Cisco Support Community

New Member

DHCP snooping on aggregated links

We have a 3560G (IP Base 15.0.2.SE4) as core and 2960s on access.

We enabled DHCP snooping on all switches, with uplinks on the 2960s and links to DHCP servers on the 3560 configured as "trusted". All worked fine.

Then we enabled link aggregation (two gigs between the 3560 and each of the 2960s) and our users stopped receiving IP addresses. We tried all types of link aggregation (pagp, lacp, etherchannel) with no result. We disabled DHCP snooping on the 3560 and users received their IP addresses.

Does DHCP snooping work through aggregated links?

8 REPLIES

Hello

Have you trusted the port-channel also?

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
New Member

Of course. On access uplink.

Hello

When you say access uplink, do you mean the physical interfaces, the logical interface of the port-channel, or both?

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
New Member

I mean port-channel interface of 2960.

 

#sh run int po1
Building configuration...

Current configuration : 78 bytes
!
interface Port-channel1
 switchport mode trunk
 ip dhcp snooping trust
end

 

#sh run int gi0/1
Building configuration...

Current configuration : 108 bytes
!
interface GigabitEthernet0/1
 switchport mode trunk
 channel-group 1 mode on
 ip dhcp snooping trust
end

Hello

As long as interfaces are trusted, the snooping database does nothing else but listen on the untrusted ports and snoop the IPs and MACs.

Also, the snooping D/B will not be populated with existing clients; it will populate the next time DHCP renews.

So to confirm:
3560 - DHCP server(s) located (DHCP snooping + VLAN enabled; access port and aggregation links to 2960 trusted)

2960 - DHCP snooping + VLAN enabled (aggregation links to 3560 trusted)


res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
New Member

No, the downlinks from the 3560 to the 2960s aren't trusted because there are no DHCP servers on the 2960s. When the downlinks are just two gigs without port-channel, all works fine.

#sh run int gi0/51
Building configuration...

Current configuration : 152 bytes
!
interface GigabitEthernet0/51
 description downlink-to-2960-01
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 7 mode on
end

 

1#sh run int po7
Building configuration...

Current configuration : 92 bytes
!
interface Port-channel7
 switchport trunk encapsulation dot1q
 switchport mode trunk
end

 

#sh run int gi0/3
Building configuration...

Current configuration : 185 bytes
!
interface GigabitEthernet0/3
 description DHCP server
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
end

Hey,

Have you tried collecting packet captures on the port-channel and checking the DHCP (DORA) process? Also check the logs on both boxes for any syslog messages related to snooping.

HTH.

Regards,

RS

New Member

I experience the same issue. It seems to be related to the software version of 15.0(2)SE4.

With ip dhcp snooping enabled, it seems that if the packet is coming in via a port-channel, then requests and informs are seen entering the switch and are forwarded (I see them on the next switch too). Discovers enter the switch, but don't seem to be forwarded (I don't see them anymore on the next switch).
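
The replies above turn on which interfaces carry `ip dhcp snooping trust`: the logical Port-channel, its physical members, or both. The following is an added example, not part of any post in this thread: a small Python audit that reads IOS-style interface stanzas and reports, per port-channel, the trust setting on the logical interface and on each member. The function names and the sample text are assumptions made for illustration; the report only shows the configured state and does not decide which side should be trusted.

```python
import re

# Constructed sample. Po1/Gi0/1 and Po7/Gi0/51 mirror stanzas quoted in the
# thread (trimmed); Po9/Gi0/9 is a hypothetical mismatch added for illustration.
SAMPLE = """\
interface Port-channel1
 switchport mode trunk
 ip dhcp snooping trust
interface GigabitEthernet0/1
 channel-group 1 mode on
 ip dhcp snooping trust
interface Port-channel7
 switchport mode trunk
interface GigabitEthernet0/51
 channel-group 7 mode on
interface Port-channel9
 ip dhcp snooping trust
interface GigabitEthernet0/9
 channel-group 9 mode on
"""

def parse_interfaces(config):
    """Map interface name -> {'group': int or None, 'trusted': bool}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), {"group": None, "trusted": False})
        elif current is not None and line.startswith(" "):
            group = re.match(r"channel-group (\d+) mode \S+", line.strip())
            if group:
                current["group"] = int(group.group(1))
            elif line.strip() == "ip dhcp snooping trust":
                current["trusted"] = True
        else:
            current = None  # '!', 'end' or a blank line closes the stanza
    return interfaces

def trust_report(config):
    """Per port-channel: logical-interface trust, member trust, and whether they match."""
    ifs, report = parse_interfaces(config), {}
    for name, info in ifs.items():
        if info["group"] is not None:
            po = f"Port-channel{info['group']}"
            entry = report.setdefault(po, {"trusted": ifs.get(po, {}).get("trusted", False), "members": {}})
            entry["members"][name] = info["trusted"]
    for entry in report.values():
        entry["consistent"] = all(t == entry["trusted"] for t in entry["members"].values())
    return report
```

Concatenated `show running-config interface` output from a switch can be passed to `trust_report` in place of `SAMPLE`; the `!` and `end` lines in that output are handled by the parser.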

 
