RE: Issues with Multicast traffic and DHCP snooping on 3560E

From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Tue Dec 11 2007 - 19:11:24 ART


Thanks group,
I've tracked down the problem to my test bed machines... now it works.

Anyway, I'm observing a high CPU increase (around 30%) after activating DAI and DHCP snooping. I understand that these are CPU-using features, but still with only a couple of hosts, I was expecting something less.

Has anyone observed that too?

Gustavo Novais

 

-----Original Message-----
From: Antonio Soares [mailto:amsoares@netcabo.pt]
Sent: Tuesday, 11 December 2007 21:39
To: Gustavo Novais; 'Cisco certification'
Subject: RE: Issues with Multicast traffic and DHCP snooping on 3560E

Please post the relevant config to see if we can help.

Regards,

Antonio Soares
CCIE #18473 (R&S),CCNP,CCIP,JNCIA-ER,JNCIS-ER
http://pwp.netcabo.pt/amsoares/

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Gustavo Novais
Sent: Monday, 10 December 2007 12:28
To: Cisco certification
Subject: Issues with Multicast traffic and DHCP snooping on 3560E

Hi Group,

I've been working a bit on implementing some LAN switch security features like
port-security, DHCP snooping, Dynamic ARP inspection, and IP Source Guard,
and I'm observing a behaviour that I'd like to correlate with any of you
that has had the same experience, eventually.

I have a single switch configured with DHCP snooping, DAI, IP Source Guard
and Port Security.

DHCP snooping is enabled on vlans A,B,C, and so are IPSg and DAI.
Multicast will be enabled on vlans X and Y.

The multicast config is as simple as it gets with several interfaces Vlan,
configured with PIM Dense mode, being a source on one vlan and a listener on
other vlan. I do have IGMP Snooping active.

None of the vlans involved in multicast (X,Y) have the security
functionalities enabled.

Anyway, we globally disable DHCP snooping with no ip dhcp snooping and
no ip arp inspection.

Then I fire up a multicast stream between vlans X and Y and I start seeing
the stream perfectly.

As soon as I turn on dhcp snooping (not on vlans X and Y) the video stream
freezes.

The strange thing is that the vlans X and Y shouldn't be affected by DHCP
Snooping... but they are...

Obviously, when I try to fire up a mcast stream between vlan A and B, with
securities in place, I don't ever start to see the stream. As soon as DHCP
snooping is off, no problem...

Has anyone ever faced this issue? What was the workaround?

I'm thinking that internally the DHCP snooping process does not like to have
the CAM manipulated in order to forward the mcast traffic to the proper
receivers, but shouldn't there be a knob of some sort to allow multicast
traffic through the port?

Any help is appreciated.

Gustavo Novais


