DHCP Snooping binding table not complete

Florin Barhala
Level 6

Hi guys,

Just deployed DHCP Snooping on one Vlan only for now. I enabled it on three switches so far, to see how things work.

Here is the topology:

Wireless Client --> Access Point --> Switch 7 --> Distribution 1 --> Distribution 2 --> DHCP Server.

All four access points are connected to Switch 7 and there is only one way to the DHCP Server: through the aforementioned path.

DHCP is working for this VLAN, only issue is that I have about 90 leases on the DHCP server and only half in DHCP Snooping Binding Table. The lease time configured on the DHCP Server is 2h.

Here are the configs:

Switch 7:

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
110
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
GigabitEthernet1/1           yes         unlimited

Distribution 1:

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
110
DHCP snooping is operational on following VLANs:
110
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 2c54.2d02.e300 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   
GigabitEthernet1/1         yes        yes             unlimited

Distribution 2:

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
110
DHCP snooping is operational on following VLANs:
110
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 2c54.2d02.b400 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   
GigabitEthernet1/5         yes        yes             unlimited

I read on the Internet that a partial binding table could be caused by too many trusted interfaces, but in this scenario, as you can see, I am using only one interface, in the right direction.

DHCP Server is Windows 2008 R2, and there are about 10 reservations for the entire 200+ IP pool. 

All three switches have the same binding database and no log messages DHCP related are present in the buffer (configured for informational level).

6 Replies

Julio Carvajal
VIP Alumni

Hello,

Are you looking at that info on the switch directly attached to the DHCP server???

Also remember that the DHCP snooping switch must see the entire DHCP DORA process in order to add those entries to the DHCP binding database, so the question is: was DHCP disabled before enabling DHCP snooping, so that the switch saw the entire exchange of DHCP packets on the LAN?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
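The point above, that a binding only appears when the snooping switch has seen the client's own REQUEST and the server's ACK for the same transaction, can be made concrete with a small model. This is an added example, not Cisco IOS code and not anything posted in this thread: the message record, the port names (Gi1/1 trusted towards the server, Gi1/3 and Gi1/4 towards access points), the MAC and IP values and the exact acceptance rules are constructed and simplified assumptions. The model also applies the two checks visible in the configs above (server messages only on trusted ports, chaddr verification on untrusted ports) and ends with a reconciliation of server leases against the binding table, which is the comparison the original poster is doing by hand.

```python
from dataclasses import dataclass

# DHCP message types we model (option 53 names)
DISCOVER, OFFER, REQUEST, ACK = "DISCOVER", "OFFER", "REQUEST", "ACK"
SERVER_MSGS = {OFFER, ACK}


@dataclass(frozen=True)
class DhcpMsg:
    """One DHCP message as the switch sees it (constructed, simplified)."""
    t: int                    # seconds on a constructed clock
    msg_type: str
    xid: int                  # transaction id
    chaddr: str               # client hardware address in the DHCP header
    src_mac: str              # Ethernet source MAC of the frame
    port: str                 # ingress switch port
    vlan: int
    yiaddr: str = "0.0.0.0"   # address offered/acked (server messages)
    lease: int = 0            # option 51 lease time in seconds (ACK)


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    expires_at: int


class SnoopingSwitch:
    """Simplified DHCP snooping switch (assumed behaviour, not IOS itself):
    server messages are accepted only on trusted ports, chaddr must match
    the frame's source MAC on untrusted ports, and a binding is created
    only when a DHCPACK completes a REQUEST this switch itself saw."""

    def __init__(self, trusted_ports, verify_hwaddr=True):
        self.trusted = set(trusted_ports)
        self.verify_hwaddr = verify_hwaddr
        self.bindings: dict[str, Binding] = {}        # client MAC -> binding
        self.pending: dict[int, DhcpMsg] = {}         # xid -> REQUEST seen
        self.dropped: list[tuple[str, DhcpMsg]] = []  # (reason, message)

    def observe(self, m: DhcpMsg) -> str:
        if m.msg_type in SERVER_MSGS:
            if m.port not in self.trusted:
                self.dropped.append(("server message on untrusted port", m))
                return "dropped"
            if m.msg_type == ACK:
                req = self.pending.pop(m.xid, None)
                if req is None or req.chaddr != m.chaddr:
                    # The half of the exchange the switch never saw
                    self.dropped.append(("ACK without matching REQUEST", m))
                    return "dropped"
                self.bindings[m.chaddr] = Binding(
                    m.chaddr, m.yiaddr, req.vlan, req.port, m.t + m.lease)
                return "bound"
            return "forwarded"  # OFFER from a trusted port
        # Client-originated message
        if m.port not in self.trusted and self.verify_hwaddr and m.chaddr != m.src_mac:
            self.dropped.append(("chaddr/source MAC mismatch", m))
            return "dropped"
        if m.msg_type == REQUEST:
            self.pending[m.xid] = m
        return "forwarded"

    def expire(self, now: int) -> list[str]:
        """Age out bindings whose lease has run out; returns removed MACs."""
        gone = [mac for mac, b in self.bindings.items() if b.expires_at <= now]
        for mac in gone:
            del self.bindings[mac]
        return gone


def missing_bindings(server_leases: dict[str, str], sw: SnoopingSwitch) -> list[tuple[str, str]]:
    """Leases the server holds that have no matching binding on the switch;
    these are the hosts worth watching for in the snooping packet debug."""
    return sorted((mac, ip) for mac, ip in server_leases.items()
                  if mac not in sw.bindings or sw.bindings[mac].ip != ip)


def run_scenario() -> SnoopingSwitch:
    """Constructed traffic mirroring the symptom in the thread."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/1"})
    a, b, rogue = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    server = "dd:dd:dd:00:00:99"  # constructed server/relay MAC
    traffic = [
        # Client A: full DORA seen after snooping was enabled -> binding
        DhcpMsg(0, DISCOVER, 0x1001, a, a, "Gi1/3", 110),
        DhcpMsg(1, OFFER, 0x1001, a, server, "Gi1/1", 110, "10.1.110.21"),
        DhcpMsg(2, REQUEST, 0x1001, a, a, "Gi1/3", 110),
        DhcpMsg(3, ACK, 0x1001, a, server, "Gi1/1", 110, "10.1.110.21", 7200),
        # Client B: only the ACK is seen (its REQUEST predates snooping or
        # took another path) -> lease on the server, no binding on the switch
        DhcpMsg(4, ACK, 0x2002, b, server, "Gi1/1", 110, "10.1.110.22", 7200),
        # Server-type message arriving on an untrusted port -> dropped
        DhcpMsg(5, OFFER, 0x1001, a, rogue, "Gi1/4", 110, "192.168.1.5"),
        # chaddr not matching the frame source on an untrusted port -> dropped
        DhcpMsg(6, DISCOVER, 0x3003, a, rogue, "Gi1/4", 110),
    ]
    for m in traffic:
        sw.observe(m)
    return sw
```

Running `run_scenario()` leaves exactly one binding (client A) while the constructed server lease list holds two, and `missing_bindings()` names client B as the gap; `sw.dropped` records why each discarded message was not turned into a binding, which is the same information the packet debug suggested later in the thread surfaces on a real switch.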

As mentioned, the binding database is the same on all three switches.

I was also concerned that the DORA process might flow another way. I did some checks and I can be 99% sure this is the path. No secondary/backup DHCP server, no other APs installed, and what stays solid: the DHCP server is connected on the Distribution 2 switch.

That's not what I meant,

I mean, when you enabled DHCP snooping, were there already some IPs assigned via DHCP?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yesterday, there were about 35 leases and the binding database had fewer than 12 entries.

Today there are 95 leases and 49 entries in the binding database. Lease time is 2h.

What do you think?

Interesting,

Then the only way to determine what the heck is going on might be with debugs:

debug ip dhcp snooping packet

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio; I will give it a try this way, then.
