01-27-2017 01:37 PM - edited 03-08-2019 09:05 AM
Hello all,
I'm a long time user of DHCP Snooping on Cisco switches. We use the Option 82 information to differentiate DHCP clients based on the circuit-id and remote-id information added to the DISCOVER request.
As the proud owner of a new 3850-24XU switch, I find myself frustrated that DHCP Snooping does not appear to be working at all. The same configuration has worked fine on 5 different Catalyst switches over the last 8 years. The following is more detail.
I have boiled the configuration down to a minimum while trying to debug this. I have a single port (te1/0/1) facing the DHCP client, and a single port (te1/0/24) facing the DHCP server.
When the client initiates the DHCP exchange, I see the DISCOVER message make it to the server, the server then responds with an OFFER, but the OFFER is never delivered to the client.
I have configured the server facing interface for trust, and all Trace and Debug logs appear to show things working correctly. However, the OFFER is being dropped for some reason.
I have tried adding trust to both interfaces, turning off the "information option", and setting "information option allow-untrusted", turning off hwaddr/giaddr verify. None of which I should have to do (or want to do). The only thing that allows the DHCP exchange to work is "no ip dhcp snooping", which of course won't work for me.
ABMDE# show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is operational on following VLANs:
1
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: ABMDESW (hostname)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                 Trusted  Allow option  Rate limit (pps)
------------------------  -------  ------------  ----------------
TenGigabitEthernet1/0/24  yes      yes           unlimited
Custom circuit-ids:
I've attached the statistics output from a single DHCP attempt, and the Debug output for dhcp-snooping.
As you can see from the last line, it appears the packet is delivered to the correct interface, but I can assure you it never egresses. I've beat on this for a while, trying various combinations of options, but no matter what, I can only get the OFFER to transit the switch if I turn off DHCP snooping altogether.
Any help would be much appreciated.
Craig
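The checks Craig has been toggling (port trust, hwaddr and giaddr verification, Option 82 on untrusted ports) are the documented DHCP snooping filter rules, and it helps to model them against his DISCOVER/OFFER exchange to see which rule could and could not account for a lost OFFER. The Python below is an added example, not Cisco code and not from the post: the BOOTP layout follows RFC 2131, the circuit-id layout follows Cisco's documented vlan-mod-port format, the remote-id hostname sub-option encoding and the module/port field mapping are assumptions, and the MAC addresses are constructed.

```python
"""Model of the documented Catalyst DHCP snooping decisions (added example)."""
import re
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # RFC 2132 option 53 values
OPT_MSG_TYPE, OPT_AGENT_INFO, OPT_END = 53, 82, 255

# Switch state reconstructed from the "show ip dhcp snooping" output in the post
TRUSTED_PORTS = {"Te1/0/24"}
CONFIG = {"insert_option82": True, "allow_untrusted_option82": False,
          "verify_hwaddr": True, "verify_giaddr": True, "hostname": "ABMDESW"}


def _ip(text):
    return bytes(int(octet) for octet in text.split("."))


def build_dhcp(op, msg_type, chaddr, xid=0x3903F326, yiaddr="0.0.0.0",
               siaddr="0.0.0.0", giaddr="0.0.0.0", extra_options=b""):
    """Minimal BOOTP/DHCP payload: 236-byte fixed header, cookie, options, END."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    header += _ip("0.0.0.0") + _ip(yiaddr) + _ip(siaddr) + _ip(giaddr)
    header += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128
    options = bytes([OPT_MSG_TYPE, 1, msg_type]) + extra_options + bytes([OPT_END])
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Return op, giaddr, chaddr and a dict of option code -> value."""
    op, _, hlen = struct.unpack("!BBB", payload[:3])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:          # pad byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "chaddr": payload[28:28 + hlen],
            "giaddr": payload[24:28], "options": options}


def option82(port, vlan):
    """Relay agent information: circuit-id (vlan-mod-port) + remote-id (hostname)."""
    nums = [int(n) for n in re.findall(r"\d+", port)]        # "Te1/0/1" -> [1, 0, 1]
    module, number = nums[-2], nums[-1]                      # field mapping assumed
    circuit = bytes([0, 4]) + struct.pack("!HBB", vlan, module, number)
    host = CONFIG["hostname"].encode()
    remote = bytes([1, len(host)]) + host                    # type 1 = string (assumed)
    return bytes([1, len(circuit)]) + circuit + bytes([2, len(remote)]) + remote


def _rebuild(payload, drop_code=None, append=b""):
    """Copy the option list, optionally dropping one code and appending raw TLVs."""
    out, i = b"", 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code != drop_code:
            out += payload[i:i + 2 + length]
        i += 2 + length
    return payload[:240] + out + append + bytes([OPT_END])


def snoop(port, src_mac, payload, vlan=1):
    """Apply the documented snooping rules to a DHCP packet arriving on `port`.

    Returns ("forward", payload_to_send) or ("drop", reason)."""
    pkt = parse_dhcp(payload)
    msg_type = pkt["options"].get(OPT_MSG_TYPE, b"\0")[0]
    if port in TRUSTED_PORTS:
        # Server replies on a trusted port are forwarded; the switch removes the
        # Option 82 it inserted before the packet reaches the untrusted client.
        return "forward", _rebuild(payload, drop_code=OPT_AGENT_INFO)
    if pkt["op"] == BOOTREPLY or msg_type in (OFFER, ACK, NAK):
        return "drop", "server message received on untrusted port"
    if CONFIG["verify_hwaddr"] and pkt["chaddr"] != src_mac:
        return "drop", "chaddr does not match frame source MAC"
    if CONFIG["verify_giaddr"] and pkt["giaddr"] != b"\0\0\0\0":
        return "drop", "nonzero giaddr on untrusted port"
    if OPT_AGENT_INFO in pkt["options"] and not CONFIG["allow_untrusted_option82"]:
        return "drop", "option 82 present on untrusted port"
    if CONFIG["insert_option82"]:
        sub = option82(port, vlan)
        payload = _rebuild(payload, append=bytes([OPT_AGENT_INFO, len(sub)]) + sub)
    return "forward", payload


if __name__ == "__main__":
    client = b"\x00\x11\x22\x33\x44\x55"                     # constructed client MAC
    verdict, fwd = snoop("Te1/0/1", client, build_dhcp(BOOTREQUEST, DISCOVER, client))
    print("DISCOVER from Te1/0/1:", verdict, parse_dhcp(fwd)["options"].keys())
    echoed = parse_dhcp(fwd)["options"][OPT_AGENT_INFO]
    offer = build_dhcp(BOOTREPLY, OFFER, client, yiaddr="10.101.1.1", siaddr="10.0.0.4",
                       extra_options=bytes([OPT_AGENT_INFO, len(echoed)]) + echoed)
    print("OFFER from Te1/0/24:", snoop("Te1/0/24", b"\xaa" * 6, offer)[0])
    print("OFFER from Te1/0/1: ", snoop("Te1/0/1", b"\xaa" * 6, offer))
```

Run as written, the model forwards the DISCOVER with Option 82 inserted and forwards the OFFER that arrives on the trusted Te1/0/24, which matches the debug output Craig describes: none of the documented drop rules fires for an OFFER on a trusted port, so a packet that still never egresses is being lost somewhere the snooping filter logic does not explain.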
01-27-2017 02:29 PM
Hello,
the config looks good actually. What is the output of:
show ip dhcp snooping binding
01-27-2017 02:54 PM
The output of this command is always empty. No binding entries, unlike on the other switches I have that have an entry for each client.
I suspect this is because the OFFER gets dropped, no REQUEST or ACK ever occur, so the binding is never set up.
Craig
01-27-2017 11:46 PM
Hello,
I checked the Feature Navigator, and strangely enough, 3.7.4E is not listed at all for DHCP Snooping. 3.7.0E, 3.7.1E, and 3.7.2E are (LAN Base).
You might just want to try one of these versions...
01-27-2017 10:09 PM
So I ran across this thread,
https://lists.gt.net/cisco/nsp/194463
The final post points to a bug that recommends moving from lanbase to ipbase. That's very unfortunate, as it would be a major headache for me to get an upgrade license. Any chance Cisco would provide me one free of charge, since their software is broken, and what I paid for should work?
01-27-2017 03:11 PM
Hello
interface Vlan1
ip address 192.168.25.254 255.255.255.0
ip default-gateway 192.168.25.1
sa: 10.1.7.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.101.1.1, DHCP siaddr: 10.0.0.4
I don't see any relay address. How is this switch attached to this server?
res
Paul
01-27-2017 03:26 PM
The DHCP server is connected to te1/0/24. However, the server has multiple IP addresses on that interface. Two of them are 192.168.25.2/24 and 10.1.7.1/8. The 10.0.0.4 address in the OFFER is the "next-server" address for the PXE client booting from te1/0/1. The DHCP server is bound to 10.1.7.1.
I'm not using relay. Both interfaces in this example are connected directly to hosts. One a PXE boot client, and the other a DHCP server.
Craig
01-28-2017 02:48 AM
Hello
Can you try the following:
no ip dhcp snooping information option format remote-id hostname
default int rang gig1/0/1 , gig1/0/24
int rang gig1/0/1 , gig1/0/24
switchport host
spanning-tree port type edge
no shut
int gig1/0/24
ip dhcp snooping trust
res
Paul