DHCP Snooping issue with multiple hops

andrew.schaefer
Level 1

I have read through most of the posts here, and for some reason I still cannot get this DHCP snooping issue resolved. I had originally turned off Option 82 on all of the switches at the site, but after reading through @Peter Paluch's posts on it, I re-enabled it. I used the option ip dhcp snooping information option allow-untrusted instead on SW1 but I'm still seeing dropped DHCP packets when watching the debug logs. Here is a picture of the network layout.

[image: dhcp snooping example.jpg]
I have a client device connected to SW3 (lower left) and am seeing all of the dropped DHCP packets on SW1 which is connected directly to the router handing out DHCP. I have set "ip dhcp snooping trusted" on the following ports:

SW1 port g0/6

SW2 port g0/1

SW3 port gi0/1


I also added the following command to the router "ip dhcp relay information trust-all"


I'm happy to provide configs for any of these if needed or output of debug logs.
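To make the snooping behaviour in this setup concrete, here is an added Python model (not code from the thread or from Cisco) of the documented forward/drop rules a Catalyst switch applies to a DHCP packet on a port: server messages on untrusted ports, MAC verification, non-zero giaddr, and Option 82 on an untrusted port with and without "ip dhcp snooping information option allow-untrusted". The port names and packet fields are assumed to match the topology described above (SW2 inserts Option 82 into the client's DISCOVER and sends it to SW1's untrusted port Gi0/26).

```python
"""Model of the Cisco IOS DHCP snooping per-port decision (added example;
rules taken from the documented snooping behaviour, not from the thread)."""

# Messages only a DHCP server sends; they are never accepted on untrusted ports.
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def snooping_decision(pkt, port_trusted, allow_untrusted=False, verify_mac=True):
    """Return ('forward', reason) or ('drop', reason) for one DHCP packet.

    pkt keys: msg_type, giaddr, has_opt82, src_mac, chaddr.
    A trusted port (uplink towards the relay/server) is never filtered.
    """
    if port_trusted:
        return ("forward", "trusted port")
    if pkt["msg_type"] in SERVER_MSGS:
        return ("drop", "server message on untrusted port (rogue server protection)")
    if verify_mac and pkt["src_mac"].lower() != pkt["chaddr"].lower():
        return ("drop", "frame source MAC does not match DHCP chaddr")
    if pkt["giaddr"] != "0.0.0.0":
        return ("drop", "non-zero giaddr (relay address) on untrusted port")
    if pkt["has_opt82"] and not allow_untrusted:
        return ("drop", "Option 82 present on untrusted port; allow-untrusted not set")
    return ("forward", "client message passed all checks")


def sw1_decision_for_downstream_discover(allow_untrusted_on_sw1):
    """Constructed packet: a client DISCOVER that SW2 has already tagged with
    Option 82, arriving on SW1's untrusted port Gi0/26 (assumed port name)."""
    discover = {
        "msg_type": "DHCPDISCOVER",
        "giaddr": "0.0.0.0",        # snooping switches insert Option 82 without setting giaddr
        "has_opt82": True,
        "src_mac": "xxxx.xxxx.cd12",  # placeholder MACs, as in the thread's sanitised debug
        "chaddr": "xxxx.xxxx.cd12",
    }
    return snooping_decision(discover, port_trusted=False,
                             allow_untrusted=allow_untrusted_on_sw1)


if __name__ == "__main__":
    for setting in (False, True):
        print("SW1 allow-untrusted =", setting, "->",
              sw1_decision_for_downstream_discover(setting))
```

Without allow-untrusted on SW1 the tagged DISCOVER from SW2 is dropped before it ever reaches the router; with it set, the same packet is forwarded, which is the effect the command is meant to have on an intermediate snooping switch.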


Accepted Solution

This was a super frustrating one. It was related to a bug in the version of IOS that was running on the switches. 


CSCug52922 (Catalyst Switches 2960, 3560, and 3750) The DHCP Snooping or the IP Device Tracking (IPDT) feature does not work when you upgrade the switch to Cisco IOS release 15.0(2) SE5. The host IP address is not displayed when you run the sh auth sess int det command. There is no workaround.


9 Replies

Francesco Molino
VIP Alumni

Hi

Can you share your logs and configs for SW1, SW2 and SW3?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, attached are the 3 sanitized configs for the switches and the log messages from the "debug ip dhcp snooping packet detail" command on SW1. I didn't see any output from SW2 or SW3 which were running the same debugs at the time.

Can you add the following command on SW1:

ip dhcp relay information trust-all

Thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Even after adding that command it's not working. The output of the debug makes it look like the DHCP offer from the router is getting passed on from SW1 to SW2 (where this AP is plugged in directly) but the client doesn't get the IP assigned.


Apr 12 22:00:09 CDT: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/6)
Apr 12 22:00:09 CDT: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Gi0/6, MAC da: xxxx.xxxx.cd12, MAC sa: xxxx.xxxx.6db1, IP da: 10.1.1.132, IP sa: 10.1.1.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.1.1.132, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: xxxx.xxxx.cd12
Apr 12 22:00:09 CDT: DHCP_SNOOPING_SW: opt82 data indicates local packet
Apr 12 22:00:09 CDT: DHCP_SNOOPING: remove relay information option.
Apr 12 22:00:09 CDT: DHCP_SNOOPING: direct forward dhcp reply to output port: GigabitEthernet0/26

Sorry, the command I gave you is for your DHCP server, and it's not SW1 but the router DHCP server.
Configure this command on your router DHCP server and normally everything should work.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

That command is already on my DHCP server after having read through previous threads.

It's definitely still an issue somewhere. I temporarily disabled DHCP snooping on SW1 and the AP attached to SW2 picked up an IP address. I tried to get the AP on SW3 to pick up an IP and it would not. I tried disabling DHCP snooping on SW2 but there's a rogue DHCP server which is handing out bad IPs. The strange thing is "debug ip dhcp snooping packet" doesn't show any activity on SW2 or SW3; the only time I saw anything was on SW1.

Ok. I reproduced your config in a lab and everything is working. The only difference would be the DHCP server because I don't have your router config. I just focused on the DHCP server, SW1 and SW2.

Can you run debug ip dhcp server packet on your router and share the output?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
