Re: DHCP Snooping not working

From: Farrukh Haroon <farrukhharoon_at_gmail.com>
Date: Tue, 19 Jan 2010 12:19:42 +0300

Hello Swap

This is the FWSM config

dhcprelay server 10.11.10.4 Internal_Service_Zone
dhcprelay server 10.11.15.4 Voice-Servers-Zone
dhcprelay enable Data_Services_Zone
dhcprelay enable Voice_Services_Zone
dhcprelay setroute Internal_Service_Zone
dhcprelay setroute Voice-Servers-Zone
dhcprelay timeout 15

Regards
Farrukh

On Tue, Jan 19, 2010 at 11:24 AM, swap m <ccie19804_at_gmail.com> wrote:

> how is the FWSM configured in regard to Option82? enabled ..disabled?
>
> you can try a debug on FWSM to verify DHCP relay activity.
>
> Swap
> #19804
>
> On Tue, Jan 19, 2010 at 12:18 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>
>> Hello Joe
>>
>> Thanks for your response. When Option82 was enabled, I found other errors
>> in the debug. I googled the errors and found out that windows 2k3 and lower
>> don't support it (the newer version does I believe). As soon as I
>> disabled it, the option82 related errors went away.
>>
>> The DHCP snooping should work even if I just enable it on the access layer
>> switches. I tested this on another environment and it worked.
>>
>> The core switch debugs seem to be normal. If it still does not work after
>> the upgrade, I will post them here.
>>
>> Regards
>>
>> Farrukh
>>
>> On Tue, Jan 19, 2010 at 11:06 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>>
>> > Hello all,
>> >
>> > sorry I am late to the party! Have you tried looking at possible
>> > issues with DHCP option 82 insertion happening on the switch? Have
>> > you looked at any DHCP packet debugs on the device doing the relay?
>> >
>> > On Tue, Jan 19, 2010 at 2:55 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> > > Thanks for your suggestions
>> > >
>> > > Saud, the DHCP service is working perfectly fine without the snooping, I
>> > > think I already mentioned that the FWSM is doing the relay here.
>> > >
>> > > Tyson, the DHCP database is a valuable suggestion but that is the next
>> > > step. First have to populate the binding table somehow. The NTP requirement
>> > > is only for the DHCP snooping database (as mentioned in the documentation).
>> > >
>> > > We are going to upgrade and see how it goes.
>> > >
>> > > Regards
>> > >
>> > > Farrukh
>> > >
>> > > On Tue, Jan 19, 2010 at 12:51 AM, S Malik <ccie.09_at_gmail.com> wrote:
>> > >
>> > >> What about the configuration of 65K switches. I hope you have "ip
>> > >> helper-add" configured. Moreover, is your DHCP server up? And is it
>> > >> properly configured with the IP address range as of vlan interface on 65K?
>> > >> DHCP server will assign the IP address in the range of subnet which is
>> > >> configured on vlan interface. Make sure DHCP server is configured for the
>> > >> same subnet as of vlan interface.
>> > >> Try to sniff and see what is happening.
>> > >>
>> > >>
>> > >>
>> > >> On Mon, Jan 18, 2010 at 9:12 AM, Tyson Scott <tscott_at_ipexpert.com> wrote:
>> > >>
>> > >>> Sadiq,
>> > >>>
>> > >>> I would still fix the time regardless of the information.
>> > >>>
>> > >>> Regards,
>> > >>>
>> > >>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> > >>> Technical Instructor - IPexpert, Inc.
>> > >>> Mailto: tscott_at_ipexpert.com
>> > >>> Telephone: +1.810.326.1444, ext. 208
>> > >>> Live Assistance, Please visit: www.ipexpert.com/chat
>> > >>> eFax: +1.810.454.0130
>> > >>>
>> > >>> From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
>> > >>> Sent: Monday, January 18, 2010 9:08 AM
>> > >>> To: Tyson Scott
>> > >>> Cc: Farrukh Haroon; Cisco certification; Cisco certification
>> > >>> Subject: Re: DHCP Snooping not working
>> > >>>
>> > >>> Hi Tyson,
>> > >>>
>> > >>> That's a good observation actually. However, the lease time on the
>> > >>> switches is not actually represented in terms of current time but in
>> > >>> terms of duration.
>> > >>>
>> > >>> So regardless of the current time and/or time zone the switch is, it
>> > >>> would always honor the lease time. See below, my switch is not configured
>> > >>> with the right time at all, but my binding is still valid. PS: the DHCP
>> > >>> server is running accurate time.
>> > >>>
>> > >>> Thanks,
>> > >>> Sadiq
>> > >>>
>> > >>> 3KI3R28#sh ip dhcp snooping bind
>> > >>> MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
>> > >>> ------------------  ---------------  ----------  -------------  ----  --------------------
>> > >>> 00:15:17:1E:D0:E9   172.16.21.208    43053       dhcp-snooping  2021  GigabitEthernet1/0/2
>> > >>> Total number of bindings: 1
>> > >>>
>> > >>> 3KI3R28#sh clock
>> > >>> *01:10:15.683 gmt Fri Mar 5 1993
>> > >>> 3KI3R28#
>> > >>>
>> > >>> On Mon, Jan 18, 2010 at 1:46 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:
>> > >>>
>> > >>> Just some thoughts,
>> > >>>
>> > >>> Do you have NTP running? Are the clocks properly synchronized between
>> > >>> the Microsoft Servers and the 3560's?
>> > >>>
>> > >>> Before calling it a bug it may be a more restricted setting in the new
>> > >>> version of code that they are sticking to the strict lease times provided
>> > >>> by the DHCP server. So if the clocks are not synchronized make sure they
>> > >>> are all synchronized to an accurate time server.
>> > >>>
>> > >>> Next as a recommendation I would add to the configuration to have the
>> > >>> DHCP snooping database stored so it can survive a reboot.
>> > >>>
>> > >>> So add the following
>> > >>>
>> > >>> ip dhcp snooping vlan 101,104
>> > >>> no ip dhcp snooping information option
>> > >>> ip dhcp snooping
>> > >>>
>> > >>> !
>> > >>> ntp server x.x.x.x
>> > >>> clock timezone <zone> <offset>
>> > >>> ! if you have daylight savings time and it is configured on the servers too
>> > >>> clock summer-time <zone> recurring
>> > >>> ! After time is synchronized
>> > >>> ip dhcp snooping database flash:
>> > >>>
>> > >>> Regards,
>> > >>>
>> > >>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> > >>> Technical Instructor - IPexpert, Inc.
>> > >>> Mailto: tscott_at_ipexpert.com
>> > >>> Telephone: +1.810.326.1444, ext. 208
>> > >>>
>> > >>> Live Assistance, Please visit: www.ipexpert.com/chat
>> > >>> eFax: +1.810.454.0130
>> > >>>
>> > >>> -----Original Message-----
>> > >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Sadiq Yakasai
>> > >>> Sent: Monday, January 18, 2010 7:08 AM
>> > >>> To: Farrukh Haroon
>> > >>> Cc: Cisco certification; Cisco certification
>> > >>> Subject: Re: DHCP Snooping not working
>> > >>>
>> > >>> Hey Farrukh,
>> > >>>
>> > >>> It could be a bug man. I have worked with both images (44 and 50) and
>> > >>> both work fine with DHCP snooping. I would say upgrade and see how it
>> > >>> goes.
>> > >>>
>> > >>> Good luck!
>> > >>>
>> > >>> Sadiq
>> > >>>
>> > >>> On Mon, Jan 18, 2010 at 12:02 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> > >>>
>> > >>> > Dear Sadiq
>> > >>> >
>> > >>> > I think I tried setting the access ports as trusted option, but it
>> > >>> > did not help.
>> > >>> >
>> > >>> > For the software upgrade, I was planning on the following releases:
>> > >>> > 12.2(44)SE6 or 12.2(50)SE3
>> > >>> >
>> > >>> > Which one do you recommend?
>> > >>> >
>> > >>> > Regards
>> > >>> >
>> > >>> > Farrukh
>> > >>> >
>> > >>> >
>> > >>> > On Mon, Jan 18, 2010 at 2:41 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> > >>> >
>> > >>> >> My mistake. I should have given more details.
>> > >>> >>
>> > >>> >> Users are connected to 6 3560 access-layer switches. Even though
>> > >>> >> they are L3-capable switches, they are running in L2 mode. The
>> > >>> >> switches uplink to a 6500 Series Core Switch.
>> > >>> >>
>> > >>> >> There is an FWSM Module on the core switch which acts as the DHCP
>> > >>> >> relay agent for all the user requests. The DHCP servers (Microsoft)
>> > >>> >> are in a dedicated servers VLAN connected to the core switch.
>> > >>> >>
>> > >>> >> Regards
>> > >>> >>
>> > >>> >> Farrukh
>> > >>> >>
>> > >>> >>
>> > >>> >> On Mon, Jan 18, 2010 at 2:26 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>> > >>> >>
>> > >>> >>> Hi Farrukh,
>> > >>> >>>
>> > >>> >>> What if you trust the access ports? Does that change the outcome?
>> > >>> >>> What about moving on to a newer code?
>> > >>> >>>
>> > >>> >>> Is the debug above from the access switch? What's your topology
>> > >>> >>> here please?
>> > >>> >>>
>> > >>> >>> Sadiq
>> > >>> >>>
>> > >>> >>> On Mon, Jan 18, 2010 at 11:22 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> > >>> >>>
>> > >>> >>>> Dear All
>> > >>> >>>>
>> > >>> >>>> We are facing a weird issue while trying to configure DHCP
>> > >>> >>>> snooping. Users are unable to get/renew IP Addresses after enabling
>> > >>> >>>> DHCP snooping. The DHCP Snooping binding table is always empty.
>> > >>> >>>>
>> > >>> >>>> The configuration is pretty simple
>> > >>> >>>>
>> > >>> >>>> ip dhcp snooping vlan 101,104
>> > >>> >>>> no ip dhcp snooping information option
>> > >>> >>>> ip dhcp snooping
>> > >>> >>>>
>> > >>> >>>> All ports connected to DHCP servers and uplinks set as trusted.
>> > >>> >>>>
>> > >>> >>>> Switch Version: c3560-ipservices-mz.122-35.SE5
>> > >>> >>>>
>> > >>> >>>> I tried the same configuration with another 3560 Switch running an
>> > >>> >>>> older version with no issues at all.
>> > >>> >>>>
>> > >>> >>>> This is the error we see on all the trusted ports, any ideas why
>> > >>> >>>> this is happening:
>> > >>> >>>>
>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/49
>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
>> > >>> >>>>
>> > >>> >>>> Regards
>> > >>> >>>>
>> > >>> >>>> Farrukh
>> > >>> >>>>
>> > >>> >>>>
>> > >>> >>>> Blogs and organic groups at http://www.ccie.net
>> > >>> >>>>
>> > >>> >>>>
>> > >>> >>>> _______________________________________________________________________
>> > >>> >>>> Subscription information may be found at:
>> > >>> >>>> http://www.groupstudy.com/list/CCIELab.html
>> > >>> >>>>
>> > >>> >>>
>> > >>> >>>
>> > >>> >>> --
>> > >>> >>> CCIE #19963
>> > >>> >>>
>> > >>> >>
>> > >>> >>
>> > >>> >
>> > >>>
>> > >>>
>> > >>> --
>> > >>> CCIE #19963
>> > >>>
>> > >>> --
>> > >>> CCIE #19963
>> >
>> > --
>> > Regards,
>> >
>> > Joe Astorino CCIE #24347 (R&S)
>> > Sr. Technical Instructor - IPexpert
>> > Mailto: jastorino_at_ipexpert.com
>> > Telephone: +1.810.326.1444
>> > Live Assistance, Please visit: www.ipexpert.com/chat
>> > eFax: +1.810.454.0130
>> >
>> > IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
>> > (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
>> > Security & Service Provider) Certification Training with locations
>> > throughout the United States, Europe and Australia. Be sure to check
>> > out our online communities at www.ipexpert.com/communities and our
>> > public website at www.ipexpert.com
>>

Received on Tue Jan 19 2010 - 12:19:42 ART
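An added example, not from the thread or any of its participants: a Python helper that parses the "show ip dhcp snooping binding" output quoted above together with the "ip dhcp snooping vlan" lines of the config, computes each binding's absolute expiry as capture time plus Lease(sec) (Sadiq's point that the lease is a duration, so the switch's own clock does not affect it), and lists snooping-enabled VLANs that hold no binding at all (the empty table Farrukh reports). The sample output and config fragment are constructed, and CAPTURED_AT is an assumed capture time.

```python
import re
from datetime import datetime, timedelta, timezone
# One data row of "show ip dhcp snooping binding" (IOS 12.2 column order as in the thread).
BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<lease>\d+|infinite)\s+(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<iface>\S+)$", re.I)

# Constructed sample: the row posted in the thread plus a second row whose lease has run out.
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:15:17:1E:D0:E9   172.16.21.208    43053       dhcp-snooping  2021  GigabitEthernet1/0/2
00:1A:2B:3C:4D:5E   172.16.21.209    0           dhcp-snooping  104   GigabitEthernet1/0/3
Total number of bindings: 2
"""
# Constructed config in the style of the thread (VLAN 2021 added so the sample row is covered).
SAMPLE_CONFIG = "ip dhcp snooping vlan 101,104,2021\nno ip dhcp snooping information option\nip dhcp snooping\n"
# Assumed wall-clock time at which the output was captured (not the switch's own clock).
CAPTURED_AT = datetime(2010, 1, 18, 9, 8, tzinfo=timezone.utc)

def parse_bindings(text):
    """One dict per binding row; 'lease' is seconds remaining, or None for 'infinite'."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["lease"] = None if row["lease"].lower() == "infinite" else int(row["lease"])
            row["vlan"] = int(row["vlan"])
            rows.append(row)
    return rows

def parse_snooping_vlans(config):
    """VLAN ids from every 'ip dhcp snooping vlan ...' line; accepts lists (101,104) and ranges (101-104)."""
    vlans = set()
    for m in re.finditer(r"^ip dhcp snooping vlan (\S+)", config, re.M):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def expiry(row, captured_at):
    """Absolute expiry = capture time + remaining lease; the switch clock never enters into it."""
    return None if row["lease"] is None else captured_at + timedelta(seconds=row["lease"])

def vlans_without_bindings(config, rows):
    """Snooping-enabled VLANs that hold no binding at all, the symptom reported in the thread."""
    return sorted(parse_snooping_vlans(config) - {r["vlan"] for r in rows})
```

Feed it the real "show ip dhcp snooping binding" output and running-config text; a VLAN returned by vlans_without_bindings is one where no DHCP ACK ever reached the switch through an untrusted port, which is where the trust and relay settings discussed above should be checked.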

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART