10-29-2013 02:30 AM - edited 03-07-2019 04:18 PM
Hello Team
We have a 2-tier architecture network setup wherein a Cat 6509 VSS (running IOS 15.1(2)SY) is configured as the core and stacks of Cat 3750 switches (running IOS 15.0(2)SE) are configured at the access layer. DHCP servers are directly connected on the VSS and provide IP addresses to DHCP clients connected on the Cat 3750 stacks. Recently we implemented DHCP snooping in the setup with the following configuration done at the core and access layer.
********************************
Configuration for Core Switches
********************************
conf t
ip dhcp snooping
ip dhcp snooping vlan 2, 9, 11, 12, 13, 14, 15-19, 23, 24, 28-31, 33-36, 41, 42, 44, 46, 48, 49, 51, 55, 57, 58, 59, 61-64, 67, 76-78, 80, 86-90, 91, 92, 251
ip dhcp snooping limit rate 100
interface Gi1/7/x
! interface connected with DHCP server
ip dhcp snooping trust
interface Gi2/7/x
! interface connected with DHCP server
ip dhcp snooping trust
int po10
! connected to access stack
ip dhcp snooping information option allow-untrusted
int po11
! connected to access stack
ip dhcp snooping information option allow-untrusted
! external TFTP server for storing the binding database
ip dhcp snooping database tftp://10.135.x.y/BindingDatabase/abc.dhcp
ip dhcp snooping database timeout 30 seconds
ip dhcp snooping database write-delay 40 seconds
********************************
Configuration for floor access Switches
********************************
ip dhcp snooping
ip dhcp snooping limit rate 25
int po157
! connected to VSS
ip dhcp snooping trust
exit
After this implementation, new users were getting IPs from the DHCP server without any issue. We observed the setup for 3-4 hours and the external TFTP server was getting the bindings also. The next day the users stopped getting IPs from the DHCP server, and during this event the TFTP server file was not getting bindings; it looks like the binding stopped after 4-5 hours of implementation, as the file size had not increased much. (Currently we have reverted the setup by disabling DHCP snooping in the core.)
We were getting the following errors during the issue on the core switch:
%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPINFORM, MAC sa: 000b.8642.74e0
1478720: *Oct 21 2013 11:27:13.675: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT:
I have the following queries on the same.
Regards
Sameer
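The two syslog mnemonics quoted above are the ones a defender will want to count and classify when DHCP snooping starts dropping traffic. Below is an added example, not part of the original post and not Cisco code, that parses such lines and groups them by mnemonic, by what the drop implies, and by source MAC. The sample log is constructed in the shape of the messages quoted in the thread; sequence numbers, timestamps and MAC addresses (other than the one quoted above) are made up.

```python
"""Parse and classify IOS DHCP snooping drop messages from syslog output."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample syslog lines, modelled on the two message formats quoted
# in the post above. Sequence numbers, timestamps and MACs are made up.
SAMPLE_LOG = """\
1478718: *Oct 21 2013 11:27:10.002: %SYS-5-CONFIG_I: Configured from console by admin on vty0
1478719: *Oct 21 2013 11:27:12.101: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPINFORM, MAC sa: 000b.8642.74e0
1478720: *Oct 21 2013 11:27:13.675: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
1478721: *Oct 21 2013 11:27:15.330: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 000b.8642.74e0
"""

# One regex covers both mnemonics: severity, mnemonic, DHCP message type, source MAC.
DROP_RE = re.compile(
    r"%DHCP_SNOOPING-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):.*?"
    r"message type: (?P<msgtype>[A-Z]+), MAC sa: "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
)

# Message types only a DHCP server (or a relay acting for it) should send.
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a DHCP snooping drop message, or None for other lines."""
    m = DROP_RE.search(line)
    return m.groupdict() if m else None


def classify(event: Dict[str, str]) -> str:
    """Map a drop event to the condition a defender should investigate."""
    if event["mnemonic"] == "DHCP_SNOOPING_UNTRUSTED_PORT" and event["msgtype"] in SERVER_MSGS:
        # A server-side message on an untrusted port: either a rogue DHCP server,
        # or the legitimate server path (uplink, server port) was never trusted.
        return "server-message-on-untrusted-port"
    if event["mnemonic"] == "DHCP_SNOOPING_NONZERO_GIADDR":
        # A client packet already carrying giaddr/option 82 arrived on an
        # untrusted port: a relay or another snooping switch sits behind that
        # port, or a client is inserting option 82 itself.
        return "option82-or-giaddr-on-untrusted-port"
    return "other-snooping-drop"


def summarize(lines: List[str]) -> Dict[str, object]:
    """Aggregate drop events by mnemonic, by classification and by source MAC."""
    events = [e for e in map(parse_line, lines) if e]
    return {
        "parsed": len(events),
        "by_mnemonic": Counter(e["mnemonic"] for e in events),
        "by_class": Counter(classify(e) for e in events),
        "top_macs": Counter(e["mac"] for e in events).most_common(5),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Feeding a real `show logging` dump through `summarize()` tells you quickly whether the drops are server-type messages (trust boundary or rogue server question) or client packets that already carry giaddr/option 82 (relay or a second snooping switch upstream of an untrusted port), and which MACs dominate.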
10-29-2013 02:45 AM
Can you post the whole config for the access switches?
10-30-2013 12:46 AM
Hi
The entire stack configuration is very big. I am putting down the relevant configuration below for your reference:
switch 1 provision ws-c3750v2-48ps
switch 2 provision ws-c3750v2-48ps
switch 3 provision ws-c3750v2-48ps
switch 4 provision ws-c3750v2-48ps
switch 5 provision ws-c3750v2-48ps
switch 6 provision ws-c3750v2-48ps
switch 7 provision ws-c3750v2-48ps
system mtu routing 1500
ip domain-name uk.sterianet
!
!
ip dhcp snooping vlan 1-200
ip dhcp snooping information option allow-untrusted
!
archive
path tftp:10.135.2.148.txt
write-memory
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
interface Port-channel1
description ### Link To VSS ###
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet1/0/1
! user port
switchport access vlan 10
switchport mode access
switchport voice vlan 20
power inline static
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
storm-control broadcast level 20.00
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
!
interface GigabitEthernet1/0/4
! trunk port
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
channel-protocol lacp
channel-group 1 mode active
ip dhcp snooping trust
interface GigabitEthernet6/0/4
! trunk port
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
channel-protocol lacp
channel-group 1 mode active
ip dhcp snooping trust
!
interface Vlan2
ip address 10.135.2.148 255.255.0.0
!
ip default-gateway 10.135.2.1
ip http server
ip http secure-server
!
!
tftp-server flash:config.text
Kindly suggest!
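Both the core config in the first post and the access-stack config above are, from a security standpoint, statements of a trust boundary: server-facing ports and inter-switch links trusted, user ports untrusted. The following is an added example (not part of the thread and not Cisco code) that parses an IOS-style config into global and per-interface commands and reports where the trust state does not match the port role. The sample config is constructed in the shape of the access-stack config above, with two deliberate mistakes planted for the checker to find; the parser accepts both indented and flattened copy-pasted configs.

```python
"""Audit the DHCP snooping trust boundary in an IOS-style configuration."""
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the access-stack config above, with two
# deliberate mistakes: a trusted user port and an untrusted port-channel member.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 1-200
ip dhcp snooping information option allow-untrusted
!
interface Port-channel1
 description ### Link To VSS ###
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/4
 switchport mode trunk
 channel-group 1 mode active
 ip dhcp snooping trust
interface GigabitEthernet6/0/4
 switchport mode trunk
 channel-group 1 mode active
!
interface Vlan2
 ip address 10.135.2.148 255.255.0.0
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and per-interface command lists.

    An interface block ends at a '!' separator or at the next 'interface' line,
    so indented and flattened (copy-pasted) configs parse the same way.
    """
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
            continue
        if current is None:
            global_cmds.append(line)
        else:
            interfaces[current].append(line)
    return global_cmds, interfaces


def port_channel_of(cmds: List[str]) -> Optional[str]:
    """Return 'Port-channelN' if the interface carries 'channel-group N ...'."""
    for c in cmds:
        if c.startswith("channel-group "):
            return "Port-channel" + c.split()[1]
    return None


def audit_snooping(text: str) -> List[str]:
    """Return findings where the trust state does not match the port role."""
    global_cmds, interfaces = parse_config(text)
    findings: List[str] = []
    if "ip dhcp snooping" not in global_cmds:
        findings.append("GLOBAL: 'ip dhcp snooping' absent; per-VLAN snooping lines have no effect")
    if not any(c.startswith("ip dhcp snooping vlan ") for c in global_cmds):
        findings.append("GLOBAL: no 'ip dhcp snooping vlan' line; snooping is enabled on no VLAN")
    if "ip dhcp snooping information option allow-untrusted" not in global_cmds:
        findings.append("GLOBAL: option-82 packets on untrusted ports will be dropped (no allow-untrusted)")
    for name, cmds in interfaces.items():
        trusted = "ip dhcp snooping trust" in cmds
        trunk = "switchport mode trunk" in cmds
        access = "switchport mode access" in cmds
        if access and trusted:
            findings.append(f"{name}: access port is trusted; server replies from a host here would be accepted")
        if trunk and not trusted:
            findings.append(f"{name}: trunk is untrusted; server replies arriving on it will be dropped")
        po = port_channel_of(cmds)
        if po in interfaces and ("ip dhcp snooping trust" in interfaces[po]) != trusted:
            findings.append(f"{name}: trust state differs from {po}; keep member and bundle consistent")
    return findings


if __name__ == "__main__":
    for finding in audit_snooping(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` from each switch in the path between client and server; the same checker applies to the core config in the first post, where the server-facing ports and the port-channels towards the access stacks are the ones whose trust state matters.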
10-31-2013 07:55 AM
Hello experts,
Can you please suggest me on the same? Not understanding where the things are going wrong, as the snooping was working after implementation for 4-5 hours and after that the binding file updates stopped, and when the operation started the next day, users stopped getting IPs. Is some timeout/delay playing any role here? Is something wrong with the TFTP server, or is there some limitation on the file size getting stored on the external TFTP server?
Please let me know your expert comments.