02-03-2017 07:22 AM - edited 03-08-2019 09:10 AM
So we have a customer who is migrating to Cisco from Avaya. The new Cisco core L3, 3650. New Access is 2960X. Migration scenario. Connect 3650 core to Avaya Core(L3). All L3 SVI interfaces on 3650 except management are shutdown. Install new access switches connect to Cisco core and move users to new access. Customer had a rogue dhcp server on their network discovered when we move that particular port to its proper vlan. So I thought ok, let's configure dhcp snooping on the access switches. So for now the path from client to server is 2960x(po1)-3650(po60)-Avaya 5520-ISP router-MPLS-DHCP SERVER. The Avaya 5520 being the relay agent. All working great.
ip dhcp snooping vlan 1-250
ip dhcp snooping
interface Port-channel1
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode passive
 ip dhcp snooping trust
!
Core 3650 has defaults when it comes to snooping. In other words snooping is disabled, no snooping config whatsoever. dhcp relay has the following on all the SVI's.
interface Vlan50
 description DataVLAN50
 ip address 172.30.50.1 255.255.255.0
 ip helper-address 10.240.8.20
 ip helper-address 10.240.96.24
end
When we shut down the Avaya Core and enabled the SVI's on the Cisco, clients were no longer able to get dhcp. We had to disable snooping on all the access switches. So there must be something that the 3650 is doing that the 5520 was not doing. Perhaps with the option 82 info that the access switches are adding to the requests. I have seen many posts regarding this and proper configuration or not. At this point I am thinking to set this up in a test environment on the customer's network with a spare switch and test SVI to troubleshoot this. Looking for ideas on a resolution.
02-03-2017 07:44 AM
Hello
Try disabling option 82 relay check
no ip dhcp relay information check
res
Paul
02-03-2017 11:14 AM
Did you add the
ip dhcp snooping trust
in the etherchannel interface?
02-03-2017 11:47 AM
It's there in my original post.
02-03-2017 11:46 AM
So, no ip dhcp relay information check did not help. Then I tried ip dhcp relay information trust-all in global config mode. That works with or without disabling the information check. I expect that same command on the interfaces facing the access switches would achieve the same result.
I have the debugs from the snooping switch. I should have collected something from the relay switch but did not. The statistics on the snooping switch still show drops but not sure why.
I am going to attach the debugs and show dhcp snooping statistics command.
02-03-2017 12:46 PM
Hello Gary
So you trusted it instead, which is another way, and this worked, correct?
res
Paul
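A minimal model of the relay-side check behind this thread, as an added example that is not part of the original posts or Cisco's code: by Cisco's documented default, an IOS relay agent discards a DHCP request that already carries option 82 while giaddr is 0.0.0.0, which is what a snooping access switch sends upstream. The packet, MAC address and option 82 bytes are constructed, and the `trusted` flag is a stand-in for `ip dhcp relay information trust-all`.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie (RFC 2131)
OPT_RELAY_INFO = 82           # relay agent information option (RFC 3046)
# Constructed option 82 payload: circuit-id (sub-option 1) and remote-id (sub-option 2).
SNOOPED_OPT82 = bytes([1, 6, 0, 4, 0, 50, 1, 5, 2, 8, 0, 6]) + bytes.fromhex("aabbccddeeff")

def build_discover(giaddr="0.0.0.0", option82=None):
    """Build a constructed DHCPDISCOVER; option82 is the raw sub-option payload or None."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4),
                         ipaddress.IPv4Address(giaddr).packed,
                         bytes.fromhex("001122334455"), bytes(64), bytes(128))
    options = bytes([53, 1, 1])  # option 53, message type DISCOVER
    if option82 is not None:
        options += bytes([OPT_RELAY_INFO, len(option82)]) + option82
    return header + MAGIC + options + b"\xff"

def parse(pkt):
    """Return (giaddr, set of option codes) for a BOOTP/DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    giaddr = ipaddress.IPv4Address(pkt[24:28])
    codes, i = set(), 240
    while i < len(pkt) and pkt[i] != 255:  # 255 = end option
        if pkt[i] == 0:                    # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option")
        codes.add(pkt[i])
        i += 2 + pkt[i + 1]
    return giaddr, codes

def relay_accepts(pkt, trusted=False):
    """Model only the giaddr-zero check: option 82 + giaddr 0.0.0.0 is dropped unless trusted."""
    giaddr, codes = parse(pkt)
    untrusted_opt82 = OPT_RELAY_INFO in codes and int(giaddr) == 0 and not trusted
    return not untrusted_opt82

if __name__ == "__main__":
    snooped = build_discover(option82=SNOOPED_OPT82)
    print("plain client request     :", relay_accepts(build_discover()))
    print("snooped, relay default   :", relay_accepts(snooped))
    print("snooped, relay trusts it :", relay_accepts(snooped, trusted=True))
```

`no ip dhcp relay information check` does not change this outcome because it governs validation of option 82 in replies forwarded back from the server, not the request-side drop. The first case corresponds to access switches configured with `no ip dhcp snooping information option`, which stops option 82 insertion altogether.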