Langly
Member
Posts:
224
Joined:
Tue Jul 14, 2009 11:59 pm
Certs:
CCENT

Dhcp snooping issue

Tue Apr 17, 2012 4:08 pm

I've run into a fun little problem with my DHCP snooping setup. Maybe you guys can shed some light on things. I was reading up on Cisco for more info on this to see if maybe my setup won't work with what I'm doing, but I'm at a standstill.

Here is my setup currently:
All switches are 3750 stacks

----Core-----
| |
---Switch closets--

Every one of my switch closets has two copper or fiber links back to the core in a port channel setup like this
interface Port-channelX
switchport trunk encapsulation dot1q
switchport trunk allowed vlan my vlans
switchport mode trunk
ip dhcp snooping trust

I have one more unique setup in a building across the street that goes like this:

----Core-----
| | <--- 2 fiber lines to core
---2nd Building's Stack 1--
| | <---Two copper trunks in port channel
---Stack 2--

When I have DHCP snooping configured on any of my wiring closets, it works great. It's allowing DHCP from my servers in the core.

When I put DHCP snooping set up the exact same way on my 2nd building's Stack 1 and 2, however, I get issues and DHCP snooping starts to drop ALL DHCP packets on Stack 1. I've looked at things and I can't explain why it would drop the packets when technically the fiber links to my core switch are set up EXACTLY the same as the links to my switch closets. The only thing different is I have a 2nd stack of 3750s set up in that building that uses a second port channel on the 2nd building's stack.

Anyone have any light they can shed on this or want more info? I want to finish rolling out DHCP snooping to help out with security as we are doing a huge push for PCI compliance this year. Here is how the port channels are configured on the 2nd building's main stack:

interface Port-channel1
description Feed to Core
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 90 (wireless AP vlan),997 (routing vlan)
switchport mode trunk
ip dhcp snooping trust
end
interface Port-channel2
description Feed to Stack 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 90(wireless AP vlan),997 (routing vlan)
switchport mode trunk
end


Edit: If this ends up being something simple and small I'm going to plant my face into my desk lol

cisco_1
CCIE #24973
Posts:
201
Joined:
Fri Mar 02, 2007 5:18 am
Certs:
CCNP,CCSP,CCIE (R&S)#24973

Re: Dhcp snooping issue

Tue Apr 17, 2012 4:22 pm

Hi,
just a skim reply: enable "ip dhcp snooping trust" on all interfaces that you expect DHCP replies to come from,
meaning ports facing upstream to the DHCP service device.
Most of the time these will be trunk ports; in your case the cascaded uplinks as well.
Moreover, enable this command, "no ip dhcp snooping information option": some switches encode some options with the DHCP request and
end up having the request dropped on the server side if the option is not recognisable. As a redundancy, enable snooping per VLAN with "ip dhcp snooping vlan X".

Hope this helps.

cisco_1
"Nothing Is Limited, Except Our Understanding To The Universe"

Langly
Member
Posts:
224
Joined:
Tue Jul 14, 2009 11:59 pm
Certs:
CCENT

Re: Dhcp snooping issue

Tue Apr 17, 2012 5:10 pm

I gave "no ip dhcp snooping information option" a shot, which didn't work out.

So I have snooping configured as such:

--Core-- No snooping on any links
| |
--Building 2's Stack 1-- "ip dhcp snooping trust" on Po1, which connects to the core. Po2, which goes to Stack 2, does
NOT have trust on it.
| |
--Stack 2--- Trust on Po1, which links to Stack 1 via copper.

The 2nd stack's DHCP snooping does work fine when I enable it. It's just the switch stack in between that has the issue, it seems.

wirerat
Post Whore
Posts:
5340
Joined:
Tue Mar 31, 2009 4:15 pm
Certs:
More than none

Re: Dhcp snooping issue

Tue Apr 17, 2012 5:18 pm

"See packet, be packet, you are packet. Ignore all else!" -The Networker
packetsdropped.wordpress.com

jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

Re: Dhcp snooping issue

Tue Apr 17, 2012 5:20 pm

Can you post the full config of the sw1? And 'sh ip dhcp snooping' as well?

Are you sure sw1 is the switch dropping DHCP? Or is it being dropped elsewhere?

And ignore wirerat. This post is better ;P

http://blog.brokennetwork.ca/2011/12/dh ... -dhcp.html

scottsee
Post Whore
Posts:
1804
Joined:
Wed Feb 10, 2010 2:45 am
Certs:
NA:R&S, NA:Sec

Re: Dhcp snooping issue

Tue Apr 17, 2012 5:32 pm

I've chased my tail over DHCP snooping... Make sure the command is enabled/trusted on every trunk in your switched network.

Langly
Member
Posts:
224
Joined:
Tue Jul 14, 2009 11:59 pm
Certs:
CCENT

Re: Dhcp snooping issue

Tue Apr 17, 2012 5:58 pm

Here is a sanitized config from the 1st stack's switch. The 2nd stack is almost exactly the same. VLAN 997 is used for Layer 3 VLAN routing between the stack and the core. VLAN 90 is separate for my wireless access points.

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Building2's Stack
no aaa new-model
clock timezone my place
switch 1 provision ws-c3750v2-48ts
switch 2 provision ws-c3750v2-48ps
system mtu routing 1998
vtp mode transparent
authentication mac-move permit
ip routing
ip cef load-sharing algorithm universal
ip domain-name domain
ip name-server 10.x.x.x0
ip name-server 10.x.x.x1
ip dhcp excluded-address 172.x.x.1
!
ip dhcp pool Phones
   network 172.x.x.x 255.255.255.0
   default-router 172.x.x.1
   option 176
   option 242
!
!
ip dhcp snooping
ip dhcp snooping vlan 1-1000
no ip dhcp snooping information option
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
crypto pki trustpoint all the crypto info
auto qos srnd4
!
!
!
port-channel load-balance src-dst-ip
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20
 name POE Phones
!
vlan 90
 name External Wireless Network Vlan
!
vlan 997
 name Vlan Routing
!
ip ssh version 2
!
!
interface Port-channel1
 description Feed to Core Switch
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 90,997
 switchport mode trunk
 ip dhcp snooping trust
!
interface Port-channel2
 description Feed to Stack 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 90,997
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 90,997
 switchport mode trunk
 channel-group 1 mode on
 ip dhcp snooping trust
end
!
interface GigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 90,997
 channel-group 1 mode on
 ip dhcp snooping trust
end
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 90,997
 switchport mode trunk
 channel-group 2 mode on
end
!
interface GigabitEthernet2/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 90,997
 switchport mode trunk
 channel-group 2 mode on
end

interface Vlan1
 ip address 10.x.y.1 255.255.254.0
 ip helper-address 10.x.x.x0
!
interface Vlan20
 ip address 172.x.x.1 255.255.255.0
!
interface Vlan997
 ip address 10.y.x.10 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 core switch ip
no ip http server
no ip http secure-server
!
ip sla enable reaction-alerts
snmp-server community our snmp stuff
!
ntp clock-period 36028658
ntp server 10.0.x.x0
end


Langly
Member
Posts:
224
Joined:
Tue Jul 14, 2009 11:59 pm
Certs:
CCENT

Re: Dhcp snooping issue

Tue Apr 17, 2012 6:01 pm

Show command requested:


stack 1#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-997
DHCP snooping is operational on following VLANs:
1,20,90,997
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: xxxxxxx (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
GigabitEthernet1/0/1 yes yes unlimited
Custom circuit-ids:
GigabitEthernet2/0/1 yes yes unlimited
Custom circuit-ids:
Port-channel1 yes yes unlimited
Custom circuit-ids:

Langly
Member
Posts:
224
Joined:
Tue Jul 14, 2009 11:59 pm
Certs:
CCENT

Re: Dhcp snooping issue

Tue Apr 17, 2012 6:16 pm

Fixed it, it looks like. Looks like you do gotta trust all the trunks in port channels when doing VLAN routing for it. I added trust to the downstream port channel on Stack 1 and it's working on both now.

Thanks guys for the links and the help :). Logically it made no sense to me to put that trust there, but thinking about how DHCP works and how the VLAN routing works, it's OK to do it.
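Why the downstream port channel needed trust is easier to see from the drop rules DHCP snooping applies on untrusted ports (the `show ip dhcp snooping` output above confirms giaddr verification and "Option 82 on untrusted port is not allowed"). The Python below is an added example, not part of the thread or of any Cisco software; it models those rules and runs constructed packets through them. The relayed-request case assumes Stack 2, described as configured almost identically, also routes and relays DHCP with a non-zero giaddr; the MACs and the giaddr are made up.

```python
from dataclasses import dataclass

# DHCP message types that only a server (or a relay answering for one) sends.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK", "LEASEQUERY"}


@dataclass
class DhcpPacket:
    """The fields of a DHCP packet that the snooping filter inspects (constructed sample)."""
    msg_type: str              # DISCOVER, OFFER, REQUEST, ACK, NAK, ...
    src_mac: str               # Ethernet source address
    chaddr: str                # DHCP client hardware address
    giaddr: str = "0.0.0.0"    # relay agent address; non-zero once a relay has touched it
    has_option82: bool = False


def snooping_verdict(pkt: DhcpPacket, trusted: bool,
                     verify_hwaddr: bool = True, verify_giaddr: bool = True) -> tuple:
    """Return (forward?, reason) for one packet arriving on a port, per the IOS snooping rules."""
    if trusted:
        return True, "trusted port: forwarded without inspection"
    if pkt.msg_type in SERVER_MESSAGES:
        return False, f"{pkt.msg_type} from a server on an untrusted port"
    if verify_giaddr and pkt.giaddr != "0.0.0.0":
        return False, f"relayed packet (giaddr {pkt.giaddr}) on an untrusted port"
    if pkt.has_option82:
        return False, "option 82 present on an untrusted port"
    if verify_hwaddr and pkt.src_mac.lower() != pkt.chaddr.lower():
        return False, "source MAC does not match DHCP chaddr"
    return True, "client packet on an untrusted port: forwarded, binding learned"


def stack1_cases():
    """Constructed packets on Stack 1's ports, with Po2 untrusted and then trusted."""
    offer_from_core = DhcpPacket("OFFER", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01")
    relayed_request = DhcpPacket("DISCOVER", "00:aa:bb:cc:dd:ee", "aa:bb:cc:dd:ee:02",
                                 giaddr="10.0.0.1")   # assumed: Stack 2's SVI acting as relay
    rogue_offer = DhcpPacket("OFFER", "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:03")
    return {
        "core OFFER on Po1 (trusted)": snooping_verdict(offer_from_core, trusted=True),
        "Stack 2 relay on Po2 untrusted": snooping_verdict(relayed_request, trusted=False),
        "Stack 2 relay on Po2 trusted": snooping_verdict(relayed_request, trusted=True),
        "rogue OFFER on access port": snooping_verdict(rogue_offer, trusted=False),
    }


if __name__ == "__main__":
    for case, (fwd, why) in stack1_cases().items():
        print(f"{'FORWARD' if fwd else 'DROP   '}  {case}: {why}")
```

The same model shows why an access port must stay untrusted: a rogue OFFER is dropped there for the same reason a legitimate relay's traffic is dropped on an untrusted uplink.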

