DHCP snooping isn't snooping!

mrjdh
Level 1

Hello all,

Please could someone explain what I'm missing here? DHCP snooping doesn't appear to be inspecting DHCP packets for a PVLAN setup.

VLAN 150 - Primary VLAN

VLAN 152 - Secondary VLAN, Community

DHCP snooping is enabled on both switches (Catalyst 3560s), for both the primary and secondary VLAN. No additional settings have been configured for DHCP snooping.

- I have ALS01 connected to DLS01 via an LACP etherchannel link, using 802.1q.

- I have a Windows 10 laptop running DHCPWIZ, with a DHCP range of 192.168.150.17-27. This laptop is connected to fa0/45 on DLS01. 

- I have another Windows 10 laptop connected to f0/48 on ALS01.

 

- In testing:

 - the interface connected to the DHCP server was configured with 'ip dhcp snooping trust'.

 - Port-channel 2 originating at the ALS01 end was also configured with 'ip dhcp snooping trust'.

 

The laptop was able to retrieve an IP address via DHCP successfully, with the first address from the pool, of 192.168.150.17.

 

I then removed the trusted interfaces on both DLS01 and ALS01, and the laptop was still able to retrieve an IP address. No entries were ever present when running 'show ip dhcp snooping binding' on either DLS01 or ALS01.

 

Configs below (surplus config omitted)

DLS01
============================================
ip dhcp snooping vlan 150,152
!
#TRUNK LINK TO ALS01
interface Port-channel2
switchport trunk encapsulation dot1q
switchport mode trunk
!
#INTERFACE CONNECTING TO DHCP SERVER
interface FastEthernet0/45
switchport private-vlan host-association 150 152
switchport mode private-vlan host
!
vlan 150
private-vlan primary
private-vlan association 151-152

 


ALS01
==============================================
ip dhcp snooping vlan 150,152
!
vlan 150
private-vlan primary
private-vlan association 151-152
!
#TRUNK LINK TO DLS01
interface Port-channel2
switchport trunk encapsulation dot1q
switchport mode trunk
!
#INTERFACE CONNECTING TO CLIENT LAPTOP
interface FastEthernet0/48
switchport private-vlan host-association 150 152
switchport mode private-vlan host

 

How is the laptop still able to retrieve an address?

 

Many thanks.

 


11 Replies

Mark Malone
VIP Alumni
Hi
Did you apply trust to all the uplinks in the path too?

Thanks for the reply Mark.

 

Yes, 'ip dhcp snooping trust' had been applied to another uplink/trunk also, running from ALS01, over to DLS02.

During testing, I removed cables supporting this connection to DLS02, to leave only the uplink to DLS01.

Still no snooping.

 

When running 'show ip dhcp snooping', the table correctly identified ports that had been configured as trusted.

When running 'show ip dhcp snooping binding' on either DLS01 or ALS01, no leases were recorded, despite the laptop receiving an IP address from the pool.

 

Hmm, you should see something like this below. Really, that's all I have enabled and it's working; there's not much in it with configuration, it sounds like you have it all in place. I wonder if it's an issue with running private VLANs; I don't use them, but I see a post stating some points to get it working, so maybe check this and make sure you are set the same. Also, what image are you running, in case there is a known caveat raised against it we can check?

xxxxxxxxxxxxxxx#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
2C:31:24:6A:47:36 172.28.10.129 133774 dhcp-snooping 10 GigabitEthernet1/2/17

!
interface GigabitEthernet1/2/17
description
switchport access vlan 11
switchport mode access
switchport voice vlan 10
ip access-group PERMIT-ANY in
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 11
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
no snmp trap link-status
auto qos trust
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
service-policy input AutoQos-4.0-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping limit rate 7

interface Port-channel11
description xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
switchport
switchport mode trunk
ip dhcp snooping trust

 

Would help if I posted the link I saw :)

https://community.cisco.com/t5/switching/pvlan-w-dhcp-snooping/td-p/797753

Thanks again Mark. I'm glad you pointed out that link, I shouted 'Eureka!' to my wife after reading https://community.cisco.com/t5/switching/pvlan-w-dhcp-snooping/m-p/797754/highlight/true#M31506

 

The excitement was squashed around 10 seconds later!

I'll verify the exact image when I get home this afternoon.

 

Thanks for your help so far.

Yes, please do, and post your final config, just the relevant bits that are set up.
And these commands too please, to see what it's saying; I just want to see what it shows compared to our working setup, it may point us to something.
Also, do you see anything relevant to DHCP or snooping in 'show logg'?

show ip dhcp snooping stati
show ip dhcp snooping bin
show ip dhcp snooping

Will do. Now I recall, nothing was generated when 'debug ip dhcp snooping event' or 'debug ip dhcp snooping packet' had been punched in. Very odd.

Yes, you should be seeing something in the debugs; bad or good, something should pop up. Make sure terminal monitor is enabled if coming in through a VTY, or that logging console is enabled if direct to the switch.

Hi Mark,

 

I've removed DLS02 from the mix altogether, to leave only the LACP Etherchannel link between DLS01 and ALS01.

- Laptop running DHCP server is sitting in fa0/45 on DLS01, interface NOT marked as trusted.

- Etherchannel/port channel link on ALS01 NOT marked as trusted.

- Laptop client is sitting in fa0/48 in ALS01.

- Debug level configured for console logging (am direct to both switches).

- Debug enabled for DHCP snooping packets and events, nothing being recorded at all.

- Running (C3560-IPSERVICESK9-M), Version 15.0(2)SE9, RELEASE SOFTWARE (fc1) on both switches.

 

Baffled! 'DHCP_SNOOPING: checking expired snoop binding entries' is occasionally displayed on both switches after enabling DHCP snooping.

 

DLS01

===================================

hostname DLS01
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
ip routing
!
!
!
ip dhcp snooping vlan 150,152
!
!
spanning-tree vlan 150 priority 0
!
vlan internal allocation policy ascending
!
vlan 150
private-vlan primary
private-vlan association 151-152
!
vlan 151
private-vlan isolated
!
vlan 152
private-vlan community
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/45
switchport private-vlan host-association 150 152
switchport mode private-vlan host

 

ALS01

==================================

hostname ALS01
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
ip routing
!
!
!
ip dhcp snooping vlan 150,152
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 150
private-vlan primary
private-vlan association 151-152
!
vlan 151
private-vlan isolated
!
vlan 152
private-vlan community
!
interface FastEthernet0/48
switchport private-vlan host-association 150 152
switchport mode private-vlan host
!

Hi
Is it enabled globally too when you're testing this, not just for the VLANs, i.e. plain 'ip dhcp snooping' in global config? Just to confirm, it should be, and it's definitely enabled in the primary private VLAN; that's a must too, reading the PDF below.

ip dhcp snooping
ip dhcp snooping vlan 150,152

I don't see any specific snooping bugs in your release, but I'm starting to think an upgrade on the switches may be worth a shot too, to rule out software if possible; some of these early v15 releases were a bit buggy. It's not like this is heavy config where there may be many mistakes, and the fact the debugs don't show anything is very strange. Trust the server port, trust the uplinks and set the clients to rate limit to prevent man-in-the-middle attacks, but that last part isn't essential, just good practice.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1-2/XE_340/configuration/guide/config/dhcp.pdf

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/15-0_2_se/release/notes/OL25301.html

Enabling DHCP Snooping on Private VLAN
DHCP snooping can be enabled on private VLANs, which provide isolation between Layer 2 ports within the same VLAN. If DHCP snooping is enabled (or disabled), the configuration is propagated to both the primary VLAN and its associated secondary VLANs. You cannot enable (or disable) DHCP snooping on a primary VLAN without reflecting this configuration change on the secondary VLANs. Configuring DHCP snooping on a secondary VLAN is still allowed, but it does not take effect if the associated primary VLAN is already configured. If the associated primary VLAN is configured, the effective DHCP snooping mode on the secondary VLAN is derived from the corresponding primary VLAN. Manually configuring DHCP snooping on a secondary VLAN causes the switch to issue this warning message: DHCP Snooping configuration may not take effect on secondary vlan XX
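As an added example (not from this thread, the poster's switches, or Cisco), here is a small Python audit that reads an IOS-style running-config and flags the three gaps this thread turns on: the global 'ip dhcp snooping' line missing (the root cause above), snooping configured on a secondary VLAN but not on its primary, and no port marked 'ip dhcp snooping trust' for the server or uplink. The embedded sample is a trimmed copy of the DLS01 config as posted; the regexes and the "is any trusted port present" heuristic are my assumptions and cover only the lines shown, not full IOS syntax.

```python
import re
from typing import Dict, List, Set

# Constructed sample: trimmed DLS01 config as posted (global 'ip dhcp snooping' absent).
DLS01_AS_POSTED = """\
ip dhcp snooping vlan 150,152
vlan 150
 private-vlan primary
 private-vlan association 151-152
interface Port-channel2
 switchport mode trunk
interface FastEthernet0/45
 switchport private-vlan host-association 150 152
 switchport mode private-vlan host
"""

def expand_vlans(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '150,152' or '151-152' into a set of ids."""
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit_dhcp_snooping(config: str) -> List[str]:
    """Return findings for DHCP snooping on a private-VLAN config (assumed heuristic)."""
    lines = [l.strip() for l in config.splitlines()]
    findings: List[str] = []
    # 1. Per-VLAN lines do nothing without the global enable (this thread's root cause).
    if "ip dhcp snooping" not in lines:
        findings.append("global 'ip dhcp snooping' missing: per-VLAN lines are inert")
    # 2. Effective mode on a secondary VLAN is derived from its primary (Cisco doc above).
    snooped = {v for l in lines if l.startswith("ip dhcp snooping vlan ") for v in expand_vlans(l.split()[-1])}
    primaries: Dict[int, Set[int]] = {}
    cur = None
    for l in lines:
        m = re.match(r"vlan (\d+)$", l)
        if m:
            cur = int(m.group(1))
        m = re.match(r"private-vlan association (\S+)$", l)
        if m and cur is not None:
            primaries[cur] = expand_vlans(m.group(1))
    for prim, secs in primaries.items():
        if prim not in snooped and secs & snooped:
            findings.append(f"primary VLAN {prim} not snooped; setting on {sorted(secs & snooped)} is ignored")
    # 3. Once snooping is active, server OFFER/ACK arriving on an untrusted port is dropped.
    if "ip dhcp snooping trust" not in lines:
        findings.append("no 'ip dhcp snooping trust' port: server replies will be dropped once snooping is active")
    return findings
```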

Ah cheez... Mark, I didn't have it enabled globally. Doh!!
Bit miffed as I remember the point at which I added the specific line in my SWITCH notes.
Thanks for working through with me, appreciated. Apologies if it was a little waste of time!

Ah no, not at all, glad you got it sorted, that's the main thing :)