CCNP exam review, DHCP snooping

I'm following along with Kieth Bogart's exam review, and I'm stuck on the DHCP snooping lab. I'm sure some of you are familiar with the lab, but in case you're not:

The lab consists of a DHCP client in vlan 1234 (1.2.34.0/24) who needs to lease an ip address from a legitimate DHCP server, a router at 4.4.4.4.

All of the usual gotchas associated with running snooping on non-access layer switches and across L3 boundaries are handled (I think): The trunk ports are all trusted (the port leading to the rogue is not), Option 82 is not being inserted, the switches are told not to consider GiAddr or check the client's MAC address, etc. and snooping is enabled on all 3 switches.

Client -> Sw1 -> Sw2 -> Sw3 -> DHCP Router

There is a rogue DHCP server connected to Sw2, attempting to hand out addresses from the 9.9.9.0/24 network. The goal is to configure DHCP snooping to allow the legitimate server, R4, to give out addresses, and prevent the rogue from participating.

Sw2 is handling IP routing, and has an ip-helper address configured on his SVI for vlan 1234, pointing to R4's IP address of 4.4.4.4. There is a transit vlan between Sw2 and Sw3 (200.1.1.0/24). There are two connections between Sw2 and Sw3, ports Gi2/0 and Gi2/1 on both. Because Sw3, running RSTP, is the root for the common spanning tree, both of his connections are Desg Fwd. Sw2, running MST, has Gi2/0 as BLK. Gi2/1, which he sees as a boundary port, is Mstr Fwd.

Sw3 is connected, via a routed port, to R4, using network 4.4.4.0/24.

Up to now, in prior labs, everything has worked like-for-like in GNS3, but here is my issue. This is what happens when the client puts out his DHCPDISCOVER packet:

Sw2#
*Jan 26 00:21:34.298: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet3/1)
*Jan 26 00:21:34.299: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi3/1, MAC da: ffff.ffff.ffff, MAC sa: 0c3f.d8ee.2000, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0c3f.d8ee.2000
*Jan 26 00:21:34.300: DHCP_SNOOPING: message type : DHCPDISCOVER DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0c3f.d8ee.2000
Sw2#
*Jan 26 00:21:34.300: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (1234)
*Jan 26 00:21:34.300: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan1234.
*Jan 26 00:21:34.301: DHCP_SNOOPING_SW: bridge packet send packet to port: GigabitEthernet2/1, vlan 1234.

Ok, great, he sent the packet up to Sw3 on port G2/1. All well and good. Next up we have Sw3:

Sw3#
*Jan 26 00:25:21.816: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet2/1)
*Jan 26 00:25:21.818: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi2/1, MAC da: ffff.ffff.ffff, MAC sa: 0c3f.d8ee.2000, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0c3f.d8ee.2000
*Jan 26 00:25:21.818: DHCP_SNOOPING: message type : DHCPDISCOVER DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0c3f.d8ee.2000
Sw3#
*Jan 26 00:25:21.818: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (1234)
*Jan 26 00:25:21.819: DHCP_SNOOPING_SW: bridge packet send packet to port: GigabitEthernet2/0, vlan 1234.

...What? Instead of forwarding the packet up to the router at 4.4.4.4 (Sw3 has an SVI of 4.4.4.3 for that network), he's sending the packet right back to Sw2, on G2/0, a port that is blocking.

Does anyone know a reason for this behavior?

It's possible that this is a weird bug in the IOSvL2 VIRL image, but I want to make sure I'm not missing something or making a mistake. There are other labs I want to do that are dependent on a functioning DHCP snooping database, and this has me stumped. Any help is appreciated.

I should note everything works fine if snooping is off; the client gets an address from 9.9.9.0 if the rogue is running, and if not, he gets a proper address in the 1.2.34.0 network. Snooping on Sw1 does not cause a problem. The issue is this ping-ponging DHCPDISCOVER between Sw2 and Sw3.
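One way to trace this ping-pong mechanically from the debug output, as an added example that is not part of the original post: a small Python script parses the DHCP_SNOOPING lines from Sw2 and Sw3 above, maps each egress port to its neighbour switch, and flags a DHCPDISCOVER that a switch sends back out toward the switch it received it from. The link map is an assumption drawn from the description (Sw2 Gi3/1 faces Sw1; the two Sw2/Sw3 links are Gi2/0 and Gi2/1 on both), and the debug lines are copied from the post with timestamps trimmed.

```python
import re

# Link map for the lab in the post. Assumption: Sw2 Gi3/1 faces Sw1; the two parallel
# Sw2<->Sw3 links are Gi2/0<->Gi2/0 and Gi2/1<->Gi2/1 as the post states.
LINKS = {("Sw2", "Gi3/1"): "Sw1", ("Sw2", "Gi2/0"): "Sw3", ("Sw2", "Gi2/1"): "Sw3",
         ("Sw3", "Gi2/0"): "Sw2", ("Sw3", "Gi2/1"): "Sw2"}

# Debug lines copied from the post (timestamps trimmed, summary-only lines omitted).
SW2_DEBUG = """\
DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi3/1, MAC da: ffff.ffff.ffff, MAC sa: 0c3f.d8ee.2000, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0c3f.d8ee.2000
DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan1234.
DHCP_SNOOPING_SW: bridge packet send packet to port: GigabitEthernet2/1, vlan 1234.
"""
SW3_DEBUG = """\
DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi2/1, MAC da: ffff.ffff.ffff, MAC sa: 0c3f.d8ee.2000, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0c3f.d8ee.2000
DHCP_SNOOPING_SW: bridge packet send packet to port: GigabitEthernet2/0, vlan 1234.
"""

RECV = re.compile(r"message type: (\S+), input interface: (\S+),.*DHCP chaddr: (\S+)")
SEND = re.compile(r"send packet to port: (\S+), vlan (\d+)")  # "cpu port" lines do not match
short = lambda iface: iface.replace("GigabitEthernet", "Gi")  # same form as the ingress lines

def parse_events(switch, debug_text):
    """One record per processed DHCP packet, with the ports it was then sent out of."""
    events = []
    for line in debug_text.splitlines():
        m = RECV.search(line)
        if m:
            events.append({"switch": switch, "type": m.group(1), "in": short(m.group(2)),
                           "chaddr": m.group(3), "out": []})
            continue
        m = SEND.search(line)
        if m and events:  # egress lines belong to the most recently processed packet
            events[-1]["out"].append(short(m.group(1)))
    return events

def find_pingpong(events, links):
    """Flag a packet that a switch sends out a port leading back to the switch it came from."""
    findings = []
    for ev in events:
        came_from = links.get((ev["switch"], ev["in"]))
        for port in ev["out"]:
            if came_from and links.get((ev["switch"], port)) == came_from:
                findings.append(f"{ev['switch']}: {ev['type']} chaddr {ev['chaddr']} in on "
                                f"{ev['in']} from {came_from}, sent back out {port} to {came_from}")
    return findings

def analyze():
    """Run the check over the Sw2 and Sw3 debug output from the post."""
    return find_pingpong(parse_events("Sw2", SW2_DEBUG) + parse_events("Sw3", SW3_DEBUG), LINKS)
```

Running `analyze()` reports only the Sw3 hop, which is exactly the DISCOVER going back out Gi2/0 toward Sw2 rather than on to R4.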

Comments

  • Rather than post another wall of text, here is the output of "show ip dhcp snooping" for Sw2 and Sw3:

    Sw2#sh ip dhcp snooping
    Switch DHCP snooping is enabled
    Switch DHCP gleaning is disabled
    DHCP snooping is configured on following VLANs:
    1-2,1234,2000
    DHCP snooping is operational on following VLANs:
    1-2,1234,2000
    DHCP snooping is configured on the following L3 Interfaces:

    Insertion of option 82 is disabled
    circuit-id default format: vlan-mod-port
    remote-id: 0c3f.d889.d100 (MAC)
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is disabled
    Verification of giaddr field is disabled
    DHCP snooping trust/rate is configured on the following Interfaces:

    Interface                  Trusted    Allow option    Rate limit (pps)
    -----------------------    -------    ------------    ----------------
    GigabitEthernet2/0         yes        yes             unlimited
      Custom circuit-ids:
    GigabitEthernet2/1         yes        yes             unlimited
      Custom circuit-ids:
    GigabitEthernet3/0         yes        yes             unlimited
    Interface                  Trusted    Allow option    Rate limit (pps)
    -----------------------    -------    ------------    ----------------
      Custom circuit-ids:
    GigabitEthernet3/1         yes        yes             unlimited
      Custom circuit-ids:

    Sw3#sh ip dhcp snooping
    Switch DHCP snooping is enabled
    Switch DHCP gleaning is disabled
    DHCP snooping is configured on following VLANs:
    1-2,1234,2000
    DHCP snooping is operational on following VLANs:
    1-2,1234,2000
    DHCP snooping is configured on the following L3 Interfaces:

    Insertion of option 82 is disabled
    circuit-id default format: vlan-mod-port
    remote-id: 0c3f.d899.9300 (MAC)
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is disabled
    Verification of giaddr field is disabled
    DHCP snooping trust/rate is configured on the following Interfaces:

    Interface                  Trusted    Allow option    Rate limit (pps)
    -----------------------    -------    ------------    ----------------
    GigabitEthernet1/0         yes        yes             unlimited
      Custom circuit-ids:
    GigabitEthernet1/1         yes        yes             unlimited
      Custom circuit-ids:
    GigabitEthernet2/0         yes        yes             unlimited
    Interface                  Trusted    Allow option    Rate limit (pps)
    -----------------------    -------    ------------    ----------------
      Custom circuit-ids:
    GigabitEthernet2/1         yes        yes             unlimited
      Custom circuit-ids:
