monitor capture C9300 only seeing client DHCP packets

chrismes
Level 1

I am trying to capture an issue with DHCP on an access port on a Cisco C9300-48UN 17.09.04a.
But I am only seeing the client packets (even when DHCP works).
I just see the discover, request, inform of the client.
But when I ping the client, I see both directions echo requests and replies.
Also I see both directions of TCP sessions and also see both directions of UDP like NTP and DNS.
But the interesting thing in this case is DHCP (UDP ports 67 and 68).
Tried it with ACL permit ip any any.
monitor capture mymon interface FiveGigabitEthernet1/0/24 both access-list myacl start
Even when the client is shut down, the switchport is still connected. I can wake up the client with WOL.
I also see the WOL in my capture.
Any suggestions?
Thanks.
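
One way to check whether an exported capture really contains the server side of the exchange is to classify each frame by the BOOTP op byte. This is an added example, not code from the thread: it assumes you already have the raw Ethernet frames in memory (e.g. read from a pcap exported from the switch; pcap file reading is not shown), the sample frames are constructed here, and only the 192.168.8.56 server address is taken from the thread.

```python
import struct
from collections import Counter

BOOTPS, BOOTPC = 67, 68  # server and client UDP ports, as in the ACL in this thread

def classify_frame(frame: bytes):
    """Return 'request', 'reply' or None for one raw, untagged Ethernet frame.

    Only IPv4/UDP frames on ports 67/68 are considered; anything else returns None,
    which mirrors what a bootps/bootpc capture ACL would match.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 (or too short)
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 17 or len(ip) < ihl + 8:  # not IPv4/UDP
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    payload = ip[ihl + 8:]
    if {sport, dport} != {BOOTPS, BOOTPC} or not payload:
        return None
    # BOOTP/DHCP op byte: 1 = BOOTREQUEST (client side), 2 = BOOTREPLY (server side)
    return {1: "request", 2: "reply"}.get(payload[0])

def summarize(frames):
    """Count client requests vs server replies; flag a capture that only has one side."""
    counts = Counter(kind for kind in map(classify_frame, frames) if kind)
    return {"request": counts["request"], "reply": counts["reply"],
            "one_sided": counts["request"] > 0 and counts["reply"] == 0}

def build_frame(src_ip, dst_ip, sport, dport, op):
    """Constructed sample frame (not from the thread): Ethernet/IPv4/UDP + minimal BOOTP header."""
    bootp = bytes([op, 1, 6, 0]) + b"\x00" * 236          # op, htype, hlen, hops, rest zeroed
    udp_len = 8 + len(bootp)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + bootp
    to_bytes = lambda a: bytes(map(int, a.split(".")))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         to_bytes(src_ip), to_bytes(dst_ip))
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip_hdr + udp

if __name__ == "__main__":
    # Client discover only (what the thread describes), then with the server's offer added.
    client_only = [build_frame("0.0.0.0", "255.255.255.255", BOOTPC, BOOTPS, 1)]
    print(summarize(client_only))                      # one_sided: True
    with_reply = client_only + [build_frame("192.168.8.56", "192.168.8.200", BOOTPS, BOOTPC, 2)]
    print(summarize(with_reply))                       # one_sided: False
```

A one_sided result on a capture taken while the client did obtain a lease points at the capture point or direction, not at the DHCP server.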

9 Replies

@chrismes 

Suggestion for ACL

c9300(config)#ip access-list extended DHCP
c9300(config-ext-nacl)#permit udp any any eq 68
c9300(config-ext-nacl)#permit udp any any eq 67
c9300(config-ext-nacl)#end

c9300#show access-lists DHCP
Extended IP access list DHCP
    10 permit udp any any eq bootpc
    20 permit udp any any eq bootps

 

Started with the IPs of the DHCP servers, then added UDP, then ICMP, then IP any any...

Extended IP access list myacl
10 permit ip host 192.168.8.56 any
20 permit ip host 192.168.8.57 any
30 permit ip any host 192.168.8.56
40 permit ip any host 192.168.8.57
50 permit udp any any eq bootps
60 permit udp any any eq bootpc
70 permit icmp any any
80 permit ip any any

Try applying the capture to a layer 3 interface instead, but I agree it should work.

Can I see your monitor config? Did you use ingress, both, or egress?

The best is to use both, and use the ACL only for UDP bootps/bootpc.

MHM

I have experienced this in the past and typically move my capture up stream to the SVI. Captures on the 9k platform are a bit finicky and don’t always show every bit on the wire.

chrismes
Level 1

By the way. It is the same on other C9300 switch.
And it is also the same when using a traditional monitor port and capturing to a notebook or PC.
monitor session 1 source interface ...
monitor session 1 destination interface ...
I just see the client direction of DHCP packets.

Again, which direction do you use? Ingress, egress or both? Cisco recommends using both.

And are you sure the client gets an IP from the DHCP server? It can be an issue with the server replying to the DHCP request.

MHM

chrismes
Level 1

Of course I'm using BOTH directions.
And it is not an issue with the server, because I do not even see the server packets when DHCP is working.
Most of the clients work fine, just an issue with one and I thought I could capture this easily. But of course not with Cisco.

I sent you a PM, check it.

MHM
