dhcp snooping opt82 problem

stavros
Level 1

Hello,

We have set up dhcp snooping with option 82 insertion to authenticate clients based on their vlan-id. Requests on certain random vlans seem to work ok, but for other vlans the switch thinks that the opt82 data is not local. This seems wrong as the opt82 dump according to the switch for both the insertion and DHCPOFFER (from the dhcp server) are identical. (The opt82 "remote-id" mac address matches the switch mac address.)

If the client has the ip address set statically they have network access ok. So it's just something with the dhcp...

Is this an IOS bug? Maybe someone can clear this up here...

IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA14, RELEASE SOFTWARE (fc1)

debug on switch

Nov 23 17:26:35.553 ACDT: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/10)
Nov 23 17:26:35.553 ACDT: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER
Nov 23 17:26:35.553 ACDT: DHCP_SNOOPING: add relay information option.
Nov 23 17:26:35.557 ACDT: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format
Nov 23 17:26:35.557 ACDT: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x8D 0x0 0x9 0x2 0x8 0x0 0x6 0x0 0x16 0x9D 0x5 0xB9 0x80
Nov 23 17:26:35.557 ACDT: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (141)
Nov 23 17:26:35.561 ACDT: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/3.
Nov 23 17:26:36.705 ACDT: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/3)
Nov 23 17:26:36.705 ACDT: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER
Nov 23 17:26:36.705 ACDT: DHCP_SNOOPING: binary dump of option 82, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x8D 0x0 0x9 0x2 0x8 0x0 0x6 0x0 0x16 0x9D 0x5 0xB9 0x80
Nov 23 17:26:36.709 ACDT: DHCP_SNOOPING: binary dump of extracted circuit id, length: 8 data:
0x1 0x6 0x0 0x4 0x0 0x8D 0x0 0x9
Nov 23 17:26:36.709 ACDT: DHCP_SNOOPING: binary dump of extracted remote id, length: 10 data:
0x2 0x8 0x0 0x6 0x0 0x16 0x9D 0x5 0xB9 0x80
Nov 23 17:26:36.709 ACDT: DHCP_SNOOPING_SW: opt82 data indicates not a local packet
Nov 23 17:26:36.713 ACDT: DHCP_SNOOPING: can't parse option 82 data of the message,it is either in wrong format or not inserted by local switch
Nov 23 17:26:36.713 ACDT: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
Nov 23 17:26:36.713 ACDT: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 001e.ec2f.0011
Nov 23 17:26:36.713 ACDT: DHCP_SNOOPING: can't find output interface for dhcp reply. the message is dropped.

Relevant Config:
ip dhcp snooping vlan 100 400
ip dhcp snooping vlan 2006
ip dhcp snooping

!

interface FastEthernet0/3
description dhcp srv RTR trunk
switchport mode trunk
ip dhcp snooping trust
!
!
interface FastEthernet0/9
description ---PBN_OLTM_Slot_7---
switchport trunk allowed vlan 100-400,2006
switchport mode trunk
speed 100
duplex full
!
interface FastEthernet0/10
description ---PBN_OLTM_Slot_8---
switchport trunk allowed vlan 100-400,2006
switchport mode trunk
speed 100
duplex full
!

switch#sh mac address-table | in 80

All 0016.9d05.b980 STATIC CPU

switch#sh ip dhcp snoo bin
Option 82 on untrusted port is not allowed
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------- ---- --------------------
00:15:F2:A5:48:F3 x.x.59.156 1794 dynamic 105 FastEthernet0/9
00:60:64:3D:FC:92 x.x.59.152 1198 dynamic 111 FastEthernet0/9
00:60:64:3D:FA:DF x.x.59.131 1736 dynamic 104 FastEthernet0/9
00:60:64:19:D8:C5 x.x.59.133 1246 dynamic 103 FastEthernet0/9
00:15:58:7A:8F:2E x.x.59.139 1120 dynamic 109 FastEthernet0/9
00:60:64:3D:FC:90 x.x.59.132 1216 dynamic 102 FastEthernet0/9
00:60:64:3D:FE:B1 x.x.59.137 1223 dynamic 106 FastEthernet0/9


switch#sh ip dhcp sn
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100-400,2006
Insertion of option 82 is enabled
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/3 yes unlimited

switch#sh int fa0/10
FastEthernet0/10 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0016.9d05.b98a (bia 0016.9d05.b98a)
Description: ---PBN_OLTM_Slot_8---
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 100BaseTX
input flow-control is unsupported output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 3000 bits/sec, 3 packets/sec
61698 packets input, 10771359 bytes, 0 no buffer
Received 2112 broadcasts (1394 multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1394 multicast, 0 pause input
0 input packets with dribble condition detected
108651 packets output, 98533566 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
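To make the two binary dumps in the debug above readable, here is a small decoder for the option 82 blob, written as an added example for this thread (it is not code from the original post or from Cisco). It assumes the RFC 3046 suboption layout (1 = circuit-id, 2 = remote-id) and the Cisco default encodings the debug names: circuit-id in "vlan-mod-port" format (type 0, length 4, 2-byte VLAN, 1-byte module, 1-byte port) and remote-id as the switch base MAC (type 0, length 6). The hex string is copied from the post; the helper names are this example's own.

```python
"""Decode a DHCP option 82 (relay agent information) blob as printed by
`debug ip dhcp snooping` on Cisco IOS.

Added example, not from the original post. Assumptions: RFC 3046
suboptions 1 (circuit-id) and 2 (remote-id), Cisco vlan-mod-port
circuit-id encoding and MAC-address remote-id encoding.
"""

# Dump copied from the post's debug output (both the inserted and the
# returned blob were printed identically, length 20).
DUMP = ("0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x8D 0x0 0x9 "
        "0x2 0x8 0x0 0x6 0x0 0x16 0x9D 0x5 0xB9 0x80")


def dump_to_bytes(text):
    """Turn the space-separated '0x..' tokens of the IOS dump into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def decode_circuit_id(data):
    """Cisco vlan-mod-port: type 0, length 4, vlan(2) module(1) port(1)."""
    if len(data) != 6 or data[0] != 0 or data[1] != 4:
        return {"raw": data.hex()}          # some other vendor/format
    return {"vlan": int.from_bytes(data[2:4], "big"),
            "module": data[4], "port": data[5]}


def decode_remote_id(data):
    """Cisco default remote-id: type 0, length 6, switch base MAC."""
    if len(data) != 8 or data[0] != 0 or data[1] != 6:
        return {"raw": data.hex()}
    return {"mac": ":".join(f"{b:02x}" for b in data[2:8])}


def parse_option82(blob):
    """Parse a blob that starts with the option code 82 and its length.

    Raises ValueError on a length mismatch or truncated suboption, which is
    the 'wrong format' case the switch complains about in the debug.
    """
    if len(blob) < 2 or blob[0] != 82:
        raise ValueError("not an option 82 blob")
    if blob[1] != len(blob) - 2:
        raise ValueError(f"option length {blob[1]} != payload {len(blob) - 2}")
    payload = blob[2:]
    result, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated suboption header")
        subtype, sublen = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + sublen]
        if len(data) != sublen:
            raise ValueError(f"truncated suboption {subtype}")
        if subtype == 1:
            result["circuit_id"] = decode_circuit_id(data)
        elif subtype == 2:
            result["remote_id"] = decode_remote_id(data)
        else:
            result[f"suboption_{subtype}"] = data.hex()
        i += 2 + sublen
    return result


def remote_id_is_local(decoded, switch_mac):
    """Compare the remote-id MAC with a MAC in Cisco 'xxxx.xxxx.xxxx' form."""
    want = switch_mac.replace(".", "").replace(":", "").lower()
    got = decoded.get("remote_id", {}).get("mac", "").replace(":", "")
    return bool(got) and got == want


if __name__ == "__main__":
    decoded = parse_option82(dump_to_bytes(DUMP))
    print(decoded)
    # MAC of the CPU entry from `sh mac address-table` in the post.
    print("remote-id is this switch:", remote_id_is_local(decoded, "0016.9d05.b980"))
```

On the post's dump this decodes to a circuit-id of VLAN 141, module 0, port 9 and a remote-id of 00:16:9d:05:b9:80, which is the CPU MAC in the `sh mac address-table` output above. Because the inserted and returned blobs are byte-identical and well-formed, a parser alone cannot account for the "not a local packet" message; the VLAN field agrees with the ingress VLAN the debug reports (141), so the remaining fields to compare are module and port against the ingress interface (FastEthernet0/10 here), bearing in mind that how a platform numbers ports in the circuit-id is not guaranteed to match the interface name one-to-one.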


Peter Paluch
Cisco Employee

Hi Stavros,

This is very strange. Does this problem appear randomly, or is it 100% reproducible for clients on a particular VLAN?

Also, is it by any means possible that the DHCPOFFER message arrives on a different VLAN than on which the DISCOVER was received?

Best regards,

Peter
