Re: DHCP Snooping not working

From: swap m <ccie19804_at_gmail.com>
Date: Tue, 19 Jan 2010 12:24:10 +0400

How is the FWSM configured in regard to Option 82? Enabled or disabled?

You can try a debug on the FWSM to verify DHCP relay activity.

Swap
#19804

On Tue, Jan 19, 2010 at 12:18 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:

> Hello Joe
>
> Thanks for your response. When Option82 was enabled, I found other errors in
> the debug. I googled the errors and found out that Windows 2k3 and lower
> don't support it (the newer version does, I believe). As soon as I disabled
> it, the Option82-related errors went away.
>
> The DHCP snooping should work even if I just enable it on the access layer
> switches. I tested this on another environment and it worked.
>
> The core switch debugs seem to be normal. If it still does not work after
> the upgrade, I will post them here.
>
> Regards
>
> Farrukh
>
> On Tue, Jan 19, 2010 at 11:06 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>
> > Hello all,
> >
> > Sorry I am late to the party! Have you tried looking at possible
> > issues with DHCP option 82 insertion happening on the switch? Have
> > you looked at any DHCP packet debugs on the device doing the relay?
> >
> > On Tue, Jan 19, 2010 at 2:55 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
> > > Thanks for your suggestions.
> > >
> > > Saud, the DHCP service is working perfectly fine without the snooping; I
> > > think I already mentioned that the FWSM is doing the relay here.
> > >
> > > Tyson, the DHCP database is a valuable suggestion but that is the next
> > > step. First I have to populate the binding table somehow. The NTP
> > > requirement is only for the DHCP snooping database (as mentioned in the
> > > documentation).
> > >
> > > We are going to upgrade and see how it goes.
> > >
> > > Regards
> > >
> > > Farrukh
> > >
> > > On Tue, Jan 19, 2010 at 12:51 AM, S Malik <ccie.09_at_gmail.com> wrote:
> > >
> > >> What about the configuration of the 65K switches? I hope you have "ip
> > >> helper-add" configured. Moreover, is your DHCP server up? And is it
> > >> properly configured with the IP address range of the VLAN interface on
> > >> the 65K? The DHCP server will assign the IP address in the range of the
> > >> subnet which is configured on the VLAN interface. Make sure the DHCP
> > >> server is configured for the same subnet as the VLAN interface.
> > >> Try to sniff and see what is happening.
> > >>
> > >> On Mon, Jan 18, 2010 at 9:12 AM, Tyson Scott <tscott_at_ipexpert.com> wrote:
> > >>
> > >>> Sadiq,
> > >>>
> > >>> I would still fix the time regardless of the information.
> > >>>
> > >>> Regards,
> > >>>
> > >>> Tyson Scott - CCIE #13513 R&S, Security, and SP
> > >>> Technical Instructor - IPexpert, Inc.
> > >>> Mailto: tscott_at_ipexpert.com
> > >>> Telephone: +1.810.326.1444, ext. 208
> > >>> Live Assistance, Please visit: www.ipexpert.com/chat
> > >>> eFax: +1.810.454.0130
> > >>>
> > >>> From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
> > >>> Sent: Monday, January 18, 2010 9:08 AM
> > >>> To: Tyson Scott
> > >>> Cc: Farrukh Haroon; Cisco certification; Cisco certification
> > >>> Subject: Re: DHCP Snooping not working
> > >>>
> > >>> Hi Tyson,
> > >>>
> > >>> That's a good observation actually. However, the lease time on the
> > >>> switches is not actually represented in terms of current time but in
> > >>> terms of duration.
> > >>>
> > >>> So regardless of the current time and/or time zone the switch is in, it
> > >>> would always honor the lease time. See below, my switch is not configured
> > >>> with the right time at all, but my binding is still valid. PS: the DHCP
> > >>> server is running accurate time.
> > >>>
> > >>> Thanks,
> > >>> Sadiq
> > >>>
> > >>> 3KI3R28#sh ip dhcp snooping bind
> > >>> MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
> > >>> ------------------  ---------------  ----------  -------------  ----  --------------------
> > >>> 00:15:17:1E:D0:E9   172.16.21.208    43053       dhcp-snooping  2021  GigabitEthernet1/0/2
> > >>> Total number of bindings: 1
> > >>>
> > >>> 3KI3R28#sh clock
> > >>> *01:10:15.683 gmt Fri Mar 5 1993
> > >>> 3KI3R28#
> > >>>
> > >>> On Mon, Jan 18, 2010 at 1:46 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:
> > >>>
> > >>> Just some thoughts,
> > >>>
> > >>> Do you have NTP running? Are the clocks properly synchronized between the
> > >>> Microsoft servers and the 3560's?
> > >>>
> > >>> Before calling it a bug, it may be a more restricted setting in the new
> > >>> version of code, in that they are sticking to the strict lease times
> > >>> provided by the DHCP server. So if the clocks are not synchronized, make
> > >>> sure they are all synchronized to an accurate time server.
> > >>>
> > >>> Next, as a recommendation, I would add to the configuration to have the
> > >>> DHCP snooping database stored so it can survive a reboot.
> > >>>
> > >>> So add the following:
> > >>>
> > >>> ip dhcp snooping vlan 101,104
> > >>> no ip dhcp snooping information option
> > >>> ip dhcp snooping
> > >>> !
> > >>> ntp server x.x.x.x
> > >>> clock timezone <zone> <offset>
> > >>> ! if you have daylight savings time and it is configured on the servers too
> > >>> clock summer-time <zone> recurring
> > >>> ! After time is synchronized
> > >>> ip dhcp snooping database flash:
> > >>>
> > >>> Regards,
> > >>>
> > >>> Tyson Scott - CCIE #13513 R&S, Security, and SP
> > >>> Technical Instructor - IPexpert, Inc.
> > >>> Mailto: tscott_at_ipexpert.com
> > >>> Telephone: +1.810.326.1444, ext. 208
> > >>>
> > >>> Live Assistance, Please visit: www.ipexpert.com/chat
> > >>> eFax: +1.810.454.0130
> > >>>
> > >>> -----Original Message-----
> > >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > >>> Sadiq Yakasai
> > >>> Sent: Monday, January 18, 2010 7:08 AM
> > >>> To: Farrukh Haroon
> > >>> Cc: Cisco certification; Cisco certification
> > >>> Subject: Re: DHCP Snooping not working
> > >>>
> > >>> Hey Farrukh,
> > >>>
> > >>> It could be a bug, man. I have worked with both images (44 and 50) and
> > >>> both work fine with DHCP snooping. I would say upgrade and see how it
> > >>> goes.
> > >>>
> > >>> Good luck!
> > >>>
> > >>> Sadiq
> > >>>
> > >>> On Mon, Jan 18, 2010 at 12:02 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
> > >>>
> > >>> > Dear Sadiq
> > >>> >
> > >>> > I think I tried the option of setting the access ports as trusted, but
> > >>> > it did not help.
> > >>> >
> > >>> > For the software upgrade, I was planning on the following releases:
> > >>> > 12.2(44)SE6 or 12.2(50)SE3
> > >>> >
> > >>> > Which one do you recommend?
> > >>> >
> > >>> > Regards
> > >>> >
> > >>> > Farrukh
> > >>> >
> > >>> >
> > >>> > On Mon, Jan 18, 2010 at 2:41 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
> > >>> >
> > >>> >> My mistake. I should have given more details.
> > >>> >>
> > >>> >> Users are connected to 6 3560 access-layer switches. Even though they
> > >>> >> are L3-capable switches, they are running in L2 mode. The switches
> > >>> >> uplink to a 6500 Series Core Switch.
> > >>> >>
> > >>> >> There is an FWSM Module on the core switch which acts as the DHCP relay
> > >>> >> agent for all the user requests. The DHCP servers (Microsoft) are in a
> > >>> >> dedicated servers VLAN connected to the core switch.
> > >>> >>
> > >>> >> Regards
> > >>> >>
> > >>> >> Farrukh
> > >>> >>
> > >>> >>
> > >>> >> On Mon, Jan 18, 2010 at 2:26 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> > >>> >>
> > >>> >>> Hi Farrukh,
> > >>> >>>
> > >>> >>> What if you trust the access ports? Does that change the outcome? What
> > >>> >>> about moving on to newer code?
> > >>> >>>
> > >>> >>> Is the debug above from the access switch? What's your topology here,
> > >>> >>> please?
> > >>> >>>
> > >>> >>> Sadiq
> > >>> >>>
> > >>> >>> On Mon, Jan 18, 2010 at 11:22 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
> > >>> >>>
> > >>> >>>> Dear All
> > >>> >>>>
> > >>> >>>> We are facing a weird issue while trying to configure DHCP snooping.
> > >>> >>>> Users are unable to get/renew IP addresses after enabling DHCP
> > >>> >>>> snooping. The DHCP snooping binding table is always empty.
> > >>> >>>>
> > >>> >>>> The configuration is pretty simple:
> > >>> >>>>
> > >>> >>>> ip dhcp snooping vlan 101,104
> > >>> >>>> no ip dhcp snooping information option
> > >>> >>>> ip dhcp snooping
> > >>> >>>>
> > >>> >>>> All ports connected to DHCP servers and uplinks are set as trusted.
> > >>> >>>>
> > >>> >>>> Switch Version: c3560-ipservices-mz.122-35.SE5
> > >>> >>>>
> > >>> >>>> I tried the same configuration with another 3560 switch running an
> > >>> >>>> older version with no issues at all.
> > >>> >>>>
> > >>> >>>> This is the error we see on all the trusted ports; any ideas why this
> > >>> >>>> is happening:
> > >>> >>>>
> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/49
> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
> > >>> >>>>
> > >>> >>>> Regards
> > >>> >>>>
> > >>> >>>> Farrukh
> > >>> >>>>
> > >>> >>>>
> > >>> >>>> Blogs and organic groups at http://www.ccie.net
> > >>> >>>>
> > >>> >>>> _______________________________________________________________________
> > >>> >>>> Subscription information may be found at:
> > >>> >>>> http://www.groupstudy.com/list/CCIELab.html
> > >>> >>>
> > >>> >>>
> > >>> >>> --
> > >>> >>> CCIE #19963
> > >>> >>>
> > >>> >>
> > >>> >>
> > >>> >
> > >>>
> > >>>
> > >>> --
> > >>> CCIE #19963
> > >>>
> > >>> --
> > >>> CCIE #19963
> > >
> > >
> > --
> > Regards,
> >
> > Joe Astorino CCIE #24347 (R&S)
> > Sr. Technical Instructor - IPexpert
> > Mailto: jastorino_at_ipexpert.com
> > Telephone: +1.810.326.1444
> > Live Assistance, Please visit: www.ipexpert.com/chat
> > eFax: +1.810.454.0130
> >
> > IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
> > (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
> > Security & Service Provider) Certification Training with locations
> > throughout the United States, Europe and Australia. Be sure to check
> > out our online communities at www.ipexpert.com/communities and our
> > public website at www.ipexpert.com
>
>

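As an added example (not from the thread or any of its posters), a small Python checker for the DHCP snooping checklist the thread converges on: snooping enabled globally and on the user VLANs, option 82 insertion disabled where the DHCP servers cannot handle it, uplinks trusted, and a database agent plus NTP configured so stored bindings survive a reload with sane expiry times. The sample config, the interface name and all function names are constructed for illustration.

```python
# Constructed sample (hypothetical): the thread's snooping lines plus NTP, database and uplink trust.
SAMPLE_CONFIG = """\
ntp server 192.0.2.10
ip dhcp snooping vlan 101,104
no ip dhcp snooping information option
ip dhcp snooping
ip dhcp snooping database flash:
interface GigabitEthernet0/49
 ip dhcp snooping trust
"""

def parse_config(text):
    """Split an IOS config into global lines and {interface: [sub-commands]}."""
    glob, ifaces, cur = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        elif line and line != "!":
            cur = None
            glob.append(line.rstrip())
    return glob, ifaces

def snooped_vlans(glob):
    """Expand 'ip dhcp snooping vlan 101,104' or '101-104' into a set of ids."""
    prefix, vlans = "ip dhcp snooping vlan ", set()
    for part in (p for l in glob if l.startswith(prefix) for p in l[len(prefix):].split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_dhcp_snooping(text, user_vlans, uplinks, servers_do_option82):
    """Return findings; an empty list means the config passes the thread's checklist."""
    glob, ifaces = parse_config(text)
    has = lambda p: any(l.startswith(p) for l in glob)
    missing = sorted(set(user_vlans) - snooped_vlans(glob))
    rules = [
        ("ip dhcp snooping" in glob, "snooping not enabled globally"),
        (not missing, f"user VLANs not snooped: {missing}"),
        (servers_do_option82 or "no ip dhcp snooping information option" in glob,
         "option 82 inserted but the DHCP servers (e.g. Windows 2003) do not support it"),
        (has("ip dhcp snooping database"), "no database agent: bindings lost on reload"),
        (has("ntp server"), "no NTP: stored binding expiry times will be wrong"),
    ]
    findings = [msg for ok, msg in rules if not ok]
    findings += [f"uplink {up} untrusted: DHCP server replies will be dropped"
                 for up in uplinks if "ip dhcp snooping trust" not in ifaces.get(up, [])]
    return findings
```

Run it as `check_dhcp_snooping(SAMPLE_CONFIG, [101, 104], ["GigabitEthernet0/49"], False)` against a `show running-config` dump to get the list of gaps; an empty list means every item the thread raised is covered.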
Received on Tue Jan 19 2010 - 12:24:10 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART