Security Internetworking Experts » Security » CCIE Security Lab Forum
Topic: DHCP snooping with relay agent many issues
Kingsley Charles (CCSP, CCNP, CCIP), posted April 11, 2012 01:04 AM
Hi all

I have a DHCP client that doesn't have a DHCP server in its VLAN; rather, a router in vlan2 is configured with an ip helper address. The DHCP server is in vlan 3.

DHCP client ------------- Router (configured with ip helper address) ---------sw1 ----trunk-----sw2-----Router (DHCP Server)

vlan2 vlan3 vlan3

Now when I enable DHCP snooping for vlan 3, I am not able to get an IP address for the DHCP client.

The following are the various issues:

Issue 1
=====

The DHCP discover's source MAC address and chaddr are different, and hence the packet is being dropped by sw2.

Fixed it using "no ip dhcp snooping verify mac-address"

Issue 2
=====

Sw2, configured for dhcp snooping, drops the DHCP discover packet as it has a non-zero giaddr.

Fixed it using "no ip dhcp snooping verify no-relay-agent-address"

Issue 3
=====

At last, the DHCP discover reaches the IOS DHCP server, but the offer gets dropped because the switch says that it can't find the output port. Pity, the switch has the MAC address in its MAC address table mapped to its trunk port, but still doesn't forward.

Cat4(config)#ip dhcp snooping erface: Fa0/7, MAC da: 001b.54aa.fa5e, MAC sa: 001b.d50f.f251, IP da: 10.7.7.4, IP sa: 10.7.7.7, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.7.7.15, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.7.7.4, DHCP chaddr: 001b.54aa.fa5e
Apr 11 07:03:19.477: DHCP_SNOOPING: DHCP packet may be headed in the direction of the relay 10.7.7.4, not extracting option82 information
Apr 11 07:03:19.477: DHCP_SNOOPING_SW: bridge packet output port set is null, packet is dropped.

Cat4#sh mac address-table address ?
  H.H.H  48 bit mac address

Cat4#sh mac address-table address 001b.54aa.fa5e
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   7    001b.54aa.fa5e    DYNAMIC     Fa0/23
Total Mac Addresses for this criterion: 1

So as the fix for issue 3, I just disabled dhcp snooping :-)

DHCP snooping does a lot of validation for security, which is good, but bad when there is a relay agent.

With regards
Kings

Posts: 887 | From: India | Registered: Jun 2010  |  IP: Logged
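The two ingress checks hit as Issue 1 and Issue 2 above, modelled in Python as an added example. This is not code from the thread or from Cisco IOS: the MAC addresses are constructed locally administered values, the relay address 10.7.7.4 is reused from the debug output, and the order and wording of the checks are an assumption made to mirror the two "verify" commands the post names.

```python
# Added example (not from the thread or from Cisco IOS): a model of the two
# DHCP-snooping ingress checks the opening post had to disable, run against
# constructed DHCPDISCOVER frames. Packet layout follows RFC 2131; the
# Ethernet source MAC is passed separately because it lives in the L2 header.
import struct
from typing import Optional, Tuple

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie
ZERO_IP = b"\x00" * 4


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the option list into a dict."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    giaddr = payload[24:28]
    chaddr = payload[28:28 + hlen]
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                      # pad
            i += 1
            continue
        if code == 255:                    # end
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "giaddr": giaddr, "chaddr": chaddr, "options": options}


def check_ingress(src_mac: bytes, pkt: dict, port_trusted: bool,
                  verify_mac: bool = True, verify_no_relay: bool = True,
                  allow_untrusted_opt82: bool = False) -> Tuple[bool, str]:
    """Decide whether the snooping switch accepts a DHCP packet on a port.

    Trusted ports skip validation; untrusted ports get the checks in the
    order the opening post hit them. Returns (accepted, reason)."""
    if pkt["op"] == 2:                      # BOOTREPLY: a server-side message
        return (True, "server reply on trusted port") if port_trusted else \
               (False, "server reply on untrusted port")
    if port_trusted:
        return True, "client message on trusted port, no validation"
    if verify_mac and src_mac != pkt["chaddr"]:
        return False, "src MAC != chaddr (ip dhcp snooping verify mac-address)"
    if verify_no_relay and pkt["giaddr"] != ZERO_IP:
        return False, "non-zero giaddr on untrusted port (verify no-relay-agent-address)"
    if 82 in pkt["options"] and not allow_untrusted_opt82:
        return False, "option 82 on untrusted port (needs information option allow-untrusted)"
    return True, "accepted"


def build_discover(chaddr: bytes, giaddr: bytes = ZERO_IP,
                   circuit_id: Optional[bytes] = None) -> bytes:
    """Construct a minimal DHCPDISCOVER; a non-zero giaddr marks it as relayed."""
    hops = 0 if giaddr == ZERO_IP else 1
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, hops, 0x3903F326, 0, 0x8000)
    hdr += ZERO_IP * 3 + giaddr                       # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * 192  # chaddr, sname, file
    opts = b"\x35\x01\x01"                            # option 53 = DHCPDISCOVER
    if circuit_id is not None:                        # option 82, sub-option 1
        sub = b"\x01" + bytes([len(circuit_id)]) + circuit_id
        opts += b"\x52" + bytes([len(sub)]) + sub
    return hdr + MAGIC + opts + b"\xff"


# Constructed addresses (locally administered MACs, not the thread's).
CLIENT_MAC = bytes.fromhex("020000000001")
RELAY_MAC = bytes.fromhex("0200000000aa")
RELAY_IP = bytes([10, 7, 7, 4])


def run_scenarios() -> dict:
    direct = parse_dhcp(build_discover(CLIENT_MAC))
    relayed = parse_dhcp(build_discover(CLIENT_MAC, giaddr=RELAY_IP))
    return {
        "direct_client_untrusted": check_ingress(CLIENT_MAC, direct, False),
        # Issue 1: the relay's source MAC differs from the client's chaddr
        "relayed_untrusted": check_ingress(RELAY_MAC, relayed, False),
        # Issue 2: with the MAC check off, the non-zero giaddr is the next drop
        "relayed_untrusted_no_macverify":
            check_ingress(RELAY_MAC, relayed, False, verify_mac=False),
        # both checks disabled, as the opening post ended up doing
        "relayed_untrusted_both_off":
            check_ingress(RELAY_MAC, relayed, False, verify_mac=False, verify_no_relay=False),
        # trusting the port facing the relay instead of weakening the checks
        "relayed_trusted": check_ingress(RELAY_MAC, relayed, True),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:32s} {'ACCEPT' if ok else 'DROP  '} {why}")
```

Running it shows why the two "no ... verify" commands were needed in that order: the relayed discover fails the MAC check first, then the giaddr check. The last scenario is the alternative that keeps both checks on, at the cost of treating everything behind that port as trusted.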
Kingsley Charles (CCSP, CCNP, CCIP), posted April 11, 2012 01:07 AM
dhcp snooping is configured on sw2 only
theevilmuffin, posted April 13, 2012 11:50 AM
Did you put the trunk as a trusted port?

What is your DHCP server?

Posts: 1065 | From: UK | Registered: Sep 2007  |  IP: Logged
Kingsley Charles (CCSP, CCNP, CCIP), posted April 13, 2012 09:00 PM
I am using an IOS router as the DHCP server. If I make the trunk trusted, then there would be no purpose in dhcp snooping, right :-)

With regards
Kings

theevilmuffin, posted April 14, 2012 06:08 AM
quote:
Originally posted by Kingsley Charles (CCSP, CCNP, CCIP):
I am using an IOS router as the DHCP server. If I make the trunk trusted, then there would be no purpose in dhcp snooping, right :-)

With regards
Kings

Let me get this right: you have the client connected to R1 and this is connected to SW1. So you have snooping on both SW1 and SW2?

You should enable trust on the trunk from SW1 and on SW2 to the router.

Are you disabling option 82?

Kingsley Charles (CCSP, CCNP, CCIP), posted April 14, 2012 07:23 AM
The DHCP discovery reaches the IOS DHCP server. It is the DHCP offer being dropped by SW2 which has DHCP snooping configured.

With regards
Kings

radius13, posted April 17, 2012 10:31 PM
SW2 can't find the port as DHCP option 82 is not being inserted from the SW1 end, since DHCP snooping is not enabled on SW1. Enable DHCP snooping on SW1 and trust the trunk port on SW1. It should work after that.
Posts: 8 | From: Saint John, NB | Registered: May 2011  |  IP: Logged
radius13, posted April 17, 2012 10:36 PM
Also, you need to configure "ip dhcp snooping information option allow-untrusted" on SW2 so that it accepts packets with option 82 information from SW1. Option 82 carries port information which is missing here.
Kingsley Charles (CCSP, CCNP, CCIP), posted April 18, 2012 10:48 AM
If I remember correctly, I had option 82 enabled. I guess it's an issue with the OS itself.

With regards
Kings

radius13, posted April 18, 2012 11:38 AM
It is a configuration issue.
Kingsley Charles (CCSP, CCNP, CCIP), posted April 18, 2012 09:28 PM
Did you try it practically?

I observed the issue practically.

With regards
Kings

radius13, posted April 19, 2012 07:12 AM
I have not tested this scenario yet. But it is obvious from the error that you are getting that there is an option 82 issue. I will test this as soon as I can. However, in the meantime you may want to test this, since you may have the setup already done and available, I guess. Also, please let me know if the following makes it work:
On the relay agent - "ip dhcp relay information option".
This will enable the router to insert option 82.
On SW2 - "ip dhcp snooping information option allow-untrusted". This will allow option 82 on the untrusted port, viz. the trunk. So SW2 will get the circuit ID (here, port info) from the relay agent over the trunk, which is untrusted.
Please note that by default IOS routers do not insert option 82. I am sure you are aware of that.

cheers!

Kingsley Charles (CCSP, CCNP, CCIP), posted April 19, 2012 09:05 AM
I have been playing with dhcp snooping for a long time; I know what the commands are and their purpose, so let's not go into basics now :-)

The IOS DHCP server was configured with "ip dhcp relay information option" and option 82 insertion was enabled on the switch.

Remember one thing: the MAC address is in the CAM table, so the switch doesn't need option 82 to forward the response packet.

Snippet from http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swdhcp82.html#wp1294425

When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and port security must be enabled on the interface. You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82. When IP source guard is enabled with MAC address filtering, the DHCP host MAC address is not learned until the host is granted a lease. When forwarding packets from the server to the host, DHCP snooping uses the option-82 data to identify the host port.

With regards
Kings

radius13, posted April 19, 2012 01:26 PM
I am not questioning your knowledge here. You wanted to discuss this issue and that's why you posted the issue. You may be an expert but when things do not work then unfortunately you have to go back to basics. Without you providing configuration it is difficult to discuss anything.
Kingsley Charles (CCSP, CCNP, CCIP), posted April 20, 2012 03:39 AM
I never claimed that I am an expert, did I?
Nobody can be an expert, as knowledge is an ocean.

You were telling me to configure commands that might fix the issue, and they were basics. That's why I said, let's move away from those fundamentals and jump into the core of troubleshooting.

Anyway, no more mis-understandings :-)

With regards
Kings

radius13, posted April 20, 2012 07:03 AM
Kingsley,

The whole idea is to fix the issue. The issue can only be fixed if the technology is understood properly. If not, then we need to probe the basics again. I am sure you will agree with that. Basic or advanced, commands will remain the same, and their purpose too. If we do not understand the basics we will miss a thing here and there. That's what the CCIE lab exam is all about. The issue that you presented here is workable. I gave you one solution earlier. It needs to be tested. Unless you test that, we can't move further with that. There is another solution to this issue. Do not enable option 82 on R1 and then trust the trunk port on SW2. This is due to how Cisco's DHCP snooping is designed to work with a relay agent. You have to trust the port facing a relay agent. I have seen that error before and it is fixable. OR, if you do not want to trust the port, then you use the solution I gave in my earlier message. But you need to test to confirm this. We can't assume things anyway.
There is no question of misunderstanding here. We are all here to learn as you put it. However, when we have an issue it is best to present the configs as that helps get the whole scenario. BTW I have been in Networking for 20 years and I think I know a few things too. :-)

happy labbing!

Kingsley Charles (CCSP, CCNP, CCIP), posted April 20, 2012 07:38 AM
Hi

I discussed this issue in another forum and we came to the conclusion that it might be a bug.

Actually, I am on a tight schedule so I can't retest it now. But I am sure I had option 82 enabled on the switch. So the switch has the option 82 as well as the MAC address to port mapping. So it should have forwarded the DHCP offer to the client.

Please have a look at the error message.

Cat4(config)#ip dhcp snooping erface: Fa0/7, MAC da: 001b.54aa.fa5e, MAC sa: 001b.d50f.f251, IP da: 10.7.7.4, IP sa: 10.7.7.7, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.7.7.15, DHCP siaddr: 0.0.0.0, DHCP giaddr: 10.7.7.4, DHCP chaddr: 001b.54aa.fa5e
Apr 11 07:03:19.477: DHCP_SNOOPING: DHCP packet may be headed in the direction of the relay 10.7.7.4, not extracting option82 information
Apr 11 07:03:19.477: DHCP_SNOOPING_SW: bridge packet output port set is null, packet is dropped.

The other solution, of enabling dhcp trust, will break the use of dhcp snooping, right?

If you get it working any time, please let me know what image version was being used.

With regards
Kings

radius13, posted April 20, 2012 08:24 AM
I will test as soon as I can. I have worked with Relay Agent quite some time back and seen this error. Yes, logically the switch should have sent the offer to the client with all the info, as you put it. But as I said, Cisco handles Relay Agent differently. With Relay Agent or a DHCP Server you have no option but to trust the port facing it. Here SW2 trunk port logically faces the Relay Agent. So, you must trust this port. So there is no option but to trust trunk port on SW2. That will make it work.
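The output-port decision behind Issue 3, modelled in Python as an added example placed after radius13's explanation that the port facing a relay agent has to be trusted. This is not the thread's or Cisco's code, and the thread never confirmed the fix by test: the resolution rules are an assumption built from the debug output quoted above (a reply addressed to a relay is not matched against option 82, and with the trunk untrusted the output port set is null) and from the Cisco snippet Kingsley quoted (replies to a locally attached host are matched by the switch's own option 82 circuit-id or by the binding table). The MAC addresses, port names and circuit-ids are constructed; only the relay address 10.7.7.4 and the ports Fa0/7 and Fa0/23 are taken from the thread.

```python
# Added example (not the thread's or Cisco's code): a model of how a snooping
# switch resolves the output port for a server-to-client DHCP message, built
# from what this thread reports. A reply addressed to a relay (giaddr != 0)
# is not matched against option 82 and is only delivered through a trusted
# port; a reply for a directly attached client is matched by the circuit-id
# the switch inserted, or else by the snooping binding table.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Reply:
    """Fields of a DHCPOFFER/ACK that the forwarding decision needs."""
    dst_mac: str
    chaddr: str
    giaddr: str = "0.0.0.0"               # relay address; 0.0.0.0 = client is local
    circuit_id: Optional[bytes] = None    # option 82 sub-option 1, if present


@dataclass
class SnoopingSwitch:
    trusted: Set[str]
    mac_table: Dict[str, str] = field(default_factory=dict)      # CAM: MAC -> port
    bindings: Dict[str, str] = field(default_factory=dict)       # binding table: chaddr -> port
    circuit_ids: Dict[bytes, str] = field(default_factory=dict)  # circuit-ids this switch inserted

    def resolve_output_port(self, reply: Reply, in_port: str) -> Tuple[Optional[str], str]:
        """Return (output_port, reason); output_port None means the reply is dropped."""
        if in_port not in self.trusted:
            return None, f"DHCP server message on untrusted port {in_port}"
        if reply.giaddr != "0.0.0.0":
            # Relayed: the next hop is the relay, not the client, so option 82 is ignored
            # ("may be headed in the direction of the relay, not extracting option82").
            port = self.mac_table.get(reply.dst_mac)
            if port is None:
                return None, f"relay {reply.giaddr} not in CAM table"
            if port not in self.trusted:
                return None, (f"relay {reply.giaddr} reachable only via untrusted {port}: "
                              "output port set is null")
            return port, f"toward relay {reply.giaddr} via trusted {port}"
        # Locally attached client: our own circuit-id first, then the binding table.
        if reply.circuit_id is not None and reply.circuit_id in self.circuit_ids:
            return self.circuit_ids[reply.circuit_id], "host port from option 82 circuit-id"
        port = self.bindings.get(reply.chaddr)
        if port is None:
            return None, f"no snooping binding for {reply.chaddr}"
        return port, "host port from snooping binding table"


# Constructed lab values modelled on the thread's topology (MACs are made up).
RELAY_MAC, CLIENT_MAC = "0200.0000.00aa", "0200.0000.0001"


def run_scenarios() -> Dict[str, Tuple[Optional[str], str]]:
    relayed = Reply(dst_mac=RELAY_MAC, chaddr=CLIENT_MAC, giaddr="10.7.7.4")
    # SW2 as in the thread: server port Fa0/7 trusted, trunk Fa0/23 untrusted
    sw2 = SnoopingSwitch(trusted={"Fa0/7"}, mac_table={RELAY_MAC: "Fa0/23"})
    # SW2 with the relay-facing trunk trusted, as radius13 suggests
    sw2_trusted_trunk = SnoopingSwitch(trusted={"Fa0/7", "Fa0/23"},
                                       mac_table={RELAY_MAC: "Fa0/23"})
    # A switch with a directly attached client on Fa0/5
    local_sw = SnoopingSwitch(trusted={"Fa0/7"}, bindings={CLIENT_MAC: "Fa0/5"},
                              circuit_ids={b"Fa0/5": "Fa0/5"})
    local = Reply(dst_mac=CLIENT_MAC, chaddr=CLIENT_MAC, circuit_id=b"Fa0/5")
    return {
        "thread_case_untrusted_trunk": sw2.resolve_output_port(relayed, "Fa0/7"),
        "trusted_trunk": sw2_trusted_trunk.resolve_output_port(relayed, "Fa0/7"),
        "server_on_untrusted_port": sw2.resolve_output_port(relayed, "Fa0/9"),
        "local_client_option82": local_sw.resolve_output_port(local, "Fa0/7"),
        "local_client_binding": local_sw.resolve_output_port(Reply(CLIENT_MAC, CLIENT_MAC), "Fa0/7"),
        "local_client_unknown": local_sw.resolve_output_port(
            Reply("0200.0000.0099", "0200.0000.0099"), "Fa0/7"),
    }


if __name__ == "__main__":
    for name, (port, why) in run_scenarios().items():
        print(f"{name:28s} {port or 'DROP':7s} {why}")
```

The first scenario reproduces the null output port even though the relay's MAC is in the CAM table, and the second shows the trade-off Kingsley objects to: trusting the trunk restores forwarding, but it also means any DHCP server reply arriving over that trunk is accepted without validation, so the upstream switch's own snooping (and port security on the relay side) has to provide that protection instead.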
Kingsley Charles (CCSP, CCNP, CCIP), posted April 20, 2012 08:45 PM
The issue seems to be specific to DHCP relay. I think it has something to do with the chaddr. With relay, the chaddr retains the actual client address and the src addr is the relay agent's.

This causes the issue, as I can see it is the only difference between a DHCP request from a normal client and DHCP relay.

With regards
Kings

radius13, posted April 21, 2012 05:08 AM
I don't think so since your command "no ip dhcp snooping verify mac-address" that you configured earlier should have taken care of that.
Kingsley Charles (CCSP, CCNP, CCIP), posted April 21, 2012 10:06 AM
That took care of allowing DHCP discover that doesn't have matching src mac and chaddr.

My point is that the switch is somehow confused by having these unmatched addresses when trying to forward the DHCP offer back to the relay.

With regards
Kings
