DHCP snooping failing to start

Unanswered Question
Nov 27th, 2009

Hi all,


I'm having problems starting DHCP snooping on a 6509 L3 switch. This is the configuration:


switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
306-307
DHCP snooping is operational on following VLANs:
306-307
DHCP snooping is configured on the following L3 Interfaces:


Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:


Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
GigabitEthernet5/1           yes         unlimited
GigabitEthernet5/2           yes         unlimited


switch#sh ip dhcp snooping statistics
Packets Processed by DHCP Snooping                    = 15
Packets Dropped Because
   IDB not known                                       = 0



However, there are no bindings:


switch#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0



I'm running a debug to troubleshoot the issue:


switch#sh debug
DHCP Snooping packet debugging is on
DHCP Snooping event debugging is on


and I get some messages that I'm not able to decode:


Nov 27 16:45:30 CET: DHCP_SNOOPING: checking expired snoop binding entries
Nov 27 16:45:55 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:45:59 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:06 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:21 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !


Do you have any idea what I may be doing wrong in this configuration?


many thanks in advance

Eduardo
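An added helper, not from the thread or from Cisco: it parses the VLAN lists and trust table of `show ip dhcp snooping`, the binding count and the debug lines quoted above (embedded here as constructed samples) and lists what to check first when the binding table stays empty. The reading of an unknown egress IDB as a client VLAN without snooping is the interpretation given in the replies and is marked as an assumption in the code.

```python
import re
# Constructed samples, copied from the outputs quoted in the post above.
SHOW_SNOOPING = """DHCP snooping is configured on following VLANs:
306-307
DHCP snooping is operational on following VLANs:
306-307
GigabitEthernet5/1           yes         unlimited
GigabitEthernet5/2           yes         unlimited
"""
SHOW_BINDING = "Total number of bindings: 0\n"
DEBUG_LOG = """Nov 27 16:45:30 CET: DHCP_SNOOPING: checking expired snoop binding entries
Nov 27 16:45:55 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:45:59 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
"""

def expand_vlans(spec):
    """Expand a Cisco VLAN list such as '306-307,310' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans
def parse_snooping(text):
    """Configured/operational VLANs and trusted ports from 'show ip dhcp snooping'."""
    conf = re.search(r"configured on following VLANs:\s*\n(\S+)", text)
    oper = re.search(r"operational on following VLANs:\s*\n(\S+)", text)
    trusted = re.findall(r"^(\S+)\s+yes\s+", text, re.M)  # rows of the trust table
    return {"configured": expand_vlans(conf.group(1)) if conf else set(),
            "operational": expand_vlans(oper.group(1)) if oper else set(),
            "trusted": trusted}
def parse_bindings(text):
    m = re.search(r"Total number of bindings:\s*(\d+)", text)
    return int(m.group(1)) if m else 0
def count_unknown_idb(log):
    return sum("egress idb unknown" in line for line in log.splitlines())
def diagnose(snoop, binding, log):
    """Findings a defender checks first when the binding table stays empty."""
    s, findings = parse_snooping(snoop), []
    if s["configured"] != s["operational"]:
        findings.append("configured VLANs are not all operational")
    if not s["trusted"]:
        findings.append("no trusted port: offers from the real DHCP server are dropped")
    n = count_unknown_idb(log)
    if n:  # assumption (from the replies): such packets belong to a VLAN without snooping
        findings.append(f"{n} packets with unknown egress IDB (client VLAN without snooping?)")
    if parse_bindings(binding) == 0:
        findings.append("binding table empty: DAI cannot validate any client")
    return findings
```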

eduardonpinto Fri, 11/27/2009 - 07:49

Forgot to mention that we're running:


BOOTLDR: s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)

Edison Ortiz Fri, 11/27/2009 - 10:34

eduardonpinto wrote:


Hi all,


I'm running a debug to troubleshoot the issue:


switch#sh debug
DHCP Snooping packet debugging is on
DHCP Snooping event debugging is on


and I get some messages that I'm not able to decode:


Nov 27 16:45:30 CET: DHCP_SNOOPING: checking expired snoop binding entries
Nov 27 16:45:55 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:45:59 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:06 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:21 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !


Do you have any idea what I may be doing wrong in this configuration?


many thanks in advance

Eduardo


You may have other Vlans on this switch where DHCP snooping isn't enabled and clients are requesting DHCP services hence the message above.


As for the lack of information on the DHCP snooping database, try releasing and renewing a DHCP lease from a client residing on the Vlan where DHCP snooping is enabled.


I recommend reading the configuration guidelines from this link:


http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/snoodhcp.html


Regards


Edison

eduardonpinto Fri, 11/27/2009 - 10:49

Hi Edison,


thank you for the prompt reply. I now understand the results of the debug.


Unfortunately, I can't say the same about the lack of bindings on the database. I called a user and asked him to issue an "ipconfig /renew" on his Windows PC, but it seems they don't have permission to issue it. I had to ask him to reboot his machine but, after that, the database is still showing no entries...


I've configured all DHCP snooping settings according to the document you mentioned.


Regards,

  Eduardo

Edison Ortiz Fri, 11/27/2009 - 10:59

An ipconfig /renew won't release the current lease - you need an ipconfig /release but I understand they don't even have access to such command.


You need to wait until a lease expires from a client in order to have the database populated. A reboot won't do it.


BTW, since they have Windows - they can go into Local Area Connection | Support | Repair


Regards


Edison.

eduardonpinto Fri, 11/27/2009 - 11:23

We will have to wait then... let's see what the weekend brings. I thought rebooting the PC would generate a DHCP request.


Is there perhaps a way, by means of DHCP server configuration, to force the PCs to renew the lease? I think the DHCP lease in my company is 1 month and I wouldn't like to wait that long to activate DAI again... (next time I'll save the database file in NVRAM, for sure)


Many thanks

Eduardo

gnijs Sat, 11/28/2009 - 12:36

Eduardo,


Are you sure you have some interfaces defined as "DHCP Snooping Trusted", i.e. the uplink ports (if the DHCP server is remotely connected) or the port of the official DHCP server (if locally connected)?


regards,

Geert

abmehta Sat, 11/28/2009 - 13:12

Eduardo,


Could you try reconfiguring the DHCP snooping configuration once again? This is a pretty well-known symptom: unless binding tables are created for DHCP snooping, it would never work, even with a release/renew.

Also, I agree with you that with the snooping table not complete we cannot implement DAI. Hence please do try the above and let me know how it goes.


Also, if you could provide a brief idea of your topology right from your DHCP server to the end client, we can identify where exactly we are missing the link.

eduardonpinto Mon, 11/30/2009 - 02:19

Hi all,


thank you for helping me on this problem.


After this weekend the situation still hasn't improved:


switch#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0



With a NAM on the switch I was able to trace the vlans where DHCP snooping is enabled for UDP ports 67 and 68 and found DHCP traffic flowing, including DHCP ACKs (end of DHCP transaction).


This is a L2 switch with two redundant uplinks to 2x L3 core switches where an SVI is configured with the correct ip-helper address. The uplinks are trusted:


switch#sh ip dhcp snooping
(...)
DHCP snooping trust/rate is configured on the following Interfaces:


Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
GigabitEthernet5/1           yes         unlimited
GigabitEthernet5/2           yes         unlimited



The configuration of DHCP snooping was completely removed from the switch last week and added back again following the configuration steps provided by Cisco.


Regards,

  Eduardo

Edison Ortiz Wed, 12/02/2009 - 09:36

Hi Eduardo,


That's very odd. I don't know what else to suggest. I recommend opening a TAC case for further troubleshooting.


Regards,


Edison

eduardonpinto Wed, 12/02/2009 - 12:01

It is indeed something strange. I've already opened a case...


Thanks for all your help. I will leave the answer here as soon as I have it.

Edison Ortiz Thu, 12/03/2009 - 08:42

eduardonpinto wrote:


It is indeed something strange. I've already opened a case...


Thanks for all your help. I will leave the answer here as soon as I have it.

Please do. We will love to see the solution.


Regards


Edison
