DHCP Snooping Issue.

Daniel Mckibbin
Level 1

Hey Guys,

I've been a member of Cisco for a long time, but have yet to use the forums. I've used other networking forums where I would provide help, but no-one would help me when I had an issue. My goal is to give just as much as I take. Hopefully I can make the Cisco forums my home!

Now for my problem! On my home network I'm trying to get DHCP snooping to work correctly. The network clients are able to receive addresses from the DHCP server (3640 router) and access resources and search the internet with no problem, but the DHCP snooping database bindings are not being entered (in a 3550 with Layer 3 disabled). I need them to be entered to be able to utilize DAI and ISG. What is going on? I think it may be because my router is the DHCP server, and the database is not being passed on to the switch. How would I be able to accomplish this? I know if I were to move the DHCP configuration from the router to the switch it would work, but I don't want to go down the simple route and ignore problems that I come across.


Relevant configuration is as below:


Switch:

ip dhcp snooping vlan 100,200,300
ip dhcp snooping


LAN_SWITCH#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID                        Local Interface  Holdtme  Capability  Platform   Port ID
Mckibbin_LAN.Daniels_Wireless    Fas 0/2          165      T           AIR-AP350  Fas 0
Internet_Router                  Fas 0/1          128      R S I       3640-A     Eth 1/1


interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200,300
switchport mode trunk
spanning-tree portfast trunk
ip dhcp snooping trust


!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200,300
switchport mode trunk
duplex full
ip dhcp snooping trust
end

The router's interface is set up as router-on-a-stick with a subinterface for each VLAN.

Router


no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.1.1
ip dhcp excluded-address 172.16.2.2
ip dhcp excluded-address 172.16.1.33
ip dhcp excluded-address 172.16.1.2
ip dhcp excluded-address 172.16.1.3
ip dhcp excluded-address 172.16.1.4
!
ip dhcp pool wireless
import all
network 172.16.1.0 255.255.255.224
default-router 172.16.1.1
domain-name Daniels_Wireless
!
ip dhcp pool wired
import all
network 172.16.1.32 255.255.255.224
default-router 172.16.1.33
domain-name Daniels_Wired
!
Debug Output From Switch:


*Mar  7 16:44:11.932: DHCPSN: Found ingress pkt on Fa0/2 VLAN 200
*Mar  7 16:44:11.932: DHCPSN: DHCP packet being sent to PI snooping process
*Mar  7 16:44:11.932: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/2)
*Mar  7 16:44:11.932: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa0/2, MAC da: 000d.28e2.c692, MAC sa: 4c0f.6e8f.a311, IP da: 172.16.1.1, IP sa: 172.16.1.9, DHCP ciaddr: 172.16.1.9, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 4c0f.6e8f.a311
*Mar  7 16:44:11.932: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/1, vlan 200.
*Mar  7 16:44:11.940: DHCPSN: Found ingress pkt on Fa0/1 VLAN 200
*Mar  7 16:44:11.940: DHCPSN: DHCP packet being sent to PI snooping process
*Mar  7 16:44:11.940: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/1)
*Mar  7 16:44:11.940: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Fa0/1, MAC da: 4c0f.6e8f.a311, MAC sa: 000d.28e2.c692, IP da: 172.16.1.9, IP sa: 172.16.1.1, DHCP ciaddr: 172.16.1.9, DHCP yiaddr: 172.16.1.9, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 4c0f.6e8f.a311
*Mar  7 16:44:11.944: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet0/2.


LAN_SWITCH#show ip dhcp snooping statistics
Packets Forwarded                                     = 300
Packets Dropped                                       = 1
Packets Dropped From untrusted ports                  = 0
LAN_SWITCH#
*Mar  7 16:48:49.364: DHCP_SNOOPING: checking expired snoop binding entries


LAN_SWITCH#show ip dhcp snooping b
LAN_SWITCH#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0

I would appreciate any help. Thanks!

Daniel M.


19 Replies

cadet alain
VIP Alumni

Hi,

Your DHCP requests are coming from Fa0/2, so remove ip dhcp snooping trust on this interface and tell us what happens.

Regards.

Don't forget to rate helpful posts.

Mohamed Sobair
Level 7

Hi,

The Switch needs to insert option 82 in the DHCP packet and relay it to the DHCP server.

Please add the following command on the Switch:

ip dhcp snooping information option

Let us know the results from the DHCP snooping Database,

HTH

Mohamed

Daniel Mckibbin
Level 1

Thanks guys, but my issue still persists. I have ip dhcp snooping trust configured on FastEthernet0/2, because it is a trunk link. Without that statement clients don't receive IP addresses. Should it be configured on the AP end of Fa 0/2 instead of the switch end? I know switch uplinks should be trusted, and that would be a trunk uplink. That's something to try, but is it possible on an AP?

I've tried having the information option enabled; I even tried again, but still no luck. I also attempted sending the DHCP database file to a TFTP server and then pulling the DHCP database file off the TFTP server with the switch to build the DHCP snooping database with the ip dhcp snooping database command. When I issued the show ip dhcp snooping database command the transfer was successful, but the DHCP snooping binding table was empty. Is this normal? Is there a way to view that database file in RAM to determine whether the bindings are there? If I were to enable DAI with the DHCP snooping bindings database empty, would it cause all sorts of trouble?

The weird thing is that when I rebooted my router it tried to download the DHCP bindings that it had uploaded to the TFTP server. The TFTP server was showing that it was completing successfully, but the router logs kept saying that it failed. The actual output that I got is below:

*Dec  5 2010 04:12:17 MST: %DHCPD-3-READ_ERROR: DHCP could not read bindings from tftp://172.16.1.66/dhcp_database.
*Dec  5 2010 04:13:17 MST: %DHCPD-3-READ_ERROR: DHCP could not read bindings from tftp://172.16.1.66/dhcp_database.
*Dec  5 2010 04:14:17 MST: %DHCPD-3-READ_ERROR: DHCP could not read bindings from tftp://172.16.1.66/dhcp_database.
*Dec  5 2010 04:15:17 MST: %DHCPD-3-READ_ERROR: DHCP could not read bindings from tftp://172.16.1.66/dhcp_database.
.Dec  5 2010 04:19:20 MST: %DHCPD-3-READ_ERROR: DHCP could not read bindings from tftp://172.16.1.66/dhcp_database.

What would cause this?

Thanks guys, hopefully we can get this solved!

Hi,

"I have ip dhcp snooping trust configured on FastEthernet0/2, because it is a trunk link"

Your clients are on f0/2, so there shouldn't be a DHCP server on this interface, so it must not be trusted. The only interfaces you must configure as trusted are the ones going to your DHCP server; it has nothing to do with the role of the port (trunk or access).

"If I were to enable DAI with the DHCP snooping bindings database empty would it cause all sorts of trouble?"

As DAI is using the DHCP snooping database there could be some problems; I think all your ARP will be considered spoofing.

Maybe your DHCP snooping database is corrupt.

Regards.

Don't forget to rate helpful posts.
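As an added illustration (not code from the thread or from Cisco IOS), here is a small Python model of the rule stated above: a snooping switch learns bindings only for clients behind untrusted ports, and accepts DHCP server messages only from trusted ports. The two packets are transcribed from the debug output quoted in the question; the pending/bindings bookkeeping is a simplification assumed here.

```python
from dataclasses import dataclass, field

# Packets transcribed from the thread's "debug ip dhcp snooping" output:
# a renewal request from the wireless client and the router's reply.
CLIENT_REQUEST = dict(msg="DHCPREQUEST", in_if="Fa0/2", vlan=200,
                      chaddr="4c0f.6e8f.a311", yiaddr="0.0.0.0")
SERVER_ACK = dict(msg="DHCPACK", in_if="Fa0/1", vlan=200,
                  chaddr="4c0f.6e8f.a311", yiaddr="172.16.1.9")

CLIENT_MSGS = {"DHCPDISCOVER", "DHCPREQUEST"}
SERVER_MSGS = {"DHCPOFFER", "DHCPACK"}


@dataclass
class SnoopingSwitch:
    """Simplified DHCP snooping state (assumed model, not IOS internals)."""
    trusted: set
    pending: dict = field(default_factory=dict)   # (chaddr, vlan) -> client port
    bindings: dict = field(default_factory=dict)  # (chaddr, vlan) -> (ip, port)
    dropped: int = 0

    def process(self, pkt):
        key = (pkt["chaddr"], pkt["vlan"])
        if pkt["msg"] in CLIENT_MSGS:
            # Only clients behind UNTRUSTED ports are tracked; a trusted port
            # is assumed to lead to infrastructure, so nothing is learned there.
            if pkt["in_if"] not in self.trusted:
                self.pending[key] = pkt["in_if"]
            return "forwarded"
        if pkt["msg"] in SERVER_MSGS:
            # A server message arriving on an untrusted port is the signature
            # of a rogue DHCP server: snooping drops it and counts the drop.
            if pkt["in_if"] not in self.trusted:
                self.dropped += 1
                return "dropped"
            if pkt["msg"] == "DHCPACK" and key in self.pending:
                # The ACK's yiaddr is the address the client now holds.
                self.bindings[key] = (pkt["yiaddr"], self.pending.pop(key))
            return "forwarded"
        return "forwarded"


def run(trusted_ports, packets=(CLIENT_REQUEST, SERVER_ACK)):
    """Replay packets through a switch with the given trusted ports."""
    sw = SnoopingSwitch(set(trusted_ports))
    verdicts = [sw.process(p) for p in packets]
    return sw, verdicts
```

With both trunks trusted, `run({"Fa0/1", "Fa0/2"})` leaves the binding table empty, reproducing the symptom; with only Fa0/1 trusted it yields one binding for 4c0f.6e8f.a311 on VLAN 200, Fa0/2.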

Hi,

The uplink ports, along with your interface towards the router, should all be trusted.

The DHCP snooping information option also has to be enabled, as the switch needs to insert option 82 into the DHCP packet.

Coming to the TFTP server, can you confirm the tftp server is reachable and you can access the file dhcp_database?

Look into this file, do you see any entries?

HTH

Mohamed

Daniel Mckibbin
Level 1

You guys are awesome thanks! The problem was resolved by removing the ip dhcp trust statement from Fa 0/2.

LAN_SWITCH# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
4C:0F:6E:8F:A3:11   172.16.1.6       86281       dhcp-snooping   200   FastEthernet0/2
Total number of bindings: 1

The reason I had it there was because for some reason I wasn't able to get an IP address via DHCP before. Now it's working fine without it.

The DHCP database on the router is still having trouble reading and writing from the TFTP server. As you can see, it has been successful before and there is connectivity. It has never had a successful read, though. I don't have a firewall running on this device.


Internet_Router#show ip dhcp database
URL      : tftp://172.16.1.66/dhcp_database
Read     : Never
Written  : Dec 05 2010 11:23 PM
Status   : Last write failed because of a protocol error.
Delay    : 300 seconds
Timeout  : 300 seconds
Failures : 849
Successes: 2

Internet_Router#ping 172.16.1.66

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.66, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms

Connectivity is consistent as well:


Internet_Router#show ip sla monitor statistics 2
Round trip time (RTT)   Index 2
        Latest RTT: 1 ms
Latest operation start time: .00:01:36.997 MST Tue Dec 7 2010
Latest operation return code: OK
Number of successes: 81
Number of failures: 0
Operation time to live: Forever

Perhaps I should try another TFTP server? I'm using SolarWinds.

Daniel,

Isn't F0/2 your uplink? The DHCP snooping trust should be configured on the port connecting the server (router) as well as on all uplinks between switches towards the client. I am wondering why removing it from f0/2 fixes the issue.

Could you please let us know what F0/2 is connecting?

Regards,

Mohamed

Mohamed,

Fa 0/2 is connected to a Cisco 350 wireless AP. The trunk to the router is on Fa 0/1 which still has the ip dhcp snooping trust command configured.

Hi,

For your TFTP server DHCP database, have you got this command in your config?

http://www.cisco.com/en/US/docs/ios/12_1/iproute/command/reference/1rddhcp.html#wp1017959

Don't forget to rate helpful posts.

Yes I do, and it is reachable with no access lists blocking tftp.

Hi,

Can you sniff with Wireshark or another tool, and enable logging on the TFTP server?

Can you try changing your timeout on the TFTP server?

Regards.

Don't forget to rate helpful posts.

Hi,

You copied your DHCP database from flash to TFTP? If so, create the DHCP database in NVRAM, then copy it to the TFTP server and use that one.

Tell me what happens.

Don't forget to rate helpful posts.

Why would the DHCP database be in flash? Isn't it stored in RAM? I'm not understanding. Wouldn't copying the DHCP database to NVRAM defeat the purpose of sending it to a TFTP server?

You can put it where you want, but I thought you had it on the router and then copied it to TFTP.

Regards.

Don't forget to rate helpful posts.