Re: DHCP Snooping not working

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Mon, 18 Jan 2010 14:07:38 +0000

Hi Tyson,

That's a good observation actually. However, the lease time on the switches
is not actually represented in terms of current time but in terms of
duration.

So regardless of the current time and/or time zone the switch is in, it would
always honor the lease time. See below, my switch is not configured with the
right time at all, but my binding is still valid. PS: the DHCP server is
running accurate time.

Thanks,
Sadiq

3KI3R28#sh ip dhcp snooping bind
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:15:17:1E:D0:E9   172.16.21.208    43053       dhcp-snooping  2021  GigabitEthernet1/0/2
Total number of bindings: 1

3KI3R28#sh clock
*01:10:15.683 gmt Fri Mar 5 1993
3KI3R28#

On Mon, Jan 18, 2010 at 1:46 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:

> Just some thoughts,
>
> Do you have NTP running? Are the clocks properly synchronized between the
> Microsoft Servers and the 3560's?
>
> Before calling it a bug it may be a more restricted setting in the new
> version of code that they are sticking to the strict lease times provided
> by the DHCP server. So if the clocks are not synchronized make sure they
> are all synchronized to an accurate time server.
>
> Next as a recommendation I would add to the configuration to have the DHCP
> snooping database stored so it can survive a reboot.
>
> So add the following
>
> ip dhcp snooping vlan 101,104
> no ip dhcp snooping information option
> ip dhcp snooping
> !
> ntp server x.x.x.x
> clock timezone <zone> <offset>
> ! if you have daylight savings time and it is configured on the servers too
> clock summer-time <zone> recurring
> ! After time is synchronized
> ip dhcp snooping database flash:
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Sadiq Yakasai
> Sent: Monday, January 18, 2010 7:08 AM
> To: Farrukh Haroon
> Cc: Cisco certification; Cisco certification
> Subject: Re: DHCP Snooping not working
>
> Hey Farrukh,
>
> It could be a bug man. I have worked with both images (44 and 50) and both
> work fine with DHCP snooping. I would say upgrade and see how it goes.
>
> Good luck!
>
> Sadiq
>
> On Mon, Jan 18, 2010 at 12:02 PM, Farrukh Haroon
> <farrukhharoon_at_gmail.com> wrote:
>
> > Dear Sadiq
> >
> > I think I tried setting the access ports as trusted option, but it did
> > not help.
> >
> > For the software upgrade, I was planning on the following releases:
> > 12.2(44)SE6 or 12.2(50)SE3
> >
> > Which one do you recommend?
> >
> > Regards
> >
> > Farrukh
> >
> >
> > On Mon, Jan 18, 2010 at 2:41 PM, Farrukh Haroon
> > <farrukhharoon_at_gmail.com> wrote:
> >
> >> My mistake. I should have given more details.
> >>
> >> Users are connected to 6 3560 access-layer switches. Even though they are
> >> L3-capable switches, they are running in L2 mode. The switches uplink to
> >> a 6500 Series Core Switch.
> >>
> >> There is an FWSM Module on the core switch which acts as the DHCP relay
> >> agent for all the user requests. The DHCP servers (Microsoft) are in a
> >> dedicated servers VLAN connected to the core switch.
> >>
> >> Regards
> >>
> >> Farrukh
> >>
> >>
> >> On Mon, Jan 18, 2010 at 2:26 PM, Sadiq Yakasai
> >> <sadiqtanko_at_gmail.com> wrote:
> >>
> >>> Hi Farrukh,
> >>>
> >>> What if you trust the access ports? Does that change the outcome? What
> >>> about moving on to a newer code?
> >>>
> >>> Is the debug above from the access switch? What's your topology here
> >>> please?
> >>>
> >>> Sadiq
> >>>
> >>> On Mon, Jan 18, 2010 at 11:22 AM, Farrukh Haroon <
> >>> farrukhharoon_at_gmail.com> wrote:
> >>>
> >>>> Dear All
> >>>>
> >>>> We are facing a weird issue while trying to configure DHCP snooping.
> >>>> Users are unable to get/renew IP Addresses after enabling DHCP
> >>>> snooping.
> >>>> The DHCP Snooping binding table is always empty.
> >>>>
> >>>> The configuration is pretty simple
> >>>>
> >>>> ip dhcp snooping vlan 101,104
> >>>> no ip dhcp snooping information option
> >>>> ip dhcp snooping
> >>>>
> >>>> All ports connected to DHCP servers and uplinks set as trusted.
> >>>>
> >>>> Switch Version: c3560-ipservices-mz.122-35.SE5
> >>>>
> >>>> I tried the same configuration with another 3560 Switch running an
> >>>> older version with no issues at all.
> >>>>
> >>>> This is the error we see on all the trusted ports, any ideas why this
> >>>> is happening:
> >>>>
> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/49
> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
> >>>>
> >>>> Regards
> >>>>
> >>>> Farrukh
> >>>>
> >>>>
> >>>> Blogs and organic groups at http://www.ccie.net
> >>>>
> >>>>
> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>>
> >>> --
> >>> CCIE #19963
> >>>
> >>
> >>
> >
>
>
> --
> CCIE #19963
>

-- 
CCIE #19963
Received on Mon Jan 18 2010 - 14:07:38 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART
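Two points in the thread lend themselves to a small check: Sadiq's observation that Lease(sec) in the binding table is a remaining duration rather than a timestamp (so a wrong switch clock does not invalidate the binding), and Tyson's recommendation to persist the binding database. The script below is an added example, not code from the thread or from any of its participants. It parses the `show ip dhcp snooping binding` output in the layout Sadiq posted, computes each binding's expiry from the collector's own clock instead of the switch's, and audits a snooping configuration for the items Tyson listed. The sample binding output and config are constructed from the snippets in the thread; the function names are the example's own.

```python
"""Parse Cisco IOS `show ip dhcp snooping binding` output and audit a
DHCP snooping config. Added example; sample inputs are constructed from
the thread's snippets, not captured from a production switch."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the binding table Sadiq posted, re-joined onto single lines.
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:15:17:1E:D0:E9   172.16.21.208    43053       dhcp-snooping  2021  GigabitEthernet1/0/2
Total number of bindings: 1
"""

# Constructed sample: Farrukh's original config plus one trusted uplink,
# without the database agent Tyson recommended.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 101,104
no ip dhcp snooping information option
ip dhcp snooping
!
interface GigabitEthernet0/49
 ip dhcp snooping trust
"""

# One binding row: MAC, IP, lease (seconds or "infinite"), type, VLAN, interface.
BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<lease>\d+|infinite)\s+"
    r"(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<iface>\S+)\s*$"
)


def parse_bindings(output, now=None):
    """Return one dict per binding row.

    Lease(sec) is the time remaining on the lease, so the absolute expiry is
    computed from the collector's clock (``now``), never from the switch's
    clock, which may be unset as in Sadiq's output. ``now`` may be a datetime
    or an ISO-8601 string; it defaults to the current UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    rows = []
    for line in output.splitlines():
        m = BINDING_RE.match(line.strip())
        if not m:
            continue  # header, separator, "Total number of bindings", etc.
        lease = m.group("lease")
        lease_sec = None if lease == "infinite" else int(lease)
        expires = None if lease_sec is None else now + timedelta(seconds=lease_sec)
        rows.append({
            "mac": m.group("mac").lower(),
            "ip": m.group("ip"),
            "lease_sec": lease_sec,
            "type": m.group("type"),
            "vlan": int(m.group("vlan")),
            "interface": m.group("iface"),
            "expires_at": expires,
        })
    return rows


def audit_snooping_config(config):
    """Return a list of findings for a running-config excerpt.

    Checks the items raised in the thread: snooping enabled globally and on
    at least one VLAN, at least one trusted port (server-side DHCP messages
    arriving on untrusted ports are dropped), and a persistent binding
    database so bindings survive a reboot.
    """
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]
    if "ip dhcp snooping" not in lines:
        findings.append("global 'ip dhcp snooping' missing: per-VLAN lines have no effect")
    if not any(l.startswith("ip dhcp snooping vlan ") for l in lines):
        findings.append("no 'ip dhcp snooping vlan' statement: no VLAN is snooped")
    if not any(l.strip() == "ip dhcp snooping trust" for l in lines):
        findings.append("no trusted port: DHCP OFFER/ACK from the server will be dropped")
    if not any(l.startswith("ip dhcp snooping database ") for l in lines):
        findings.append("no binding database agent: bindings are lost on reboot")
    return findings


if __name__ == "__main__":
    for row in parse_bindings(SAMPLE_BINDINGS):
        print(f"{row['mac']} {row['ip']} vlan {row['vlan']} on {row['interface']} "
              f"expires {row['expires_at'].isoformat(timespec='seconds')}")
    for finding in audit_snooping_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample config, the audit reports only the missing database agent; appending Tyson's `ip dhcp snooping database flash:` line clears it. Because expiry is derived from the collector's clock, the script gives a sane expiry even for a switch whose clock reads 1993.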