Cisco Support Community
New Member

DHCP snooping failing to start

Hi all,

I'm having problems starting DHCP snooping on a 6509 L3 switch. This is the configuration:

switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
306-307
DHCP snooping is operational on following VLANs:
306-307
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
GigabitEthernet5/1           yes         unlimited
GigabitEthernet5/2           yes         unlimited

switch#sh ip dhcp snooping statistics
Packets Processed by DHCP Snooping                    = 15
Packets Dropped Because
   IDB not known                                       = 0


However, there are no bindings:

switch#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0

I'm running a debug to troubleshoot the issue:

switch#sh debug
DHCP Snooping packet debugging is on
DHCP Snooping event debugging is on

and I get some messages that I'm not able to decode:

Nov 27 16:45:30 CET: DHCP_SNOOPING: checking expired snoop binding entries
Nov 27 16:45:55 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:45:59 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:06 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:21 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !

Do you have any idea what I may be doing wrong in this configuration?

many thanks in advance

Eduardo

11 REPLIES
New Member

Re: DHCP snooping failing to start

forgot to mention that we're running:

BOOTLDR: s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)

Hall of Fame Super Bronze

Re: DHCP snooping failing to start

eduardonpinto wrote:

Hi all,

I'm running a debug to troubleshoot the issue:

switch#sh debug
DHCP Snooping packet debugging is on
DHCP Snooping event debugging is on

and I get some messages that I'm not able to decode:

Nov 27 16:45:30 CET: DHCP_SNOOPING: checking expired snoop binding entries
Nov 27 16:45:55 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:45:59 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:06 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !
Nov 27 16:46:21 CET: dhcp_snooping_check_dhcp_packet:Intercepted DHCP packet egress idb unknown !

Do you have any idea what I may be doing wrong in this configuration?

many thanks in advance

Eduardo

You may have other VLANs on this switch where DHCP snooping isn't enabled and clients are requesting DHCP services, hence the message above.

As for the lack of information on the DHCP snooping database, try releasing and renewing a DHCP lease from a client residing on the VLAN where DHCP snooping is enabled.

I recommend reading the configuration guidelines from this link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/snoodhcp.html

Regards

Edison

New Member

Re: DHCP snooping failing to start

Hi Edison,

thank you for the prompt reply. I now understand the results of the debug.

Unfortunately, I can't say the same about the lack of bindings on the database. I called a user and asked him to issue an "ipconfig /renew" on his Windows PC, but it seems they don't have permission to issue it. I had to ask him to reboot his machine, but after that the database is still showing no entries...

I've configured all DHCP snooping settings according to the document you mentioned.

Regards,

  Eduardo

Hall of Fame Super Bronze

Re: DHCP snooping failing to start

An ipconfig /renew won't release the current lease - you need an ipconfig /release, but I understand they don't even have access to such a command.

You need to wait until a lease expires from a client in order to have the database populated. A reboot won't do it.

BTW, since they have Windows - they can go into Local Area Connection | Support | Repair

Regards

Edison.

New Member

Re: DHCP snooping failing to start

We will have to wait then... let's see what the weekend brings. I thought rebooting the PC would generate a DHCP request.

Is there perhaps a way, by means of DHCP server configuration, to force the PCs to renew the lease? I think the DHCP lease in my company is 1 month and I wouldn't like to wait that long to activate DAI again... (next time I'll save the database file in NVRAM, for sure)

Many thanks

Eduardo

Bronze

Re: DHCP snooping failing to start

Eduardo,

Are you sure you have some interfaces defined as "DHCP Snooping Trusted", i.e. the uplink ports (if DHCP is remotely connected) or the port of the official DHCP server (if locally connected)?

regards,

Geert

New Member

Re: DHCP snooping failing to start

Eduardo,

Could you try reconfiguring the DHCP snooping configurations once again? This is a pretty known symptom that unless no binding tables are created for DHCP snooping it would never work even with a release renew.

Also, I agree with you that with the snooping table not complete we cannot implement DAI. Hence please do try the above and let me know how it goes.

Also, if you could provide a brief idea of your topology right from your DHCP server to the end client, we can identify where exactly we are missing the link.

New Member

Re: DHCP snooping failing to start

Hi all,

thank you for helping me on this problem.

After this weekend the situation still hasn't improved:

switch#sh ip dhcp snooping binding  
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0

With a NAM on the switch I was able to trace the VLANs where DHCP snooping is enabled for UDP ports 67 and 68 and found DHCP traffic flowing, including DHCP ACKs (end of DHCP transaction).

This is an L2 switch with two redundant uplinks to 2x L3 core switches where an SVI is configured with the correct ip-helper address. The uplinks are trusted:

switch#sh ip dhcp snooping
(...)
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
GigabitEthernet5/1           yes         unlimited
GigabitEthernet5/2           yes         unlimited

The configuration of DHCP snooping was completely removed from the switch last week and added back again following the configuration steps provided by Cisco.

Regards,

  Eduardo
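A pre-check of the kind this situation calls for before turning DAI back on, as an added example that is not part of the original thread: it parses the two show outputs quoted in the post above (sample text abridged from the post) and reports every VLAN that still has no snooping bindings. The function names are hypothetical, and it assumes no ARP ACLs exempt static hosts.

```python
import re

# Constructed sample input, abridged from the outputs quoted in the thread.
SNOOPING = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
306-307
DHCP snooping is operational on following VLANs:
306-307
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
GigabitEthernet5/1           yes         unlimited
GigabitEthernet5/2           yes         unlimited
"""
BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ---------
Total number of bindings: 0
"""

def vlans(spec):
    """Expand a VLAN list such as '306-307,310' into a set of ints."""
    out = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def vlan_list_after(text, keyword):
    """VLAN set printed on the line after '<keyword> on following VLANs:'."""
    m = re.search(keyword + r" on following VLANs:\n([\d,\- ]*)$", text, re.M)
    return vlans(m.group(1)) if m else set()

def dai_readiness(snooping, binding):
    """Reasons not to enable DAI yet; an empty list means none were found."""
    configured = vlan_list_after(snooping, "configured")
    operational = vlan_list_after(snooping, "operational")
    trusted = re.findall(r"^(\S+)[ \t]+yes[ \t]+\S+[ \t]*$", snooping, re.M)
    # Binding rows start with a colon-separated MAC; capture the VLAN column.
    row = r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\s+\S+\s+\d+\s+\S+\s+(\d+)\s+\S+"
    bound = {int(v) for v in re.findall(row, binding, re.M)}
    findings = [f"VLAN {v}: snooping configured but not operational"
                for v in sorted(configured - operational)]
    if not trusted:
        findings.append("no trusted port: DHCP server replies would be dropped")
    findings += [f"VLAN {v}: no bindings, DAI would drop ARP from untrusted ports"
                 for v in sorted(operational - bound)]
    return findings

if __name__ == "__main__":
    print("\n".join(dai_readiness(SNOOPING, BINDING)))
```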

Hall of Fame Super Bronze

Re: DHCP snooping failing to start

Hi Eduardo,

That's very odd. I don't know what else to suggest. I recommend opening a TAC case for further troubleshooting.

Regards,

Edison

New Member

Re: DHCP snooping failing to start

It is indeed something strange. I've already opened a case...

Thanks for all your help. I will leave the answer here as soon as I have it.

Hall of Fame Super Bronze

Re: DHCP snooping failing to start

eduardonpinto wrote:

It is indeed something strange. I've already opened a case...

Thanks for all your help. I will leave the answer here as soon as I have it.

Please do. We will love to see the solution.

Regards

Edison
