
DHCP snooping failing to start

eduardonpinto
Level 1

Hi all,

I'm having problems starting DHCP snooping on a 6509 L3 switch. This is the configuration:

switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
306-307
DHCP snooping is operational on following VLANs:
306-307
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
GigabitEthernet5/1           yes         unlimited
GigabitEthernet5/2           yes         unlimited

switch#sh ip dhcp snooping statistics
Packets Processed by DHCP Snooping                    = 15
Packets Dropped Because
   IDB not known                                       = 0


However, there are no bindings:

switch#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0

I'm running a debug to troubleshoot the issue:

switch#sh debug
DHCP Snooping packet debugging is on
DHCP Snooping event debugging is on

and I get some messages that I'm not able to decode:

Nov 27 16:45:30 CET: DHCP_SNOOPING: checking expired snoop binding entries
Nov 27 16:45:55 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:45:59 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:06 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:21 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !

Do you have any idea what I may be doing wrong in this configuration?

many thanks in advance

Eduardo

12 Replies

eduardonpinto
Level 1

forgot to mention that we're running:

BOOTLDR: s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)

Edison Ortiz
Hall of Fame

eduardonpinto wrote:

Hi all,

I'm running a debug to troubleshoot the issue:

switch#sh debug
DHCP Snooping packet debugging is on
DHCP Snooping event debugging is on

and I get some messages that I'm not able to decode:

Nov 27 16:45:30 CET: DHCP_SNOOPING: checking expired snoop binding entries
Nov 27 16:45:55 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:45:59 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:06 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:21 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !

Do you have any idea what I may be doing wrong in this configuration?

many thanks in advance

Eduardo

You may have other Vlans on this switch where DHCP snooping isn't enabled and clients are requesting DHCP services hence the message above.

As for the lack of information on the DHCP snooping database, try releasing and renewing a DHCP lease from a client residing on the Vlan where DHCP snooping is enabled.

I recommend reading the configuration guidelines from this link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/snoodhcp.html

Regards

Edison
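
As an added example (not part of the thread and not a Cisco tool), the script below parses the command output and debug lines Eduardo posted and flags the combination seen here: snooping enabled, uplinks trusted, packets processed, yet zero bindings, plus "egress idb unknown" events. The sample text is copied from the post; the parsing, the check wording and the reading of the "egress idb unknown" line (DHCP intercepted on a VLAN where snooping is not enabled, as Edison explains above) are this example's own assumptions.

```python
"""Sanity-check Cisco IOS DHCP snooping state from 'show' output and debug lines.
Sample inputs are copied from the thread; parsing and checks are this example's own."""
import re

SHOW_SNOOPING = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
306-307
DHCP snooping is operational on following VLANs:
306-307
DHCP snooping is configured on the following L3 Interfaces:

DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
GigabitEthernet5/1           yes         unlimited
GigabitEthernet5/2           yes         unlimited
"""
SHOW_STATS = """\
Packets Processed by DHCP Snooping                    = 15
Packets Dropped Because
   IDB not known                                       = 0
"""
SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0
"""
DEBUG_LOG = """\
Nov 27 16:45:30 CET: DHCP_SNOOPING: checking expired snoop binding entries
Nov 27 16:45:55 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:45:59 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:06 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:21 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
"""


def expand_vlans(spec: str) -> set:
    """Expand an IOS VLAN list such as '306-307,310' into a set of ints."""
    vlans = set()
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def vlans_after(label: str, text: str) -> set:
    """VLAN set printed on the line right after 'label'; empty if that line is blank."""
    m = re.search(re.escape(label) + r"[ \t]*\n[ \t]*([0-9][0-9,\-]*)", text)
    return expand_vlans(m.group(1)) if m else set()


def trusted_interfaces(text: str) -> dict:
    """Parse the trust/rate table into {interface: (trusted, rate_limit)}."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(yes|no)\s+(\S+)\s*$", line)
        if m:
            table[m.group(1)] = (m.group(2) == "yes", m.group(3))
    return table


def packets_processed(stats: str) -> int:
    m = re.search(r"Packets Processed by DHCP Snooping\s*=\s*(\d+)", stats)
    return int(m.group(1)) if m else 0


def binding_count(binding: str) -> int:
    m = re.search(r"Total number of bindings:\s*(\d+)", binding)
    return int(m.group(1)) if m else 0


def unknown_egress_events(log: str) -> int:
    """Count debug lines where snooping intercepted DHCP but had no egress interface for it."""
    return sum(1 for line in log.splitlines() if "egress idb unknown" in line)


def assess(snooping: str, stats: str, binding: str, log: str) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if "Switch DHCP snooping is enabled" not in snooping:
        findings.append("DHCP snooping is not globally enabled")
    configured = vlans_after("DHCP snooping is configured on following VLANs:", snooping)
    operational = vlans_after("DHCP snooping is operational on following VLANs:", snooping)
    if not configured:
        findings.append("no VLANs have DHCP snooping configured")
    elif configured != operational:
        findings.append(f"configured VLANs {sorted(configured)} differ from operational {sorted(operational)}")
    if not any(t for t, _ in trusted_interfaces(snooping).values()):
        findings.append("no trusted interface: server replies on untrusted ports will be dropped")
    seen, bound = packets_processed(stats), binding_count(binding)
    if seen > 0 and bound == 0:
        findings.append(f"{seen} packets processed but 0 bindings: no DHCPACK recorded on a snooping VLAN")
    unknown = unknown_egress_events(log)
    if unknown:
        findings.append(f"{unknown} 'egress idb unknown' events: DHCP seen on VLANs without snooping")
    return findings


if __name__ == "__main__":
    for finding in assess(SHOW_SNOOPING, SHOW_STATS, SHOW_BINDING, DEBUG_LOG):
        print("-", finding)
```

Feed it the real output of `show ip dhcp snooping`, `show ip dhcp snooping statistics`, `show ip dhcp snooping binding` and the buffered debug lines; a result of "packets processed but 0 bindings" together with unknown-egress events points at the VLAN coverage and trust questions raised in this thread before anything else.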

Hi Edison,

thank you for the prompt reply. I now understand the results of the debug.

Unfortunately, I can't say the same about the lack of bindings on the database. I called a user and asked him to issue an "ipconfig /renew" on his Windows PC, but it seems they don't have permission to issue it. I had to ask him to reboot his machine, but after that the database is still showing no entries...

I've configured all DHCP snooping settings according to the document you mentioned.

Regards,

Eduardo

An ipconfig /renew won't release the current lease - you need an ipconfig /release but I understand they don't even have access to such command.

You need to wait until a lease expires from a client in order to have the database populated. A reboot won't do it.

BTW, since they have Windows - they can go into Local Area Connection | Support | Repair

Regards

Edison.

We will have to wait then... let's see what the weekend brings. I thought rebooting the PC would generate a DHCP request.

Is there perhaps a way, by means of DHCP server configuration, to force the PCs to renew the lease? I think the DHCP lease in my company is of 1 month, and I wouldn't like to wait that long to activate DAI again... (next time I'll save the database file in NVRAM, for sure)

Many thanks

Eduardo

Eduardo,

Are you sure you have some interfaces defined as "DHCP Snooping Trusted", i.e. the uplink ports (if the DHCP server is remotely connected) or the port of the official DHCP server (if locally connected)?

regards,

Geert

Eduardo,

Could you try reconfiguring the DHCP snooping configuration once again? This is a pretty well-known symptom: unless binding tables are created for DHCP snooping, it would never work, even with a release/renew.

Also, I agree with you that with the snooping table not complete we cannot implement DAI. Hence please do try the above and let me know how it goes.

Also, if you could provide a brief idea of your topology, right from your DHCP server to the end client, we can identify where exactly we are missing the link.

Hi all,

thank you for helping me on this problem.

After this weekend the situation still hasn't improved:

switch#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0

With a NAM on the switch I was able to trace the vlans where DHCP snooping is enabled for UDP ports 67 and 68 and found DHCP traffic flowing, including DHCP ACKs (end of DHCP transaction).

This is a L2 switch with two redundant uplinks to 2x L3 core switches where an SVI is configured with the correct ip-helper address. The uplinks are trusted:

switch#sh ip dhcp snooping
(...)
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
GigabitEthernet5/1           yes         unlimited
GigabitEthernet5/2           yes         unlimited

The configuration of DHCP snooping was completely removed from the switch last week and added back again following the configuration steps provided by Cisco.

Regards,

Eduardo

Hi Eduardo,

That's very odd. I don't know what else to suggest. I recommend opening a TAC case for further troubleshooting.

Regards,

Edison

It is indeed something strange. I've already opened a case...

Thanks for all your help. I will leave the answer here as soon as I have it.

eduardonpinto wrote:

It is indeed something strange. I've already opened a case...

Thanks for all your help. I will leave the answer here as soon as I have it.

Please do. We would love to see the solution.

Regards

Edison

aysar3000
Level 1

Hello,

Did you find a solution?

If not, can you please post your full scenario?

Did you connect any device, such as a Cisco IP phone or a laptop, to the 6509 L3 switch? Would it show in the binding?

Which switch connects to switch one?

Rate if helpful
