Clients attached to 3560s with DHCP snooping enabled get no IP address

Unanswered Question
Nov 2nd, 2009

I have a customer that is using DHCP snooping on their access switches. I have not done DHCP snooping in my career, but I only see this issue where they have cascading L2 switches installed. When using an L2 switch with 2 more L2 switches, all configured single VLAN, every 8 days when the DHCP lease expires the client cannot get a new IP address IF connected to one of the 2 cascaded L2 switches hanging off the central L2 switch "acting" as a distro switch in a small site; PCs on the "distro" switch work just fine. I cannot see logs, as they must disable and re-enable DHCP snooping in order for the site to start working again. A TAC case advised they have no clue, the customer tells me. Anyone seen and diagnosed this??



Reza Sharifi Mon, 11/02/2009 - 11:42

Hi Dave,

If you disable DHCP snooping, does everything work fine for more than 8 days?

Also, is ip dhcp snooping trust configured under the correct interface and VLAN?



DAVE GENTON Mon, 11/02/2009 - 11:44

Yep, it appears to all be fine; once re-enabled it works again for another 8 days, since that is the DHCP lease time.

Edison Ortiz Tue, 11/03/2009 - 07:55

The documentation goes into details with regards to the configuration guidelines, so I highly recommend reading it.

In short, just make sure you have DHCP snooping trust enabled on the DHCP-server-facing switchport as well as on the inter-switch links.



DAVE GENTON Tue, 11/03/2009 - 10:02

I think I found it, thanks everyone. Despite what the customer tells me :) I can recreate their environment's issues exactly ONLY WHEN option 82 is enabled on the switches!! When I disable option 82 and change the lease time down, it renews fine over and over. So while they claim they disabled it in the past due to an older Windows DHCP server, they either didn't or there was a bug back then, but they still think it was post-12.2.25 when the bug they appeared to have was prominent.

That said, is there any way to enable option 82 in an IOS-based DHCP server to emulate opt-82 and non-opt-82 based solutions??


Edison Ortiz Tue, 11/03/2009 - 11:48

Please take a moment and read the link I provided. It does mention how to add an additional command for Option 82, if you haven't done so:

In Cisco IOS Release 12.2(25)SEA or later, when an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. The DHCP security features, such as dynamic ARP inspection or IP source guard, can still be enabled on the aggregation switch while the switch receives packets with option-82 information on untrusted input interfaces to which hosts are connected. The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.
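The following configuration is an added example, not from the thread or from Cisco's documentation; the hostnames (DISTRO, EDGE-A, EDGE-B), port numbers and VLAN 10 are assumptions. It lays out the cascaded-switch topology the original post describes, first with the setting that reproduces the 8-day symptom (option 82 inserted by the edge switches, inter-switch links left untrusted on the distro switch), then the two corrections this thread points at: trusting the inter-switch links, or leaving them untrusted and accepting option 82 with allow-untrusted. The last lines touch the router-side question that the thread leaves open; that command is taken from the IOS DHCP relay command set, not from anything posted here.

```cisco
! Assumed topology (not from the thread):
!   DHCP server -- Gi0/1 [DISTRO 3560] Gi0/2 -- Gi0/24 [EDGE-A] -- PCs
!                                      Gi0/3 -- Gi0/24 [EDGE-B] -- PCs
!   All hosts in VLAN 10; PCs also hang directly off DISTRO.

! ---- DISTRO: the configuration that reproduces the symptom ------------------
! With snooping on, option 82 insertion is on by default. EDGE-A/B insert
! option 82 into client DISCOVER/REQUEST and forward them up the uplink.
! DISTRO then receives a DHCP packet that already carries option 82 on an
! UNTRUSTED port (Gi0/2, Gi0/3) and drops it. Hosts on DISTRO itself pass
! through only one snooping hop, so they renew; hosts behind the edge
! switches fail as soon as the lease (8 days here) runs out.
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 description to DHCP server
 ip dhcp snooping trust
! Gi0/2 and Gi0/3 left at the default, untrusted   <-- the weak setting

! ---- DISTRO: fix 1, trust the inter-switch links ----------------------------
! Server replies (OFFER/ACK) and edge-inserted option 82 are both accepted
! on trusted ports.
interface GigabitEthernet0/2
 description to EDGE-A
 ip dhcp snooping trust
interface GigabitEthernet0/3
 description to EDGE-B
 ip dhcp snooping trust

! ---- DISTRO: fix 2 (alternative), keep Gi0/2-3 untrusted but accept the ----
! option 82 that EDGE-A/B insert; DISTRO then learns bindings for hosts behind
! them, so DAI / IP source guard on DISTRO keep working for those hosts.
ip dhcp snooping information option allow-untrusted

! ---- EDGE-A (EDGE-B identical): only the uplink toward DISTRO is trusted, ----
! since that is the only port server replies may legitimately arrive on.
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/24
 description uplink to DISTRO
 ip dhcp snooping trust
! Access ports stay untrusted (default); rate limit guards against a rogue
! host flooding DHCP requests. 15 pps is an assumed value.
interface range GigabitEthernet0/1 - 23
 switchport access vlan 10
 ip dhcp snooping limit rate 15

! ---- Router acting as the DHCP server (assumption, not answered in the --------
! thread): with option 82 inserted by the switches, the relay-agent option
! arrives with giaddr 0; an IOS DHCP server accepts that only when told to
! trust it.
ip dhcp relay information trust-all

! ---- Checks ------------------------------------------------------------------
! show ip dhcp snooping          - option 82 insertion state, allow-untrusted,
!                                  and the list of trusted interfaces
! show ip dhcp snooping binding  - on DISTRO, hosts behind EDGE-A/B should
!                                  appear once fix 1 or fix 2 is in place
```

To confirm the diagnosis without waiting 8 days, shorten the lease on the server as Dave did and watch a client behind EDGE-A: with neither fix applied its REQUEST never reaches the server, with either fix applied it renews on every cycle.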

DAVE GENTON Tue, 11/03/2009 - 13:46

That's on the switch; I am familiar with it. I was inquiring about enabling option 82 on a router's DHCP server....


