Re: DHCP Snooping not working

From: Farrukh Haroon <farrukhharoon_at_gmail.com>
Date: Tue, 19 Jan 2010 10:55:37 +0300

Thanks for your suggestions

Saud, the DHCP service is working perfectly fine without the snooping. I
think I already mentioned that the FWSM is doing the relay here.

Tyson, the DHCP database is a valuable suggestion, but that is the next step.
First I have to populate the binding table somehow. The NTP requirement is
only for the DHCP snooping database (as mentioned in the documentation).

We are going to upgrade and see how it goes.

Regards

Farrukh

On Tue, Jan 19, 2010 at 12:51 AM, S Malik <ccie.09_at_gmail.com> wrote:

> What about the configuration of the 65K switches? I hope you have "ip
> helper-add" configured. Moreover, is your DHCP server up, and is it properly
> configured with the IP address range of the VLAN interface on the 65K?
> The DHCP server will assign an IP address in the range of the subnet which is
> configured on the VLAN interface. Make sure the DHCP server is configured for the
> same subnet as the VLAN interface.
> Try to sniff and see what is happening.
>
> On Mon, Jan 18, 2010 at 9:12 AM, Tyson Scott <tscott_at_ipexpert.com> wrote:
>
>> Sadiq,
>>
>> I would still fix the time regardless of the information.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: tscott_at_ipexpert.com
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
>> Sent: Monday, January 18, 2010 9:08 AM
>> To: Tyson Scott
>> Cc: Farrukh Haroon; Cisco certification; Cisco certification
>> Subject: Re: DHCP Snooping not working
>>
>> Hi Tyson,
>>
>> That's a good observation actually. However, the lease time on the switches
>> is not actually represented in terms of current time but in terms of
>> duration.
>>
>> So regardless of the current time and/or time zone the switch is in, it would
>> always honor the lease time. See below: my switch is not configured with the
>> right time at all, but my binding is still valid. PS: the DHCP server is
>> running accurate time.
>>
>> Thanks,
>> Sadiq
>>
>> 3KI3R28#sh ip dhcp snooping bind
>> MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
>> ------------------  ---------------  ----------  -------------  ----  --------------------
>> 00:15:17:1E:D0:E9   172.16.21.208    43053       dhcp-snooping  2021  GigabitEthernet1/0/2
>> Total number of bindings: 1
>>
>> 3KI3R28#sh clock
>> *01:10:15.683 gmt Fri Mar 5 1993
>> 3KI3R28#
>>
>> On Mon, Jan 18, 2010 at 1:46 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:
>>
>> Just some thoughts,
>>
>> Do you have NTP running? Are the clocks properly synchronized between the
>> Microsoft Servers and the 3560's?
>>
>> Before calling it a bug it may be a more restricted setting in the new
>> version of code that they are sticking to the strict lease times provided
>> by the DHCP server. So if the clocks are not synchronized make sure they are
>> all synchronized to an accurate time server.
>>
>> Next as a recommendation I would add to the configuration to have the DHCP
>> snooping database stored so it can survive a reboot.
>>
>> So add the following
>>
>>
>> ip dhcp snooping vlan 101,104
>> no ip dhcp snooping information option
>> ip dhcp snooping
>>
>> !
>> ntp server x.x.x.x
>> clock timezone <zone> <offset>
>> ! if you have daylight savings time and it is configured on the servers too
>> clock summer-time <zone> recurring
>> ! After time is synchronized
>> ip dhcp snooping database flash:
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: tscott_at_ipexpert.com
>> Telephone: +1.810.326.1444, ext. 208
>>
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Sadiq Yakasai
>>
>> Sent: Monday, January 18, 2010 7:08 AM
>> To: Farrukh Haroon
>> Cc: Cisco certification; Cisco certification
>> Subject: Re: DHCP Snooping not working
>>
>> Hey Farrukh,
>>
>> It could be a bug man. I have worked with both images (44 and 50) and both
>> work fine with DHCP snooping. I would say upgrade and see how it goes.
>>
>> Good luck!
>>
>> Sadiq
>>
>> On Mon, Jan 18, 2010 at 12:02 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>>
>> > Dear Sadiq
>> >
>> > I think I tried setting the access ports as trusted option, but it did
>> > not help.
>> >
>> > For the software upgrade, I was planning on the following releases:
>> > 12.2(44)SE6 or 12.2(50)SE3
>> >
>> > Which one do you recommend?
>> >
>> > Regards
>> >
>> > Farrukh
>> >
>> >
>> > On Mon, Jan 18, 2010 at 2:41 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> >
>> >> My mistake. I should have given more details.
>> >>
>> >> Users are connected to 6 3560 access-layer switches. Even though they
>> >> are L3-capable switches, they are running in L2 mode. The switches uplink
>> >> to a 6500 Series Core Switch.
>> >>
>> >> There is an FWSM Module on the core switch which acts as the DHCP relay
>> >> agent for all the user requests. The DHCP servers (Microsoft) are in a
>> >> dedicated servers VLAN connected to the core switch.
>> >>
>> >> Regards
>> >>
>> >> Farrukh
>> >>
>> >>
>> >> On Mon, Jan 18, 2010 at 2:26 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>> >>
>> >>> Hi Farrukh,
>> >>>
>> >>> What if you trust the access ports? Does that change the outcome? What
>> >>> about moving on to a newer code?
>> >>>
>> >>> Is the debug above from the access switch? What's your topology here
>> >>> please?
>> >>>
>> >>> Sadiq
>> >>>
>> >>> On Mon, Jan 18, 2010 at 11:22 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> >>>
>> >>>> Dear All
>> >>>>
>> >>>> We are facing a weird issue while trying to configure DHCP snooping.
>> >>>> Users are unable to get/renew IP Addresses after enabling DHCP snooping.
>> >>>> The DHCP Snooping binding table is always empty.
>> >>>>
>> >>>> The configuration is pretty simple
>> >>>>
>> >>>> ip dhcp snooping vlan 101,104
>> >>>> no ip dhcp snooping information option
>> >>>> ip dhcp snooping
>> >>>>
>> >>>> All ports connected to DHCP servers and uplinks set as trusted.
>> >>>>
>> >>>> Switch Version: c3560-ipservices-mz.122-35.SE5
>> >>>>
>> >>>> I tried the same configuration with another 3560 Switch running an
>> >>>> older version with no issues at all.
>> >>>>
>> >>>> This is the error we see on all the trusted ports, any ideas why
>> >>>> this is happening:
>> >>>>
>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/49
>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
>> >>>>
>> >>>> Regards
>> >>>>
>> >>>> Farrukh
>> >>>>
>> >>>>
>> >>>> Blogs and organic groups at http://www.ccie.net
>> >>>>
>> >>>> _______________________________________________________________________
>> >>>> Subscription information may be found at:
>> >>>> http://www.groupstudy.com/list/CCIELab.html
>> >>>
>> >>> --
>> >>> CCIE #19963
>> >>>
>> >>
>> >>
>> >
>>
>>
>> --
>> CCIE #19963
>>
>>
>> --
>> CCIE #19963
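As an added example (not from the thread, and not Cisco's own tooling), a small Python parser for the `show ip dhcp snooping binding` output Sadiq posted, plus a check for the configuration points raised in the thread: snooping enabled globally, a VLAN list, uplinks trusted, and the persistent database Tyson recommended. The binding sample is modelled on the posted output; the config snippet and the uplink port name GigabitEthernet0/49 are constructed.

```python
import re
# Constructed sample, modelled on the binding table posted in the thread.
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:15:17:1E:D0:E9   172.16.21.208    43053       dhcp-snooping  2021  GigabitEthernet1/0/2
Total number of bindings: 1
"""
# Constructed config: the thread's three global lines, the recommended database line, one trusted uplink.
CONFIG = """\
ip dhcp snooping vlan 101,104
no ip dhcp snooping information option
ip dhcp snooping
ip dhcp snooping database flash:
interface GigabitEthernet0/49
 ip dhcp snooping trust
"""
BINDING_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def parse_bindings(text):
    """One dict per binding row; Lease(sec) is remaining duration, not a timestamp."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            mac, ip, lease, kind, vlan, intf = m.groups()
            rows.append({"mac": mac.upper(), "ip": ip, "lease_sec": int(lease),
                         "type": kind, "vlan": int(vlan), "interface": intf})
    return rows

def audit_snooping(config, uplinks):
    """Flag the thread's gaps: no global enable, no VLAN list, no database, untrusted uplink."""
    lines = config.splitlines()
    findings = []
    if "ip dhcp snooping" not in lines:
        findings.append("global 'ip dhcp snooping' missing")
    if not any(l.startswith("ip dhcp snooping vlan ") for l in lines):
        findings.append("no 'ip dhcp snooping vlan' list")
    if not any(l.startswith("ip dhcp snooping database ") for l in lines):
        findings.append("no snooping database agent; bindings are lost on reboot")
    trusted, cur = set(), None
    for l in lines:  # collect interfaces carrying 'ip dhcp snooping trust'
        if l.startswith("interface "):
            cur = l.split(None, 1)[1]
        elif l.strip() == "ip dhcp snooping trust" and cur:
            trusted.add(cur)
    findings += [f"{p} is an uplink but not trusted" for p in uplinks if p not in trusted]
    return findings
```

An empty result from `parse_bindings` on a switch with active clients is the symptom Farrukh describes, and a non-empty result from `audit_snooping` points at the usual configuration causes before suspecting a code bug.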

Received on Tue Jan 19 2010 - 10:55:37 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART