DHCP Snooping Issue.

Daniel Mckibbin
Level 1

Hey Guys,

I've been a member of Cisco for a long time, but have yet to use the forums. I've used other networking forums where I would provide help, but no one would help me when I had an issue. My goal is to give just as much as I take. Hopefully I can make the Cisco forums my home!

Now for my problem! On my home network I'm trying to get DHCP snooping to work correctly. The network clients are able to receive addresses from the DHCP server (3640 router) and access resources and search the internet with no problem, but the DHCP snooping database bindings are not being entered (in a 3550 with Layer 3 disabled). I need them to be entered to be able to utilize DAI and ISG. What is going on? I think it may be because my router is the DHCP server, and the database is not being passed on to the switch. How would I be able to accomplish this? I know if I were to move the DHCP configuration from the router to the switch it would work, but I don't want to go down the simple route and ignore problems that I come across.


Relevant configuration is as below:


Switch:

ip dhcp snooping vlan 100,200,300
ip dhcp snooping


LAN_SWITCH#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID                       Local Interface  Holdtme  Capability  Platform   Port ID
Mckibbin_LAN.Daniels_Wireless   Fas 0/2          165      T           AIR-AP350  Fas 0
Internet_Router                 Fas 0/1          128      R S I       3640-A     Eth 1/1


interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200,300
switchport mode trunk
spanning-tree portfast trunk
ip dhcp snooping trust


!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200,300
switchport mode trunk
duplex full
ip dhcp snooping trust
end

The router's interface is set up for router-on-a-stick with subinterfaces for each VLAN.

Router


no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.1.1
ip dhcp excluded-address 172.16.2.2
ip dhcp excluded-address 172.16.1.33
ip dhcp excluded-address 172.16.1.2
ip dhcp excluded-address 172.16.1.3
ip dhcp excluded-address 172.16.1.4
!
ip dhcp pool wireless
import all
network 172.16.1.0 255.255.255.224
default-router 172.16.1.1
domain-name Daniels_Wireless
!
ip dhcp pool wired
import all
network 172.16.1.32 255.255.255.224
default-router 172.16.1.33
domain-name Daniels_Wired
!
Debug Output From Switch:


*Mar  7 16:44:11.932: DHCPSN: Found ingress pkt on Fa0/2 VLAN 200
*Mar  7 16:44:11.932: DHCPSN: DHCP packet being sent to PI snooping process
*Mar  7 16:44:11.932: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/2)
*Mar  7 16:44:11.932: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa0/2, MAC da: 000d.28e2.c692, MAC sa: 4c0f.6e8f.a311, IP da: 172.16.1.1, IP sa: 172.16.1.9, DHCP ciaddr: 172.16.1.9, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 4c0f.6e8f.a311
*Mar  7 16:44:11.932: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/1, vlan 200.
*Mar  7 16:44:11.940: DHCPSN: Found ingress pkt on Fa0/1 VLAN 200
*Mar  7 16:44:11.940: DHCPSN: DHCP packet being sent to PI snooping process
*Mar  7 16:44:11.940: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/1)
*Mar  7 16:44:11.940: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Fa0/1, MAC da: 4c0f.6e8f.a311, MAC sa: 000d.28e2.c692, IP da: 172.16.1.9, IP sa: 172.16.1.1, DHCP ciaddr: 172.16.1.9, DHCP yiaddr: 172.16.1.9, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 4c0f.6e8f.a311
*Mar  7 16:44:11.944: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet0/2.


LAN_SWITCH#show ip dhcp snooping statistics
Packets Forwarded                                     = 300
Packets Dropped                                       = 1
Packets Dropped From untrusted ports                  = 0
LAN_SWITCH#
*Mar  7 16:48:49.364: DHCP_SNOOPING: checking expired snoop binding entries


LAN_SWITCH#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0

I would appreciate any help. Thanks!

Daniel M.
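An added Python script (not from the thread) that parses the debug lines above and applies the rule from Cisco's DHCP snooping documentation that the binding table holds only clients reached through untrusted ports; it reports what the table would contain with both trunks trusted, as in the posted config, versus with only the router-facing trunk trusted. The regexes and the trusted-port sets are the script's own assumptions.

```python
import re

# Debug lines copied from the thread above (80-column wraps joined), used as sample input.
DEBUG_LOG = """\
*Mar  7 16:44:11.932: DHCPSN: Found ingress pkt on Fa0/2 VLAN 200
*Mar  7 16:44:11.932: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa0/2, MAC da: 000d.28e2.c692, MAC sa: 4c0f.6e8f.a311, IP da: 172.16.1.1, IP sa: 172.16.1.9, DHCP ciaddr: 172.16.1.9, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 4c0f.6e8f.a311
*Mar  7 16:44:11.940: DHCPSN: Found ingress pkt on Fa0/1 VLAN 200
*Mar  7 16:44:11.940: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Fa0/1, MAC da: 4c0f.6e8f.a311, MAC sa: 000d.28e2.c692, IP da: 172.16.1.9, IP sa: 172.16.1.1, DHCP ciaddr: 172.16.1.9, DHCP yiaddr: 172.16.1.9, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 4c0f.6e8f.a311
"""

# Assumed patterns for the two debug line shapes shown in the thread.
INGRESS_RE = re.compile(r"Found ingress pkt on (\S+) VLAN (\d+)")
PKT_RE = re.compile(r"message type: (\w+), input interface: (\S+),.*?"
                    r"DHCP yiaddr: (\S+),.*?DHCP chaddr: (\S+)")


def parse_packets(log):
    """Return (msg_type, input_interface, vlan, yiaddr, chaddr) for each DHCP packet.
    The VLAN is taken from the 'Found ingress pkt' line preceding each packet."""
    vlan, packets = None, []
    for line in log.splitlines():
        m = INGRESS_RE.search(line)
        if m:
            vlan = int(m.group(2))
            continue
        m = PKT_RE.search(line)
        if m:
            msg, iface, yiaddr, chaddr = m.groups()
            packets.append((msg, iface, vlan, yiaddr, chaddr))
    return packets


def expected_bindings(log, trusted):
    """Bindings the switch would record, given the set of trusted port names.
    Cisco's rule: entries exist only for clients behind untrusted ports. The client
    port is where its own DHCPDISCOVER/DHCPREQUEST entered; the DHCPACK from the
    server-facing port supplies the assigned address (yiaddr)."""
    client_port, bindings = {}, []
    for msg, iface, vlan, yiaddr, chaddr in parse_packets(log):
        if msg in ("DHCPDISCOVER", "DHCPREQUEST"):
            client_port[chaddr] = (iface, vlan)
        elif msg == "DHCPACK" and chaddr in client_port:
            port, cvlan = client_port[chaddr]
            if port not in trusted:
                bindings.append({"mac": chaddr, "ip": yiaddr,
                                 "vlan": cvlan, "interface": port})
    return bindings


if __name__ == "__main__":
    print("Fa0/1 and Fa0/2 trusted:", expected_bindings(DEBUG_LOG, {"Fa0/1", "Fa0/2"}))
    print("only Fa0/1 trusted     :", expected_bindings(DEBUG_LOG, {"Fa0/1"}))
```

With both trunks trusted the result is empty, matching the "Total number of bindings: 0" output: the exchange on Fa0/2 is forwarded but never recorded because snooping does not build entries for hosts behind a trusted port.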

19 Replies

I want to use it to save memory on the router (I know it's still in RAM), and to allow hosts to continue using their DHCP-learned addresses when the router reboots, i.e. the router relearns bindings by downloading the file from a TFTP server. It successfully transfers, but it fails much more than it succeeds, and it is never able to read the file off the server.

Hi,

OK, so you want to use the DHCP database to make sure the addresses of the hosts never change. In that case you can put this file directly on the router; why do you absolutely want to put it on a TFTP server? Have you tried with it on the router only?

Regards.

Don't forget to rate helpful posts.

Daniel,

IIRC, we always had to create a text file with nothing but a CR in it at the destination location. It seemed that the switches could never create that file from scratch. I believe I read a long time ago, or was advised by TAC, not to save the database file to flash due to (according to the source) the limited write cycles of flash. These files are written to often.

Although, we have never used TFTP; we used FTP.

Would it be possible to post an example? I would have no clue on how to implement that.

ip dhcp snooping vlan 11
no ip dhcp snooping information option
ip dhcp snooping database ftp://USERNAME:PASSWORD@IP-ADDRESS/DHCPSnoop/HOSTNAME.dhcp
ip dhcp snooping

ip arp inspection vlan 11


interface FastEthernet2/7
switchport access vlan 11
switchport mode access
switchport port-security
switchport port-security limit rate invalid-source-mac 1
ip arp inspection limit rate 257
logging event trunk-status
spanning-tree portfast
spanning-tree bpduguard enable