New Member

4510 / Port Security / DHCP

Any thoughts on this? Having a strange problem. On some of our newer 4510s (SUP 8e), I'm having some devices not getting DHCP addresses until I take off port-security.

The background: on at least two 4510s, new installs, everything comes up and works perfectly. After about a month on the first one, we started having a few printers suddenly stop working with no IP address. After some troubleshooting, we took off port-security and immediately they got an address and started working. We installed another 4510; 3 weeks later the same thing started happening. However, this time we noticed that the night before we did some generator testing, and the affected printers may have briefly lost power. So this gave me a little more to test on, and I am now able to replicate it.

First, all affected devices have been printers (mainly HP, although a co-worker thought an IP phone was affected on the first switch), but not all printers on the switch have been affected. I plug a new printer in, everything comes up fine. If I power that printer off and back on, it fails to get a DHCP address. I can plug a laptop into the same port and it comes up fine. Back to the printer: take off port security, it will immediately pick up an address. I can put port-security back on, and it's fine until powered off again.

DHCP Snooping is not on.

Port-config:

  interface GigabitEthernet10/18
   description **IP PHONE OR PC**
   switchport access vlan 24
   switchport mode access
   switchport voice vlan 14
   switchport port-security maximum 3
   switchport port-security
   switchport port-security aging time 2
   switchport port-security violation restrict
   switchport port-security aging type inactivity
   no mdix auto
   qos trust device cisco-phone
   spanning-tree portfast
   spanning-tree bpduguard enable
   service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
   service-policy output DBL
  end

Network capture when it's failing only shows dhcp request, no answer.

Failed:

  No.     Time           Source                Destination           Protocol Length Info
      157 50.802870000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f80993
  Frame 157: 347 bytes on wire (2776 bits), 347 bytes captured (2776 bits) on interface 0
  Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
  Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
  User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
  Bootstrap Protocol

  No.     Time           Source                Destination           Protocol Length Info
      182 54.820824000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f80993
  Frame 182: 347 bytes on wire (2776 bits), 347 bytes captured (2776 bits) on interface 0
  Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
  Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
  User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
  Bootstrap Protocol

  (repeated)

----------------------------------------------------------------------

Working:

  No.     Time           Source                Destination           Protocol Length Info
      138 35.496720000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f8a7b8
  Frame 138: 347 bytes on wire (2776 bits), 347 bytes captured (2776 bits) on interface 0
  Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
  Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
  User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
  Bootstrap Protocol

  No.     Time           Source                Destination           Protocol Length Info
      185 40.527732000   0.0.0.0               255.255.255.255       DHCP     379    DHCP Request  - Transaction ID 0xc2f8a7b8
  Frame 185: 379 bytes on wire (3032 bits), 379 bytes captured (3032 bits) on interface 0
  Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
  Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
  User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
  Bootstrap Protocol

  No.     Time           Source                Destination           Protocol Length Info
      187 40.584626000   Hewlett-_86:fe:9f     Broadcast             ARP      60     Who has 10.201.238.252?  Tell 0.0.0.0
  Frame 187: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
  Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
  Address Resolution Protocol (request)

  No.     Time           Source                Destination           Protocol Length Info
      200 42.177704000   Hewlett-_86:fe:9f     Broadcast             ARP      60     Gratuitous ARP for 10.201.238.252 (Request)
  Frame 200: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
  Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
  Address Resolution Protocol (request/gratuitous ARP)

  No.     Time           Source                Destination           Protocol Length Info
      203 42.415502000   10.201.238.252        224.0.1.60            IGMPv1   60     Membership Report
  Frame 203: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
  Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: IPv4mcast_00:01:3c (01:00:5e:00:01:3c)
  Internet Protocol Version 4, Src: 10.201.238.252 (10.201.238.252), Dst: 224.0.1.60 (224.0.1.60)
  Internet Group Management Protocol

15 REPLIES

Is the port in err-disable state?

New Member

No, never goes err-disable or shows any errors/logging.

New Member

I am experiencing the exact same type of issues.

Did you ever resolve this?

New Member

Hi,

Should be fixed in versions 3.6.0, 3.6.1 and 3.7.0E.

We updated our switches to 3.7.0E and it is working fine now.

Kr

Nicolas

New Member

Not really, we will be upgrading IOS to 3.6 soon, hoping that will resolve the issue. We've just removed port-security where it's an issue as of now. If it happens after the upgrade, I'll go back to TAC.

New Member

We have seen this same issue but with some Motion Tablets, running Windows 7, and some Linux PCs. We have just gotten reports of Ricoh printers as well.

We have opened a TAC case on this as well.

New Member

So far nowhere with TAC. Last was port-security debugs that they are looking into.

Traffic capture on the device port shows the dhcp broadcast.  Traffic capture on the uplink port shows no traffic going through from that device.  So the switch sees it on the access port, doesn't record the mac, and then drops the traffic.  If you take port-security off, or statically assign the mac to the port, then all is good.
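The check described in this reply and in the original post (DHCP Discover seen on the access port, nothing forwarded, no Offer ever returned), written up as an added Python example that is not from the thread or from Cisco. It parses Wireshark-style one-line packet summaries, groups DHCP frames by transaction ID, flags exchanges that never get past Discover, and compares an access-port capture with an uplink capture to list transactions that entered the switch but never left it. The sample summary lines are constructed from the frames quoted above; the function and variable names are my own.

```python
"""Classify DHCP exchanges from Wireshark-style packet summary lines.

Added example, not part of the original thread. Groups DHCP frames by
transaction ID, reports whether each exchange stalled at Discover (the
symptom in the thread: the client's broadcast is never forwarded because
the MAC is not learned under port-security) or reached Request, and
compares an access-port capture against an uplink capture.
"""
import re
from collections import defaultdict

# One summary line: No. Time Source Destination Protocol Length Info
_SUMMARY = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$"
)
_XID = re.compile(r"Transaction ID (0x[0-9a-fA-F]+)")
_MSG = re.compile(r"DHCP (\w+)")


def parse_summary(text):
    """Return one dict per DHCP summary line: frame no, time, xid, msg type."""
    frames = []
    for line in text.splitlines():
        m = _SUMMARY.match(line)
        if not m or m.group("proto") != "DHCP":
            continue  # header lines, ARP, IGMP etc. are skipped
        xid = _XID.search(m.group("info"))
        msg = _MSG.search(m.group("info"))
        if not xid or not msg:
            continue
        frames.append({"no": int(m.group("no")), "time": float(m.group("time")),
                       "xid": xid.group(1), "msg": msg.group(1)})
    return frames


# Client-side handshake order; a Request proves an Offer was received.
_STAGE = {"Discover": 0, "Offer": 1, "Request": 2, "ACK": 3}


def classify(frames):
    """Map xid -> 'completed' (reached Request or later) or 'stalled'."""
    seen = defaultdict(set)
    for f in frames:
        seen[f["xid"]].add(f["msg"])
    result = {}
    for xid, msgs in seen.items():
        best = max(_STAGE.get(m, -1) for m in msgs)
        result[xid] = "completed" if best >= _STAGE["Request"] else "stalled"
    return result


def dropped_in_switch(access_frames, uplink_frames):
    """Transaction IDs seen on the access port but never on the uplink.

    This is the comparison made in the thread: the DHCP broadcast reaches
    the access port, yet nothing for that client appears on the uplink.
    """
    access = {f["xid"] for f in access_frames}
    uplink = {f["xid"] for f in uplink_frames}
    return sorted(access - uplink)


# Constructed sample input, built from the summary lines quoted in the thread.
FAILING_ACCESS = """\
No.     Time           Source                Destination           Protocol Length Info
    157 50.802870000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f80993
    182 54.820824000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f80993
"""
WORKING_ACCESS = """\
No.     Time           Source                Destination           Protocol Length Info
    138 35.496720000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f8a7b8
    185 40.527732000   0.0.0.0               255.255.255.255       DHCP     379    DHCP Request  - Transaction ID 0xc2f8a7b8
    187 40.584626000   Hewlett-_86:fe:9f     Broadcast             ARP      60     Who has 10.201.238.252?  Tell 0.0.0.0
"""
# Constructed: an uplink capture that carries only the working client's frames,
# i.e. the failing transaction never left the switch.
UPLINK = WORKING_ACCESS

if __name__ == "__main__":
    for label, text in (("failing", FAILING_ACCESS), ("working", WORKING_ACCESS)):
        print(label, classify(parse_summary(text)))
    both = parse_summary(FAILING_ACCESS + WORKING_ACCESS)
    print("dropped in switch:", dropped_in_switch(both, parse_summary(UPLINK)))
```

Feed it the text of a `tshark`-style summary export from each capture point; any transaction listed as both "stalled" and "dropped in switch" is a client whose MAC never made it into the port-security table, which is the condition to confirm before removing port-security or opening a case.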

New Member

Hi

First try to remove these two commands:

  #switchport port-security aging time 2
  #switchport port-security aging type inactivity

Maybe it works.

Regards

Amir

New Member

No, I've tried that as well, peeling back the different layers of port-security criteria. It only works when 'switchport port-security' is removed.

New Member

Same problem here ... just started deploying a dozen or so of these 4510RE SUP-8E switches and port-security is causing some printers and timecard devices to fail. From what I can see, port-security is NOT tripping, but simply the MAC address never gets loaded to the port on certain types of devices. I would try a different code, but there is only one available at this time.

New Member

Yes, same thing: with port-security on, the MAC address is not getting loaded into the MAC table. Can see the DHCP request come into the switch, and then it's just dropped, never goes out, MAC address is not registered.

Seeing this on about half of the 4510s now, various printers/devices. TAC still has no solution on this. He said another engineer was seeing something similar on a case.

The one thing I have done that has seemed to clear it up, at least temporarily, is I rolled to the redundant sup and back. Since I did that on one chassis, everything appears to be working correctly. However, that was about 2 weeks ago, and generally it's taken a few weeks for this problem to pop up after an install; whether the timing on that is coincidence or not, I'm not sure. The other problem is that all of these new chassis are running RPR redundancy (LAN base), so I'm not able to just roll them without taking a hit (most of them are in 24x7 operations areas).

Another issue, and not sure if it's related or not. I have 4 PCs going to 2 different chassis. Each PC is set with a static IP, but is set to autologin into the domain. Every other time the PC is rebooted, it logs in fine. The reboots in between, the PC will not log in, and in fact registers an APIPA 169.x.x.x address in the ARP table, which is pretty odd since they are set with a static IP. I can duplicate this by shut/no shut on the port, and every other time it will (or won't) get on the network.

I would recommend opening a TAC case if you haven't; seems like a few more people are seeing this happen. (My TAC ref: 629278423)

New Member

Hi guys!

Same issue now. A printer was working fine for several weeks and suddenly the MAC address is no longer learned.

Any update?

kr

New Member

Not really; we've had multiple issues with port-security: printers (and at times PCs) not picking up DHCP addresses; IP phones not getting DHCP options correctly. TAC has said they may be related to a couple of different issues. Suggested upgrading to 3.3.1; said it could be related to this bug: https://tools.cisco.com/bugsearch/bug/CSCuj73571/?reffering_site=dumpcr

Can also try adding a delay to the global ip device tracking probe (if it is on); see the following bugs.

https://tools.cisco.com/bugsearch/bug/CSCuj04986/?reffering_site=dumpcr

https://tools.cisco.com/bugsearch/bug/CSCtn27420/?reffering_site=dumpcr

The delay fixed issues with PCs not getting DHCP addresses, but not issues with phones. We have not upgraded to 3.3.1 yet.

New Member

Hi,

thanks for your answer. We already have the latest version of IOS. It seems that the issue is solved when we remove the port-security, but if we re-enable it then it is still working ... I don't know how long it will work ...

What kind of tests did you already do?

kr

New Member

Hi,

Had the same problem, only I am doing this in a virtual lab environment.

What I did is to enable ip dhcp snooping on the VLAN of the hosts that need IPs via DHCP.

Trusted the uplink port going to the DHCP server. I have only trusted the uplink port of the access switch on which I have configured ip dhcp snooping.

Then enabled:

  no ip dhcp snooping information option

on the access switch. Now it's either this or:

  ip dhcp relay information trust-all  ----> THIS DOES NOT WORK

Please let me know if this works...
