Sadiq,
I would still fix the time regardless of the information.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
Sent: Monday, January 18, 2010 9:08 AM
To: Tyson Scott
Cc: Farrukh Haroon; Cisco certification; Cisco certification
Subject: Re: DHCP Snooping not working
Hi Tyson,
That's a good observation actually. However, the lease time on the switches
is not actually represented in terms of current time but in terms of
duration.
So regardless of the current time and/or time zone the switch is in, it would
always honor the lease time. See below, my switch is not configured with the
right time at all, but my binding is still valid. PS: the DHCP server is
running accurate time.
Thanks,
Sadiq
3KI3R28#sh ip dhcp snooping bind
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:15:17:1E:D0:E9   172.16.21.208    43053       dhcp-snooping  2021  GigabitEthernet1/0/2
Total number of bindings: 1
3KI3R28#sh clock
*01:10:15.683 gmt Fri Mar 5 1993
3KI3R28#
On Mon, Jan 18, 2010 at 1:46 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:
Just some thoughts,
Do you have NTP running? Are the clocks properly synchronized between the
Microsoft Servers and the 3560's?
Before calling it a bug it may be a more restricted setting in the new
version of code that they are sticking to the strict lease times provided by
the DHCP server. So if the clocks are not synchronized make sure they are
all synchronized to an accurate time server.
Next as a recommendation I would add to the configuration to have the DHCP
snooping database stored so it can survive a reboot.
So add the following
ip dhcp snooping vlan 101,104
no ip dhcp snooping information option
ip dhcp snooping
!
ntp server x.x.x.x
clock timezone <zone> <offset>
! if you have daylight savings time and it is configured on the servers too
clock summer-time <zone> recurring
! After time is synchronized
ip dhcp snooping database flash:
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Sadiq Yakasai
Sent: Monday, January 18, 2010 7:08 AM
To: Farrukh Haroon
Cc: Cisco certification; Cisco certification
Subject: Re: DHCP Snooping not working
Hey Farrukh,
It could be a bug man. I have worked with both images (44 and 50) and both
work fine with DHCP snooping. I would say upgrade and see how it goes.
Good luck!
Sadiq
On Mon, Jan 18, 2010 at 12:02 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
> Dear Sadiq
>
> I think I tried setting the access ports as trusted option, but it did not
> help.
>
> For the software upgrade, I was planning on the following releases:
> 12.2(44)SE6 or 12.2(50)SE3
>
> Which one do you recommend?
>
> Regards
>
> Farrukh
>
>
> On Mon, Jan 18, 2010 at 2:41 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>
>> My mistake. I should have given more details.
>>
>> Users are connected to 6 3560 access-layer switches. Even though they are
>> L3-capable switches, they are running in L2 mode. The switches uplink to a
>> 6500 Series Core Switch.
>>
>> There is an FWSM Module on the core switch which acts as the DHCP relay
>> agent for all the user requests. The DHCP servers (Microsoft) are in a
>> dedicated servers VLAN connected to the core switch.
>>
>> Regards
>>
>> Farrukh
>>
>>
>> On Mon, Jan 18, 2010 at 2:26 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>
>>> Hi Farrukh,
>>>
>>> What if you trust the access ports? Does that change the outcome? What
>>> about moving on to a newer code?
>>>
>>> Is the debug above from the access switch? What's your topology here
>>> please?
>>>
>>> Sadiq
>>>
>>> On Mon, Jan 18, 2010 at 11:22 AM, Farrukh Haroon <
>>> farrukhharoon_at_gmail.com> wrote:
>>>
>>>> Dear All
>>>>
>>>> We are facing a weird issue while trying to configure DHCP snooping.
>>>> Users are unable to get/renew IP Addresses after enabling DHCP snooping.
>>>> The DHCP Snooping binding table is always empty.
>>>>
>>>> The configuration is pretty simple
>>>>
>>>> ip dhcp snooping vlan 101,104
>>>> no ip dhcp snooping information option
>>>> ip dhcp snooping
>>>>
>>>> All ports connected to DHCP servers and uplinks set as trusted.
>>>>
>>>> Switch Version: c3560-ipservices-mz.122-35.SE5
>>>>
>>>> I tried the same configuration with another 3560 Switch running an older
>>>> version with no issues at all.
>>>>
>>>> This is the error we see on all the trusted ports, any ideas why this is
>>>> happening:
>>>>
>>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
>>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): *Clearing if_input for pak. Was Gi0/49*
>>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input):* Setting if_input to Gi0/49 for pak. Was not set*
>>>>
>>>> Regards
>>>>
>>>> Farrukh
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>
>>> --
>>> CCIE #19963
>>>
>>
>>
>
--
CCIE #19963
Received on Mon Jan 18 2010 - 09:12:08 ART
This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART