07-31-2014 06:15 AM - edited 03-07-2019 08:13 PM
We have a 3750x with an Etherchannel connection to a Debian server and a single diskless client. The server is supplying DHCP, iSCSI and other services to support the diskless Windows 7 client. The fact that the client is diskless may be a red herring.
We have configured DHCP snooping and ARP inspection to prevent unwanted connections to the network. Everything appears to work correctly with the client booting OK and the DHCP snooping proving the required security.
Unfortunately, after a few minutes the DHCP binding table (which was originally correct) changes to show an IP address of 0.0.0.0 Shortly thereafter we get ARP inspection errors and no more packets are routed to the client which, without its iSCSI disk locks up and then re-boots.
DHCP snooping errors are shown below.
Can anyone suggest what we may be doing wrong?
Thanks,
Richard Simpson
*Mar 6 20:57:58.439: DHCP_SNOOPING: process new DHCP packet, message type: DHCP
INFORM, input interface: Gi1/0/22, MAC da: ffff.ffff.ffff, MAC sa: d067.e550.50d
e, IP da: 255.255.255.255, IP sa: 192.168.10.90, DHCP ciaddr: 192.168.10.90, DHC
P yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: d067
.e550.50de
*Mar 6 20:57:58.448: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFF
F.FFFF.FFFF, packet is flooded to ingress VLAN: (11)
*Mar 6 20:57:58.448: DHCP_SNOOPING: process new DHCP packet, message type: DHCP
ACK, input interface: Po5, MAC da: d067.e550.50de, MAC sa: c81f.66c7.ccdb, IP da
: 192.168.10.90, IP sa: 192.168.10.1, DHCP ciaddr: 192.168.10.90, DHCP yiaddr: 0
.0.0.0, DHCP siaddr: 192.168.10.1, DHCP giaddr: 0.0.0.0, DHCP chaddr: d067.e550.
50de
*Mar 6 20:57:58.448: DHCP_SNOOPING: direct forward dhcp replyto output port: Gi
gabitEthernet1/0/22.
MainSwitch#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- ----------
----------
D0:67:E5:50:50:DE 0.0.0.0 86251 dhcp-snooping 11 GigabitEt
hernet1/0/22
Total number of bindings: 1
*Mar 6 21:55:48.043: DHCP_SNOOPING: process new DHCP packet, message type: DHCP
INFORM, input interface: Gi1/0/22, MAC da: ffff.ffff.ffff, MAC sa: d067.e550.50d
e, IP da: 255.255.255.255, IP sa: 192.168.10.90, DHCP ciaddr: 192.168.10.90, DHC
P yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: d067
.e550.50de
*Mar 6 21:55:48.052: DHCP_SNOOPING: add relay information option.
*Mar 6 21:55:48.052: DHCP_SNOOPING: binary dump of relay info option, length: 2
0 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x16 0x2 0x8 0x0 0x6 0x10 0x5 0xCA 0xDE 0x
C3 0x0
*Mar 6 21:55:48.052: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFF
F.FFFF.FFFF, packet is flooded to ingress VLAN: (11)
*Mar 6 21:55:48.052: DHCP_SNOOPING: binary dump of option 82, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x16 0x2 0x8 0x0 0x6 0x10 0x5 0xCA 0xDE 0x
C3 0x0
*Mar 6 21:55:48.052: DHCP_SNOOPING: binary dump of extracted circuit id, length
: 8 data:
0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x16
*Mar 6 21:55:48.052: DHCP_SNOOPING: binary dump of extracted remote id, length:
10 data:
0x2 0x8 0x0 0x6 0x10 0x5 0xCA 0xDE 0xC3 0x0
*Mar 6 21:55:48.052: DHCP_SNOOPING: process new DHCP packet, message type: DHCP
ACK, input interface: Po5, MAC da: d067.e550.50de, MAC sa: c81f.66c7.ccdb, IP da
: 192.168.10.90, IP sa: 192.168.10.1, DHCP ciaddr: 192.168.10.90, DHCP yiaddr: 0
.0.0.0, DHCP siaddr: 192.168.10.1, DHCP giaddr: 0.0.0.0, DHCP chaddr: d067.e550.
50de
*Mar 6 21:55:48.052: DHCP_SNOOPING: remove relay information option.
*Mar 6 21:55:48.052: DHCP_SNOOPING: direct forward dhcp replyto output port: Gi
gabitEthernet1/0/22.
MainSwitch#
MainSwitch#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- ----------
----------
D0:67:E5:50:50:DE 0.0.0.0 84819 dhcp-snooping 11 GigabitEt
hernet1/0/22
Total number of bindings: 1
*Mar 6 22:15:06.904: DHCP_SNOOPING: process new DHCP packet, message type: DHCP
INFORM, input interface: Gi1/0/22, MAC da: ffff.ffff.ffff, MAC sa: d067.e550.50d
e, IP da: 255.255.255.255, IP sa: 192.168.10.90, DHCP ciaddr: 192.168.10.90, DHC
P yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: d067
.e550.50de
*Mar 6 22:15:06.904: DHCP_SNOOPING: add relay information option.
*Mar 6 22:15:06.904: DHCP_SNOOPING: binary dump of relay info option, length: 2
0 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x16 0x2 0x8 0x0 0x6 0x10 0x5 0xCA 0xDE 0x
C3 0x0
*Mar 6 22:15:06.904: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFF
F.FFFF.FFFF, packet is flooded to ingress VLAN: (11)
*Mar 6 22:15:06.913: DHCP_SNOOPING: binary dump of option 82, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x16 0x2 0x8 0x0 0x6 0x10 0x5 0xCA 0xDE 0x
C3 0x0
*Mar 6 22:15:06.913: DHCP_SNOOPING: binary dump of extracted circuit id, length
: 8 data:
0x1 0x6 0x0 0x4 0x0 0xB 0x1 0x16
*Mar 6 22:15:06.913: DHCP_SNOOPING: binary dump of extracted remote id, length:
10 data:
0x2 0x8 0x0 0x6 0x10 0x5 0xCA 0xDE 0xC3 0x0
*Mar 6 22:15:06.913: DHCP_SNOOPING: process new DHCP packet, message type: DHCP
ACK, input interface: Po5, MAC da: d067.e550.50de, MAC sa: c81f.66c7.ccdb, IP da
: 192.168.10.90, IP sa: 192.168.10.1, DHCP ciaddr: 192.168.10.90, DHCP yiaddr: 0
.0.0.0, DHCP siaddr: 192.168.10.1, DHCP giaddr: 0.0.0.0, DHCP chaddr: d067.e550.
50de
*Mar 6 22:15:06.913: DHCP_SNOOPING: remove relay information option.
*Mar 6 22:15:06.913: DHCP_SNOOPING: direct forward dhcp replyto output port: Gi
gabitEthernet1/0/22.show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- ----------
----------
D0:67:E5:50:50:DE 0.0.0.0 86286 dhcp-snooping 11 GigabitEt
hernet1/0/22
Total number of bindings: 1
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide