is a single router (2921 in each case) connected via an 802.1q trunk to a switch (I have an integrated service module in one of the routers and a 4506 both exhibiting this issue).  On the router with the integrated SM, I am using VLAN interfaces whereas the connection to the 4506 has sub-interfaces on the trunk.

Here is some relevant info.

Debug ip dhcp server packet from router 

Feb 7 08:52:36 WAST: DHCPD: message is from trusted interface Vlan125
Feb 7 08:52:36 WAST: DHCPD: client's VPN is Corp.
Feb 7 08:52:36 WAST: DHCPD: No option 125
Feb 7 08:52:36 WAST: DHCPD: setting giaddr to 10.22.6.254.
Feb 7 08:52:36 WAST: DHCPD: BOOTREQUEST from 0188.1dfc.3ab2.74 forwarded to 10.3.64.96.
Feb 7 08:52:36 WAST: DHCPD: BOOTREQUEST from 0188.1dfc.3ab2.74 forwarded to 10.3.64.97.
Feb 7 08:52:36 WAST: DHCPD: client's VPN is .
Feb 7 08:52:36 WAST: DHCPD: No option 125
Feb 7 08:52:36 WAST: DHCPD: forwarding BOOTREPLY to client 881d.fc3a.b274.
Feb 7 08:52:36 WAST: DHCPD: Setting giaddr to 10.22.6.254
Feb 7 08:52:36 WAST: DHCPD: no option 125
Feb 7 08:52:36 WAST: DHCPD: broadcasting BOOTREPLY to client 881d.fc3a.b274.
Feb 7 08:52:39 WAST: DHCPD: message is from trusted interface Vlan125
Feb 7 08:52:39 WAST: DHCPD: client's VPN is Corp.
Feb 7 08:52:39 WAST: DHCPD: No option 125
Feb 7 08:52:39 WAST: DHCPD: setting giaddr to 10.22.6.254.
Feb 7 08:52:39 WAST: DHCPD: BOOTREQUEST from 0188.1dfc.3ab2.74 forwarded to 10.3.64.96.
Feb 7 08:52:39 WAST: DHCPD: BOOTREQUEST from 0188.1dfc.3ab2.74 forwarded to 10.3.64.97.
Feb 7 08:52:39 WAST: DHCPD: client's VPN is .
Feb 7 08:52:39 WAST: DHCPD: No option 125
Feb 7 08:52:39 WAST: DHCPD: forwarding BOOTREPLY to client 881d.fc3a.b274.
Feb 7 08:52:39 WAST: DHCPD: Setting giaddr to 10.22.6.254
Feb 7 08:52:39 WAST: DHCPD: no option 125
Feb 7 08:52:39 WAST: DHCPD: broadcasting BOOTREPLY to client 881d.fc3a.b274.


Debug ip dhcp snooping packet on switch

(apologies that the timezone display in the debug packets is different)
#do sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
125
DHCP snooping is operational on following VLANs:
125
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 5835.d92d.bb80 (MAC)
Option 82 on untrusted port is allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/17        yes        yes             unlimited
Custom circuit-ids:

#

Feb 7 00:52:36.308: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/13 for pak. Was not set
Feb 7 00:52:36.308: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Fa0/13
Feb 7 00:52:36.308: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/13 for pak. Was not set
Feb 7 00:52:36.308: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/13)
Feb 7 00:52:36.308: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/13, MAC da: ffff.ffff.ffff, MAC sa: 881d.fc3a.b274, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 881d.fc3a.b274
Feb 7 00:52:36.308: DHCP_SNOOPING: add relay information option.
Feb 7 00:52:36.308: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
Feb 7 00:52:36.308: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
Feb 7 00:52:36.308: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x7D 0x1 0xD 0x2 0x8 0x0 0x6 0x58 0x35 0xD9 0x2D 0xBB 0x80
Feb 7 00:52:36.308: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (125)
Feb 7 00:52:39.856: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/13 for pak. Was not set
Feb 7 00:52:39.856: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Fa0/13
Feb 7 00:52:39.856: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/13 for pak. Was not set
Feb 7 00:52:39.856: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/13)
Feb 7 00:52:39.856: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/13, MAC da: ffff.ffff.ffff, MAC sa: 881d.fc3a.b274, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 881d.fc3a.b274
Feb 7 00:52:39.856: DHCP_SNOOPING: add relay information option.
Feb 7 00:52:39.856: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
Feb 7 00:52:39.856: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
Feb 7 00:52:39.856: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x7D 0x1 0xD 0x2 0x8 0x0 0x6 0x58 0x35 0xD9 0x2D 0xBB 0x80
Feb 7 00:52:39.856: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (125)
Feb 7 00:52:43.857: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/13 for pak. Was not set
Feb 7 00:52:43.857: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Fa0/13
Feb 7 00:52:43.857: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/13 for pak. Was not set
Feb 7 00:52:43.857: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/13)
Feb 7 00:52:43.857: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/13, MAC da: ffff.ffff.ffff, MAC sa: 881d.fc3a.b274, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 881d.fc3a.b274
Feb 7 00:52:43.857: DHCP_SNOOPING: add relay information option.
Feb 7 00:52:43.857: DHCP_SNOOPING_SW: Encoding opt82 CID in vlan-mod-port format
Feb 7 00:52:43.857: DHCP_SNOOPING_SW: Encoding opt82 RID in MAC address format
Feb 7 00:52:43.857: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x7D 0x1 0xD 0x2 0x8 0x0 0x6 0x58 0x35 0xD9 0x2D 0xBB 0x80
Feb 7 00:52:43.857: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (125)



#sh ip dhcp snoop statistics
Packets Forwarded = 598
Packets Dropped = 0
Packets Dropped From untrusted ports = 0





And when it works (after the 'no ip dhcp snooping information option' command is inserted on the switch)

Feb 7 08:53:36 WAST: DHCPD: client's VPN is Corp.
Feb 7 08:53:36 WAST: DHCPD: No option 125
Feb 7 08:53:36 WAST: DHCPD: setting giaddr to 10.22.6.254.
Feb 7 08:53:36 WAST: DHCPD: BOOTREQUEST from 0188.1dfc.3ab2.74 forwarded to 10.3.64.96.
Feb 7 08:53:36 WAST: DHCPD: BOOTREQUEST from 0188.1dfc.3ab2.74 forwarded to 10.3.64.97.
Feb 7 08:53:36 WAST: DHCPD: client's VPN is .
Feb 7 08:53:36 WAST: DHCPD: No option 125
Feb 7 08:53:36 WAST: DHCPD: forwarding BOOTREPLY to client 881d.fc3a.b274.
Feb 7 08:53:36 WAST: DHCPD: no option 125
Feb 7 08:53:36 WAST: DHCPD: broadcasting BOOTREPLY to client 881d.fc3a.b274.
Feb 7 08:53:36 WAST: DHCPD: client's VPN is Corp.
Feb 7 08:53:36 WAST: DHCPD: No option 125
Feb 7 08:53:36 WAST: DHCPD: Finding a relay for client 0188.1dfc.3ab2.74 on interface Vlan125.
Feb 7 08:53:36 WAST: DHCPD: setting giaddr to 10.22.6.254.
Feb 7 08:53:36 WAST: DHCPD: BOOTREQUEST from 0188.1dfc.3ab2.74 forwarded to 10.3.64.96.
Feb 7 08:53:36 WAST: DHCPD: BOOTREQUEST from 0188.1dfc.3ab2.74 forwarded to 10.3.64.97.
Feb 7 08:53:36 WAST: DHCPD: client's VPN is .
Feb 7 08:53:36 WAST: DHCPD: No option 125
Feb 7 08:53:36 WAST: DHCPD: forwarding BOOTREPLY to client 881d.fc3a.b274.
Feb 7 08:53:36 WAST: DHCPD: no option 125
Feb 7 08:53:36 WAST: DHCPD: broadcasting BOOTREPLY to client 881d.fc3a.b274.



#sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
125
DHCP snooping is operational on following VLANs:
125
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 5835.d92d.bb80 (MAC)
Option 82 on untrusted port is allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/17        yes        yes             unlimited
Custom circuit-ids:




Feb 7 00:53:36.484: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/13 for pak. Was not set
Feb 7 00:53:36.484: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Fa0/13
Feb 7 00:53:36.484: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/13 for pak. Was not set
Feb 7 00:53:36.484: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/13)
Feb 7 00:53:36.484: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/13, MAC da: ffff.ffff.ffff, MAC sa: 881d.fc3a.b274, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 881d.fc3a.b274
Feb 7 00:53:36.484: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (125)
Feb 7 00:53:36.492: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/17 for pak. Was not set
Feb 7 00:53:36.492: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/17
Feb 7 00:53:36.492: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/17 for pak. Was not set
Feb 7 00:53:36.492: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/17)
Feb 7 00:53:36.492: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Gi0/17, MAC da: ffff.ffff.ffff, MAC sa: 6c9c.edb8.2ad3, IP da: 255.255.255.255, IP sa: 10.22.6.254, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.22.6.120, DHCP siaddr: 10.3.64.97, DHCP giaddr: 10.22.6.254, DHCP chaddr: 881d.fc3a.b274
Feb 7 00:53:36.492: DHCP_SNOOPING: direct forward dhcp replyto output port: FastEthernet0/13.
Feb 7 00:53:36.501: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/13 for pak. Was not set
Feb 7 00:53:36.501: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Fa0/13
Feb 7 00:53:36.501: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/13 for pak. Was not set
Feb 7 00:53:36.501: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/13)
Feb 7 00:53:36.501: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa0/13, MAC da: ffff.ffff.ffff, MAC sa: 881d.fc3a.b274, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 881d.fc3a.b274
Feb 7 00:53:36.501: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (125)
Feb 7 00:53:36.509: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/17 for pak. Was not set
Feb 7 00:53:36.509: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/17
Feb 7 00:53:36.509: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/17 for pak. Was not set
Feb 7 00:53:36.509: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/17)
Feb 7 00:53:36.509: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Gi0/17, MAC da: ffff.ffff.ffff, MAC sa: 6c9c.edb8.2ad3, IP da: 255.255.255.255, IP sa: 10.22.6.254, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.22.6.120, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.22.6.254, DHCP chaddr: 881d.fc3a.b274
Feb 7 00:53:36.509: DHCP_SNOOPING: direct forward dhcp replyto output port: FastEthernet0/13





Any suggestions welcomed
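The "binary dump of relay info option" line in the switch debug above is the option 82 blob the switch inserts before flooding the DISCOVER towards the router. The following decoder is an added example for this thread, not code from the original poster or from Cisco. It takes that dump line as its sample input and decodes the two sub-options using the layouts the switch itself reports (circuit-id in vlan-mod-port format, remote-id as the switch MAC); the circuit-id layout (type 0, length 4, VLAN, module, port) and remote-id layout (type 0, length 6, MAC) are assumed from that, and the decoded values can be checked against the `show ip dhcp snooping` output and the ingress port Fa0/13 shown in the same debug.

```python
"""Decode a DHCP option 82 (Relay Agent Information, RFC 3046) blob as printed
by `debug ip dhcp snooping packet`. Added example for this thread; not the
original poster's code and not a Cisco tool. The sample bytes are copied from
the 'binary dump of relay info option' line in the thread."""
import struct

# Sample input: copied from the debug output above (VLAN 125, client on Fa0/13).
SAMPLE_DUMP = ("0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x7D 0x1 0xD 0x2 0x8 "
               "0x0 0x6 0x58 0x35 0xD9 0x2D 0xBB 0x80")

OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def parse_dump(line: str) -> bytes:
    """Turn the '0x52 0x12 ...' debug text into raw bytes."""
    return bytes(int(tok, 16) for tok in line.split())


def split_suboptions(blob: bytes):
    """Yield (code, payload) for each sub-option inside option 82.
    Length fields are checked against the data actually present; a relay or
    snooping agent should reject a mis-lengthed option rather than trust it."""
    if len(blob) < 2 or blob[0] != OPTION_RELAY_AGENT:
        raise ValueError("not a relay agent information option")
    total = blob[1]
    body = blob[2:2 + total]
    if len(body) != total:
        raise ValueError("option 82 length %d exceeds data" % total)
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        payload = body[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated sub-option %d" % code)
        yield code, payload
        i += 2 + length


def decode_cisco_circuit_id(payload: bytes) -> dict:
    """Assumed Cisco 'vlan-mod-port' circuit-id: type(1)=0, len(1)=4, then
    VLAN (2 bytes, network order), module (1 byte), port (1 byte)."""
    if len(payload) != 6 or payload[0] != 0 or payload[1] != 4:
        raise ValueError("circuit-id is not in vlan-mod-port format")
    vlan, mod, port = struct.unpack("!HBB", payload[2:6])
    return {"vlan": vlan, "module": mod, "port": port}


def decode_cisco_remote_id(payload: bytes) -> str:
    """Assumed Cisco MAC-format remote-id: type(1)=0, len(1)=6, then the switch
    MAC; returned in Cisco dotted notation (xxxx.xxxx.xxxx)."""
    if len(payload) != 8 or payload[0] != 0 or payload[1] != 6:
        raise ValueError("remote-id is not in MAC format")
    mac = payload[2:8].hex()
    return ".".join(mac[j:j + 4] for j in range(0, 12, 4))


def decode_option82(line: str) -> dict:
    """Full decode of one debug dump line into named fields; unknown
    sub-options are kept as hex so nothing is silently discarded."""
    result = {}
    for code, payload in split_suboptions(parse_dump(line)):
        if code == SUBOPT_CIRCUIT_ID:
            result["circuit_id"] = decode_cisco_circuit_id(payload)
        elif code == SUBOPT_REMOTE_ID:
            result["remote_id"] = decode_cisco_remote_id(payload)
        else:
            result["suboption_%d" % code] = payload.hex()
    return result


if __name__ == "__main__":
    print(decode_option82(SAMPLE_DUMP))
```

For the sample line this yields circuit-id VLAN 125, module 1, port 13 and remote-id 5835.d92d.bb80, i.e. the switch MAC shown under `remote-id:` in the `show ip dhcp snooping` output and the Fa0/13 ingress port in the debug. Running this over a capture from the router side of the trunk (or from a server-side pcap) is the quickest way to confirm whether the option 82 the relay strips and the one the switch inserted are the same bytes.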

3 Replies

Julio E. Moisa
VIP Alumni

Hi

have you disabled the option 82?

no ip dhcp snooping information option 

no ip dhcp snooping information option allow-untrusted




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Yes and that makes the DHCP process work but is not the desired configuration. The second set of debug output lines show that.

I want to understand why DHCP ACKs and OFFERs are not accepted or processed by the switch when ip dhcp snooping information option is set to on.  This works everywhere else in the network except in the locations where the L3 interface is in a VRF.  It is that particular situation that I am trying to understand.

Router L3 Interface

interface Vlan125
vrf forwarding Corp
ip dhcp relay information trusted
ip address 10.22.6.254 255.255.255.0
ip helper-address 10.3.64.96
ip helper-address 10.3.64.97

Router Link to Switch

interface GigabitEthernet1/1
description Internal switch interface connected to EtherSwitch Service Module
switchport mode trunk
ip dhcp relay information trusted
ip dhcp snooping information option allow-untrusted

Switch Config

ip dhcp snooping vlan 125
no ip dhcp snooping information option (makes the process work). When this is reversed, the process doesn't work - why?
ip dhcp snooping

interface GigabitEthernet0/17
description Internal Link to Router
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
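One way to pin down where the replies vanish is to correlate the switch's `debug ip dhcp snooping packet` lines: every client DISCOVER/REQUEST seen on the access port should be followed by an OFFER/ACK on the trusted uplink, and an OFFER/ACK arriving on anything but the trusted port is either a trust misconfiguration or a rogue server. The script below is an added example for this thread, not code from the poster or from Cisco. Its sample input is shortened copies of the two debug captures above (the failing run with three unanswered DISCOVERs, and the working run), plus one constructed line showing an OFFER on an access port; the trusted set {"Gi0/17"} is taken from the switch config posted above.

```python
"""Correlate `debug ip dhcp snooping packet` output from a Cisco switch: pair
client DISCOVER/REQUEST messages with the OFFER/ACK the switch later saw, flag
client messages that were never answered, and flag server messages arriving
on a port that is not trusted. Added example for this thread; not the original
poster's code and not a Cisco tool."""
import re
from collections import defaultdict
from datetime import datetime

# Sample input: shortened copies of the debug lines posted in the thread. Only
# message type, input interface and chaddr are parsed, so the other fields of
# the real lines are omitted here.
FAILING_RUN = """
Feb 7 00:52:36.308: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/13, DHCP chaddr: 881d.fc3a.b274
Feb 7 00:52:39.856: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/13, DHCP chaddr: 881d.fc3a.b274
Feb 7 00:52:43.857: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/13, DHCP chaddr: 881d.fc3a.b274
""".strip().splitlines()

WORKING_RUN = """
Feb 7 00:53:36.484: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/13, DHCP chaddr: 881d.fc3a.b274
Feb 7 00:53:36.492: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Gi0/17, DHCP chaddr: 881d.fc3a.b274
Feb 7 00:53:36.501: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa0/13, DHCP chaddr: 881d.fc3a.b274
Feb 7 00:53:36.509: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Gi0/17, DHCP chaddr: 881d.fc3a.b274
""".strip().splitlines()

# Constructed line (not from the thread): an OFFER arriving on an access port.
ROGUE_LINE = ("Feb 7 00:54:00.000: DHCP_SNOOPING: process new DHCP packet, "
              "message type: DHCPOFFER, input interface: Fa0/14, DHCP chaddr: 881d.fc3a.b274")

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d\.\d+): "
    r"DHCP_SNOOPING: process new DHCP packet, message type: (?P<mtype>\w+), "
    r"input interface: (?P<ifc>[\w/.]+),.*DHCP chaddr: (?P<chaddr>[0-9a-f.]+)\s*$")

CLIENT_MSGS = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPINFORM"}
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def parse_lines(lines):
    """Extract (timestamp, msgtype, interface, chaddr) from the 'process new
    DHCP packet' lines; hlfm_set_if_input and 'bridge packet' lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime("%s %s %s" % (m["mon"], m["day"], m["time"]),
                                   "%b %d %H:%M:%S.%f")
            events.append((ts, m["mtype"], m["ifc"], m["chaddr"]))
    return events


def analyse(lines, trusted_ifcs, window_s=5.0):
    """Return (unanswered, rogue).
    unanswered: {chaddr: [(ts, msgtype), ...]} client messages with no server
    reply for that chaddr within window_s seconds (retransmitted DISCOVERs
    with no OFFER, as in the failing capture).
    rogue: [(ts, msgtype, ifc, chaddr), ...] server messages seen on a port
    outside trusted_ifcs; snooping should have dropped these, so one showing
    up means a trust misconfiguration or a rogue DHCP server."""
    pending = defaultdict(list)
    unanswered = defaultdict(list)
    rogue = []
    for ts, mtype, ifc, chaddr in parse_lines(lines):
        if mtype in CLIENT_MSGS:
            pending[chaddr].append((ts, mtype))
        elif mtype in SERVER_MSGS:
            if ifc not in trusted_ifcs:
                rogue.append((ts, mtype, ifc, chaddr))
            # one reply settles every outstanding client message for this
            # chaddr inside the window; anything older counts as dropped
            for cts, cmt in pending.pop(chaddr, []):
                if (ts - cts).total_seconds() > window_s:
                    unanswered[chaddr].append((cts, cmt))
    for chaddr, items in pending.items():        # never answered at all
        unanswered[chaddr].extend(items)
    return dict(unanswered), rogue


if __name__ == "__main__":
    print("failing run:", analyse(FAILING_RUN, {"Gi0/17"}))
    print("working run:", analyse(WORKING_RUN, {"Gi0/17"}))
    print("rogue check:", analyse(WORKING_RUN + [ROGUE_LINE], {"Gi0/17"}))
```

On the failing capture this reports three unanswered DISCOVERs for 881d.fc3a.b274 and nothing on the trusted port, which matches the router debug showing the BOOTREPLY being broadcast: the reply is leaving the router but never reaches the snooping process on Gi0/17. Capturing on the trunk itself (or on the router's Vlan125/sub-interface) is the next step to see whether the reply is on the wire with option 82 still attached.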

lpassmore
Level 1
OK, finally I have found a semi-answer to this.  It seems to be related to bug CSCud71172, which is attributed to 3750 switches but is obviously a problem on all platforms (inc. 4500, 3560). 
Apart from disabling Option-82 generation, the fix is to trust the downstream interface on any intermediate switches (between the device and the L3 interface) using 'ip dhcp snooping trust'

This, obviously, is OK for downstream switches but not for end-user interfaces.  Still working on that one