Solved: Re: DHCP IMPLEMENTED IN ROUTER SHOWS STRANGE MESSAGES

ROGER FERNANDO MAJO ZACARIAS · ‎09-04-2012

Hello,

We have a DHCP SERVER implemented in a cisco router 2610.

This router is connected to a switch cisco 2960 configured as DHCP SNOOPING.

At the switch appear the next log message:

%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port,

message type: DHCPINFORM, MAC sa: 001e.13ba.2040

%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port,

message type: DHCPINFORM, MAC sa: 9c4e.2098.b9c0

%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port,

message type: DHCPREQUEST, MAC sa: 001e.13ba.2040

%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port,

message type: DHCPINFORM, MAC sa: 9c4e.2098.b9c0

%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port,

message type: DHCPREQUEST, MAC sa: 001e.13ba.2040

%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port,

message type: DHCPREQUEST, MAC sa: 001e.13ba.2040

%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port,

message type: DHCPINFORM, MAC sa: 001e.13ba.2040

%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port,

message type: DHCPREQUEST, MAC sa: 001e.13ba.2040

%DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port,

message type: DHCPINFORM, MAC sa: 001e.13ba.2040

DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port,

The mac-address shown at the log belong to interfaces vlan 1 of other access switches:

SW_SITELCHINCHON_3560PoE#sh int vlan 1

Vlan1 is up, line protocol is up

Hardware is EtherSVI, address is 001e.13ba.2040 (bia 001e.13ba.2040)

SW_AVAYA_CCCR#sh int vlan 1

Vlan1 is up, line protocol is up

Hardware is EtherSVI, address is 9c4e.2098.b9c0 (bia 9c4e.2098.b9c0)

All the int vlan 1 are configured as follows:

interface Vlan1

ip address 10.x.y.z 255.255.0.0

ip helper-address 10.100.200.1

The ip address: 10.100.200.1 belongs to DHCP SERVER configured at router cisco 2610.

Can somebody tell me what to do so these log messages does not appear any more?

Do I need to do some configuration changes at some switch or router?

Thanks

Peter Paluch · ‎09-07-2012

Hello Roger,

I see. Okay. Can you please tell me if the DHCP service is currently working satisfactorily in your network and no more DHCP Snooping messages are being produced on your switches?

Best regards,

Peter

View solution in original post

Peter Paluch · ‎09-04-2012

Hi Roger,

Can you please post a diagram of your network topology? The message you are seeing basically says that a DHCP message relayed by a DHCP Relay Agent was received on an untrusted port of your DHCP Snooping-enabled switch. However, to correctly rectify this issue, we need to precisely know the topology of your network, the placement of the DHCP server and DHCP Relay Agents (the switches configured with the ip helper-address command) and we also need to know which switches are configured with DHCP Snooping.

Thank you!

Best regards,

Peter

ROGER FERNANDO MAJO ZACARIAS · ‎09-04-2012

Peter,

I am annexing the topology requested by you.

Waiting your sooner answer.

Thanks.

Roger

El mensaje fue editado por: ROGER FERNANDO MAJO ZACARIAS

Peter Paluch · ‎09-04-2012

Hello Roger,

Thank you for the topology. If I am reading it correctly, every device including the DHCP server is placed into VLAN 1. I am assuming that based on the fact that all devices including the DHCP server are located in the 10.100.0.0/16 network. Am I correct in this assumption?

If yes then please follow these steps:

The command ip helper-address should be removed from all interfaces. The usage of this command is necessary only if the DHCP server is placed in a different network or VLAN than the clients. Because the DHCP server in your topology appears to be in the same VLAN with the clients, there is no point in using the ip helper-address command. The server will be able to hear the clients and to communicate with them directly.
All switchports that connect the switches together (i.e. all inter-switch interconnections) must be configured with ip dhcp snooping trust command. This is to allow the ports to carry both client and server DHCP messages and not to complain about the Option-82 inserted by individual DHCP Snooping-enabled switches.
The router with the DHCP server must be configured with the ip dhcp relay information trust-all command. This is to allow the DHCP server to process DHCP messages that have the Option-82 inserted by DHCP Snooping-enabled switches.

