06-22-2014 11:44 PM - edited 03-07-2019 07:48 PM
We have a 3560G (IP Base 15.0.2.SE4) as core and 2960s on access.
We enabled DHCP snooping on all switches, with uplinks on the 2960s and links to DHCP servers on the 3560 configured as "trusted". All worked fine.
Then we enabled link aggregation (two gigs between the 3560 and each of the 2960s) and our users stopped receiving IP addresses. We tried all types of link aggregation (pagp, lacp, etherchannel) with no result. We disabled DHCP snooping on the 3560 and users received their IP addresses.
Does DHCP snooping work through aggregated links?
06-23-2014 02:09 AM
Hello
Have you trusted the port-channel also?
res
Paul
06-23-2014 02:12 AM
Of course. On access uplink.
06-23-2014 02:24 AM
Hello
When you say access uplink, do you mean the physical interfaces, the logical interface of the port-channel, or both?
res
Paul
06-23-2014 02:28 AM
I mean the port-channel interface of the 2960.
#sh run int po1
Building configuration...
Current configuration : 78 bytes
!
interface Port-channel1
switchport mode trunk
ip dhcp snooping trust
end
#sh run int gi0/1
Building configuration...
Current configuration : 108 bytes
!
interface GigabitEthernet0/1
switchport mode trunk
channel-group 1 mode on
ip dhcp snooping trust
end
06-23-2014 02:44 AM
Hello
As long as interfaces are trusted the snooping database does nothing else but listen on the untrusted ports and snoop the IPs & MACs.
Also the snooping D/B will not be populated with existing clients; it will populate the next time DHCP renews.
So to confirm -
3560 - dhcp server(s) located ( dhcp snooping + vlan enabled -Access port and aggregation links to 2960 trusted )
2960 - dhcp snooping + vlan enabled ( aggregation links to 3560 trusted)
res
Paul
06-23-2014 02:54 AM
No, downlinks from the 3560 to the 2960s aren't trusted because there are no DHCP servers on the 2960s. When the downlinks are just two gigs without port-channel, all works fine.
#sh run int gi0/51
Building configuration...
Current configuration : 152 bytes
!
interface GigabitEthernet0/51
description downlink-to-2960-01
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 7 mode on
end
1#sh run int po7
Building configuration...
Current configuration : 92 bytes
!
interface Port-channel7
switchport trunk encapsulation dot1q
switchport mode trunk
end
#sh run int gi0/3
Building configuration...
Current configuration : 185 bytes
!
interface GigabitEthernet0/3
description DHCP server
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
end
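An added example, not part of any post in this thread and not Cisco tooling: a Python check for the question Paul raises above, whether `ip dhcp snooping trust` is set the same way on each Port-channel and on its member ports. The 2960 and 3560 stanzas are taken from the outputs posted above, trimmed to the relevant lines; the `MISMATCH` sample and the function names are constructed for illustration.

```python
import re

# Stanzas from the outputs posted in this thread, trimmed to relevant lines.
ACCESS_2960 = """interface Port-channel1
switchport mode trunk
ip dhcp snooping trust
end
interface GigabitEthernet0/1
switchport mode trunk
channel-group 1 mode on
ip dhcp snooping trust
end"""
CORE_3560 = """interface GigabitEthernet0/51
channel-group 7 mode on
end
interface Port-channel7
switchport mode trunk
end
interface GigabitEthernet0/3
ip dhcp snooping trust
end"""
# Constructed sample (not from the thread): trust on the member only.
MISMATCH = """interface Port-channel9
end
interface GigabitEthernet0/9
channel-group 9 mode on
ip dhcp snooping trust
end"""

def parse_interfaces(text):
    """Map interface name -> {"trust": bool, "group": int or None}."""
    found, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = found.setdefault(m.group(1), {"trust": False, "group": None})
        elif line == "end":
            cur = None
        elif cur is not None:
            if line == "ip dhcp snooping trust":
                cur["trust"] = True
            elif g := re.match(r"channel-group (\d+) mode \S+$", line):
                cur["group"] = int(g.group(1))
    return found

def audit_bundles(found):
    """For each Port-channel, compare its trust flag with its members'."""
    report = {}
    for name, cfg in found.items():
        if m := re.match(r"Port-channel(\d+)$", name):
            members = {n: c["trust"] for n, c in found.items() if c["group"] == int(m.group(1))}
            report[name] = {"trust": cfg["trust"], "members": members,
                            "consistent": all(t == cfg["trust"] for t in members.values())}
    return report
```

Run `audit_bundles(parse_interfaces(...))` once per switch, since Port-channel numbers are local to each device.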
06-23-2014 06:41 AM
Hey,
Have you tried collecting packet captures on the port-channel and checking the DHCP (DORA) process? Also check the logs on both boxes for any syslog related to snooping.
HTH.
Regards,
RS
10-29-2014 06:57 AM
I experience the same issue. It seems to be related to the software version of 15.0(2)SE4.
With ip dhcp snooping enabled it seems that if the packet is coming in via a port-channel, then requests and informs are seen entering the switch and are forwarded. (I see them on the next switch too.) Discovers enter the switch, but don't seem to be forwarded. (I don't see them anymore on the next switch.)