DHCP Snooping Issue on Cat 6509-VSS

sameermunj
Level 1

Hello Team


We have a 2-tier network setup wherein a Cat 6509 VSS (running IOS 15.1(2)SY) is configured as the core and stacks of Cat 3750 switches (running IOS 15.0(2)SE) are configured at the access layer. DHCP servers are directly connected to the VSS and provide IP addresses to DHCP clients connected to the Cat 3750 stacks. Recently we implemented DHCP snooping in the setup with the following configuration done at the core and access layer.

********************************

Configuration for Core Switches

********************************

conf t
ip dhcp snooping
ip dhcp snooping vlan 2, 9, 11, 12, 13, 14, 15-19, 23, 24, 28-31, 33-36, 41, 42, 44, 46, 48, 49, 51, 55, 57, 58, 59, 61-64, 67, 76-78, 80, 86-90, 91, 92, 251
ip dhcp snooping limit rate 100
!
interface Gi1/7/x
! interface connected with DHCP server
ip dhcp snooping trust
!
interface Gi2/7/x
! interface connected with DHCP server
ip dhcp snooping trust
!
int po10
! connected to access stack
ip dhcp snooping information option allow-untrusted
!
int po11
! connected to access stack
ip dhcp snooping information option allow-untrusted
!
! external TFTP server for storing the binding database
ip dhcp snooping database tftp://10.135.x.y/BindingDatabase/abc.dhcp
ip dhcp snooping database timeout 30 seconds
ip dhcp snooping database write-delay 40 seconds

********************************

Configuration for floor access Switches

********************************

ip dhcp snooping
ip dhcp snooping limit rate 25
!
int po157
! connected to VSS
ip dhcp snooping trust
exit

After this implementation, new users were getting IPs from the DHCP server without any issue. We observed the setup for 3-4 hours and the external TFTP server was receiving the bindings as well. The next day the users stopped getting IPs from the DHCP server, and during this event the TFTP server file was not receiving bindings; it looks like the binding updates stopped 4-5 hours after implementation, as the file size had not increased much. (Currently we have reverted the setup by disabling DHCP snooping in the core.)

We were getting the following errors during the issue on the core switch:

%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPINFORM, MAC sa: 000b.8642.74e0

o 1478720: *Oct 21 2013 11:27:13.675: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT:

I have the following queries on the same:

  • Is something wrong from a configuration perspective?
  • Are the delay/timeout values playing any role here for the TFTP?
  • Does the external TFTP server have any role here?
  • What's the way out to make it work?

Regards

Sameer
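The core-switch log lines quoted above are the evidence a defender has when snooping starts dropping traffic. As an added example (not part of this thread, and not a Cisco tool), the Python below parses `%DHCP_SNOOPING-5-*` syslog lines, pulls out the drop reason, DHCP message type and client MAC, and summarises which reasons and which MACs dominate. The first sample line reproduces the message quoted in the post; the other sample lines are constructed in the same format, and the body of the UNTRUSTED_PORT line is assumed because the post shows it truncated.

```python
import re
from collections import Counter

# Constructed sample syslog text in the format seen on the core switch above.
# Line 1 reproduces the NONZERO_GIADDR message quoted in the post; the rest are
# assumed examples in the same format, not real captures.
SAMPLE_LOG = """\
1478719: *Oct 21 2013 11:27:12.101: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPINFORM, MAC sa: 000b.8642.74e0
1478720: *Oct 21 2013 11:27:13.675: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
1478721: *Oct 21 2013 11:27:14.002: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 000b.8642.74e0
1478722: *Oct 21 2013 11:27:15.330: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Facility-severity-mnemonic header, free text, then the optional trailing
# "message type:" and "MAC sa:" fields that the snooping drop messages carry.
DROP_RE = re.compile(
    r"%DHCP_SNOOPING-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s*"
    r"(?P<text>.*?)"
    r"(?:,\s*message type:\s*(?P<mtype>[A-Z]+))?"
    r"(?:,\s*MAC sa:\s*(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}))?\s*$"
)


def parse_drops(log_text):
    """Return one dict per DHCP snooping syslog line; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            events.append({"mnemonic": m.group("mnemonic"),
                           "type": m.group("mtype"),
                           "mac": m.group("mac")})
    return events


def summarise(events):
    """Count drops per reason and per client MAC, to spot one port or host
    that is generating most of the drops (a relay/option-82 mismatch on an
    uplink looks very different from a single misbehaving client)."""
    by_reason = Counter(e["mnemonic"] for e in events)
    by_mac = Counter(e["mac"] for e in events if e["mac"])
    return by_reason, by_mac


if __name__ == "__main__":
    reasons, macs = summarise(parse_drops(SAMPLE_LOG))
    print("drops by reason:", dict(reasons))
    print("drops by MAC:", dict(macs))
```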

3 Replies

devils_advocate
Level 7

Can you post the whole config for the access switches?

Hi

The entire stack configuration is very big. I am putting down the relevant configuration below for your reference.

switch 1 provision ws-c3750v2-48ps
switch 2 provision ws-c3750v2-48ps
switch 3 provision ws-c3750v2-48ps
switch 4 provision ws-c3750v2-48ps
switch 5 provision ws-c3750v2-48ps
switch 6 provision ws-c3750v2-48ps
switch 7 provision ws-c3750v2-48ps
system mtu routing 1500
ip domain-name uk.sterianet
!
!
ip dhcp snooping vlan 1-200
ip dhcp snooping information option allow-untrusted
!

archive
path tftp:10.135.2.148.txt
write-memory
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending

interface Port-channel1
description ### Link To VSS  ###
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet1/0/1
! user port
switchport access vlan 10
switchport mode access
switchport voice vlan 20
power inline static
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
storm-control broadcast level 20.00
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
!

interface GigabitEthernet1/0/4
! trunk port
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
  auto qos voip trust
channel-protocol lacp
channel-group 1 mode active
ip dhcp snooping trust

interface GigabitEthernet6/0/4
! trunk port
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
channel-protocol lacp
channel-group 1 mode active
ip dhcp snooping trust

!
interface Vlan2
ip address 10.135.2.148 255.255.0.0
!
ip default-gateway 10.135.2.1
ip http server
ip http secure-server
!
!

tftp-server flash:config.text

Kindly suggest..!

sameermunj
Level 1

Hello experts,

Can you please suggest on the same? I am not understanding where things are going wrong, as the snooping was working after implementation for 4-5 hours, and after that the binding file updates stopped, and when operations started the next day, users stopped getting IPs. Is some timeout/delay playing any role here? Is something wrong with the TFTP server, or is there some limitation on the file size that can be stored on the external TFTP server?

Please let me know your expert comments.
