Re: dhcp snooping issue

csaba.papp · ‎01-17-2008

Hi,

I activated dhcp snooping on my test envirament (C3550 Software C3550-I9Q3L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)

The first IP request coming from a desktop was successful. It got a valid ip. The release worked also fine.

The new ip request and the all other failed.

Here is the debug log (I included my comments)

'Ipconfig /renew

001483: *Mar 10 01:14:38: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/9)

001484: *Mar 10 01:14:38: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST

001485: *Mar 10 01:14:38: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

001486: *Mar 10 01:14:38: DHCP_SNOOPING_SW: bridge packet send packet to port: GigabitEthernet0/1.

001487: *Mar 10 01:14:38: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/1)

001488: *Mar 10 01:14:38: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK

001489: *Mar 10 01:14:38: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet0/9.

'the desktop successfully got IP

'ipconfig /release

001490: *Mar 10 01:15:00: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/

001491: *Mar 10 01:15:00: DHCP_SNOOPING: process new DHCP packet, message type: DHCPRELEASE

001492: *Mar 10 01:15:00: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

001493: *Mar 10 01:15:00: DHCP_SNOOPING_SW: bridge packet send packet to port: GigabitEthernet0/1.

'succesfully ip release

'ipconfig /renew

001494: *Mar 10 01:15:05: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/9)

001495: *Mar 10 01:15:05: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER

001496: *Mar 10 01:15:05: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

001497: *Mar 10 01:15:05: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (100)

001498: *Mar 10 01:15:09: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/9)

001499: *Mar 10 01:15:09: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER

001500: *Mar 10 01:15:09: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

001501: *Mar 10 01:15:09: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN

Thanks for help.

Csaba

skarundi · ‎01-18-2008

the switch is running really old code. I'd suggest upgrading to at least 12.2(25)SE.

May be a bug with dhcp snooping.

csaba.papp · ‎01-18-2008

Karundi thanks for your message.

I upgraded the IOS to 12.2(25)SEB4, but no progress. The issue persist.

Here is the log

00:08:13: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/2)

00:08:13: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/2, MAC da: ffff.ffff.ffff, Msa: 0015.c54f.73f5, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, Dgiaddr: 0.0.0.0, DHCP chaddr: 0015.c54f.73f5

00:08:13: DHCP_SNOOPING: add relay information option.

00:08:13: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

00:08:13: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x1E 0x0 0x1 0x2 0x8 0x0 0x6 0x0 0x11 0xBB 0x6C 0x22 0x80

00:08:13: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (30)

00:08:13: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/1.

00:08:13: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/3.

00:08:29: DHCPSN: DHCP packet being sent to PI snooping process

00:08:29: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/2)

.......................................................

Switch#sh ip dhcp snooping

Switch DHCP snooping is enabled

DHCP snooping is configured on following VLANs:

30

Insertion of option 82 is enabled

Option 82 on untrusted port is not allowed

Verification of hwaddr field is enabled

Interface Trusted Rate limit (pps)

------------------------ ------- ----------------

FastEthernet0/1 yes unlimited

FastEthernet0/3 yes unlimited

skarundi · ‎01-18-2008

the message "packet is flooded to ingress vlan" means that the dhcp discover frame is forwarded out faethernet 0/1 and fa0/3.

Can you confirm that your dhcp server or dhcp relay agent which should be connected to either fa0/1 or fa0/3 got the frame ?

igor_kiselev · ‎01-18-2008

Can you first try disabling Option 82 insertion

(global mode)

no ip dhcp snooping information option

see if it works now ...

andrew.butterworth · ‎01-18-2008

Unless your DHCP server understand the Option 82 stuff you need to disable it. Windows 2000/2003 DHCP Server doesn't work with option 82 enabled

HTH

Andy

csaba.papp · ‎01-21-2008

Hi,

I disabled the option 82 end it solved the problem. My dhcp server is Windows 2000.

I tested a Windows 2008 dhcp server and it seems that it supports this option.

Here is the logs.

'ipconfig /release

02:17:56: DHCPSN: DHCP packet being sent to PI snooping process

02:17:56: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/2)

02:17:56: DHCP_SNOOPING: process new DHCP packet, message type: DHCPRELEASE, input interface: Fa0/2, MAC da: 0012.3f4d.f3d3, MAC s

a: 0015.c54f.73f5, IP da: 10.18.16.2, IP sa: 10.18.16.90, DHCP ciaddr: 10.18.16.90, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DH

CP giaddr: 0.0.0.0, DHCP chaddr: 0015.c54f.73f5

02:17:56: DHCP_SNOOPING: add relay information option.

02:17:56: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

02:17:56: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x1E 0x0 0x1 0x2 0x8 0x0 0x6 0x0 0x11 0xBB 0x6C 0x22 0x80

02:17:56: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/3.

'ipconfig /renew

02:18:43: DHCPSN: DHCP packet being sent to PI snooping process

02:18:43: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/2)

02:18:43: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/2, MAC da: ffff.ffff.ffff, MAC

sa: 0015.c54f.73f5, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP

giaddr: 0.0.0.0, DHCP chaddr: 0015.c54f.73f5

02:18:43: DHCP_SNOOPING: add relay information option.

02:18:43: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format

02:18:43: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:

0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x1E 0x0 0x1 0x2 0x8 0x0 0x6 0x0 0x11 0xBB 0x6C 0x22 0x80

02:18:43: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (30)

02:18:43: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/3.

02:18:44: DHCPSN: DHCP packet being sent to PI snooping process

02:18:44: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/3)

02:18:44: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Fa0/3, MAC da: ffff.ffff.ffff, MAC sa:

0012.3f4d.f3d3, IP da: 255.255.255.255, IP sa: 10.18.16.2, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.18.16.90, DHCP siaddr: 10.18.16.

2, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0015.c54f.73f5

02:18:44: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet0/2.

............

Thank you for all who replayed to my post.