We have set up DHCP snooping with option 82 insertion to authenticate clients based on their VLAN ID. Requests on certain random VLANs seem to work OK, but for other VLANs the switch thinks that the opt82 data is not local. This seems wrong, as the opt82 dump according to the switch for both the insertion and the DHCPOFFER (from the DHCP server) are identical. (The opt82 "remote-id" MAC address matches the switch MAC address.)
If the client has the IP address set statically they have network access OK. So it's just something with the DHCP...
Is this an IOS bug? Maybe someone can clear this up here...
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA14, RELEASE SOFTWARE (fc1)
Debug on switch:
Nov 23 17:26:35.553 ACDT: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/10)
Nov 23 17:26:35.553 ACDT: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER
Nov 23 17:26:35.553 ACDT: DHCP_SNOOPING: add relay information option.
Nov 23 17:26:35.557 ACDT: DHCP_SNOOPING_SW: Encoding opt82 in vlan-mod-port format
Nov 23 17:26:35.557 ACDT: DHCP_SNOOPING: binary dump of relay info option, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x8D 0x0 0x9 0x2 0x8 0x0 0x6 0x0 0x16 0x9D 0x5 0xB9 0x80
Nov 23 17:26:35.557 ACDT: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (141)
Nov 23 17:26:35.561 ACDT: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/3.
Nov 23 17:26:36.705 ACDT: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/3)
Nov 23 17:26:36.705 ACDT: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER
Nov 23 17:26:36.705 ACDT: DHCP_SNOOPING: binary dump of option 82, length: 20 data:
0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x8D 0x0 0x9 0x2 0x8 0x0 0x6 0x0 0x16 0x9D 0x5 0xB9 0x80
Nov 23 17:26:36.709 ACDT: DHCP_SNOOPING: binary dump of extracted circuit id, length: 8 data:
0x1 0x6 0x0 0x4 0x0 0x8D 0x0 0x9
Nov 23 17:26:36.709 ACDT: DHCP_SNOOPING: binary dump of extracted remote id, length: 10 data:
0x2 0x8 0x0 0x6 0x0 0x16 0x9D 0x5 0xB9 0x80
Nov 23 17:26:36.709 ACDT: DHCP_SNOOPING_SW: opt82 data indicates not a local packet
Nov 23 17:26:36.713 ACDT: DHCP_SNOOPING: can't parse option 82 data of the message,it is either in wrong format or not inserted by local switch
Nov 23 17:26:36.713 ACDT: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
Nov 23 17:26:36.713 ACDT: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 001e.ec2f.0011
Nov 23 17:26:36.713 ACDT: DHCP_SNOOPING: can't find output interface for dhcp reply.
The message is dropped.
Relevant config:
ip dhcp snooping vlan 100 400
ip dhcp snooping vlan 2006
ip dhcp snooping
switch#sh ip dhcp snoo bin
Option 82 on untrusted port is not allowed
MacAddress          IpAddress        Lease(sec)  Type     VLAN  Interface
------------------  ---------------  ----------  -------  ----  --------------------
00:15:F2:A5:48:F3   x.x.59.156       1794        dynamic  105   FastEthernet0/9
00:60:64:3D:FC:92   x.x.59.152       1198        dynamic  111   FastEthernet0/9
00:60:64:3D:FA:DF   x.x.59.131       1736        dynamic  104   FastEthernet0/9
00:60:64:19:D8:C5   x.x.59.133       1246        dynamic  103   FastEthernet0/9
00:15:58:7A:8F:2E   x.x.59.139       1120        dynamic  109   FastEthernet0/9
00:60:64:3D:FC:90   x.x.59.132       1216        dynamic  102   FastEthernet0/9
00:60:64:3D:FE:B1   x.x.59.137       1223        dynamic  106   FastEthernet0/9
switch#sh ip dhcp sn
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100-400,2006
Insertion of option 82 is enabled
Interface                  Trusted     Rate limit (pps)
------------------------   -------     ----------------
FastEthernet0/3            yes         unlimited
switch#sh int fa0/10
FastEthernet0/10 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0016.9d05.b98a (bia 0016.9d05.b98a)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 100BaseTX
input flow-control is unsupported output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
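To check by hand what the switch inserted, here is a decoder for the "vlan-mod-port" option 82 layout seen in the debug above (added example, not code from the post or from Cisco). It assumes the default Cisco sub-option layout (circuit-id = type/len/VLAN/module/port, remote-id = type/len/MAC); the switch base MAC 00:16:9d:05:b9:80 and the "is local" rule (remote-id equals our MAC and circuit-id VLAN equals the ingress VLAN) are assumptions for the plausibility check, not the switch's actual algorithm.

```python
# Decoder for the Cisco "vlan-mod-port" DHCP option 82 layout shown in the
# DHCP_SNOOPING debug output. Added example, not code from the original post.
# Assumed layout (Cisco's documented default): circuit-id = type(1) len(1)
# vlan(2) module(1) port(1); remote-id = type(1) len(1) mac(6).

# Constructed sample: the 20-byte dump from the DHCP_SNOOPING debug above.
DUMP = bytes([0x52, 0x12, 0x01, 0x06, 0x00, 0x04, 0x00, 0x8D, 0x00, 0x09,
              0x02, 0x08, 0x00, 0x06, 0x00, 0x16, 0x9D, 0x05, 0xB9, 0x80])


def parse_opt82(buf: bytes) -> dict:
    """Split an option-82 TLV into its circuit-id and remote-id fields."""
    if len(buf) < 2 or buf[0] != 82 or buf[1] != len(buf) - 2:
        raise ValueError("not a complete option 82 TLV")
    out, pos, end = {}, 2, 2 + buf[1]
    while pos + 2 <= end:
        code, ln = buf[pos], buf[pos + 1]
        val = buf[pos + 2:pos + 2 + ln]
        if len(val) != ln:
            raise ValueError("truncated sub-option")
        if code == 1 and ln == 6 and val[0] == 0 and val[1] == 4:
            out["circuit"] = {"vlan": int.from_bytes(val[2:4], "big"),
                              "module": val[4], "port": val[5]}
        elif code == 2 and ln == 8 and val[0] == 0 and val[1] == 6:
            out["remote"] = val[2:8].hex(":")
        else:  # anything else is kept raw so a bad insertion is visible
            out.setdefault("unknown", []).append((code, val.hex()))
        pos += 2 + ln
    return out


def is_local(parsed: dict, switch_mac: str, ingress_vlan: int) -> bool:
    """Assumed plausibility rule: remote-id must be this switch's base MAC and
    the circuit-id VLAN must match the VLAN the DISCOVER arrived on."""
    return (parsed.get("remote") == switch_mac.lower()
            and parsed.get("circuit", {}).get("vlan") == ingress_vlan)


if __name__ == "__main__":
    p = parse_opt82(DUMP)
    print(p)  # circuit vlan 141, module 0, port 9; remote 00:16:9d:05:b9:80
    # Base MAC is an assumption derived from the Fa0/10 address 0016.9d05.b98a.
    print("local:", is_local(p, "00:16:9d:05:b9:80", 141))
```

Run against the two dumps in the debug: if the DISCOVER insertion and the OFFER decode to the same VLAN/port and MAC, the "not a local packet" verdict is not explained by the option bytes themselves.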