03-10-2014 04:25 AM - edited 03-07-2019 06:37 PM
Hi guys,
Just deployed DHCP Snooping on one VLAN only for now. I enabled it on three switches so far, to see how things work.
Here is the topology:
Wireless Client --> Access Point --> Switch 7 --> Distribution 1 --> Distribution 2 --> DHCP Server.
All four access points are connected to Switch 7 and there is only one way to the DHCP Server: through the aforementioned path.
DHCP is working for this VLAN; the only issue is that I have about 90 leases on the DHCP server and only half of them in the DHCP Snooping binding table. The lease time configured on the DHCP server is 2h.
Here are the configs:
Switch 7:
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
110
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
GigabitEthernet1/1         yes        unlimited
Distribution 1:
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
110
DHCP snooping is operational on following VLANs:
110
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 2c54.2d02.e300 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/1         yes        yes             unlimited
Distribution 2:
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
110
DHCP snooping is operational on following VLANs:
110
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 2c54.2d02.b400 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/5         yes        yes             unlimited
I read on the Internet that a partial binding table could be caused by too many trusted interfaces, but for this scenario, as you can see, I am using only one interface, in the right direction.
The DHCP server is Windows 2008 R2, and there are about 10 reservations for the entire 200+ IP pool.
All three switches have the same binding database and no DHCP-related log messages are present in the buffer (configured for informational level).
03-10-2014 05:51 AM
Hello,
Are you looking at that info on the switch directly attached to the DHCP server?
Also remember that the DHCP Snooping switch must see the entire DHCP DORA process in order to add those entries to the DHCP binding database, so the question is: was DHCP disabled before enabling DHCP Snooping, so that the switch saw the entire exchange of DHCP packets on the LAN?
Regards
03-10-2014 05:56 AM
As mentioned, the binding database is the same on all three switches.
I was also concerned about whether the DORA process flows other ways; I did some checks and I can be 99% sure this is the path. No secondary/backup DHCP server, no other APs installed, and what stays solid: the DHCP server is connected to the Distribution 2 switch.
03-10-2014 06:29 AM
That's not what I meant,
I mean, when you enabled DHCP snooping, were there already some IPs assigned via DHCP?
Regards
03-10-2014 06:43 AM
Yesterday, there were about 35 leases and the binding database had fewer than 12 entries.
Today there are now 95 and 49 entries in the binding database. Lease time is 2h.
What do you think?
03-10-2014 08:40 AM
Interesting,
Then the only way to determine what the heck is going on might be with debugs:
debug ip dhcp snooping packet
Regards,
03-10-2014 12:14 PM
Thanks Julio; I will give it a try this way, then.
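As an added example (not code from any poster in this thread), the Python script below compares a DHCP server lease export with `show ip dhcp snooping binding` output. It separates leases whose last ACK predates snooping being enabled, which by the DORA point raised in the replies the switch could not have learned, from leases that remain unexplained and are the ones worth watching with the debug. The lease CSV layout, the sample data, the enable time and the rule that the last ACK is the expiry minus the 2h lease time are all assumptions.

```python
import re
from datetime import datetime, timedelta

LEASE_TIME = timedelta(hours=2)  # lease time stated in the thread

# Constructed sample, laid out like `show ip dhcp snooping binding` output.
BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ------------------
00:1A:2B:00:00:01   10.0.110.21      6532        dhcp-snooping   110   GigabitEthernet1/2
00:1A:2B:00:00:03   10.0.110.23      4100        dhcp-snooping   110   GigabitEthernet1/2
Total number of bindings: 2
"""

# Constructed lease export; assumed columns: ip, mac, lease expiry.
LEASES = """\
10.0.110.21,00-1a-2b-00-00-01,2014-03-10 07:10
10.0.110.22,001a2b000002,2014-03-10 05:40
10.0.110.23,00-1A-2B-00-00-03,2014-03-10 06:55
10.0.110.24,00-1a-2b-00-00-04,2014-03-10 07:30
"""

def norm_mac(mac):
    """Reduce any MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_bindings(text, vlan):
    """Return {mac: ip} for dhcp-snooping entries on one VLAN."""
    row = re.compile(r"^((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\S+)\s+\d+"
                     r"\s+dhcp-snooping\s+(\d+)\s+\S+")
    found = (row.match(line.strip()) for line in text.splitlines())
    return {norm_mac(m[1]): m[2] for m in found if m and int(m[3]) == vlan}

def classify(leases, bindings, snooping_enabled):
    """Sort each lease into bound / ack_before_snooping / unexplained."""
    out = {"bound": [], "ack_before_snooping": [], "unexplained": []}
    for line in leases.strip().splitlines():
        ip, mac, expiry = (f.strip() for f in line.split(","))
        # Assumption: the last DHCPACK was sent one full lease time before expiry.
        last_ack = datetime.strptime(expiry, "%Y-%m-%d %H:%M") - LEASE_TIME
        if norm_mac(mac) in bindings:
            out["bound"].append(ip)
        elif last_ack < snooping_enabled:
            out["ack_before_snooping"].append(ip)
        else:
            out["unexplained"].append(ip)
    return out

if __name__ == "__main__":
    enabled = datetime(2014, 3, 10, 4, 0)  # constructed time snooping was enabled
    print(classify(LEASES, parse_bindings(BINDINGS, 110), enabled))
```

Leases that land in `unexplained` were acknowledged after snooping was enabled yet have no binding, so their MAC addresses are the ones to look for in the debug output.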