12-08-2024 09:24 PM
I am trying to capture an issue with DHCP on an access port on a Cisco C9300-48UN 17.09.04a.
But I am only seeing the client packets (even when DHCP works).
I just see the discover, request and inform of the client.
But when I ping the client, I see both directions echo requests and replies.
Also I see both directions of TCP sessions and also see both directions of UDP like NTP and DNS.
But the interesting thing in this case is DHCP (UDP ports 67 and 68).
Tried it with ACL permit ip any any.
monitor capture mymon interface FiveGigabitEthernet1/0/24 both access-list myacl start
Even when the client is shut down, the switchport is still connected. I can wake up the client with WOL.
I also see the WOL in my capture.
Any suggestions?
Thanks.
12-08-2024 09:33 PM - edited 12-08-2024 09:34 PM
Suggestion for ACL
c9300(config)#ip access-list extended DHCP
c9300(config-ext-nacl)#permit udp any any eq 68
c9300(config-ext-nacl)#permit udp any any eq 67
c9300(config-ext-nacl)#end
c9300#show access-lists DHCP
Extended IP access list DHCP
10 permit udp any any eq bootpc
20 permit udp any any eq bootps
12-08-2024 09:50 PM
Started with the IPs of the DHCP servers, then added UDP, then ICMP, then IP any any...
Extended IP access list myacl
10 permit ip host 192.168.8.56 any
20 permit ip host 192.168.8.57 any
30 permit ip any host 192.168.8.56
40 permit ip any host 192.168.8.57
50 permit udp any any eq bootps
60 permit udp any any eq bootpc
70 permit icmp any any
80 permit ip any any
12-08-2024 09:58 PM
Try applying the capture to a layer 3 interface instead, but I agree it should work.
12-09-2024 12:03 AM
Can I see your monitor config?
Did you use
ingress
both
egress???
The best is to use both
and use an ACL only for UDP bootps/bootpc.
MHM
12-08-2024 09:34 PM
I have experienced this in the past and typically move my capture up stream to the SVI. Captures on the 9k platform are a bit finicky and don’t always show every bit on the wire.
12-09-2024 12:32 AM
By the way, it is the same on another C9300 switch.
And it is also the same when using traditional monitor port and capture to notebook or PC.
monitor session 1 source interface ...
monitor session 1 destination interface ...
I just see the client direction of the DHCP packets.
12-09-2024 12:39 AM
Again, which direction do you use? Ingress, egress or both? Cisco recommends using both.
And are you sure the client gets an IP from the DHCP server? It can be an issue with the server replying to the DHCP request.
MHM
12-09-2024 10:40 AM
Of course I'm using BOTH directions.
And it is not an issue with the server, because I even do not see the server packets, when DHCP is working.
Most of the clients work fine, just an issue with one and I thought I could capture this easily. But of course not with Cisco.
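As an added example (not from this thread, nor Cisco's own tooling), a small Python check for the symptom described above: it decodes raw Ethernet/IPv4/UDP/BOOTP frames, reads the DHCP message type from option 53, and reports whether only BOOTREQUESTs from the client are present with no BOOTREPLY from the server. The sample frames are constructed inline rather than taken from a real capture; for a real pcap the frames would first be read with a pcap library.

```python
import struct
from collections import Counter
# DHCP message types carried in option 53 (RFC 2132)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_dhcp_frame(src_port, dst_port, op, msg_type):
    """Construct a minimal Ethernet/IPv4/UDP/BOOTP frame (sample data, not a real capture)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    payload = bootp + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])  # option 53, then END
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, b"\0" * 4, b"\xff" * 4)
    return b"\xff" * 6 + b"\0" * 6 + b"\x08\x00" + ip + udp

def classify_dhcp(frame):
    """Return (direction, message name) for a DHCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:  # IPv4 + UDP only
        return None
    udp = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    bootp = udp + 8
    if not {sport, dport} <= {67, 68} or frame[bootp + 236:bootp + 240] != MAGIC_COOKIE:
        return None
    direction = {1: "client", 2: "server"}.get(frame[bootp])  # BOOTREQUEST / BOOTREPLY
    msg, i = "UNKNOWN", bootp + 240
    while i < len(frame) and frame[i] != 255:  # walk TLV options until END, looking for option 53
        if frame[i] == 0:
            i += 1
            continue
        if frame[i] == 53:
            msg = MSG_TYPES.get(frame[i + 2], "UNKNOWN")
        i += 2 + frame[i + 1]
    return direction, msg

def summarize(frames):
    """Count DHCP messages per (direction, type); a healthy exchange has entries on both sides."""
    return Counter(c for c in map(classify_dhcp, frames) if c)

def server_side_missing(frames):
    """True when client requests were captured but no BOOTREPLY at all, i.e. the symptom in this thread."""
    counts = summarize(frames)
    return any(d == "client" for d, _ in counts) and not any(d == "server" for d, _ in counts)

if __name__ == "__main__":
    one_sided = [build_dhcp_frame(68, 67, 1, 1), build_dhcp_frame(68, 67, 1, 3), build_dhcp_frame(68, 67, 1, 8)]
    full = one_sided + [build_dhcp_frame(67, 68, 2, 2), build_dhcp_frame(67, 68, 2, 5)]
    print(summarize(one_sided), server_side_missing(one_sided))
    print(summarize(full), server_side_missing(full))
```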
12-09-2024 10:47 AM
I sent you a PM, check it.
MHM