
DHCP snooping on aggregated links

victorsotov

We have a 3560G (IP Base 15.0.2.SE4) as core and 2960s on access.

We enabled DHCP snooping on all switches, with uplinks on the 2960s and links to DHCP servers on the 3560 configured as "trusted". All worked fine.

Then we enabled link aggregation (two gigs between the 3560 and each of the 2960s) and our users stopped receiving IP addresses. We tried all types of link aggregation (PAgP, LACP, EtherChannel) with no result. We disabled DHCP snooping on the 3560 and users received their IP addresses.

Does DHCP snooping work through aggregated links?


Hello

Have you trusted the port-channel also?

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Of course. On access uplink.

Hello

When you say access uplink, do you mean the physical interfaces, the logical interface of the port-channel, or both?
 

 

res

Paul



I mean the port-channel interface of the 2960.

 

#sh run int po1
Building configuration...

Current configuration : 78 bytes
!
interface Port-channel1
 switchport mode trunk
 ip dhcp snooping trust
end

 

#sh run int gi0/1
Building configuration...

Current configuration : 108 bytes
!
interface GigabitEthernet0/1
 switchport mode trunk
 channel-group 1 mode on
 ip dhcp snooping trust
end

Hello

As long as interfaces are trusted, the snooping database does nothing else but listen on the untrusted ports and snoop the IPs & MACs.

Also, the snooping D/B will not be populated with existing clients; it will populate the next time DHCP renews.

So to confirm -
3560 - DHCP server(s) located (DHCP snooping + VLAN enabled - access port and aggregation links to 2960 trusted)

2960 - DHCP snooping + VLAN enabled (aggregation links to 3560 trusted)
 

res

Paul



No, the downlinks from the 3560 to the 2960s aren't trusted because there are no DHCP servers on the 2960s. When the downlinks are just two gigs without a port-channel, all works fine.

#sh run int gi0/51
Building configuration...

Current configuration : 152 bytes
!
interface GigabitEthernet0/51
 description downlink-to-2960-01
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 7 mode on
end

 

1#sh run int po7
Building configuration...

Current configuration : 92 bytes
!
interface Port-channel7
 switchport trunk encapsulation dot1q
 switchport mode trunk
end

 

#sh run int gi0/3
Building configuration...

Current configuration : 185 bytes
!
interface GigabitEthernet0/3
 description DHCP server
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
end

Hey,

Have you tried collecting packet captures on the port-channel and checking the DHCP (DORA) process? Also check the logs on both boxes for any syslog messages related to snooping.

HTH.

Regards,

RS

Tom Vanhout

I experience the same issue. It seems to be related to the software version of 15.0(2)SE4.

With ip dhcp snooping enabled, it seems that if the packet is coming in via a port-channel, then requests and informs are seen entering the switch and are forwarded (I see them on the next switch too). Discovers enter the switch but don't seem to be forwarded (I don't see them anymore on the next switch).
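
An added example, not part of the original thread or any poster's code: a small Python audit that takes `show running-config` text and reports, for each channel-group, whether `ip dhcp snooping trust` is set on the Port-channel interface and on each member port, which is the question raised in the replies above. The function names and the untrusted Gi0/2 stanza in the sample are constructed for illustration.

```python
import re

# Constructed sample: the 2960 uplink stanzas quoted in the thread, plus one
# hypothetical member (Gi0/2) that lacks the trust statement.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet0/1
 switchport mode trunk
 channel-group 1 mode on
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport mode trunk
 channel-group 1 mode on
!
"""

def parse_interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None  # "!", "end" or a global command closes the stanza
    return stanzas

def snooping_trust_report(config):
    """Per channel-group: trust state of the Port-channel and each member."""
    stanzas = parse_interfaces(config)
    def trusted(name):
        return "ip dhcp snooping trust" in stanzas.get(name, [])
    report = {}
    for name, cmds in stanzas.items():
        for cmd in cmds:
            m = re.match(r"channel-group (\d+) mode \S+", cmd)
            if m:
                po = "Port-channel" + m.group(1)
                entry = report.setdefault(po, {"bundle": trusted(po), "members": {}})
                entry["members"][name] = trusted(name)
    for entry in report.values():
        states = set(entry["members"].values()) | {entry["bundle"]}
        entry["consistent"] = len(states) == 1  # False: trust differs in the bundle
    return report
```

Run it against the saved configuration of each switch; a bundle reported with `consistent` set to `False` has trust configured on some of its interfaces but not others.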

 
