DHCP Snooping

Good Day,

I am working on DHCP Snooping.

For example I have 3 x switches.

Do you enable the following commands on all switches or only the switch connected to the DHCP Server:

SW1

configure terminal
ip dhcp snooping
ip dhcp snooping vlan 8-15
ip dhcp snooping database flash:/snooping.txt
!
interface GigabitEthernet0/1
 description *** PORT to DHCP SERVER ***
 ip dhcp snooping trust
!
interface GigabitEthernet0/24
 description *** TRUNK to SW2 ***
 ip dhcp snooping trust
!
interface GigabitEthernet0/23
 description *** TRUNK to SW3 ***
 ip dhcp snooping trust

SW2

configure terminal
ip dhcp snooping
ip dhcp snooping vlan 8-15
ip dhcp snooping database flash:/snooping.txt
!
interface GigabitEthernet0/24
 description *** TRUNK to SW1 ***
 ip dhcp snooping trust

SW3

configure terminal
ip dhcp snooping
ip dhcp snooping vlan 8-15
ip dhcp snooping database flash:/snooping.txt
!
interface GigabitEthernet0/24
 description *** TRUNK to SW1 ***
 ip dhcp snooping trust

I am looking for a best practice solution.

On what trunk ports do you enable ip dhcp snooping trust in your design?

Thanks

Comments

  • You would enable DHCP snooping trust on trunk links that lead to a switch that connects to the DHCP server. On the switch that connects to the server you would do the same. For all switches attached, you would need that command on those trunk ports as well. Your leaf switch needs it because an incoming DHCP broadcast message received on a port that isn't trusted would be dropped, since the switch thinks it's being spoofed. You would also enable this with DAI (Dynamic ARP Inspection), which ties the ARP resolution to the IP address. 

    HTH
    Rob
    On Wednesday, May 7, 2014 2:13 PM, IanT <[email protected]> wrote:
    Internetwork Expert - The Industry Leader in CCIE Preparation

    http://www.internetworkexpert.com
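A check for the trust rule in Rob's answer, added here as an example and not part of the thread: it parses IOS-style running-config text and flags trunks that lack ip dhcp snooping trust (replies from the upstream switch would be dropped there), trusted access ports that are not the declared DHCP server port, untrusted access ports with no ip dhcp snooping limit rate, and a missing binding database. SW1_CONFIG and SW2_CONFIG are constructed samples loosely modelled on the SW1/SW2 layout in this thread, not real devices; the server_ports argument and the port numbers are assumptions.

```python
"""Audit Cisco IOS configs against the DHCP snooping trust rules in this thread.
Added example, not from the original post; SW1_CONFIG/SW2_CONFIG are constructed
samples modelled on the thread's SW1/SW2 layout, not real devices."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Interface:
    name: str
    mode: str = "unknown"             # access / trunk / unknown
    trusted: bool = False             # 'ip dhcp snooping trust'
    rate_limit: Optional[int] = None  # 'ip dhcp snooping limit rate <pps>'

@dataclass
class SnoopingConfig:
    enabled: bool = False             # global 'ip dhcp snooping'
    vlans: Set[int] = field(default_factory=set)
    database: Optional[str] = None    # 'ip dhcp snooping database <url>'
    interfaces: Dict[str, Interface] = field(default_factory=dict)

def parse_vlan_list(spec: str) -> Set[int]:
    """'1,8-15' -> {1, 8, 9, ..., 15}, the syntax of 'ip dhcp snooping vlan'."""
    vlans: Set[int] = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text: str) -> SnoopingConfig:
    """Extract the snooping-relevant lines from a running-config dump."""
    cfg, current = SnoopingConfig(), None
    for line in (ln.rstrip() for ln in text.splitlines()):
        if not line or line.startswith("!"):
            current = None
        elif not line.startswith(" "):                      # global command
            current = None
            if m := re.match(r"interface (\S+)$", line):
                current = cfg.interfaces.setdefault(m[1], Interface(m[1]))
            elif line == "ip dhcp snooping":
                cfg.enabled = True
            elif line.startswith("ip dhcp snooping vlan "):
                cfg.vlans |= parse_vlan_list(line.split(None, 4)[4])
            elif m := re.match(r"ip dhcp snooping database (\S+)$", line):
                cfg.database = m[1]          # 'database write-delay N' does not match here
        elif current is not None:                           # interface sub-command
            stmt = line.strip()
            if stmt.startswith("switchport mode "):
                current.mode = stmt.split()[-1]
            elif stmt == "ip dhcp snooping trust":
                current.trusted = True
            elif stmt.startswith("ip dhcp snooping limit rate "):
                current.rate_limit = int(stmt.split()[-1])
    return cfg

def audit(cfg: SnoopingConfig, server_ports: Optional[Set[str]] = None) -> List[str]:
    """Apply the thread's trust rules; one finding per violation, empty list if clean."""
    server_ports = server_ports or set()
    findings: List[str] = []
    if not cfg.enabled:
        findings.append("global 'ip dhcp snooping' missing: per-VLAN settings are inactive")
    if cfg.database is None:
        findings.append("no snooping database agent: bindings are lost on reload")
    for i in cfg.interfaces.values():
        if i.mode == "trunk" and not i.trusted:
            findings.append(f"{i.name}: untrusted trunk, replies from the upstream switch will be dropped")
        elif i.mode == "access" and i.trusted and i.name not in server_ports:
            findings.append(f"{i.name}: trusted access port that is not a declared DHCP server port")
        elif i.mode == "access" and not i.trusted and i.rate_limit is None:
            findings.append(f"{i.name}: untrusted port without 'ip dhcp snooping limit rate'")
    return findings

# Constructed sample: server port and trunk trusted, database configured.
SW1_CONFIG = """\
ip dhcp snooping vlan 1,8-9
ip dhcp snooping database flash:/snooping.txt
ip dhcp snooping
!
interface GigabitEthernet0/1
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet0/23
 switchport mode trunk
 ip dhcp snooping trust
"""

# Constructed sample: trunk to a third switch left untrusted, no database, no rate limit.
SW2_CONFIG = """\
ip dhcp snooping vlan 1,8-9
ip dhcp snooping
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/23
 switchport mode trunk
!
interface GigabitEthernet0/24
 switchport mode trunk
 ip dhcp snooping trust
"""
```

Run audit(parse_config(text), {"GigabitEthernet0/1"}) over each switch's running-config; SW1 comes back clean, SW2 reports the untrusted trunk, the missing database and the unlimited access port. The trunk rule is the one that matters for the question asked here: every trunk on the path between the client and the server has to be trusted on both ends, on every switch running snooping.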




  • Thanks Rob.

    On the other switches do I need to enable ip dhcp snooping or do you enable ip dhcp snooping only on the switch where the DHCP server is connected?

    Thanks

  • On the switch that is connected to the server, and on the trunk links of all switches that need to pass DHCP information from the server to the clients. Every trunk link needs it. If it is not configured, the upstream switch will drop the DHCP packets received on it.


    Sent from my Cricket smartphone


    -------- Original message --------
    From: IanT
    Date:05/08/2014 12:12 AM (GMT-06:00)
    To: [email protected]
    Subject: Re: [ccnp] DHCP Snooping



  • I did the following DHCP snooping config:

    SW1

    ip dhcp snooping vlan 8-9
    no ip dhcp snooping information option
    ip dhcp snooping database flash:/dhcp_snooping_db.txt
    ip dhcp snooping
    !
    interface GigabitEthernet0/1
     description *** DHCP SERVER - 10.224.8.10 ***
     switchport access vlan 8
     switchport mode access
     spanning-tree portfast
     ip dhcp snooping trust

    SW2

    ip dhcp snooping vlan 8-9
    no ip dhcp snooping information option
    ip dhcp snooping database flash:/dhcp_snooping_db.txt
    ip dhcp snooping
    !
    interface FastEthernet0/24
     description *** Trunk to SW1 ***
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport nonegotiate
     spanning-tree portfast trunk
     ip dhcp snooping trust

     When I connect a client on SW2 the client receives an IP and everything looks 100%.

     When I run a debug on SW1 I receive the following almost every minute:

     02:03:05: DHCP_SNOOPING: checking expired snoop binding entries

    02:03:51: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/24 for pak.  Was Vl9

    02:03:51: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl9 for pak.  Was Gi0/24

    02:03:51: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/24 for pak.  Was Vl9

    02:03:51: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/24)

    02:03:51: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Gi0/24, MAC da: ffff.ffff.ffff, MAC sa: 782b.cbc6.7b8f, IP da: 255.255.255.255, IP sa: 10.224.9.10, DHCP ciaddr: 10.224.9.10, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 782b.cbc6.7b8f

    02:03:51: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (9)

    02:03:51: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan9.

    02:03:51: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan8)

    02:03:51: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Vl8, MAC da: 984b.e17e.b4a9, MAC sa: 0027.0c6d.73c1, IP da: 10.224.8.10, IP sa: 10.224.9.1, DHCP ciaddr: 10.224.9.10, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.224.9.1, DHCP chaddr: 782b.cbc6.7b8f

    02:03:51: DHCP_SNOOPING_SW: exclude source cpu port Vlan8 from output portset.

    02:03:51: DHCP_SNOOPING_SW: bridge packet send packet to port: GigabitEthernet0/1.

    02:03:51: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/1 for pak.  Was Vl8

    02:03:51: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl8 for pak.  Was Gi0/1

    02:03:51: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/1 for pak.  Was Vl8

    02:03:51: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/1)

    02:03:51: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Gi0/1, MAC da: 0027.0c6d.73c1, MAC sa: 984b.e17e.b4a9, IP da: 10.224.9.1, IP sa: 10.224.8.10, DHCP ciaddr: 10.224.9.10, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.224.9.1, DHCP chaddr: 782b.cbc6.7b8f

    02:03:51: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: 0027.0c6d.73c1

    02:03:51: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 782b.cbc6.7b8f

    02:03:51: DHCP_SNOOPING: can't find client's destination port, packet is assumed to be not from local switch, no binding update is needed.

    02:03:51: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: 0027.0C6D.73C1, packet is flooded to ingress VLAN: (8)

    02:03:51: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan8.

    02:03:51: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan9)

    02:03:51: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl9, MAC da: ffff.ffff.ffff, MAC sa: 0027.0c6d.73c2, IP da: 255.255.255.255, IP sa: 10.224.9.1, DHCP ciaddr: 10.224.9.10, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.224.9.1, DHCP chaddr: 782b.cbc6.7b8f

    02:03:51: DHCP_SNOOPING: intercepted DHCPACK with no DHCPOPT_LEASE_TIME option field, packet is still forwarded but no snooping binding update is performed.

    02:03:51: DHCP_SNOOPING: direct forward dhcp reply to output port: GigabitEthernet0/24.

     Is this normal?

     Why does this debug happen so frequently?

     Thanks
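To make the debug above easier to read, here is an added example (not from the original post) that models the per-packet decisions a DHCP snooping switch makes, following Cisco's documented behaviour: server messages (OFFER/ACK/NAK) arriving on an untrusted port are dropped, client messages whose chaddr does not match the Ethernet source are dropped when MAC verification is on, relay fields (giaddr or option 82) from an untrusted port are dropped, a RELEASE/DECLINE is only accepted on the port that holds the binding, an ACK that carries a lease time for a locally attached client creates a binding, and an ACK without a lease time (the reply to a DHCPINFORM, exactly what the debug logs as "no snooping binding update is performed") is forwarded without touching the binding table. The port names, MAC table and most addresses are constructed; the client MAC 782b.cbc6.7b8f and server MAC 984b.e17e.b4a9 are the ones in the debug.

```python
"""Model of the forwarding decisions a DHCP snooping switch makes per packet.
Added example, not from the original post; the rules follow Cisco's documented
DHCP snooping behaviour, the topology and most addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only legitimate when they arrive on a trusted port

@dataclass(frozen=True)
class Dhcp:
    msg: str                     # DISCOVER / OFFER / REQUEST / ACK / INFORM / RELEASE ...
    src_mac: str                 # Ethernet source address
    chaddr: str                  # DHCP client hardware address field
    yiaddr: str = "0.0.0.0"      # address assigned by the server
    giaddr: str = "0.0.0.0"      # relay agent address, 0.0.0.0 when not relayed
    lease: Optional[int] = None  # option 51 (seconds); absent in the reply to a DHCPINFORM
    opt82: bool = False          # relay agent information option present

@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int

@dataclass
class SnoopingSwitch:
    trusted: Set[str]                        # ports with 'ip dhcp snooping trust'
    mac_table: Dict[Tuple[int, str], str]    # (vlan, mac) -> port the MAC was learned on
    verify_mac: bool = True                  # 'ip dhcp snooping verify mac-address'
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)

    def handle(self, pkt: Dhcp, port: str, vlan: int) -> str:
        """Return 'forward' or 'drop: <reason>' and update the binding table."""
        if port in self.trusted:
            return self._from_trusted(pkt, vlan)
        return self._from_untrusted(pkt, port, vlan)

    def _from_untrusted(self, pkt: Dhcp, port: str, vlan: int) -> str:
        if pkt.msg in SERVER_MSGS:
            return "drop: server message on untrusted port (rogue DHCP server)"
        if pkt.giaddr != "0.0.0.0" or pkt.opt82:
            return "drop: relay agent fields arriving on untrusted port"
        if self.verify_mac and pkt.chaddr != pkt.src_mac:
            return "drop: chaddr does not match Ethernet source MAC"
        if pkt.msg in ("RELEASE", "DECLINE"):
            b = self.bindings.get((vlan, pkt.chaddr))
            if b is None or b.port != port:
                return "drop: release/decline does not match the binding's port"
            del self.bindings[(vlan, pkt.chaddr)]
        return "forward"

    def _from_trusted(self, pkt: Dhcp, vlan: int) -> str:
        # Trusted ports are not filtered; ACKs are only inspected to learn bindings.
        if pkt.msg == "ACK" and pkt.lease is not None and pkt.yiaddr != "0.0.0.0":
            client_port = self.mac_table.get((vlan, pkt.chaddr))
            if client_port is not None and client_port not in self.trusted:
                self.bindings[(vlan, pkt.chaddr)] = Binding(
                    pkt.chaddr, pkt.yiaddr, vlan, client_port, pkt.lease)
            # else: the client sits behind another switch, which owns that binding
        return "forward"

def demo() -> Dict[str, object]:
    """Replay a constructed sequence; client/server MACs are the ones in the debug."""
    sw = SnoopingSwitch(
        trusted={"Gi0/1", "Gi0/24"},                       # server port and trunk
        mac_table={(9, "782b.cbc6.7b8f"): "Gi0/5",         # locally attached client
                   (9, "0011.2233.4455"): "Gi0/24"},       # client behind the trunk
    )
    client, server = "782b.cbc6.7b8f", "984b.e17e.b4a9"
    r: Dict[str, object] = {}
    r["rogue_offer"] = sw.handle(Dhcp("OFFER", "aaaa.bbbb.cccc", client, yiaddr="10.224.9.200", lease=3600), "Gi0/7", 9)
    r["spoofed_discover"] = sw.handle(Dhcp("DISCOVER", "aaaa.bbbb.cccc", client), "Gi0/7", 9)
    r["discover"] = sw.handle(Dhcp("DISCOVER", client, client), "Gi0/5", 9)
    r["ack"] = sw.handle(Dhcp("ACK", server, client, yiaddr="10.224.9.10", giaddr="10.224.9.1", lease=86400), "Gi0/1", 9)
    r["binding_after_ack"] = sw.bindings[(9, client)].ip
    r["inform_ack"] = sw.handle(Dhcp("ACK", server, client, giaddr="10.224.9.1"), "Gi0/1", 9)
    r["remote_ack"] = sw.handle(Dhcp("ACK", server, "0011.2233.4455", yiaddr="10.224.9.11", lease=86400), "Gi0/1", 9)
    r["foreign_release"] = sw.handle(Dhcp("RELEASE", client, client), "Gi0/7", 9)
    r["release"] = sw.handle(Dhcp("RELEASE", client, client), "Gi0/5", 9)
    r["bindings_after_release"] = len(sw.bindings)
    return r
```

The "remote_ack" case is the situation SW1 logs as "packet is assumed to be not from local switch, no binding update is needed": the client's MAC was learned on a trusted trunk, so the access switch on the far side of that trunk owns the binding. That is also why the binding table (and anything built on it, such as DAI or IP Source Guard) has to be maintained on every access switch, not only on the one that connects to the server.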

  • Did you apply ip dhcp snooping trust on SW1 on the trunk to SW2? Is the DHCP server directly attached to SW1 and on a different VLAN? If so, try the helper address under the SVI and point the helper address to the interface of the DHCP server. If there is a router separating the DHCP server from the destination VLAN then use the helper address there. If the router is the DHCP server I'd be curious to see the output from that on what it's receiving. Is the client receiving an address and can the client surf without issue?

    HTH
    Rob
    On Thursday, May 8, 2014 12:56 PM, IanT <[email protected]> wrote:




  • I think it is working:

    Will you please confirm whether this is best practice.

    R1 (DHCP – 10.224.1.10)

    ip dhcp relay information trust-all

    SW1 (10.224.1.11)

    ip dhcp snooping vlan 1,8-9
    ip dhcp snooping database flash:/snooping.txt
    ip dhcp snooping
    !
    interface GigabitEthernet0/21
     description *** DHCP SERVER PORT ***
     switchport mode access
     spanning-tree portfast
     ip dhcp snooping trust
    !
    interface GigabitEthernet0/23
     description *** TRUNK to SW2 ***
     switchport trunk encapsulation dot1q
     switchport mode trunk
     spanning-tree portfast trunk
     ip dhcp snooping trust
    !
    interface Vlan9
     ip address 10.224.9.1 255.255.255.0
     ip helper-address 10.224.1.10

    SW2

    ip dhcp snooping vlan 1,8-9
    ip dhcp snooping database flash:/snooping.txt
    ip dhcp snooping database write-delay 30
    ip dhcp snooping
    ip dhcp snooping trust
    !
    interface GigabitEthernet0/24
     description *** TRUNK to SW1 ***
     switchport trunk encapsulation dot1q
     switchport mode trunk
     spanning-tree portfast trunk
     ip dhcp snooping trust

     

     What I am not sure of are the following debugs:

     

    R1

    Almost every minute the DHCP SERVER receives the following from a DHCP client:

     

    May  9 16:11:22.626: DHCPD: client's VPN is .

    May  9 16:11:22.626: DHCPD: DHCPINFORM received from client 0178.2bcb.c67b.8f (10.224.9.101).

    May  9 16:11:22.626: DHCPD: Sending DHCPACK to client 0178.2bcb.c67b.8f (10.224.9.101).

    May  9 16:11:22.626: DHCPD: unicasting BOOTREPLY for client 782b.cbc6.7b8f to relay 10.224.9.1.

     

    Why is the client sending a DHCPINFORM so frequently?

     

    SW1

    This is the debug when the client sends a DHCPINFORM

     

    May  9 15:18:54.548: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/23 for pak.  Was Vl9

    May  9 15:18:54.548: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl9 for pak.  Was Gi0/23

    May  9 15:18:54.548: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/23 for pak.  Was Vl9

    May  9 15:18:54.548: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/23)

    May  9 15:18:54.548: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Gi0/23, MAC da: ffff.ffff.ffff, MAC sa: 782b.cbc6.7b8f, IP da: 255.255.255.255, IP sa: 10.224.9.101, DHCP ciaddr: 10.224.9.101, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 782b.cbc6.7b8f

    May  9 15:18:54.548: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (9)

    May  9 15:18:54.548: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan9.

    May  9 15:18:54.548: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan1)

    May  9 15:18:54.548: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Vl1, MAC da: 68ef.bd38.3e81, MAC sa: ec30.9132.05c0, IP da: 10.224.1.10, IP sa: 10.224.9.1, DHCP ciaddr: 10.224.9.101, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.224.9.1, DHCP chaddr: 782b.cbc6.7b8f

    May  9 15:18:54.548: DHCP_SNOOPING_SW: exclude source cpu port Vlan1 from output portset.

    May  9 15:18:54.548: DHCP_SNOOPING_SW: bridge packet send packet to port: GigabitEthernet0/21, vlan 1.

    May  9 15:18:54.556: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/21 for pak.  Was Vl1

    May  9 15:18:54.556: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Gi0/21

    May  9 15:18:54.556: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/21 for pak.  Was Vl1

    May  9 15:18:54.556: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/21)

    May  9 15:18:54.556: DHCP_SNOOPING: DHCP packet may be headed in the direction of the relay 10.224.9.1, not extracting option82 information

    May  9 15:18:54.556: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Gi0/21, MAC da: ec30.9132.05c0, MAC sa: 68ef.bd38.3e81, IP da: 10.224.9.1, IP sa: 10.224.1.10, DHCP ciaddr: 10.224.9.101, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.224.9.1, DHCP chaddr: 782b.cbc6.7b8f

    May  9 15:18:54.556: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ec30.9132.05c0

    May  9 15:18:54.556: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 782b.cbc6.7b8f

    May  9 15:18:54.556: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: 782b.cbc6.7b8f

    May  9 15:18:54.556: DHCP_SNOOPING: can't find client's destination port, packet is assumed to be not from local switch, no binding update is needed.

    May  9 15:18:54.556: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ec30.9132.05c0

    May  9 15:18:54.556: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 782b.cbc6.7b8f

    May  9 15:18:54.556: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: 782b.cbc6.7b8f

    May  9 15:18:54.556: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: EC30.9132.05C0, packet is flooded to ingress VLAN: (1)

    May  9 15:18:54.556: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan1.

    May  9 15:18:54.556: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan9)

    May  9 15:18:54.556: DHCP_SNOOPING: binary dump of option 82, length: 20 data:

    0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x9 0x1 0xB 0x2 0x8 0x0 0x6 0x0 0x27 0xC 0x6D 0x73 0x80

    May  9 15:18:54.556: DHCP_SNOOPING: binary dump of extracted circuit id, length: 8 data:

    0x1 0x6 0x0 0x4 0x0 0x9 0x1 0xB

    May  9 15:18:54.556: DHCP_SNOOPING: binary dump of extracted remote id, length: 10 data:

    0x2 0x8 0x0 0x6 0x0 0x27 0xC 0x6D 0x73 0x80

    May  9 15:18:54.565: DHCP_SNOOPING_SW: opt82 data indicates not a local packet

    May  9 15:18:54.565: DHCP_SNOOPING: can't parse option 82 data of the message, it is either in wrong format or not inserted by local switch

    May  9 15:18:54.565: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl9, MAC da: 782b.cbc6.7b8f, MAC sa: ec30.9132.05c2, IP da: 10.224.9.101, IP sa: 10.224.9.1, DHCP ciaddr: 10.224.9.101, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.224.9.1, DHCP chaddr: 782b.cbc6.7b8f

    May  9 15:18:54.565: DHCP_SNOOPING: direct forward dhcp replyto output port: GigabitEthernet0/23.
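The option 82 dump in the debug above can be decoded by hand. What follows is an added example, not part of the post, that parses the exact bytes printed by the debug using the default Cisco suboption layout (circuit ID: type 0, length 4, VLAN, module, port; remote ID: type 0, length 6, base MAC of the inserting switch). It yields VLAN 9, module 1, port 11 for the circuit ID and base MAC 0027.0c6d.7380 for the remote ID. That remote ID is not in the ec30.9132.xxxx range SW1's own SVIs use in this debug, which is consistent with SW1 logging "not inserted by local switch": the option was inserted by the downstream switch. The base MAC passed to inserted_locally in the usage below is an assumption standing in for the switch's own base MAC.

```python
"""Decode a DHCP relay agent information option (option 82) in the default Cisco
suboption layout. Added example, not from the original post; DEBUG_DUMP is the
byte dump from the debug above, the base MAC used for comparison is an assumption."""
import re
from typing import Any, Dict

# Exact bytes printed by the debug above: 0x52 = option 82, 0x12 = 18-byte payload.
DEBUG_DUMP = "0x52 0x12 0x1 0x6 0x0 0x4 0x0 0x9 0x1 0xB 0x2 0x8 0x0 0x6 0x0 0x27 0xC 0x6D 0x73 0x80"

def parse_debug_dump(text: str) -> bytes:
    """Turn the IOS '0x52 0x12 ...' dump into bytes."""
    return bytes(int(tok, 16) for tok in re.findall(r"0x[0-9A-Fa-f]{1,2}", text))

def cisco_mac(raw: bytes) -> str:
    """6 bytes -> 'xxxx.xxxx.xxxx', the dotted form IOS prints."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def decode_option82(data: bytes) -> Dict[str, Any]:
    """Parse an option 82 TLV into its suboptions; raise ValueError on malformed input."""
    if len(data) < 2 or data[0] != 82:
        raise ValueError("not an option 82 TLV")
    body = data[2:2 + data[1]]
    if len(body) != data[1]:
        raise ValueError("option length exceeds available bytes")
    out: Dict[str, Any] = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated suboption header")
        code, sublen = body[i], body[i + 1]
        val = body[i + 2:i + 2 + sublen]
        if len(val) != sublen:
            raise ValueError(f"truncated suboption {code}")
        i += 2 + sublen
        if code == 1 and len(val) == 6 and val[:2] == b"\x00\x04":
            # Cisco circuit-id: type 0, length 4, VLAN (2 bytes), module (1), port (1)
            out["circuit_id"] = {"vlan": int.from_bytes(val[2:4], "big"),
                                 "module": val[4], "port": val[5]}
        elif code == 2 and len(val) == 8 and val[:2] == b"\x00\x06":
            # Cisco remote-id: type 0, length 6, base MAC of the inserting switch
            out["remote_id"] = {"mac": cisco_mac(val[2:])}
        else:
            # non-Cisco or user-defined format: keep the raw bytes for inspection
            out.setdefault("other", {})[code] = val.hex()
    return out

def inserted_locally(parsed: Dict[str, Any], base_mac: str) -> bool:
    """The switch recognises its own option 82 by the remote-id carrying its base MAC."""
    return parsed.get("remote_id", {}).get("mac", "").lower() == base_mac.lower()

def decode_thread_dump() -> Dict[str, Any]:
    """Decode the dump captured in this thread."""
    return decode_option82(parse_debug_dump(DEBUG_DUMP))
```

Usage: decode_thread_dump() returns {"circuit_id": {"vlan": 9, "module": 1, "port": 11}, "remote_id": {"mac": "0027.0c6d.7380"}}, and inserted_locally(decode_thread_dump(), "ec30.9132.05c0") is False (the comparison MAC is an assumed local base MAC). The same check is what a snooping switch performs before it trusts the port information in a reply; a relay or server that wants to act on option 82 from another device has to be told to do so explicitly, which is what the ip dhcp relay information trust-all line on R1 in the config above does.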

  • Initial guess, without knowing more about your topology: is the DHCP server providing DHCP for more than one VLAN? If so I would make the port to the server a trunk. Also you could turn on Dynamic ARP Inspection (DAI) and see if it resolves what may be going on. I do see
    May  9 15:18:54.556: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 782b.cbc6.7b8f

    which I am guessing has something to do with reaching the server. Is the server an actual server or a router/L3 switch? Is the client actually receiving an IP address/default gateway, or DNS info?
    On Friday, May 9, 2014 11:37 AM, IanT <[email protected]> wrote:




  • It is a layer 3 switch (SW1).

    The client is receiving an ip address from the DHCP server and working 100%.

    I am not sure whether this can cause anything:

    DHCPD: no option 125

    Thanks

     
