ip dhcp snooping, was working before changing the relay agent.

Garry Cross
Level 1

So we have a customer who is migrating to Cisco from Avaya. The new Cisco core L3, 3650. New Access is 2960X. Migration scenario. Connect 3650 core to Avaya Core (L3). All L3 SVI interfaces on 3650 except management are shut down. Install new access switches, connect to Cisco core and move users to new access. Customer had a rogue DHCP server on their network, discovered when we moved that particular port to its proper VLAN. So I thought OK, let's configure DHCP snooping on the access switches. So for now the path from client to server is 2960X(po1)-3650(po60)-Avaya 5520-ISP router-MPLS-DHCP SERVER. The Avaya 5520 being the relay agent. All working great.

ip dhcp snooping vlan 1-250
ip dhcp snooping
interface Port-channel1
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode passive
 ip dhcp snooping trust
!
Core 3650 has defaults when it comes to snooping. In other words, snooping is disabled, no snooping config whatsoever. DHCP relay has the following on all the SVIs.

interface Vlan50
 description DataVLAN50
 ip address 172.30.50.1 255.255.255.0
 ip helper-address 10.240.8.20
 ip helper-address 10.240.96.24
end

When we shut down the Avaya Core and enabled the SVIs on the Cisco, clients were no longer able to get DHCP. We had to disable snooping on all the access switches. So there must be something that the 3650 is doing that the 5520 was not doing. Perhaps with the option 82 info that the access switches are adding to the requests. I have seen many posts regarding this and proper configuration or not. At this point I am thinking to set this up in a test environment on the customer's network with a spare switch and test SVI to troubleshoot this. Looking for ideas on a resolution.

5 Replies

Hello

Try disabling option 82 relay check

no ip dhcp relay information check

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Did you add the

ip dhcp snooping trust

in the etherchannel interface?

It's there in my original post.

So, no ip dhcp relay information check did not help. Then I tried ip dhcp relay information trust-all in global config mode. That works with or without disabling the information check. I expect that same command on the interfaces facing the access switches would achieve the same result.

I have the debugs from the snooping switch. I should have collected something from the relay switch but did not. The statistics on the snooping switch still show drops but not sure why.

I am going to attach the debugs and show dhcp snooping statistics command.

Hello Gary

So you trusted it instead, which is another way, and this worked, correct?

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
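
Added example, not part of the thread and not Cisco code: a small Python model of the check that makes `ip dhcp relay information trust-all` matter here. It assumes the documented IOS relay default of dropping a DHCP request that carries option 82 while its giaddr field is still 0.0.0.0, which is what a snooping access switch forwards; the packet bytes, MAC and option 82 contents are constructed, and `relay_verdict` and `build_discover` are hypothetical names.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def parse_dhcp(payload):
    """Return (giaddr, {option code: value}) for a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    giaddr = ipaddress.IPv4Address(payload[24:28])  # relay agent address field
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End
        code = payload[i]
        if code == 0:                               # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options[code] = value
        i += 2 + length
    return giaddr, options

def relay_verdict(payload, trusted=False):
    """Model of the relay's default check (an assumption, see the lead-in)."""
    giaddr, options = parse_dhcp(payload)
    if 82 in options and int(giaddr) == 0 and not trusted:
        return "drop"
    return "relay"

# Constructed option 82 value: sub-option 1 (circuit ID) and 2 (remote ID).
SAMPLE_OPT82 = bytes.fromhex("0106000400320105" "020800060200000000aa")

def build_discover(option82=b""):
    """Constructed DHCPDISCOVER as a snooping access switch would forward it."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    hdr += bytes(16)                                       # ciaddr..giaddr = 0.0.0.0
    hdr += bytes.fromhex("020000000001").ljust(16, b"\0")  # chaddr (made up)
    hdr += bytes(192)                                      # sname + file
    opts = b"\x35\x01\x01"                                 # option 53 = DISCOVER
    if option82:
        opts += bytes([82, len(option82)]) + option82
    return hdr + MAGIC + opts + b"\xff"

if __name__ == "__main__":
    pkt = build_discover(SAMPLE_OPT82)
    print(parse_dhcp(pkt)[0], relay_verdict(pkt), relay_verdict(pkt, trusted=True))
```

`trusted=True` stands for the relay being told to accept such packets, globally with `ip dhcp relay information trust-all` or per interface with `ip dhcp relay information trusted`. The other way to avoid the drop while keeping snooping enabled is `no ip dhcp snooping information option` on the access switches, so option 82 is never inserted.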