DHCP Snooping binding table not complete

Unanswered Question
Mar 10th, 2014

Hi guys,


Just deployed DHCP Snooping on one Vlan only for now. I enabled it on three switches so far, to see how things work.

Here is the topology:

Wireless Client --> Access Point --> Switch 7 --> Distribution 1 --> Distribution 2 --> DHCP Server.


All four access points are connected to Switch 7 and there is only one way to the DHCP Server: through the aforementioned path.

DHCP is working for this VLAN; the only issue is that I have about 90 leases on the DHCP server and only half of them in the DHCP Snooping binding table. The lease time configured on the DHCP server is 2h.

Here are the configs:

Switch 7:

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
110
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
GigabitEthernet1/1           yes         unlimited


Distribution 1:

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
110
DHCP snooping is operational on following VLANs:
110
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 2c54.2d02.e300 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   
GigabitEthernet1/1         yes        yes             unlimited


Distribution 2:

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
110
DHCP snooping is operational on following VLANs:
110
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 2c54.2d02.b400 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   
GigabitEthernet1/5         yes        yes             unlimited


I read on the Internet that a partial binding table could be caused by too many trusted interfaces, but in this scenario, as you can see, I am using only one interface, in the right direction.

The DHCP server is Windows 2008 R2, and there are about 10 reservations for the entire 200+ IP pool.

All three switches have the same binding database and no DHCP-related log messages are present in the buffer (configured for informational level).

Julio Carvajal Mon, 03/10/2014 - 05:51

Hello,


Are you looking at that info on the switch directly attached to the DHCP server?

Also remember that the DHCP snooping switch must see the entire DHCP DORA process in order to add those entries to the DHCP binding database, so the question is: was DHCP disabled before enabling DHCP snooping, so that the switch saw the entire exchange of DHCP packets on the LAN?


Regards
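As an added illustration (not code from the thread, and not Cisco's implementation), here is a small Python model of the point made above: a binding appears only when the switch sees the client's side of the exchange on an untrusted port followed by the server's ACK on a trusted port, so leases handed out before snooping was enabled exist on the server but never in the table. It also reconciles a server lease list against the table, the comparison the original post does by hand. Port names, MAC addresses, addresses and the timeline are constructed.

```python
from dataclasses import dataclass

@dataclass
class DhcpMsg:
    t: int          # arrival time (s); compared against when snooping was enabled
    kind: str       # DISCOVER / OFFER / REQUEST / ACK / RELEASE
    mac: str        # client hardware address (chaddr)
    ip: str         # yiaddr on OFFER/ACK, requested address on REQUEST
    port: str       # switch port the message arrived on
    lease: int = 0  # lease time in seconds, carried in the ACK

TRUSTED = {"Gi1/1"}  # the single uplink toward the server, as on the poster's Switch 7

def build_binding_table(msgs, trusted_ports, enabled_at, vlan=110):
    """Replay messages through a simplified snooping switch (constructed model).
    Messages before `enabled_at` were never seen. A binding is created only when a
    server ACK arrives on a trusted port for a client whose REQUEST was seen on an
    untrusted port, and is removed again on RELEASE."""
    pending, table = {}, {}
    for m in sorted(msgs, key=lambda m: m.t):
        if m.t < enabled_at:
            continue
        if m.kind in ("DISCOVER", "REQUEST") and m.port not in trusted_ports:
            pending[m.mac] = m.port
        elif m.kind == "ACK" and m.port in trusted_ports and m.mac in pending:
            table[m.mac] = {"ip": m.ip, "port": pending.pop(m.mac),
                            "vlan": vlan, "lease": m.lease}
        elif m.kind == "RELEASE":
            table.pop(m.mac, None)
    return table

def leases_without_binding(server_leases, table):
    """MACs the server has leased that have no matching (MAC, IP) binding."""
    return sorted(mac for mac, ip in server_leases.items()
                  if mac not in table or table[mac]["ip"] != ip)

def dora(t, mac, ip, port):
    """One full exchange as the switch sees it; server replies arrive on Gi1/1."""
    return [DhcpMsg(t, "DISCOVER", mac, "0.0.0.0", port),
            DhcpMsg(t + 1, "OFFER", mac, ip, "Gi1/1"),
            DhcpMsg(t + 2, "REQUEST", mac, ip, port),
            DhcpMsg(t + 3, "ACK", mac, ip, "Gi1/1", 7200)]

# Constructed scenario: client ...01 leased before snooping was enabled at t=1000,
# client ...02 afterwards; only the second one ends up with a binding.
MESSAGES = dora(100, "aa:aa:aa:00:00:01", "10.1.110.21", "Gi1/10") + \
           dora(2000, "aa:aa:aa:00:00:02", "10.1.110.22", "Gi1/11")
SERVER_LEASES = {"aa:aa:aa:00:00:01": "10.1.110.21",
                 "aa:aa:aa:00:00:02": "10.1.110.22"}
```

Running `leases_without_binding(SERVER_LEASES, build_binding_table(MESSAGES, TRUSTED, 1000))` lists the first client only; on a real network the same reconciliation can be done against the output of `show ip dhcp snooping binding` and the server's lease export.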

Florin Barhala Mon, 03/10/2014 - 05:56

As mentioned, the binding database is the same on all three switches.

I was also concerned that the DORA process might flow another way; I did some checks and I can be 99% sure this is the path. No secondary/backup DHCP server, no other APs installed, and what stays solid: the DHCP server is connected to the Distribution 2 switch.


Julio Carvajal Mon, 03/10/2014 - 06:29

That's not what I meant,


I mean, when you enabled DHCP snooping, were there already some IPs assigned via DHCP?


Regards

Florin Barhala Mon, 03/10/2014 - 06:43

Yesterday, there were about 35 leases and the binding database had fewer than 12 entries.

Today there are 95 leases and 49 entries in the binding database. Lease time is 2h.

What do you think?

Julio Carvajal Mon, 03/10/2014 - 08:40

Interesting,


Then the only way to determine what the heck is going on might be with debugs:

debug ip dhcp snooping packet


Regards,


Florin Barhala Mon, 03/10/2014 - 12:14

Thanks Julio; I will give it a try this way, then.
