04-11-2018 09:06 AM - edited 03-08-2019 02:36 PM
I have read through most of the posts here, and for some reason I still cannot get this DHCP snooping issue resolved. I had originally turned off Option 82 on all of the switches at the site, but after reading through @Peter Paluch's posts on it, I re-enabled it. I used the option "ip dhcp snooping information option allow-untrusted" instead on SW1, but I'm still seeing dropped DHCP packets when watching the debug logs. Here is a picture of the network layout.
I have a client device connected to SW3 (lower left) and am seeing all of the dropped DHCP packets on SW1, which is connected directly to the router handing out DHCP. I have set "ip dhcp snooping trusted" on the following ports:
SW1 port g0/6
SW2 port g0/1
SW3 port gi0/1
I also added the following command to the router: "ip dhcp relay information trust-all".
I'm happy to provide configs for any of these if needed or output of debug logs.
04-13-2018 08:52 AM
This was a super frustrating one. It was related to a bug in the version of IOS that was running on the switches.
CSCug52922 (Catalyst Switches 2960, 3560, and 3750) The DHCP Snooping or the IP Device Tracking (IPDT) feature does not work when you upgrade the switch to Cisco IOS release 15.0(2) SE5. The host IP address is not displayed when you run the sh auth sess int det command. There is no workaround.
04-11-2018 07:48 PM - edited 04-11-2018 07:49 PM
Hi
Can you share your logs and configs for SW1, SW2 and SW3?
04-12-2018 07:01 AM
Yes, attached are the 3 sanitized configs for the switches and the log messages from the "debug ip dhcp snooping packet detail" command on SW1. I didn't see any output from SW2 or SW3 which were running the same debugs at the time.
04-12-2018 07:22 PM
04-12-2018 08:13 PM
Even after adding that command it's not working. The output of the debug makes it look like the DHCP offer from the router is getting passed on from SW1 to SW2 (where this AP is plugged in directly) but the client doesn't get the IP assigned.
Apr 12 22:00:09 CDT: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/6)
Apr 12 22:00:09 CDT: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Gi0/6, MAC da: xxxx.xxxx.cd12, MAC sa: xxxx.xxxx.6db1, IP da: 10.1.1.132, IP sa: 10.1.1.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.1.1.132, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: xxxx.xxxx.cd12
Apr 12 22:00:09 CDT: DHCP_SNOOPING_SW: opt82 data indicates local packet
Apr 12 22:00:09 CDT: DHCP_SNOOPING: remove relay information option.
Apr 12 22:00:09 CDT: DHCP_SNOOPING: direct forward dhcp reply to output port: GigabitEthernet0/26
04-13-2018 06:19 AM
04-13-2018 06:20 AM
That command is already on my DHCP server after having read through previous threads.
04-13-2018 06:18 AM
It's definitely still an issue somewhere. I temporarily disabled DHCP snooping on SW1 and the AP attached to SW2 picked up an IP address. I tried to get the AP on SW3 to pick up an IP and it would not. I tried disabling DHCP snooping on SW2, but there's a rogue DHCP server which is handing out bad IPs. The strange thing is "debug ip dhcp snooping packet" doesn't show any activity on SW2 or SW3; the only time I saw anything was on SW1.
04-13-2018 06:25 AM