RE: DHCP Snooping not working

From: Tyson Scott <tscott_at_ipexpert.com>
Date: Mon, 18 Jan 2010 08:46:32 -0500

Just some thoughts,

Do you have NTP running? Are the clocks properly synchronized between the
Microsoft Servers and the 3560's?

Before calling it a bug it may be a more restricted setting in the new
version of code that they are sticking to the strict lease times provided by
the DHCP server. So if the clocks are not synchronized make sure they are
all synchronized to an accurate time server.

Next as a recommendation I would add to the configuration to have the DHCP
snooping database stored so it can survive a reboot.

So add the following

ip dhcp snooping vlan 101,104
no ip dhcp snooping information option
ip dhcp snooping
!
ntp server x.x.x.x
clock timezone <zone> <offset>
! if you have daylight savings time and it is configured on the servers too
clock summer-time <zone> recurring
! After time is synchronized
ip dhcp snooping database flash:

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Sadiq Yakasai
Sent: Monday, January 18, 2010 7:08 AM
To: Farrukh Haroon
Cc: Cisco certification; Cisco certification
Subject: Re: DHCP Snooping not working

Hey Farrukh,

It could be a bug man. I have worked with both images (44 and 50) and both
work fine with DHCP snooping. I would say upgrade and see how it goes.

Good luck!

Sadiq

On Mon, Jan 18, 2010 at 12:02 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:

> Dear Sadiq
>
> I think I tried setting the access ports as trusted option, but it did not
> help.
>
> For the software upgrade, I was planning on the following releases:
> 12.2(44)SE6 or 12.2(50)SE3
>
> Which one do you recommend?
>
> Regards
>
> Farrukh
>
>
> On Mon, Jan 18, 2010 at 2:41 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>
>> My mistake. I should have given more details.
>>
>> Users are connected to 6 3560 access-layer switches. Even though they are
>> L3-capable switches, they are running in L2 mode. The switches uplink to a
>> 6500 Series Core Switch.
>>
>> There is an FWSM Module on the core switch which acts as the DHCP relay
>> agent for all the user requests. The DHCP servers (Microsoft) are in a
>> dedicated servers VLAN connected to the core switch.
>>
>> Regards
>>
>> Farrukh
>>
>>
>> On Mon, Jan 18, 2010 at 2:26 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>
>>> Hi Farrukh,
>>>
>>> What if you trust the access ports? Does that change the outcome? What
>>> about moving on to a newer code?
>>>
>>> Is the debug above from the access switch? What's your topology here
>>> please?
>>>
>>> Sadiq
>>>
>>> On Mon, Jan 18, 2010 at 11:22 AM, Farrukh Haroon <
>>> farrukhharoon_at_gmail.com> wrote:
>>>
>>>> Dear All
>>>>
>>>> We are facing a weird issue while trying to configure DHCP snooping.
>>>> Users are unable to get/renew IP Addresses after enabling DHCP snooping.
>>>> The DHCP Snooping binding table is always empty.
>>>>
>>>> The configuration is pretty simple
>>>>
>>>> ip dhcp snooping vlan 101,104
>>>> no ip dhcp snooping information option
>>>> ip dhcp snooping
>>>>
>>>> All ports connected to DHCP servers and uplinks set as trusted.
>>>>
>>>> Switch Version: c3560-ipservices-mz.122-35.SE5
>>>>
>>>> I tried the same configuration with another 3560 Switch running an
>>>> older version with no issues at all.
>>>>
>>>> This is the error we see on all the trusted ports, any ideas why this
>>>> is happening:
>>>>
>>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
>>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): *Clearing if_input for pak. Was Gi0/49*
>>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input):* Setting if_input to Gi0/49 for pak. Was not set*
>>>>
>>>> Regards
>>>>
>>>> Farrukh
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>
>>>
>>> --
>>> CCIE #19963
>>>
>>
>>
>

-- 
CCIE #19963
Received on Mon Jan 18 2010 - 08:46:32 ART
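
Added example, not part of the original thread or Cisco's code: a simplified Python model of why the reply above asks for synchronized clocks before enabling `ip dhcp snooping database`. It assumes each stored binding carries an absolute lease expiry and that entries past expiry, or on trusted interfaces, are ignored when the file is read back after a reload; the field names, addresses and ports are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    expires: datetime  # absolute lease expiry (assumed storage model)


def restore(entries, switch_clock, trusted=frozenset()):
    """Return (kept, dropped) as the model switch would after a reload."""
    kept, dropped = [], []
    for b in entries:
        if b.expires <= switch_clock:
            dropped.append((b, "lease expired according to switch clock"))
        elif b.interface in trusted:
            dropped.append((b, "interface is snooping-trusted"))
        else:
            kept.append(b)
    return kept, dropped


def audit(entries, true_time, switch_clock, trusted=frozenset()):
    """Compare what is restored under real time vs. the switch's own clock."""
    good = {b.ip for b in restore(entries, true_time, trusted)[0]}
    seen = {b.ip for b in restore(entries, switch_clock, trusted)[0]}
    return {
        "lost": sorted(good - seen),   # valid leases the switch discards
        "stale": sorted(seen - good),  # expired leases the switch still honours
    }


# Constructed sample data: two live leases and one that ended two hours ago.
NOW = datetime(2010, 1, 18, 13, 46, tzinfo=timezone.utc)
SAMPLE = [
    Binding("0011.2233.4401", "10.1.101.20", 101, "Gi0/5", NOW + timedelta(hours=6)),
    Binding("0011.2233.4402", "10.1.104.31", 104, "Gi0/7", NOW + timedelta(days=7)),
    Binding("0011.2233.4403", "10.1.101.44", 101, "Gi0/9", NOW - timedelta(hours=2)),
]

if __name__ == "__main__":
    for label, skew in [("synced", 0), ("clock +1 day", 1), ("clock -1 day", -1)]:
        print(label, audit(SAMPLE, NOW, NOW + timedelta(days=skew)))
```

A clock running a day fast discards the still-valid 10.1.101.20 binding, while a clock a day slow keeps the already-expired 10.1.101.44 one.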

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART