Re: DHCP Snooping not working

From: Joe Astorino <jastorino_at_ipexpert.com>
Date: Tue, 19 Jan 2010 04:22:08 -0500

Oh another thing that would help isolate -- Do you see the DHCP
requests actually making it to your windows DHCP server? If you do,
that should rule out option 82 insertion causing the relay to drop the
packets.

On Tue, Jan 19, 2010 at 4:19 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
> Hello Swap
>
> This is the FWSM config
>
> dhcprelay server 10.11.10.4 Internal_Service_Zone
> dhcprelay server 10.11.15.4 Voice-Servers-Zone
> dhcprelay enable Data_Services_Zone
> dhcprelay enable Voice_Services_Zone
> dhcprelay setroute Internal_Service_Zone
> dhcprelay setroute Voice-Servers-Zone
> dhcprelay timeout 15
>
> Regards
> Farrukh
>
>
> On Tue, Jan 19, 2010 at 11:24 AM, swap m <ccie19804_at_gmail.com> wrote:
>>
>> how is the FWSM configured in regard to Option82? enabled ..disabled?
>>
>> you can try a debug on FWSM to verify DHCP relay activity.
>> Swap
>> #19804
>> On Tue, Jan 19, 2010 at 12:18 PM, Farrukh Haroon <farrukhharoon_at_gmail.com>
>> wrote:
>>>
>>> Hello Joe
>>>
>>> Thanks for your response. When Option82 was enabled, I found other errors
>>> in the debug. I googled the errors and found out that windows 2k3 and lower
>>> don't support it (the newer version does I believe). As soon as I disabled,
>>> the option82 related errors went away.
>>>
>>> The DHCP snooping should work even if I just enable it on the access
>>> layer switches. I tested this on another environment and it worked.
>>>
>>> The core switch debugs seem to be normal. If it still does not work after
>>> the upgrade, I will post them here.
>>>
>>> Regards
>>>
>>> Farrukh
>>>
>>> On Tue, Jan 19, 2010 at 11:06 AM, Joe Astorino
>>> <jastorino_at_ipexpert.com> wrote:
>>>
>>> > Hello all,
>>> >
>>> > sorry I am late to the party! Have you tried looking at possible
>>> > issues with DHCP option 82 insertion happening on the switch? Have
>>> > you looked at any DHCP packet debugs on the device doing the relay?
>>> >
>>> > On Tue, Jan 19, 2010 at 2:55 AM, Farrukh Haroon
>>> > <farrukhharoon_at_gmail.com>
>>> > wrote:
>>> > > Thanks for your suggestions
>>> > >
>>> > > Saud, the DHCP service is working perfectly fine without the
>>> > > snooping, I think I already mentioned that the FWSM is doing the relay here.
>>> > >
>>> > > Tyson, the DHCP database is a valuable suggestion but that is the
>>> > > next step. First have to populate the binding table somehow. The NTP
>>> > > requirement is only for the DHCP snooping database (as mentioned in the
>>> > > documentation).
>>> > >
>>> > > We are going to upgrade and see how it goes.
>>> > >
>>> > > Regards
>>> > >
>>> > > Farrukh
>>> > >
>>> > > On Tue, Jan 19, 2010 at 12:51 AM, S Malik <ccie.09_at_gmail.com> wrote:
>>> > >
>>> > >> What about the configuration of 65K switches. I hope you have "ip
>>> > >> helper-add" configured. Moreover, is your DHCP server up? And is it
>>> > >> properly configured with the IP address range as of vlan interface on 65K?
>>> > >> DHCP server will assign the IP address in the range of subnet which
>>> > >> is configured on vlan interface. Make sure DHCP server is configured
>>> > >> for the same subnet as of vlan interface.
>>> > >> Try to sniff and see what is happening.
>>> > >>
>>> > >>
>>> > >>
>>> > >> On Mon, Jan 18, 2010 at 9:12 AM, Tyson Scott <tscott_at_ipexpert.com>
>>> > wrote:
>>> > >>
>>> > >>> Sadiq,
>>> > >>>
>>> > >>> I would still fix the time regardless of the information.
>>> > >>>
>>> > >>> Regards,
>>> > >>>
>>> > >>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>> > >>> Technical Instructor - IPexpert, Inc.
>>> > >>> Mailto: tscott_at_ipexpert.com
>>> > >>> Telephone: +1.810.326.1444, ext. 208
>>> > >>> Live Assistance, Please visit: www.ipexpert.com/chat
>>> > >>> eFax: +1.810.454.0130
>>> > >>>
>>> > >>> From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
>>> > >>> Sent: Monday, January 18, 2010 9:08 AM
>>> > >>> To: Tyson Scott
>>> > >>> Cc: Farrukh Haroon; Cisco certification; Cisco certification
>>> > >>> Subject: Re: DHCP Snooping not working
>>> > >>>
>>> > >>> Hi Tyson,
>>> > >>>
>>> > >>> That's a good observation actually. However, the lease time on the
>>> > >>> switches is not actually represented in terms of current time but in
>>> > >>> terms of duration.
>>> > >>>
>>> > >>> So regardless of the current time and/or time zone the switch is, it
>>> > >>> would always honor the lease time. See below, my switch is not configured
>>> > >>> with the right time at all, but my binding is still valid. PS: the DHCP
>>> > >>> server is running accurate time.
>>> > >>>
>>> > >>> Thanks,
>>> > >>> Sadiq
>>> > >>>
>>> > >>> 3KI3R28#sh ip dhcp snooping bind
>>> > >>> MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
>>> > >>> ------------------  ---------------  ----------  -------------  ----  --------------------
>>> > >>> 00:15:17:1E:D0:E9   172.16.21.208    43053       dhcp-snooping  2021  GigabitEthernet1/0/2
>>> > >>> Total number of bindings: 1
>>> > >>>
>>> > >>> 3KI3R28#sh clock
>>> > >>> *01:10:15.683 gmt Fri Mar 5 1993
>>> > >>> 3KI3R28#
>>> > >>>
>>> > >>> On Mon, Jan 18, 2010 at 1:46 PM, Tyson Scott <tscott_at_ipexpert.com>
>>> > wrote:
>>> > >>>
>>> > >>> Just some thoughts,
>>> > >>>
>>> > >>> Do you have NTP running? Are the clocks properly synchronized between
>>> > >>> the Microsoft Servers and the 3560's?
>>> > >>>
>>> > >>> Before calling it a bug it may be a more restricted setting in the new
>>> > >>> version of code that they are sticking to the strict lease times provided
>>> > >>> by the DHCP server. So if the clocks are not synchronized make sure they
>>> > >>> are all synchronized to an accurate time server.
>>> > >>>
>>> > >>> Next as a recommendation I would add to the configuration to have the
>>> > >>> DHCP snooping database stored so it can survive a reboot.
>>> > >>>
>>> > >>> So add the following
>>> > >>>
>>> > >>> ip dhcp snooping vlan 101,104
>>> > >>> no ip dhcp snooping information option
>>> > >>> ip dhcp snooping
>>> > >>> !
>>> > >>> ntp server x.x.x.x
>>> > >>> clock timezone <zone> <offset>
>>> > >>> ! if you have daylight savings time and it is configured on the servers too
>>> > >>> clock summer-time <zone> recurring
>>> > >>> ! After time is synchronized
>>> > >>> ip dhcp snooping database flash:
>>> > >>>
>>> > >>> Regards,
>>> > >>>
>>> > >>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>> > >>> Technical Instructor - IPexpert, Inc.
>>> > >>> Mailto: tscott_at_ipexpert.com
>>> > >>> Telephone: +1.810.326.1444, ext. 208
>>> > >>>
>>> > >>> Live Assistance, Please visit: www.ipexpert.com/chat
>>> > >>> eFax: +1.810.454.0130
>>> > >>>
>>> > >>> -----Original Message-----
>>> > >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Sadiq Yakasai
>>> > >>> Sent: Monday, January 18, 2010 7:08 AM
>>> > >>> To: Farrukh Haroon
>>> > >>> Cc: Cisco certification; Cisco certification
>>> > >>> Subject: Re: DHCP Snooping not working
>>> > >>>
>>> > >>> Hey Farrukh,
>>> > >>>
>>> > >>> It could be a bug man. I have worked with both images (44 and 50) and
>>> > >>> both work fine with DHCP snooping. I would say upgrade and see how it
>>> > >>> goes.
>>> > >>>
>>> > >>> Good luck!
>>> > >>>
>>> > >>> Sadiq
>>> > >>>
>>> > >>> On Mon, Jan 18, 2010 at 12:02 PM, Farrukh Haroon
>>> > >>> <farrukhharoon_at_gmail.com> wrote:
>>> > >>>
>>> > >>> > Dear Sadiq
>>> > >>> >
>>> > >>> > I think I tried setting the access ports as trusted option, but it
>>> > >>> > did not help.
>>> > >>> >
>>> > >>> > For the software upgrade, I was planning on the following releases:
>>> > >>> > 12.2(44)SE6 or 12.2(50)SE3
>>> > >>> >
>>> > >>> > Which one do you recommend?
>>> > >>> >
>>> > >>> > Regards
>>> > >>> >
>>> > >>> > Farrukh
>>> > >>> >
>>> > >>> >
>>> > >>> > On Mon, Jan 18, 2010 at 2:41 PM, Farrukh Haroon
>>> > >>> > <farrukhharoon_at_gmail.com> wrote:
>>> > >>> >
>>> > >>> >> My mistake. I should have given more details.
>>> > >>> >>
>>> > >>> >> Users are connected to 6 3560 access-layer switches. Even though
>>> > >>> >> they are L3-capable switches, they are running in L2 mode. The switches
>>> > >>> >> uplink to a 6500 Series Core Switch.
>>> > >>> >>
>>> > >>> >> There is an FWSM Module on the core switch which acts as the DHCP
>>> > >>> >> relay agent for all the user requests. The DHCP servers (Microsoft)
>>> > >>> >> are in a dedicated servers VLAN connected to the core switch.
>>> > >>> >>
>>> > >>> >> Regards
>>> > >>> >>
>>> > >>> >> Farrukh
>>> > >>> >>
>>> > >>> >>
>>> > >>> >> On Mon, Jan 18, 2010 at 2:26 PM, Sadiq Yakasai
>>> > >>> >> <sadiqtanko_at_gmail.com> wrote:
>>> > >>> >>
>>> > >>> >>> Hi Farrukh,
>>> > >>> >>>
>>> > >>> >>> What if you trust the access ports? Does that change the outcome?
>>> > >>> >>> What about moving on to a newer code?
>>> > >>> >>>
>>> > >>> >>> Is the debug above from the access switch? What's your topology
>>> > >>> >>> here please?
>>> > >>> >>>
>>> > >>> >>> Sadiq
>>> > >>> >>>
>>> > >>> >>> On Mon, Jan 18, 2010 at 11:22 AM, Farrukh Haroon <
>>> > >>> >>> farrukhharoon_at_gmail.com> wrote:
>>> > >>> >>>
>>> > >>> >>>> Dear All
>>> > >>> >>>>
>>> > >>> >>>> We are facing a weird issue while trying to configure DHCP snooping.
>>> > >>> >>>> Users are unable to get/renew IP Addresses after enabling DHCP snooping.
>>> > >>> >>>> The DHCP Snooping binding table is always empty.
>>> > >>> >>>>
>>> > >>> >>>> The configuration is pretty simple
>>> > >>> >>>>
>>> > >>> >>>> ip dhcp snooping vlan 101,104
>>> > >>> >>>> no ip dhcp snooping information option
>>> > >>> >>>> ip dhcp snooping
>>> > >>> >>>>
>>> > >>> >>>> All ports connected to DHCP servers and uplinks set as trusted.
>>> > >>> >>>>
>>> > >>> >>>> Switch Version: c3560-ipservices-mz.122-35.SE5
>>> > >>> >>>>
>>> > >>> >>>> I tried the same configuration with another 3560 Switch running an
>>> > >>> >>>> older version with no issues at all.
>>> > >>> >>>>
>>> > >>> >>>> This is the error we see on all the trusted ports, any ideas why this
>>> > >>> >>>> is happening:
>>> > >>> >>>>
>>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
>>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/49
>>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
>>> > >>> >>>>
>>> > >>> >>>> Regards
>>> > >>> >>>>
>>> > >>> >>>> Farrukh
>>> > >>> >>>>
>>> > >>> >>>>
>>> > >>> >>>> Blogs and organic groups at http://www.ccie.net
>>> > >>> >>>>
>>> > >>> >>>>
>>> > >>>
>>> > >>> _______________________________________________________________________
>>> > >>> >>>> Subscription information may be found at:
>>> > >>> >>>> http://www.groupstudy.com/list/CCIELab.html
>>> > >>> >>>
>>> > >>> >>>
>>> > >>> >>> --
>>> > >>> >>> CCIE #19963
>>> > >>> >>>
>>> > >>> >>
>>> > >>> >>
>>> > >>> >
>>> > >>>
>>> > >>>
>>> > >>> --
>>> > >>> CCIE #19963
>>> > >>>
>>> > >>>
>>> > >>> --
>>> > >>> CCIE #19963
>>> > >>>
>>> > >
>>> > >
>>> >
>>> >
>>> >
>>> > --
>>> > Regards,
>>> >
>>> > Joe Astorino CCIE #24347 (R&S)
>>> > Sr. Technical Instructor - IPexpert
>>> > Mailto: jastorino_at_ipexpert.com
>>> > Telephone: +1.810.326.1444
>>> > Live Assistance, Please visit: www.ipexpert.com/chat
>>> > eFax: +1.810.454.0130
>>> >
>>> > IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
>>> > (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
>>> > Security & Service Provider) Certification Training with locations
>>> > throughout the United States, Europe and Australia. Be sure to check
>>> > out our online communities at www.ipexpert.com/communities and our
>>> > public website at www.ipexpert.com
>>>
>>>
>>
>
>

-- 
Regards,
Joe Astorino CCIE #24347 (R&S)
Sr. Technical Instructor - IPexpert
Mailto: jastorino_at_ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
Received on Tue Jan 19 2010 - 04:22:08 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART
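Joe's question about option 82 insertion, and the `no ip dhcp snooping information option` line in Farrukh's and Tyson's configs, both turn on what the relay agent information option looks like inside a DHCP request and why a relay or a snooping switch may refuse to forward it. The script below is an added example, not code from the thread or from any of its participants. It builds a minimal DHCPDISCOVER with and without option 82 (in the default Cisco Catalyst circuit-id/remote-id layout), decodes it, and applies two documented checks: a snooping switch drops a packet that already carries option 82 when it arrives on an untrusted port unless `ip dhcp snooping information option allow-untrusted` is configured, and a Cisco IOS relay agent drops an option-82 packet whose giaddr is still 0.0.0.0 unless `ip dhcp relay information trust-all` is set. Whether the FWSM relay in this thread applies the same giaddr check is not stated on the page and is treated as an assumption; the MAC addresses, VLAN, module and port numbers are constructed sample values.

```python
"""Added example (not from the thread): build and decode DHCPDISCOVER packets
with and without the relay agent information option (option 82, RFC 3046) and
apply the two checks that decide whether such a packet is forwarded.
MAC addresses, VLAN, module and port numbers below are constructed samples."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed fields, 236 bytes
OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
DHCPDISCOVER = 1


def cisco_option82(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Option 82 in the default Cisco Catalyst layout: circuit-id carries
    (type 0, len 4, vlan, module, port); remote-id carries (type 0, len 6, MAC)."""
    circuit_id = bytes([0, 4]) + struct.pack("!HBB", vlan, module, port)
    remote_id = bytes([0, 6]) + switch_mac
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body


def build_discover(client_mac: bytes, xid: int, giaddr: str = "0.0.0.0",
                   option82: bytes = b"") -> bytes:
    """Minimal DHCPDISCOVER. A client sends giaddr 0.0.0.0; a relay that
    forwards the request fills giaddr with its own interface address."""
    header = struct.pack(
        HEADER_FMT,
        1, 1, 6, 0,                        # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                    # transaction id, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr
        socket.inet_aton(giaddr),
        client_mac.ljust(16, b"\0"),       # chaddr padded to 16 bytes
        b"\0" * 64, b"\0" * 128)           # sname, file
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER]) + option82 + bytes([OPT_END])
    return header + MAGIC_COOKIE + options


def parse_options(packet: bytes) -> dict:
    """Return {option code: raw value} from the variable-length options field."""
    fixed = struct.calcsize(HEADER_FMT)
    if packet[fixed:fixed + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, fixed + 4
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                 # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def decode_option82(raw: bytes) -> dict:
    """Split option 82 into sub-options and decode the Cisco circuit-id layout."""
    subs, i = {}, 0
    while i < len(raw):
        code, length = raw[i], raw[i + 1]
        subs[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    cid = subs.get(SUBOPT_CIRCUIT_ID, b"")
    vlan, module, port = struct.unpack("!HBB", cid[2:6]) if len(cid) == 6 else (None,) * 3
    return {"vlan": vlan, "module": module, "port": port,
            "remote_id": subs.get(SUBOPT_REMOTE_ID, b"")[2:]}


def giaddr_of(packet: bytes) -> str:
    return socket.inet_ntoa(packet[24:28])


def snooping_verdict(packet: bytes, port_trusted: bool, allow_untrusted: bool = False) -> str:
    """Ingress check of a DHCP snooping switch: a packet that already carries
    option 82 is dropped on an untrusted port unless
    'ip dhcp snooping information option allow-untrusted' is configured."""
    if OPT_RELAY_AGENT_INFO in parse_options(packet) and not (port_trusted or allow_untrusted):
        return "drop: option 82 on untrusted port"
    return "forward"


def relay_verdict(packet: bytes, trust_all: bool = False) -> str:
    """Check a Cisco IOS relay agent applies by default: option 82 with giaddr
    0.0.0.0 is dropped unless 'ip dhcp relay information trust-all' is set.
    That the FWSM in the thread behaves the same way is an assumption."""
    if (OPT_RELAY_AGENT_INFO in parse_options(packet)
            and giaddr_of(packet) == "0.0.0.0" and not trust_all):
        return "drop: option 82 with giaddr 0.0.0.0"
    return "forward"


if __name__ == "__main__":
    client = bytes.fromhex("020000000a01")   # constructed client MAC
    switch = bytes.fromhex("020000000b01")   # constructed access-switch MAC
    plain = build_discover(client, 0x1234)
    tagged = build_discover(client, 0x1234, option82=cisco_option82(101, 0, 2, switch))
    print("option 82 contents:", decode_option82(parse_options(tagged)[OPT_RELAY_AGENT_INFO]))
    for name, pkt in (("no option 82", plain), ("option 82 inserted", tagged)):
        print(f"{name:20} snooping(untrusted)={snooping_verdict(pkt, port_trusted=False)!r:40}"
              f" relay={relay_verdict(pkt)!r}")
```

The two verdict functions show one way the symptom in the thread can arise: an access switch that inserts option 82 leaves giaddr at 0.0.0.0, so a relay applying the IOS default never forwards the request, no DHCPACK comes back, and the snooping binding table (which is populated from ACKs) stays empty. Disabling insertion, as both configs in the thread do, removes the option from the packet entirely, which is what the `plain` packet models.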