Best regards,

Peter

ROGER FERNANDO MAJO ZACARIAS · ‎09-06-2012

Peter,

I am sorry for the delay but i was evaluating the results after the changes were made.

All is O.K., the switch where is configured DHCP SNOOPING does not show any error log message and we do not have problems of ip conflict.

I have only one observation:

We have configured DHCP SERVER in a cisco router 2610 and due to old version of IOS we could not to configure:

ip dhcp relay information trust-all

The only command we can configure was: ip dhcp relay information option.

Do you have any observation about this command?.

Best regards.

Roger

Peter Paluch · ‎09-07-2012

Hello Roger,

The ip dhcp relay information option is a different command (it actually controls the insertion of Option-82 into DHCP messages if they are relayed by this router) and I recommend not modifying or using it, as the default setting is fine for your needs.

If the ip dhcp relay information trust-all command is not available on the router then try to enter the configuration mode of the interface on the router that is connected to the switch, and try using the ip dhcp relay information trusted command on that router's interface.

Please keep me informed.

Best regards,

Peter

ROGER FERNANDO MAJO ZACARIAS · ‎09-07-2012

Peter,

this are the only options available at cisco router 2610 interface connected to the switch:

DHCP_SITEL(config)#ip dhcp relay information ?
check Validate relay information in BOOTREPLY
option Insert relay information in BOOTREQUEST
policy Define reforwarding policy

DHCP_SITEL(config)#

if the command you are indicating is very critical for the configuration tell if we need to change of router (the actual router 2610 is very old and is EOL/EOS).

Waiting your sooner answer.

attn.

Roger

Peter Paluch · ‎09-07-2012

Hello Roger,

The command is not critical. If your DHCP service appears to work correctly, i.e. the devices are able to obtain their IP settings from DHCP, you do not need to worry about that command.

What IOS version are you running on the 2610, by the way?

Best regards,

Peter

ROGER FERNANDO MAJO ZACARIAS · ‎09-07-2012

Peter,

This is the IOS of router 2610:

DHCP_SITEL#sh ver

Cisco Internetwork Operating System Software

IOS (tm) C2600 Software (C2600-IS-M), Version 12.1(5)T15, RELEASE SOFTWARE (fc2

)

TAC Support: http://www.cisco.com/tac

Compiled Thu 17-Jul-03 22:24 by kellmill

Image text-base: 0x80008088, data-base: 0x8101B904

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

DHCP_SITEL uptime is 1 week, 2 days, 18 hours, 39 minutes

System returned to ROM by reload at 15:45:40 UTC Sun Sep 16 2001

System restarted at 20:15:39 GMT Tue Aug 28 2012

System image file is "flash:c2600-is-mz.121-5.T15.bin"

cisco 2610 (MPC860) processor (revision 0x203) with 45056K/4096K bytes of memory

.

Processor board ID JAD05060V4V (2453473232)

M860 processor: part number 0, mask 49

Bridging software.

X.25 software, Version 3.0.0.

Basic Rate ISDN software, Version 1.1.

1 Ethernet/IEEE 802.3 interface(s)

1 Serial network interface(s)

1 ISDN Basic Rate interface(s)

2 Voice FXS interface(s)

32K bytes of non-volatile configuration memory.

16384K bytes of processor board System flash (Read/Write)

Attn.

Roger

Peter Paluch · ‎09-07-2012

Hello Roger,

I see. Okay. Can you please tell me if the DHCP service is currently working satisfactorily in your network and no more DHCP Snooping messages are being produced on your switches?

Best regards,

Peter

ROGER FERNANDO MAJO ZACARIAS · ‎09-07-2012

Peter,

At DHCP server and switch (dhcp snooping) all is ok.

At log does not appear any error message regard snooping.

There is not any conflict error message.

Thanks very much.

Roger

Peter Paluch · ‎09-07-2012

Hello Roger,

It was a pleasure. Thank you!

Best regards,

Peter