DHCP snooping with port-security

glogloglik, Level 1

Hello,

We are trying to configure our 2960 (C2960-LANBASEK9-M, Version 12.2(50)SE4) with DHCP snooping on the user ports; the configuration on the ASW is:

ip dhcp snooping 
ip dhcp snooping vlan 2,3
ip dhcp snooping information option allow-untrusted

interfaces which connect users:

interface FastEthernet0/2
  switchport access vlan 2
  switchport mode access
  switchport port-security maximum 4
  switchport port-security
  authentication event fail action authorize vlan 3
  authentication event no-response action authorize vlan 3
  authentication port-control auto
  dot1x pae authenticator

Plus the trunk port is set as a trusted port.

I am not using any routing; the DHCP server is connected via the VLAN all the way to the access switches (for both VLANs), so I believe the information option allow-untrusted is unnecessary. But it does not work either way.

Debug:

 %AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.xxxx.xxxx) on Interface Fa0/2
 DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/2 for pak. Was not set
 DHCPSNOOP(hlfm_packet_filter_or_learn): packet with mac xxxx.xxxx.xxxx vlan 2 on interface Fa0/2 is not known by port security, dropped
 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
 DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa0/2 for pak. Was not set
 DHCPSNOOP(hlfm_packet_filter_or_learn): packet with mac xxxx.xxxx.xxxx vlan 2 on interface Fa0/2 is not known by port security, dropped

And the DHCPSNOOP messages repeat over and over, and that is all.

However, when I set switchport port-security mac-address sticky or turn port-security off altogether, it works just as expected. I really do not know what the issue is, because I have seen it work with port-security before.
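For reference, this is what a hardened version of the ASW configuration described above looks like, as an added example that is not the original poster's configuration. It assumes GigabitEthernet0/1 is the trunk on the path to the DHCP server, FastEthernet0/2 is a user port, VLANs 2 and 3 are the user VLANs, and the timers and database file name are arbitrary. Two caveats that the original configuration raises: option 82 insertion is on by default and is a separate setting from allow-untrusted, and in a relay-less topology the switch inserts it with giaddr 0.0.0.0, which some DHCP servers reject; and allow-untrusted makes the switch accept packets on untrusted ports that already carry option 82, so it is only justified when a downstream device that inserts option 82 sits behind an untrusted port.

```cisco
! Reference configuration for DHCP snooping with port-security on a Catalyst
! 2960 access switch (added example; not the original poster's config).
! Assumed: Gi0/1 is the trunk toward the DHCP server, Fa0/2 is a user port,
! VLANs 2 and 3 are the user VLANs, timers and file names are arbitrary.

ip dhcp snooping
ip dhcp snooping vlan 2,3
! Option 82 insertion is ON by default. With no relay agent in the path the
! switch inserts it with giaddr 0.0.0.0, which some DHCP servers reject, so
! turn insertion off in a relay-less topology like this one.
no ip dhcp snooping information option
! "allow-untrusted" is deliberately NOT set: it would let a host on an
! untrusted port forge relay (option 82) information.
! Keep the binding table across reloads.
ip dhcp snooping database flash:dhcp-snooping.db

! Let ports come back on their own after a violation or a DHCP flood.
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300

! The only trusted port: the uplink on the path to the DHCP server.
interface GigabitEthernet0/1
 description Uplink toward DHCP server
 switchport mode trunk
 switchport trunk allowed vlan 2,3
 ip dhcp snooping trust

! User port: untrusted (default), rate-limited, port-security in restrict mode.
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security maximum 4
 ! restrict = drop frames from excess MACs and raise syslog/SNMP, no err-disable
 switchport port-security violation restrict
 ! age idle secure MACs so a swapped device does not exhaust the maximum
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 ! a client needs only a handful of DHCP packets; 15 pps stops floods
 ip dhcp snooping limit rate 15
 ! 802.1X lines kept exactly as in the original post
 authentication event fail action authorize vlan 3
 authentication event no-response action authorize vlan 3
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
```

The access port stays untrusted on purpose: trusting it would let a host on that port answer other clients' DHCP requests, which is exactly what snooping is there to prevent.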

Accepted Solution

glogloglik, Level 1

Thanks to everyone who tried to help me; we solved the problem by upgrading the access 2960 switches to version 12.2(55)SE12. Although I did not find any DHCP snooping bugs for our previous version, I guess there is still some problem there. Upgraded, and it worked like it should at the first try!


10 Replies

Hello


@glogloglik wrote:

Hello,

ip dhcp snooping 
ip dhcp snooping vlan 2,3
ip dhcp snooping information option allow-untrusted

I am not using any routing; the DHCP server is connected via the VLAN all the way to the access switches (for both VLANs), so I believe the information option allow-untrusted is unnecessary. But it does not work either way.

So how are the two VLANs communicating? You need L3 reachability from both VLANs if your DHCP server is residing on either of the other VLANs.

What make/model are the switches?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Sorry, the VLANs are routable from the same server, which is running as the DHCP server. I meant that the DHCP server has an interface in these VLANs and they are allowed via trunks across the infrastructure (it is an old solution we will get rid of). On the way to the DHCP server there are three switches which do not have DHCP snooping enabled on them.
They are WS-C2960-48TT-L, version 12.2(50)SE4, image C2960-LANBASEK9-M.


Hello

So what device is doing the routing? Is it the server or a switch?

Can you post a simple topology of your setup for clarification?

Kind Regards
Paul

Please see the attachment. I hope it is sufficient.

Hello

So what device is doing the routing: router/switch or server?

If it is a router or switch, please post its configuration if applicable.

Also, just to confirm: you are not receiving any DHCP allocation for hosts attached to the end-host switch, correct?

Is IP routing disabled on all downstream switches?

Kind Regards
Paul

Hello, 

The routing for these VLANs is done by the Linux router at the top. The Cisco switch underneath is routing for OTHER VLANs, but these two only pass through the switch via trunks (these two VLANs are the only part of the old infrastructure we will get rid of). Only the Linux router has an interface in these VLANs and lets them communicate with each other and with the Internet. We use no DHCP relay agents for these VLANs on the switches between the ASW and the DHCP server.

The ASW at the bottom is the one users are connected to, and it is the only switch with DHCP snooping enabled.

When I enable DHCP snooping with port-security I can see no DHCPREQUESTs arriving at that Linux router. When I disable port-security I can suddenly see the whole process of a user obtaining an IP address.

Hello

I assume you have trusted the uplink(s) on the access switch that has snooping activated. Does this work without any dot1x applied to the ports?

On the access switch, can you enable a debug for DHCP and post the results? Also append the below commands and test again.

ip dhcp relay information option
no ip dhcp relay information check

Can you run the below commands and post the results on a failure of DHCP allocation.

debug ip dhcp server packet
debug ip dhcp server events
debug ip udp

Kind Regards
Paul
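The checks a practitioner would run on the access switch to localize where the exchange is being dropped, as an added example that is not part of Paul's reply or the original post. The interface name and the remarks about expected output are assumptions based on the thread. One caveat on the debugs suggested above: debug ip dhcp server ... traces the IOS DHCP server process, which only produces output on a device configured as a DHCP server, whereas the snooping-side view of each packet on the ASW comes from debug ip dhcp snooping.

```cisco
! Verification and debug sequence for the access switch (ASW) that has
! DHCP snooping enabled. Added example, not from the original post;
! FastEthernet0/2 and the expected-output notes are assumptions.

! 1. Snooping is on for the user VLANs and ONLY the uplink is trusted.
show ip dhcp snooping
! Expect: "Switch DHCP snooping is enabled", VLANs 2-3 listed, the trunk
! with Trusted = yes, and Fa0/2 either absent or Trusted = no.

! 2. A binding appears only after the switch has seen the DHCPACK. An empty
!    table while the client keeps sending DISCOVERs means the exchange is
!    cut off before the server's reply reaches the port.
show ip dhcp snooping binding
show ip dhcp snooping statistics

! 3. Port-security view of the same port: is the client MAC actually learned
!    as a secure address, and is the count below "Maximum MAC Addresses"?
show port-security interface FastEthernet0/2
show port-security address | include Fa0/2

! 4. 802.1X: with port-control auto the port forwards DHCP only once the
!    session reaches Authz Success (the AUTHMGR-5-SUCCESS syslog line).
show authentication sessions interface FastEthernet0/2

! 5. Live trace of what snooping decides for each packet on the port.
terminal monitor
debug ip dhcp snooping event
debug ip dhcp snooping packet
! ... reproduce the failure from the client, then stop:
undebug all

! 6. Isolate the interaction: flush the secure MACs on the port and retry,
!    then retry with port-security removed and with dot1x removed, one
!    change at a time, so the failing combination is unambiguous.
clear port-security all interface FastEthernet0/2
```

Run step 6 one change at a time; toggling port-security and dot1x together, as the original post effectively did, cannot tell you which of the two features is interacting with snooping.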

Port-security is local (MAC address) on the switch, but you are also using dot1x authentication on this port.

Because of this you need a pre-auth ACL for DHCP packets to be forwarded, either pushed by the authentication server for ports that are not yet authenticated, or as a default ACL on the port.

Check the port-security function with dot1x disabled first.

OK, thank you, I will do that on Sunday; right now we have disabled DHCP snooping so users can use the Internet.
