01-18-2010 03:21 AM - edited 03-06-2019 09:19 AM
Dear All
We are facing a weird issue while trying to configure DHCP snooping.
Users are unable to get/renew IP Addresses after enabling DHCP snooping.
The DHCP Snooping binding table is always empty.
The configuration is pretty simple
ip dhcp snooping vlan 101,104
no ip dhcp snooping information option
ip dhcp snooping
All ports connected to DHCP servers and uplinks set as trusted.
Switch Version: c3560-ipservices-mz.122-35.SE5
I tried the same configuration with another 3560 Switch running an older version with no issues at all.
This is the error we see on all the trusted ports, any ideas why this is happenning:
Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 fo
r pak. Was not set
Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. W
as Gi0/49
Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 fo
r pak. Was not set
Some more details about the setup:
Users are connected to 6 3560 access-layer switches. Even tough they are L3-capable switches, they are running in L2 mode. The switches uplink to a 6500 Series Core Switch.
There is an FWSM Module on the core switch which acts as the DHCP relay agent for all the user requests. The DHCP servers (Microsoft) are in a dedicated servers VLAN connected to the core switch.
Regards
Farrukh
Message was edited by: Farrukh Haroon
Solved! Go to Solution.
01-27-2010 12:32 AM
Hello Farrukh,
Depending on the setup / network topo it could normal.Does it actually causing any issues?
Both messages are related to vlan 2.
Do you actualy have DHCP server in this VLAN? Do you have ip helper-address set on int vlan2 for this switch?
What message means is that the dest mac ffff.ffff.ffff is not
in the MAT table as it is the broadcast address.
The packet is flooded into the Vlan2, which is what you expect for a broadcast packet.
The first packets is DHCPRequest from client connected to vlan2, Gi0/49:
-----
DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (2)
DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST,
input interface: Gi0/49, MAC da: ffff.ffff.ffff, MAC sa:
0018.de0e.ee28, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr:
-----
So if you do not have DHCP relay setup on this switch in vlan2 this is normal -
This indicates that the switch just flooded
the DHCP discover packet in vlan 2.
For the second one, which comes on Gi0/25:
This is DHCPINFORM comes as l2/l3 broadcast
from some client w alreay assigned IP (mac=000f.fe95.7115, IP=10.1.1.60) in vlan2.
---
The server responds to a DHCPINFORM message by sending a DHCPACK message directly to the address given in the 'ciaddr' field of the DHCPINFORM message. The server MUST NOT send a lease expiration time to the client and SHOULD NOT fill in 'yiaddr'. The server includes other parameters in the DHCPACK message as defined in section 4.3.1.
---
Again it just gets flooded in vlan 2.
But the message from the client was come on DHCP trusted snooping port,
which suppose to lead to the DHCP server (which should not lead to any client normally).
So it will not be added in binding table.
-----
DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input
interface: Gi0/25, MAC da: ffff.ffff.ffff, MAC sa: 000f.fe95.7115, IP
da: 255.255.255.255, IP sa: 10.1.1.60, DHCP ciaddr: 10.1.1.60, DHCP
yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP
chaddr: 000f.fe95.7115
DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (2)
----
Thanks,
Sergey
01-26-2010 06:27 AM
Hello Farrukh,
It could be a hit of bugs like:
CSCsi94450 DHCP snooping : broadcast requests are not sent over the trusted port
and/or
CSCsd65833 CAT4500: dhcp snooping bindings out of sync:IP_SOURCE_GUARD_DENY_PACK
If possible you migth try to consider an upgrade to releases above 12.2(44)SE.
Regards,
Sergey
01-26-2010 12:51 PM
Hello
Thank you for your reply. We actually upgraded to 12.2(50)SE3 already. The DHCP snooping binding table is populated now. But we still see the following errors on some switches:
DHCP_SNOOPING: bridge a BOOTP packet or an unknown msg type dhcp packet, op code = 1
DHCP_SNOOPING: intercepted DHCPACK with no DHCPOPT_LEASE_TIME option field, packet is still forwarded but no snooping binding update is performed.
DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (2)
DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Gi0/49, MAC da: ffff.ffff.ffff, MAC sa: 0018.de0e.ee28, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0
----------------
DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/25 for pak. Was not set
DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/25)
DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Gi0/25, MAC da: ffff.ffff.ffff, MAC sa: 000f.fe95.7115, IP da: 255.255.255.255, IP sa: 10.1.1.60, DHCP ciaddr: 10.1.1.60, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 000f.fe95.7115
DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (2)
DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/25 for pak. Was not set
DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/25
! Gig 0/25 is a 'trusted' uplink port
-------
Regards
Farrukh
01-27-2010 12:32 AM
Hello Farrukh,
Depending on the setup / network topo it could normal.Does it actually causing any issues?
Both messages are related to vlan 2.
Do you actualy have DHCP server in this VLAN? Do you have ip helper-address set on int vlan2 for this switch?
What message means is that the dest mac ffff.ffff.ffff is not
in the MAT table as it is the broadcast address.
The packet is flooded into the Vlan2, which is what you expect for a broadcast packet.
The first packets is DHCPRequest from client connected to vlan2, Gi0/49:
-----
DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (2)
DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST,
input interface: Gi0/49, MAC da: ffff.ffff.ffff, MAC sa:
0018.de0e.ee28, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr:
-----
So if you do not have DHCP relay setup on this switch in vlan2 this is normal -
This indicates that the switch just flooded
the DHCP discover packet in vlan 2.
For the second one, which comes on Gi0/25:
This is DHCPINFORM comes as l2/l3 broadcast
from some client w alreay assigned IP (mac=000f.fe95.7115, IP=10.1.1.60) in vlan2.
---
The server responds to a DHCPINFORM message by sending a DHCPACK message directly to the address given in the 'ciaddr' field of the DHCPINFORM message. The server MUST NOT send a lease expiration time to the client and SHOULD NOT fill in 'yiaddr'. The server includes other parameters in the DHCPACK message as defined in section 4.3.1.
---
Again it just gets flooded in vlan 2.
But the message from the client was come on DHCP trusted snooping port,
which suppose to lead to the DHCP server (which should not lead to any client normally).
So it will not be added in binding table.
-----
DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input
interface: Gi0/25, MAC da: ffff.ffff.ffff, MAC sa: 000f.fe95.7115, IP
da: 255.255.255.255, IP sa: 10.1.1.60, DHCP ciaddr: 10.1.1.60, DHCP
yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP
chaddr: 000f.fe95.7115
DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (2)
----
Thanks,
Sergey
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide