hehehhehehe that would be nice. I'm about to go to bed anyways, I
will dream of that it would be nice : )
On Tue, Jan 19, 2010 at 5:09 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> Basic thing here is if the config works on an older code, it **must** work
> on a later code without breaking - per Cisco upgrade policy.
>
> On Tue, Jan 19, 2010 at 9:22 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>>
>> Oh another thing that would help isolate -- Do you see the DHCP
>> requests actually making it to your Windows DHCP server? If you do,
>> that should rule out option 82 insertion causing the relay to drop the
>> packets.
>>
>> On Tue, Jan 19, 2010 at 4:19 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> > Hello Swap
>> >
>> > This is the FWSM config
>> >
>> > dhcprelay server 10.11.10.4 Internal_Service_Zone
>> > dhcprelay server 10.11.15.4 Voice-Servers-Zone
>> > dhcprelay enable Data_Services_Zone
>> > dhcprelay enable Voice_Services_Zone
>> > dhcprelay setroute Internal_Service_Zone
>> > dhcprelay setroute Voice-Servers-Zone
>> > dhcprelay timeout 15
>> >
>> > Regards
>> > Farrukh
>> >
>> >
>> > On Tue, Jan 19, 2010 at 11:24 AM, swap m <ccie19804_at_gmail.com> wrote:
>> >>
>> >> how is the FWSM configured in regard to Option82? enabled ..disabled?
>> >>
>> >> you can try a debug on FWSM to verify DHCP relay activity.
>> >> Swap
>> >> #19804
>> >> On Tue, Jan 19, 2010 at 12:18 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> >>>
>> >>> Hello Joe
>> >>>
>> >>> Thanks for your response. When Option82 was enabled, I found other errors
>> >>> in the debug. I googled the errors and found out that Windows 2k3 and lower
>> >>> don't support it (the newer version does I believe). As soon as I disabled,
>> >>> the option82 related errors went away.
>> >>>
>> >>> The DHCP snooping should work even if I just enable it on the access layer
>> >>> switches. I tested this on another environment and it worked.
>> >>>
>> >>> The core switch debugs seem to be normal. If it still does not work after
>> >>> the upgrade, I will post them here.
>> >>>
>> >>> Regards
>> >>>
>> >>> Farrukh
>> >>>
>> >>> On Tue, Jan 19, 2010 at 11:06 AM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>> >>>
>> >>> > Hello all,
>> >>> >
>> >>> > sorry I am late to the party! Have you tried looking at possible
>> >>> > issues with DHCP option 82 insertion happening on the switch? Have
>> >>> > you looked at any DHCP packet debugs on the device doing the relay?
>> >>> >
>> >>> > On Tue, Jan 19, 2010 at 2:55 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> >>> > > Thanks for your suggestions
>> >>> > >
>> >>> > > Saud, the DHCP service is working perfectly fine without the snooping, I
>> >>> > > think I already mentioned that the FWSM is doing the relay here.
>> >>> > >
>> >>> > > Tyson, the DHCP database is a valuable suggestion but that is the next step.
>> >>> > > First have to populate the binding table somehow. The NTP requirement is
>> >>> > > only for the DHCP snooping database (as mentioned in the documentation).
>> >>> > >
>> >>> > > We are going to upgrade and see how it goes.
>> >>> > >
>> >>> > > Regards
>> >>> > >
>> >>> > > Farrukh
>> >>> > >
>> >>> > > On Tue, Jan 19, 2010 at 12:51 AM, S Malik <ccie.09_at_gmail.com> wrote:
>> >>> > >
>> >>> > >> What about the configuration of 65K switches. I hope you have "ip
>> >>> > >> helper-add" configured. Moreover, is your DHCP server up? and is it properly
>> >>> > >> configured with the IP address range as of vlan interface on 65K?
>> >>> > >> DHCP server will assign the IP address in the range of subnet which is
>> >>> > >> configured on vlan interface. Make sure DHCP server is configured for the
>> >>> > >> same subnet as of vlan interface.
>> >>> > >> Try to sniff and see what is happening.
>> >>> > >>
>> >>> > >> On Mon, Jan 18, 2010 at 9:12 AM, Tyson Scott <tscott_at_ipexpert.com> wrote:
>> >>> > >>
>> >>> > >>> Sadiq,
>> >>> > >>>
>> >>> > >>> I would still fix the time regardless of the information.
>> >>> > >>>
>> >>> > >>> Regards,
>> >>> > >>>
>> >>> > >>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> >>> > >>> Technical Instructor - IPexpert, Inc.
>> >>> > >>> Mailto: tscott_at_ipexpert.com
>> >>> > >>> Telephone: +1.810.326.1444, ext. 208
>> >>> > >>> Live Assistance, Please visit: www.ipexpert.com/chat
>> >>> > >>> eFax: +1.810.454.0130
>> >>> > >>>
>> >>> > >>> From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
>> >>> > >>> Sent: Monday, January 18, 2010 9:08 AM
>> >>> > >>> To: Tyson Scott
>> >>> > >>> Cc: Farrukh Haroon; Cisco certification; Cisco certification
>> >>> > >>> Subject: Re: DHCP Snooping not working
>> >>> > >>>
>> >>> > >>>
>> >>> > >>>
>> >>> > >>> Hi Tyson,
>> >>> > >>>
>> >>> > >>> That's a good observation actually. However, the lease time on the switches
>> >>> > >>> is not actually represented in terms of current time but in terms of
>> >>> > >>> duration.
>> >>> > >>>
>> >>> > >>> So regardless of the current time and/or time zone the switch is, it would
>> >>> > >>> always honor the lease time. See below, my switch is not configured with the
>> >>> > >>> right time at all, but my binding is still valid. PS: the DHCP server is
>> >>> > >>> running accurate time.
>> >>> > >>>
>> >>> > >>> Thanks,
>> >>> > >>> Sadiq
>> >>> > >>>
>> >>> > >>> 3KI3R28#sh ip dhcp snooping bind
>> >>> > >>> MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
>> >>> > >>> ------------------  ---------------  ----------  -------------  ----  --------------------
>> >>> > >>> 00:15:17:1E:D0:E9   172.16.21.208    43053       dhcp-snooping  2021  GigabitEthernet1/0/2
>> >>> > >>> Total number of bindings: 1
>> >>> > >>>
>> >>> > >>> 3KI3R28#sh clock
>> >>> > >>> *01:10:15.683 gmt Fri Mar 5 1993
>> >>> > >>> 3KI3R28#
>> >>> > >>>
>> >>> > >>> On Mon, Jan 18, 2010 at 1:46 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:
>> >>> > >>>
>> >>> > >>> Just some thoughts,
>> >>> > >>>
>> >>> > >>> Do you have NTP running? Are the clocks properly synchronized between the
>> >>> > >>> Microsoft Servers and the 3560's?
>> >>> > >>>
>> >>> > >>> Before calling it a bug it may be a more restricted setting in the new
>> >>> > >>> version of code that they are sticking to the strict lease times provided by
>> >>> > >>> the DHCP server. So if the clocks are not synchronized make sure they are
>> >>> > >>> all synchronized to an accurate time server.
>> >>> > >>>
>> >>> > >>> Next as a recommendation I would add to the configuration to have the DHCP
>> >>> > >>> snooping database stored so it can survive a reboot.
>> >>> > >>>
>> >>> > >>> So add the following
>> >>> > >>>
>> >>> > >>> ip dhcp snooping vlan 101,104
>> >>> > >>> no ip dhcp snooping information option
>> >>> > >>> ip dhcp snooping
>> >>> > >>>
>> >>> > >>> !
>> >>> > >>> ntp server x.x.x.x
>> >>> > >>> clock timezone <zone> <offset>
>> >>> > >>> ! if you have daylight savings time and it is configured on the servers too
>> >>> > >>> clock summer-time <zone> recurring
>> >>> > >>> ! After time is synchronized
>> >>> > >>> ip dhcp snooping database flash:
>> >>> > >>>
>> >>> > >>> Regards,
>> >>> > >>>
>> >>> > >>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> >>> > >>> Technical Instructor - IPexpert, Inc.
>> >>> > >>> Mailto: tscott_at_ipexpert.com
>> >>> > >>> Telephone: +1.810.326.1444, ext. 208
>> >>> > >>>
>> >>> > >>> Live Assistance, Please visit: www.ipexpert.com/chat
>> >>> > >>> eFax: +1.810.454.0130
>> >>> > >>>
>> >>> > >>>
>> >>> > >>>
>> >>> > >>> -----Original Message-----
>> >>> > >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Sadiq Yakasai
>> >>> > >>> Sent: Monday, January 18, 2010 7:08 AM
>> >>> > >>> To: Farrukh Haroon
>> >>> > >>> Cc: Cisco certification; Cisco certification
>> >>> > >>> Subject: Re: DHCP Snooping not working
>> >>> > >>>
>> >>> > >>> Hey Farrukh,
>> >>> > >>>
>> >>> > >>> It could be a bug man. I have worked with both images (44 and 50) and both
>> >>> > >>> work fine with DHCP snooping. I would say upgrade and see how it goes.
>> >>> > >>>
>> >>> > >>> Good luck!
>> >>> > >>>
>> >>> > >>> Sadiq
>> >>> > >>>
>> >>> > >>> On Mon, Jan 18, 2010 at 12:02 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> >>> > >>>
>> >>> > >>> > Dear Sadiq
>> >>> > >>> >
>> >>> > >>> > I think I tried setting the access ports as trusted option, but it did not
>> >>> > >>> > help.
>> >>> > >>> >
>> >>> > >>> > For the software upgrade, I was planning on the following releases:
>> >>> > >>> > 12.2(44)SE6 or 12.2(50)SE3
>> >>> > >>> >
>> >>> > >>> > Which one do you recommend?
>> >>> > >>> >
>> >>> > >>> > Regards
>> >>> > >>> >
>> >>> > >>> > Farrukh
>> >>> > >>> >
>> >>> > >>> >
>> >>> > >>> > On Mon, Jan 18, 2010 at 2:41 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> >>> > >>> >
>> >>> > >>> >> My mistake. I should have given more details.
>> >>> > >>> >>
>> >>> > >>> >> Users are connected to 6 3560 access-layer switches. Even though they are
>> >>> > >>> >> L3-capable switches, they are running in L2 mode. The switches uplink to a
>> >>> > >>> >> 6500 Series Core Switch.
>> >>> > >>> >>
>> >>> > >>> >> There is an FWSM Module on the core switch which acts as the DHCP relay
>> >>> > >>> >> agent for all the user requests. The DHCP servers (Microsoft) are in a
>> >>> > >>> >> dedicated servers VLAN connected to the core switch.
>> >>> > >>> >>
>> >>> > >>> >> Regards
>> >>> > >>> >>
>> >>> > >>> >> Farrukh
>> >>> > >>> >>
>> >>> > >>> >>
>> >>> > >>> >> On Mon, Jan 18, 2010 at 2:26 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>> >>> > >>> >>
>> >>> > >>> >>> Hi Farrukh,
>> >>> > >>> >>>
>> >>> > >>> >>> What if you trust the access ports? Does that change the outcome? What
>> >>> > >>> >>> about moving on to a newer code?
>> >>> > >>> >>>
>> >>> > >>> >>> Is the debug above from the access switch? What's your topology here
>> >>> > >>> >>> please?
>> >>> > >>> >>>
>> >>> > >>> >>> Sadiq
>> >>> > >>> >>>
>> >>> > >>> >>> On Mon, Jan 18, 2010 at 11:22 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> >>> > >>> >>>
>> >>> > >>> >>>> Dear All
>> >>> > >>> >>>>
>> >>> > >>> >>>> We are facing a weird issue while trying to configure DHCP snooping.
>> >>> > >>> >>>> Users are unable to get/renew IP Addresses after enabling DHCP snooping.
>> >>> > >>> >>>> The DHCP Snooping binding table is always empty.
>> >>> > >>> >>>>
>> >>> > >>> >>>> The configuration is pretty simple
>> >>> > >>> >>>>
>> >>> > >>> >>>> ip dhcp snooping vlan 101,104
>> >>> > >>> >>>> no ip dhcp snooping information option
>> >>> > >>> >>>> ip dhcp snooping
>> >>> > >>> >>>>
>> >>> > >>> >>>> All ports connected to DHCP servers and uplinks set as trusted.
>> >>> > >>> >>>>
>> >>> > >>> >>>> Switch Version: c3560-ipservices-mz.122-35.SE5
>> >>> > >>> >>>>
>> >>> > >>> >>>> I tried the same configuration with another 3560 Switch running an older
>> >>> > >>> >>>> version with no issues at all.
>> >>> > >>> >>>>
>> >>> > >>> >>>> This is the error we see on all the trusted ports, any ideas why this is
>> >>> > >>> >>>> happening:
>> >>> > >>> >>>>
>> >>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/49 for pak. Was not set
>> >>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): *Clearing if_input for pak. Was Gi0/49*
>> >>> > >>> >>>> Dec 27 08:56:43 KSA: DHCPSNOOP(hlfm_set_if_input): *Setting if_input to Gi0/49 for pak. Was not set*
>> >>> > >>> >>>>
>> >>> > >>> >>>> Regards
>> >>> > >>> >>>>
>> >>> > >>> >>>> Farrukh
>> >>> > >>> >>>>
>> >>> > >>> >>>> Blogs and organic groups at http://www.ccie.net
>> >>> > >>> >>>>
>> >>> > >>> >>>> _______________________________________________________________________
>> >>> > >>> >>>> Subscription information may be found at:
>> >>> > >>> >>>> http://www.groupstudy.com/list/CCIELab.html
>> >>> > >>> >>>
>> >>> > >>> >>> --
>> >>> > >>> >>> CCIE #19963
>> >>> > >>> >>>
>> >>> > >>> >>
>> >>> > >>> >>
>> >>> > >>> >
>> >>> > >>>
>> >>> > >>>
>> >>> > >>> --
>> >>> > >>> CCIE #19963
>> >>> >
>> >>> >
>> >>> >
>> >>> > --
>> >>> > Regards,
>> >>> >
>> >>> > Joe Astorino CCIE #24347 (R&S)
>> >>> > Sr. Technical Instructor - IPexpert
>> >>> > Mailto: jastorino_at_ipexpert.com
>> >>> > Telephone: +1.810.326.1444
>> >>> > Live Assistance, Please visit: www.ipexpert.com/chat
>> >>> > eFax: +1.810.454.0130
>> >>> >
>> >>> > IPexpert is a premier provider of Classroom and Self-Study Cisco
>> >>> > CCNA
>> >>> > (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
>> >>> > Security & Service Provider) Certification Training with locations
>> >>> > throughout the United States, Europe and Australia. Be sure to check
>> >>> > out our online communities at www.ipexpert.com/communities and our
>> >>> > public website at www.ipexpert.com
>> >>
>> >
>> >
>>
>>
>>
>> --
>> Regards,
>>
>> Joe Astorino CCIE #24347 (R&S)
>> Sr. Technical Instructor - IPexpert
>> Mailto: jastorino_at_ipexpert.com
>> Telephone: +1.810.326.1444
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>
>
>
> --
> CCIE #19963
>
--
Regards,

Joe Astorino CCIE #24347 (R&S)
Sr. Technical Instructor - IPexpert
Mailto: jastorino_at_ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
(R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
Security & Service Provider) Certification Training with locations
throughout the United States, Europe and Australia. Be sure to check
out our online communities at www.ipexpert.com/communities and our
public website at www.ipexpert.com

Blogs and organic groups at http://www.ccie.net

Received on Tue Jan 19 2010 - 05:20:30 ART
This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART
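
The isolation step raised in the thread (do the DHCP requests reach the server, and is option 82 involved) can be checked offline from a packet capture. The following is an added example, not part of the original thread: Python that summarizes the UDP payload of one DHCP message, reporting giaddr and any option 82 sub-options. The function names, the sample packets and the sub-option values are constructed for illustration; only the client MAC is taken from the binding table quoted above.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_tlvs(data, pad_end=True):
    """Walk code/length/value fields. At the DHCP option level 0 pads and 255 ends."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if pad_end and code == 255:
            break
        if pad_end and code == 0:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        out[code] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return out

def summarize(payload):
    """Summarize the UDP payload of one DHCP message (BOOTP header + options)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    giaddr = str(ipaddress.IPv4Address(payload[24:28]))
    opts = parse_tlvs(payload[240:])
    relay = parse_tlvs(opts[82], pad_end=False) if 82 in opts else None
    return {
        "type": MSG_TYPES.get((opts.get(53) or b"\x00")[0], "?"),
        "client_mac": ":".join("%02X" % b for b in payload[28:28 + min(payload[2], 16)]),
        "giaddr": giaddr,
        "option82": None if relay is None else {k: v.hex() for k, v in relay.items()},
        # Option 82 present with giaddr still 0.0.0.0: added before any relay agent.
        "opt82_before_relay": relay is not None and giaddr == "0.0.0.0",
    }

def build_discover(mac, giaddr="0.0.0.0", option82=b""):
    """Constructed sample DISCOVER; not a capture from the thread."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), bytes(4), bytes(4), ipaddress.IPv4Address(giaddr).packed,
                      bytes.fromhex(mac.replace(":", "")), b"", b"")
    opts = b"\x35\x01\x01"
    if option82:
        opts += bytes([82, len(option82)]) + option82
    return hdr + MAGIC_COOKIE + opts + b"\xff"

# Constructed sub-options: 1 = circuit ID, 2 = remote ID (values are made up).
SAMPLE_OPT82 = bytes.fromhex("0106000400650002" "02080006001122334455")

if __name__ == "__main__":
    for o82 in (b"", SAMPLE_OPT82):
        print(summarize(build_discover("00:15:17:1E:D0:E9", option82=o82)))
```

Run against payloads captured on the access uplink and again at the server, the same summary shows whether the request arrived at all and whether option 82 was attached on the way.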