Re: DHCP Snooping not working

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Tue, 19 Jan 2010 10:09:44 +0000

Basic thing here is if the config works on an older code, it **must** work
on a later code without breaking - per Cisco upgrade policy.

On Tue, Jan 19, 2010 at 9:22 AM, Joe Astorino <jastorino_at_ipexpert.com>wrote:

> Oh another thing that would help isolate -- Do you see the DHCP
> requests actually making it to your windows DHCP server? If you do,
> that should rule out option 82 insertion causing the relay to drop the
> packets.
>
> On Tue, Jan 19, 2010 at 4:19 AM, Farrukh Haroon <farrukhharoon_at_gmail.com>
> wrote:
> > Hello Swap
> >
> > This is the FWSM config
> >
> > dhcprelay server 10.11.10.4 Internal_Service_Zone
> > dhcprelay server 10.11.15.4 Voice-Servers-Zone
> > dhcprelay enable Data_Services_Zone
> > dhcprelay enable Voice_Services_Zone
> > dhcprelay setroute Internal_Service_Zone
> > dhcprelay setroute Voice-Servers-Zone
> > dhcprelay timeout 15
> >
> > Regards
> > Farrukh
> >
> >
> > On Tue, Jan 19, 2010 at 11:24 AM, swap m <ccie19804_at_gmail.com> wrote:
> >>
> >> how is the FWSM configured in regard to Option82? enabled ..disabled?
> >>
> >> you can try a debug on FWSM to verify DHCP relay activity.
> >> Swap
> >> #19804
> >> On Tue, Jan 19, 2010 at 12:18 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
> >>>
> >>> Hello Joe
> >>>
> >>> Thanks for your response. When Option82 was enabled, I found other
> >>> errors in the debug. I googled the errors and found out that windows 2k3
> >>> and lower don't support it (the newer version does I believe). As soon
> >>> as I disabled, the option82 related errors went away.
> >>>
> >>> The DHCP snooping should work even if I just enable it on the access
> >>> layer switches. I tested this on another environment and it worked.
> >>>
> >>> The core switch debugs seem to be normal. If it still does not work
> >>> after the upgrade, I will post them here.
> >>>
> >>> Regards
> >>>
> >>> Farrukh
> >>>
> >>> On Tue, Jan 19, 2010 at 11:06 AM, Joe Astorino
> >>> <jastorino_at_ipexpert.com> wrote:
> >>>
> >>> > Hello all,
> >>> >
> >>> > sorry I am late to the party! Have you tried looking at possible
> >>> > issues with DHCP option 82 insertion happening on the switch? Have
> >>> > you looked at any DHCP packet debugs on the device doing the relay?
> >>> >
> >>> > On Tue, Jan 19, 2010 at 2:55 AM, Farrukh Haroon
> >>> > <farrukhharoon_at_gmail.com> wrote:
> >>> > > Thanks for your suggestions
> >>> > >
> >>> > > Saud, the DHCP service is working perfectly fine without the
> >>> > > snooping, I think I already mentioned that the FWSM is doing the
> >>> > > relay here.
> >>> > >
> >>> > > Tyson, the DHCP database is a valuable suggestion but that is the
> >>> > > next step. First have to populate the binding table somehow. The NTP
> >>> > > requirement is only for the DHCP snooping database (as mentioned in
> >>> > > the documentation).
> >>> > >
> >>> > > We are going to upgrade and see how it goes.
> >>> > >
> >>> > > Regards
> >>> > >
> >>> > > Farrukh
> >>> > >
> >>> > > On Tue, Jan 19, 2010 at 12:51 AM, S Malik <ccie.09_at_gmail.com> wrote:
> >>> > >
> >>> > >> What about the configuration of 65K switches. I hope you have "ip
> >>> > >> helper-add" configured. Moreover, is your DHCP server up? and is it
> >>> > >> properly configured with the IP address range as of vlan interface
> >>> > >> on 65K? DHCP server will assign the IP address in the range of subnet
> >>> > >> which is configured on vlan interface. Make sure DHCP server is
> >>> > >> configured for the same subnet as of vlan interface.
> >>> > >> Try to sniff and see what is happening.
> >>> > >>
> >>> > >>
> >>> > >>
> >>> > >> On Mon, Jan 18, 2010 at 9:12 AM, Tyson Scott <tscott_at_ipexpert.com> wrote:
> >>> > >>
> >>> > >>> Sadiq,
> >>> > >>>
> >>> > >>> I would still fix the time regardless of the information.
> >>> > >>>
> >>> > >>> Regards,
> >>> > >>>
> >>> > >>> Tyson Scott - CCIE #13513 R&S, Security, and SP
> >>> > >>> Technical Instructor - IPexpert, Inc.
> >>> > >>> Mailto: tscott_at_ipexpert.com
> >>> > >>> Telephone: +1.810.326.1444, ext. 208
> >>> > >>> Live Assistance, Please visit: www.ipexpert.com/chat
> >>> > >>> eFax: +1.810.454.0130
> >>> > >>>
> >>> > >>> From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
> >>> > >>> Sent: Monday, January 18, 2010 9:08 AM
> >>> > >>> To: Tyson Scott
> >>> > >>> Cc: Farrukh Haroon; Cisco certification; Cisco certification
> >>> > >>> Subject: Re: DHCP Snooping not working
> >>> > >>>
> >>> > >>> Hi Tyson,
> >>> > >>>
> >>> > >>> That's a good observation actually. However, the lease time on the
> >>> > >>> switches is not actually represented in terms of current time but
> >>> > >>> in terms of duration.
> >>> > >>>
> >>> > >>> So regardless of the current time and/or time zone the switch is,
> >>> > >>> it would always honor the lease time. See below, my switch is not
> >>> > >>> configured with the right time at all, but my binding is still
> >>> > >>> valid. PS: the DHCP server is running accurate time.
> >>> > >>>
> >>> > >>> Thanks,
> >>> > >>> Sadiq
> >>> > >>>
> >>> > >>> 3KI3R28#sh ip dhcp snooping bind
> >>> > >>> MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
> >>> > >>> ------------------  ---------------  ----------  -------------  ----  --------------------
> >>> > >>> 00:15:17:1E:D0:E9   172.16.21.208    43053       dhcp-snooping  2021  GigabitEthernet1/0/2
> >>> > >>> Total number of bindings: 1
> >>> > >>>
> >>> > >>> 3KI3R28#sh clock
> >>> > >>> *01:10:15.683 gmt Fri Mar 5 1993
> >>> > >>> 3KI3R28#
> >>> > >>>
> >>> > >>> On Mon, Jan 18, 2010 at 1:46 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:
> >>> > >>>
> >>> > >>> Just some thoughts,
> >>> > >>>
> >>> > >>> Do you have NTP running? Are the clocks properly synchronized
> >>> > >>> between the Microsoft Servers and the 3560's?
> >>> > >>>
> >>> > >>> Before calling it a bug it may be a more restricted setting in the
> >>> > >>> new version of code that they are sticking to the strict lease
> >>> > >>> times provided by the DHCP server. So if the clocks are not
> >>> > >>> synchronized make sure they are all synchronized to an accurate
> >>> > >>> time server.
> >>> > >>>
> >>> > >>> Next as a recommendation I would add to the configuration to have
> >>> > >>> the DHCP snooping database stored so it can survive a reboot.
> >>> > >>>
> >>> > >>> So add the following
> >>> > >>>
> >>> > >>>
> >>> > >>> ip dhcp snooping vlan 101,104
> >>> > >>> no ip dhcp snooping information option
> >>> > >>> ip dhcp snooping
> >>> > >>> !
> >>> > >>> ntp server x.x.x.x
> >>> > >>> clock timezone <zone> <offset>
> >>> > >>> ! if you have daylight savings time and it is configured on the servers too
> >>> > >>> clock summer-time <zone> recurring
> >>> > >>> ! After time is synchronized
> >>> > >>> ip dhcp snooping database flash:
> >>> > >>>
> >>> > >>> Regards,
> >>> > >>>
> >>> > >>> Tyson Scott - CCIE #13513 R&S, Security, and SP
> >>> > >>> Technical Instructor - IPexpert, Inc.
> >>> > >>> Mailto: tscott_at_ipexpert.com
> >>> > >>> Telephone: +1.810.326.1444, ext. 208
> >>> > >>>
> >>> > >>> Live Assistance, Please visit: www.ipexpert.com/chat
> >>> > >>> eFax: +1.810.454.0130
> >>> > >>>
> >>> > >>>
> >>> > >>>
> >>> > >>> -----Original Message-----
> >>> > >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On
> >>> > >>> Behalf Of Sadiq Yakasai
> >>> > >>>
> >>> > >>> Sent: Monday, January 18, 2010 7:08 AM
> >>> > >>> To: Farrukh Haroon
> >>> > >>> Cc: Cisco certification; Cisco certification
> >>> > >>> Subject: Re: DHCP Snooping not working
> >>> > >>>
> >>> > >>> Hey Farrukh,
> >>> > >>>
> >>> > >>> It could be a bug man. I have worked with both images (44 and 50)
> >>> > >>> and both work fine with DHCP snooping. I would say upgrade and see
> >>> > >>> how it goes.
> >>> > >>>
> >>> > >>> Good luck!
> >>> > >>>
> >>> > >>> Sadiq
> >>> > >>>
> >>> > >>> On Mon, Jan 18, 2010 at 12:02 PM, Farrukh Haroon
> >>> > >>> <farrukhharoon_at_gmail.com> wrote:
> >>> > >>>
> >>> > >>> > Dear Sadiq
> >>> > >>> >
> >>> > >>> > I think I tried setting the access ports as trusted option, but
> >>> > >>> > it did not help.
> >>> > >>> >
> >>> > >>> > For the software upgrade, I was planning on the following
> >>> > >>> > releases: 12.2(44)SE6 or 12.2(50)SE3
> >>> > >>> >
> >>> > >>> > Which one do you recommend?
> >>> > >>> >
> >>> > >>> > Regards
> >>> > >>> >
> >>> > >>> > Farrukh
> >>> > >>> >
> >>> > >>> >
> >>> > >>> > On Mon, Jan 18, 2010 at 2:41 PM, Farrukh Haroon
> >>> > >>> > <farrukhharoon_at_gmail.com> wrote:
> >>> > >>> >
> >>> > >>> >> My mistake. I should have given more details.
> >>> > >>> >>
> >>> > >>> >> Users are connected to 6 3560 access-layer switches. Even though
> >>> > >>> >> they are L3-capable switches, they are running in L2 mode. The
> >>> > >>> >> switches uplink to a 6500 Series Core Switch.
> >>> > >>> >>
> >>> > >>> >> There is an FWSM Module on the core switch which acts as the DHCP
> >>> > >>> >> relay agent for all the user requests. The DHCP servers
> >>> > >>> >> (Microsoft) are in a dedicated servers VLAN connected to the core
> >>> > >>> >> switch.
> >>> > >>> >>
> >>> > >>> >> Regards
> >>> > >>> >>
> >>> > >>> >> Farrukh
> >>> > >>> >>
> >>> > >>> >>
> >>> > >>> >> On Mon, Jan 18, 2010 at 2:26 PM, Sadiq Yakasai
> >>> > >>> >> <sadiqtanko_at_gmail.com> wrote:
> >>> > >>> >>
> >>> > >>> >>> Hi Farrukh,
> >>> > >>> >>>
> >>> > >>> >>> What if you trust the access ports? Does that change the
> >>> > >>> >>> outcome? What about moving on to a newer code?
> >>> > >>> >>>
> >>> > >>> >>> Is the debug above from the access switch? What's your
> >>> > >>> >>> topology here please?
> >>> > >>> >>>
> >>> > >>> >>> Sadiq
> >>> > >>> >>>
> >>> > >>> >>> On Mon, Jan 18, 2010 at 11:22 AM, Farrukh Haroon
> >>> > >>> >>> <farrukhharoon_at_gmail.com> wrote:
> >>> > >>> >>>
> >>> > >>> >>>> Dear All
> >>> > >>> >>>>
> >>> > >>> >>>> We are facing a weird issue while trying to configure DHCP
> >>> > >>> >>>> snooping. Users are unable to get/renew IP Addresses after
> >>> > >>> >>>> enabling DHCP snooping. The DHCP Snooping binding table is
> >>> > >>> >>>> always empty.
> >>> > >>> >>>>
> >>> > >>> >>>> The configuration is pretty simple
> >>> > >>> >>>>
> >>> > >>> >>>> ip dhcp snooping vlan 101,104
> >>> > >>> >>>> no ip dhcp snooping information option
> >>> > >>> >>>> ip dhcp snooping
> >>> > >>> >>>>
> >>> > >>> >>>> All ports connected to DHCP servers and uplinks set as trusted.
> >>> > >>> >>>>
> >>> > >>> >>>> Switch Version: c3560-ipservices-mz.122-35.SE5
> >>> > >>> >>>>
> >>> > >>> >>>> I tried the same configuration with another 3560 Switch running
> >>> > >>> >>>> an older version with no issues at all.
> >>> > >>> >>>>
> >>> > >>> >>>> This is the error we see on all the trusted ports, any ideas
> >>> > >>> >>>> why this is happening:
> >>> > >>> >>>>
> >>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
> >>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak. Was Gi0/49
> >>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
> >>> > >>> >>>>
> >>> > >>> >>>> Regards
> >>> > >>> >>>>
> >>> > >>> >>>> Farrukh
> >>> > >>> >>>>
> >>> > >>> >>>>
> >>> > >>> >>>> Blogs and organic groups at http://www.ccie.net
> >>> > >>> >>>>
> >>> > >>> >>>>
> >>> > >>>
> >>> > >>>
> _______________________________________________________________________
> >>> > >>> >>>> Subscription information may be found at:
> >>> > >>> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>> > >>> >>>
> >>> > >>> >>>
> >>> > >>> >>> --
> >>> > >>> >>> CCIE #19963
> >>> > >>> >>>
> >>> > >>> >>
> >>> > >>> >>
> >>> > >>> >
> >>> > >>>
> >>> > >>>
> >>> > >>> --
> >>> > >>> CCIE #19963
> >>> > >>>
> >>> > >>>
> >>> > >>> --
> >>> > >>> CCIE #19963
> >>> > >>>
> >>> > >
> >>> >
> >>> >
> >>> >
> >>> > --
> >>> > Regards,
> >>> >
> >>> > Joe Astorino CCIE #24347 (R&S)
> >>> > Sr. Technical Instructor - IPexpert
> >>> > Mailto: jastorino_at_ipexpert.com
> >>> > Telephone: +1.810.326.1444
> >>> > Live Assistance, Please visit: www.ipexpert.com/chat
> >>> > eFax: +1.810.454.0130
> >>> >
> >>> > IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
> >>> > (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
> >>> > Security & Service Provider) Certification Training with locations
> >>> > throughout the United States, Europe and Australia. Be sure to check
> >>> > out our online communities at www.ipexpert.com/communities and our
> >>> > public website at www.ipexpert.com
> >>>
> >>
> >
> >
>
>
>
> --
> Regards,
>
> Joe Astorino CCIE #24347 (R&S)
> Sr. Technical Instructor - IPexpert
> Mailto: jastorino_at_ipexpert.com
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
>

-- 
CCIE #19963
Blogs and organic groups at http://www.ccie.net
Received on Tue Jan 19 2010 - 10:09:44 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART
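Joe's question about option 82 insertion and Farrukh's observation that the errors disappeared after `no ip dhcp snooping information option` both come down to one packet-level condition: a request that already carries a relay agent information option while its giaddr field is still 0.0.0.0. The following is an added example, not code from any poster in this thread or from Cisco. It builds two constructed DHCPDISCOVER packets, one plain and one with an option 82 the way an access switch would insert it before any L3 relay has filled in giaddr, parses them, and flags the combination that a relay or server validating option 82 (RFC 3046) discards. The circuit-id and remote-id values and the switch name are made up and do not follow the exact sub-option encoding a 3560 uses.

```python
"""Diagnose why a DHCP request may be dropped after a snooping switch inserts option 82.

Added example for this thread; not code from any poster or from Cisco.
The sample packets and the option 82 sub-option values below are constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Fixed BOOTP header (236 bytes) followed by the 4-byte DHCP magic cookie.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82           # RFC 3046 relay agent information ("option 82")
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_request(msg_type: int, client_mac: bytes, giaddr: bytes = b"\0" * 4,
                  relay_info: Optional[List[Tuple[int, bytes]]] = None) -> bytes:
    """Build a minimal BOOTREQUEST with a message-type option and optional option 82."""
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, giaddr,
                         client_mac, b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if relay_info:
        body = b"".join(bytes([code, len(val)]) + val for code, val in relay_info)
        options += bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Parse a TLV list; used for the top-level options and for option 82 sub-options."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out[code] = value
        i += 2 + length
    return out


def parse_dhcp(packet: bytes) -> dict:
    """Decode the header fields and options that matter for relay/snooping diagnosis."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(BOOTP_FMT, packet[:236])
    opts = parse_options(packet[240:])
    msg_type = opts.get(OPT_MSG_TYPE, b"\0")[0]
    relay = parse_options(opts[OPT_RELAY_AGENT_INFO]) if OPT_RELAY_AGENT_INFO in opts else None
    return {
        "op": f[0],
        "msg_type": MSG_TYPES.get(msg_type, str(msg_type)),
        "giaddr": ".".join(str(b) for b in f[10]),
        "chaddr": f[11][:f[2]].hex(":"),    # hlen bytes of the hardware address
        "option82": relay,
    }


def diagnose(packet: bytes) -> List[str]:
    """Return the conditions that typically make a relay or server discard the request."""
    p = parse_dhcp(packet)
    findings = []
    if p["op"] == 1 and p["option82"] is not None and p["giaddr"] == "0.0.0.0":
        findings.append(
            "option 82 present but giaddr is 0.0.0.0: a relay agent that validates "
            "relay information (the default on Cisco IOS relays) or a server that does "
            "not understand option 82 may drop this request; disabling insertion on the "
            "access switch ('no ip dhcp snooping information option') or trusting the "
            "port on the relay avoids it")
    return findings


# Constructed samples. The MAC is the one from the binding table quoted above.
CLIENT_MAC = bytes.fromhex("0015171ed0e9")
PLAIN_DISCOVER = build_request(1, CLIENT_MAC)
SNOOPED_DISCOVER = build_request(          # what a snooping switch hands upstream
    1, CLIENT_MAC,
    relay_info=[(SUB_CIRCUIT_ID, b"vlan101/Gi0/1"), (SUB_REMOTE_ID, b"switch-sw1")])

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN_DISCOVER), ("snooped", SNOOPED_DISCOVER)):
        print(name, parse_dhcp(pkt)["msg_type"], diagnose(pkt) or "no drop condition")
```

Feeding `diagnose` a capture taken on the FWSM's inside interface, as Joe suggested, tells you whether the requests that reach the relay still carry option 82 and whether giaddr has been filled in; a request that passes this check and still gets no answer points at the server or at the switch image rather than at option 82.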