Re: DHCP Snooping not working

From: Joe Astorino <jastorino_at_ipexpert.com>
Date: Tue, 19 Jan 2010 04:20:52 -0500

The issue could be related to how your DHCP relay interprets seeing
option 82 if it is indeed being inserted. You see, on some switches
running DHCP snooping what will happen is they will insert option 82
with the giaddr field set to 0.0.0.0, which the relay may drop. I am
not sure if you have done this, but you might need to either tell the
switch to NOT insert option 82, or tell the relay that you don't care
if the giaddr field is 0.0.0.0.
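As an added illustration of the check Joe describes (example code, not from anyone in this thread), the Python below builds a DHCPDISCOVER the way a Layer-2 snooping switch would forward it, option 82 inserted but giaddr still 0.0.0.0, and applies the RFC 3046 section 2.1.1 rule a relay uses to decide whether to drop it. The option 82 sub-option bytes, the switch MAC in the remote-id and the trust_all flag (assumed to stand in for IOS "ip dhcp relay information trust-all"; the FWSM side is not modelled) are constructed values, not taken from the thread.

```python
import ipaddress
import struct

OPT_RELAY_AGENT = 82        # RFC 3046 Relay Agent Information option
OPT_END = 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed option 82 payload in the sub-option layout Cisco documents:
# sub-option 1 (circuit-id): type 0, len 4, VLAN 101, module 0, port 2
# sub-option 2 (remote-id):  type 0, len 6, switch MAC (placeholder value)
OPTION82_SAMPLE = (b"\x01\x06\x00\x04" + struct.pack("!HBB", 101, 0, 2)
                   + b"\x02\x08\x00\x06" + b"\x00\x1b\xd4\xaa\xbb\xcc")

def parse_dhcp(pkt):
    """Return (giaddr, {option_code: raw_value}) from a raw BOOTP/DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    giaddr = ipaddress.IPv4Address(pkt[24:28])   # giaddr occupies bytes 24-27
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                           # pad byte has no length field
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return giaddr, opts

def relay_decision(pkt, trust_all=False):
    """RFC 3046 2.1.1 ingress rule: option 82 already present while giaddr is
    0.0.0.0 means an untrusted hop inserted it, so drop unless trust_all
    (assumed to model IOS 'ip dhcp relay information trust-all')."""
    giaddr, opts = parse_dhcp(pkt)
    if OPT_RELAY_AGENT in opts and int(giaddr) == 0 and not trust_all:
        return "drop"
    return "relay"

def build_discover(client_mac, option82=None, giaddr="0.0.0.0"):
    """Constructed DHCPDISCOVER; an L2 snooping switch leaves giaddr at 0.0.0.0."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s",
                      1, 1, 6, 0,               # op=BOOTREQUEST, htype=Ethernet, hlen, hops
                      0x3903F326, 0, 0x8000,    # xid, secs, flags (broadcast bit)
                      b"\0" * 4, b"\0" * 4, b"\0" * 4,      # ciaddr, yiaddr, siaddr
                      ipaddress.IPv4Address(giaddr).packed,
                      client_mac + b"\0" * 10)  # chaddr padded to 16 bytes
    pkt = hdr + b"\0" * 64 + b"\0" * 128 + MAGIC_COOKIE    # sname, file, cookie
    pkt += bytes([53, 1, 1])                   # option 53: message type 1 = DISCOVER
    if option82 is not None:
        pkt += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    return pkt + bytes([OPT_END])
```

With option 82 absent, or with giaddr set by a real relay, the packet is relayed; with option 82 present and giaddr 0.0.0.0 it is dropped unless trust_all is set, which is the symptom (empty binding table, no leases) this thread is chasing.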

On Tue, Jan 19, 2010 at 3:24 AM, swap m <ccie19804_at_gmail.com> wrote:
> How is the FWSM configured in regard to Option82? Enabled or disabled?
>
> You can try a debug on FWSM to verify DHCP relay activity.
> Swap
> #19804
> On Tue, Jan 19, 2010 at 12:18 PM, Farrukh Haroon <farrukhharoon_at_gmail.com>
> wrote:
>>
>> Hello Joe
>>
>> Thanks for your response. When Option82 was enabled, I found other errors
>> in the debug. I googled the errors and found out that Windows 2k3 and lower
>> don't support it (the newer version does, I believe). As soon as I disabled
>> it, the option82 related errors went away.
>>
>> The DHCP snooping should work even if I just enable it on the access layer
>> switches. I tested this on another environment and it worked.
>>
>> The core switch debugs seem to be normal. If it still does not work after
>> the upgrade, I will post them here.
>>
>> Regards
>>
>> Farrukh
>>
>> On Tue, Jan 19, 2010 at 11:06 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>>
>> > Hello all,
>> >
>> > Sorry I am late to the party! Have you tried looking at possible
>> > issues with DHCP option 82 insertion happening on the switch? Have
>> > you looked at any DHCP packet debugs on the device doing the relay?
>> >
>> > On Tue, Jan 19, 2010 at 2:55 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> > > Thanks for your suggestions.
>> > >
>> > > Saud, the DHCP service is working perfectly fine without the snooping. I
>> > > think I already mentioned that the FWSM is doing the relay here.
>> > >
>> > > Tyson, the DHCP database is a valuable suggestion but that is the next
>> > > step. First I have to populate the binding table somehow. The NTP
>> > > requirement is only for the DHCP snooping database (as mentioned in the
>> > > documentation).
>> > >
>> > > We are going to upgrade and see how it goes.
>> > >
>> > > Regards
>> > >
>> > > Farrukh
>> > >
>> > > On Tue, Jan 19, 2010 at 12:51 AM, S Malik <ccie.09_at_gmail.com> wrote:
>> > >
>> > >> What about the configuration of the 65K switches? I hope you have "ip
>> > >> helper-add" configured. Moreover, is your DHCP server up, and is it
>> > >> properly configured with the IP address range of the VLAN interface on
>> > >> the 65K? The DHCP server will assign the IP address in the range of the
>> > >> subnet which is configured on the VLAN interface. Make sure the DHCP
>> > >> server is configured for the same subnet as the VLAN interface.
>> > >> Try to sniff and see what is happening.
>> > >>
>> > >> On Mon, Jan 18, 2010 at 9:12 AM, Tyson Scott <tscott_at_ipexpert.com> wrote:
>> > >>
>> > >>> Sadiq,
>> > >>>
>> > >>> I would still fix the time regardless of the information.
>> > >>>
>> > >>> Regards,
>> > >>>
>> > >>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> > >>> Technical Instructor - IPexpert, Inc.
>> > >>> Mailto: tscott_at_ipexpert.com
>> > >>> Telephone: +1.810.326.1444, ext. 208
>> > >>> Live Assistance, Please visit: www.ipexpert.com/chat
>> > >>> eFax: +1.810.454.0130
>> > >>>
>> > >>> From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
>> > >>> Sent: Monday, January 18, 2010 9:08 AM
>> > >>> To: Tyson Scott
>> > >>> Cc: Farrukh Haroon; Cisco certification; Cisco certification
>> > >>> Subject: Re: DHCP Snooping not working
>> > >>>
>> > >>> Hi Tyson,
>> > >>>
>> > >>> That's a good observation actually. However, the lease time on the
>> > >>> switches is not actually represented in terms of current time but in
>> > >>> terms of duration.
>> > >>>
>> > >>> So regardless of the current time and/or time zone the switch is in, it
>> > >>> would always honor the lease time. See below, my switch is not
>> > >>> configured with the right time at all, but my binding is still valid.
>> > >>> PS: the DHCP server is running accurate time.
>> > >>>
>> > >>> Thanks,
>> > >>> Sadiq
>> > >>>
>> > >>> 3KI3R28#sh ip dhcp snooping bind
>> > >>> MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
>> > >>> ------------------  ---------------  ----------  -------------  ----  --------------------
>> > >>> 00:15:17:1E:D0:E9   172.16.21.208    43053       dhcp-snooping  2021  GigabitEthernet1/0/2
>> > >>> Total number of bindings: 1
>> > >>>
>> > >>> 3KI3R28#sh clock
>> > >>> *01:10:15.683 gmt Fri Mar 5 1993
>> > >>> 3KI3R28#
>> > >>>
>> > >>> On Mon, Jan 18, 2010 at 1:46 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:
>> > >>>
>> > >>> Just some thoughts,
>> > >>>
>> > >>> Do you have NTP running? Are the clocks properly synchronized between
>> > >>> the Microsoft Servers and the 3560's?
>> > >>>
>> > >>> Before calling it a bug, it may be a more restricted setting in the new
>> > >>> version of code, in that they are sticking to the strict lease times
>> > >>> provided by the DHCP server. So if the clocks are not synchronized, make
>> > >>> sure they are all synchronized to an accurate time server.
>> > >>>
>> > >>> Next, as a recommendation, I would add to the configuration to have the
>> > >>> DHCP snooping database stored so it can survive a reboot.
>> > >>>
>> > >>> So add the following:
>> > >>>
>> > >>> ip dhcp snooping vlan 101,104
>> > >>> no ip dhcp snooping information option
>> > >>> ip dhcp snooping
>> > >>> !
>> > >>> ntp server x.x.x.x
>> > >>> clock timezone <zone> <offset>
>> > >>> ! if you have daylight savings time and it is configured on the servers too
>> > >>> clock summer-time <zone> recurring
>> > >>> ! After time is synchronized
>> > >>> ip dhcp snooping database flash:
>> > >>>
>> > >>> Regards,
>> > >>>
>> > >>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> > >>> Technical Instructor - IPexpert, Inc.
>> > >>> Mailto: tscott_at_ipexpert.com
>> > >>> Telephone: +1.810.326.1444, ext. 208
>> > >>>
>> > >>> Live Assistance, Please visit: www.ipexpert.com/chat
>> > >>> eFax: +1.810.454.0130
>> > >>>
>> > >>> -----Original Message-----
>> > >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Sadiq Yakasai
>> > >>> Sent: Monday, January 18, 2010 7:08 AM
>> > >>> To: Farrukh Haroon
>> > >>> Cc: Cisco certification; Cisco certification
>> > >>> Subject: Re: DHCP Snooping not working
>> > >>>
>> > >>> Hey Farrukh,
>> > >>>
>> > >>> It could be a bug, man. I have worked with both images (44 and 50) and
>> > >>> both work fine with DHCP snooping. I would say upgrade and see how it
>> > >>> goes.
>> > >>>
>> > >>> Good luck!
>> > >>>
>> > >>> Sadiq
>> > >>>
>> > >>> On Mon, Jan 18, 2010 at 12:02 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> > >>>
>> > >>> > Dear Sadiq
>> > >>> >
>> > >>> > I think I tried setting the access ports as trusted option, but it
>> > >>> > did not help.
>> > >>> >
>> > >>> > For the software upgrade, I was planning on the following releases:
>> > >>> > 12.2(44)SE6 or 12.2(50)SE3
>> > >>> >
>> > >>> > Which one do you recommend?
>> > >>> >
>> > >>> > Regards
>> > >>> >
>> > >>> > Farrukh
>> > >>> >
>> > >>> >
>> > >>> > On Mon, Jan 18, 2010 at 2:41 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> > >>> >
>> > >>> >> My mistake. I should have given more details.
>> > >>> >>
>> > >>> >> Users are connected to 6 3560 access-layer switches. Even though
>> > >>> >> they are L3-capable switches, they are running in L2 mode. The
>> > >>> >> switches uplink to a 6500 Series Core Switch.
>> > >>> >>
>> > >>> >> There is an FWSM Module on the core switch which acts as the DHCP
>> > >>> >> relay agent for all the user requests. The DHCP servers (Microsoft)
>> > >>> >> are in a dedicated servers VLAN connected to the core switch.
>> > >>> >>
>> > >>> >> Regards
>> > >>> >>
>> > >>> >> Farrukh
>> > >>> >>
>> > >>> >>
>> > >>> >> On Mon, Jan 18, 2010 at 2:26 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>> > >>> >>
>> > >>> >>> Hi Farrukh,
>> > >>> >>>
>> > >>> >>> What if you trust the access ports? Does that change the outcome?
>> > >>> >>> What about moving on to a newer code?
>> > >>> >>>
>> > >>> >>> Is the debug above from the access switch? What's your topology
>> > >>> >>> here please?
>> > >>> >>>
>> > >>> >>> Sadiq
>> > >>> >>>
>> > >>> >>> On Mon, Jan 18, 2010 at 11:22 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> > >>> >>>
>> > >>> >>>> Dear All
>> > >>> >>>>
>> > >>> >>>> We are facing a weird issue while trying to configure DHCP
>> > >>> >>>> snooping. Users are unable to get/renew IP Addresses after enabling
>> > >>> >>>> DHCP snooping. The DHCP Snooping binding table is always empty.
>> > >>> >>>>
>> > >>> >>>> The configuration is pretty simple:
>> > >>> >>>>
>> > >>> >>>> ip dhcp snooping vlan 101,104
>> > >>> >>>> no ip dhcp snooping information option
>> > >>> >>>> ip dhcp snooping
>> > >>> >>>>
>> > >>> >>>> All ports connected to DHCP servers and uplinks are set as trusted.
>> > >>> >>>>
>> > >>> >>>> Switch Version: c3560-ipservices-mz.122-35.SE5
>> > >>> >>>>
>> > >>> >>>> I tried the same configuration with another 3560 Switch running an
>> > >>> >>>> older version with no issues at all.
>> > >>> >>>>
>> > >>> >>>> This is the error we see on all the trusted ports, any ideas why
>> > >>> >>>> this is happening:
>> > >>> >>>>
>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): *Clearing if_input for pak. Was Gi0/49*
>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): *Setting if_input to Gi0/49 for pak. Was not set*
>> > >>> >>>>
>> > >>> >>>> Regards
>> > >>> >>>>
>> > >>> >>>> Farrukh
>> > >>> >>>>
>> > >>> >>>> Blogs and organic groups at http://www.ccie.net
>> > >>> >>>>
>> > >>> >>>> _______________________________________________________________________
>> > >>> >>>> Subscription information may be found at:
>> > >>> >>>> http://www.groupstudy.com/list/CCIELab.html
>> > >>> >>>>
>> > >>> >>>
>> > >>> >>>
>> > >>> >>> --
>> > >>> >>> CCIE #19963
>> > >>> >>>
>> > >>> >>
>> > >>> >>
>> > >>> >
>> > >
>> > >
>> >
>> > --
>> > Regards,
>> >
>> > Joe Astorino CCIE #24347 (R&S)
>> > Sr. Technical Instructor - IPexpert
>> > Mailto: jastorino_at_ipexpert.com
>> > Telephone: +1.810.326.1444
>> > Live Assistance, Please visit: www.ipexpert.com/chat
>> > eFax: +1.810.454.0130
>> >
>> > IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
>> > (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
>> > Security & Service Provider) Certification Training with locations
>> > throughout the United States, Europe and Australia. Be sure to check
>> > out our online communities at www.ipexpert.com/communities and our
>> > public website at www.ipexpert.com

-- 
Regards,
Joe Astorino CCIE #24347 (R&S)
Sr. Technical Instructor - IPexpert
Mailto: jastorino_at_ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
Received on Tue Jan 19 2010 - 04:20:52 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART