Solved

DHCP snooping on Cisco switch dropping all DHCP traffic

Posted on 2016-09-28
Last Modified: 2016-10-05
We have 7 Cisco 2960-X access switches connected back to two Cisco 3850 stacked core switches with port channels. We have DHCP snooping enabled on both the access switches and the core switch. This configuration has been in place and working well for 4 months.

However, today the core switch stopped passing DHCP traffic from the access switches. But, if I connect a laptop directly to the core switch it can get a DHCP address. If we turn off DHCP snooping on the core switch then everything starts working again.

We haven't made any changes to the network or servers.

Any ideas?

This is the log from the core switch:
*Sep 28 06:13:01.737: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po12, MAC da: ffff.ffff.ffff, MAC sa: a41f.725e.1add, IP da: 255.255.255.255, IP sa: 172.16.7.82, DHCP ciaddr: 172.16.7.82, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: a41f.725e.1add
*Sep 28 06:13:01.738: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:01.738: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:01.896: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:01.897: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1281.e956, IP da: 255.255.255.255, IP sa: 172.16.7.7, DHCP ciaddr: 172.16.7.7, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1281.e956
*Sep 28 06:13:01.897: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:01.897: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:02.429: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:02.429: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:02.429: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 7845.c42d.be87
*Sep 28 06:13:02.430: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: 7845.c42d.be87
*Sep 28 06:13:02.430: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: 7845.c42d.be87, IP da: 255.255.255.255, IP sa: 172.16.7.147, DHCP ciaddr: 172.16.7.147, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c42d.be87
*Sep 28 06:13:02.430: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:02.430: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:03.464: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: f48e.3897.ec56
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: f48e.3897.ec56
*Sep 28 06:13:03.464: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: f48e.3897.ec56, IP da: 255.255.255.255, IP sa: 172.16.7.76, DHCP ciaddr: 172.16.7.76, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f48e.3897.ec56
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:03.465: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:03.671: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel14)
*Sep 28 06:13:03.671: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po14, MAC da: ffff.ffff.ffff, MAC sa: c81f.6642.74f0, IP da: 255.255.255.255, IP sa: 172.16.7.210, DHCP ciaddr: 172.16.7.210, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6642.74f0
*Sep 28 06:13:03.671: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:03.672: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:04.735: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel12)
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: a41f.725e.1add
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: a41f.725e.1add
*Sep 28 06:13:04.735: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po12, MAC da: ffff.ffff.ffff, MAC sa: a41f.725e.1add, IP da: 255.255.255.255, IP sa: 172.16.7.82, DHCP ciaddr: 172.16.7.82, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: a41f.725e.1add
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:04.902: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:04.902: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1281.e956, IP da: 255.255.255.255, IP sa: 172.16.7.7, DHCP ciaddr: 172.16.7.7, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1281.e956
*Sep 28 06:13:04.903: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:04.903: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:05.429: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 7845.c42d.be87
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: 7845.c42d.be87
*Sep 28 06:13:05.429: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: 7845.c42d.be87, IP da: 255.255.255.255, IP sa: 172.16.7.147, DHCP ciaddr: 172.16.7.147, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c42d.be87
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:06.157: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:06.157: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1299.baab, IP da: 255.255.255.255, IP sa: 172.16.7.39, DHCP ciaddr: 172.16.7.39, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1299.baab
*Sep 28 06:13:06.157: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:06.157: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:06.673: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel14)
*Sep 28 06:13:06.674: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po14, MAC da: ffff.ffff.ffff, MAC sa: c81f.6642.74f0, IP da: 255.255.255.255, IP sa: 172.16.7.210, DHCP ciaddr: 172.16.7.210, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6642.74f0
*Sep 28 06:13:06.674: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:06.674: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:09.159: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:09.159: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1299.baab, IP da: 255.255.255.255, IP sa: 172.16.7.39, DHCP ciaddr: 172.16.7.39, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1299.baab
*Sep 28 06:13:09.159: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:09.159: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:11.835: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:11.835: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 7845.c40f.4191, IP da: 255.255.255.255, IP sa: 172.16.7.114, DHCP ciaddr: 172.16.7.114, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c40f.4191
*Sep 28 06:13:11.835: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:11.836: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:11.900: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: c81f.6640.881f
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: c81f.6640.881f
*Sep 28 06:13:11.900: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: c81f.6640.881f, IP da: 255.255.255.255, IP sa: 172.16.7.48, DHCP ciaddr: 172.16.7.48, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6640.881f
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:11.901: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:14.547: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:14.548: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: c81f.660f.ee0d, IP da: 255.255.255.255, IP sa: 172.16.7.85, DHCP ciaddr: 172.16.7.85, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.660f.ee0d
*Sep 28 06:13:14.548: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:14.548: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:14.904: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: c81f.6640.881f
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: c81f.6640.881f
*Sep 28 06:13:14.904: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: c81f.6640.881f, IP da: 255.255.255.255, IP sa: 172.16.7.48, DHCP ciaddr: 172.16.7.48, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6640.881f
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:15.942: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:15.942: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 7845.c40f.4191, IP da: 255.255.255.255, IP sa: 172.16.7.114, DHCP ciaddr: 172.16.7.114, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c40f.4191
*Sep 28 06:13:15.942: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:15.942: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:14:20.130: DHCP_SNOOPING: checking expired snoop binding entries
*Sep 28 06:15:20.119: %SYS-5-CONFIG_I: Configured from console by root on vty0 (172.16.4.54)
*Sep 28 06:16:20.130: DHCP_SNOOPING: checking expired snoop binding entries
*Sep 28 06:18:20.132: DHCP_SNOOPING: checking expired snoop binding entries
*Sep 28 06:20:20.132: DHCP_SNOOPING: checking expired snoop binding entries
0
Question by:donohoe1
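
One way to triage debug output in the format posted above, added here as an example and not part of the original question: it counts DHCP message types per input interface and failed MAC table lookups, so you can see at a glance whether any server replies are reaching the switch and on which ports. The sample lines are constructed, and the names `summarize`, `PROCESS_RE` and `LOOKUP_FAIL_RE` are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the debug output above; the MAC and IP
# values and the Gi1/0/1 DHCPACK line are made up for this example.
SAMPLE_LOG = """\
*Sep 28 06:13:01.100: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 0200.0000.0001, IP da: 255.255.255.255, IP sa: 192.0.2.10
*Sep 28 06:13:02.200: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 0200.0000.0002
*Sep 28 06:13:02.201: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po12, MAC da: ffff.ffff.ffff, MAC sa: 0200.0000.0002, IP da: 255.255.255.255, IP sa: 192.0.2.11
*Sep 28 06:13:04.100: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 0200.0000.0001, IP da: 255.255.255.255, IP sa: 192.0.2.10
*Sep 28 06:13:05.000: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Gi1/0/1, MAC da: ffff.ffff.ffff, MAC sa: 0200.0000.00aa, IP da: 255.255.255.255, IP sa: 192.0.2.1
"""

PROCESS_RE = re.compile(
    r"DHCP_SNOOPING: process new DHCP packet, message type: (?P<type>\w+), "
    r"input interface: (?P<ifc>[^,\s]+), MAC da: [^,]+, MAC sa: (?P<mac>[0-9a-fA-F.]+)")
LOOKUP_FAIL_RE = re.compile(r"failed to get mat entry for mac: (?P<mac>[0-9a-fA-F.]+)")
# Server-originated message types (RFC 2131 names); assumed to be printed in
# the same form as the DHCPINFORM seen in the log.
SERVER_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def summarize(log_text):
    """Count message types per input interface and failed MAC lookups."""
    by_ifc = defaultdict(Counter)
    clients = defaultdict(set)
    failed = Counter()
    for line in log_text.splitlines():
        m = PROCESS_RE.search(line)
        if m:
            by_ifc[m["ifc"]][m["type"]] += 1
            clients[m["ifc"]].add(m["mac"])
            continue
        m = LOOKUP_FAIL_RE.search(line)
        if m:
            failed[m["mac"]] += 1
    return {
        "by_interface": {i: dict(c) for i, c in by_ifc.items()},
        "clients_per_interface": {i: len(s) for i, s in clients.items()},
        "lookup_failures": dict(failed),
        # Interfaces where replies from a DHCP server were seen at all.
        "server_reply_interfaces": sorted(
            i for i, c in by_ifc.items() if SERVER_TYPES.intersection(c)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```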
5 Comments
 
LVL 29

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 250 total points
ID: 41820235
You need to configure the link(s) to the DHCP server (typically trunk links) as
interface Gi1/0/x
 ip dhcp snooping trust

Those are the ports that can respond with DHCPOffer and DHCPACK packets. If those packets are coming from an untrusted port, the packets are dropped.
Typically you also want to limit how many DHCP requests can be sent from DHCP client ports.
interface Gi1/0/y
 ip dhcp snooping limit rate 50
0
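
A sketch of how the trust and rate-limit settings described in the answer above could be audited from a saved running-config (an added example, not part of the original answer): it lists which interfaces carry `ip dhcp snooping trust` and which untrusted interfaces have no `ip dhcp snooping limit rate`. The configuration fragment is constructed, and the function names are hypothetical.

```python
import re

# Constructed running-config fragment: interface names and VLAN are sample
# values; only the snooping commands themselves appear in the thread.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 4
no ip dhcp snooping information option
ip dhcp snooping
!
interface Port-channel1
 ip dhcp snooping trust
!
interface Port-channel9
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 ip dhcp snooping limit rate 50
"""

def audit_snooping(config_text):
    """Collect global and per-interface DHCP snooping settings."""
    report = {"enabled": False, "option82": True, "vlans": None, "interfaces": {}}
    current = None  # settings dict of the interface block being read
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = report["interfaces"].setdefault(
                line.split()[1], {"trusted": False, "rate_limit": None})
        elif not raw.startswith(" "):
            current = None  # back at global level
            if line == "ip dhcp snooping":
                report["enabled"] = True
            elif line == "no ip dhcp snooping information option":
                report["option82"] = False  # option 82 insertion is on by default
            elif line.startswith("ip dhcp snooping vlan "):
                report["vlans"] = line.split(None, 4)[4]
        elif current is not None:
            m = re.fullmatch(r"ip dhcp snooping limit rate (\d+)", line)
            if line == "ip dhcp snooping trust":
                current["trusted"] = True
            elif m:
                current["rate_limit"] = int(m.group(1))
    return report

def trusted_ports(report):
    return sorted(n for n, i in report["interfaces"].items() if i["trusted"])

def untrusted_without_rate_limit(report):
    return sorted(n for n, i in report["interfaces"].items()
                  if not i["trusted"] and i["rate_limit"] is None)

if __name__ == "__main__":
    r = audit_snooping(SAMPLE_CONFIG)
    print(trusted_ports(r), untrusted_without_rate_limit(r))
```

Compare the trusted list against the ports that actually lead toward the DHCP server; server replies arriving on any other port are dropped.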
 

Author Comment

by:donohoe1
ID: 41820247
I’m starting to see more issues. I was running a restore from my Veeam backup server to my test lab host. The backup server is connected directly to the core switch and the test lab server is connected to an access switch. When the restore was running PRTG was showing me high traffic across all the access switches and high traffic on the EPL (connection to a remote office). The restore shouldn’t have touched any of those.

I think there is something seriously wrong with the core switch.
0
 
LVL 29

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 250 total points
ID: 41820501
Typically the core should not be affected by the backup restore process of an access switch, but if a wrong configuration is restored on an access switch (or to the wrong device - like the core). One of the problems can be that you have LACP configured as channel-group on and the other side does not participate in LACP (and you have Po9, Po12, Po13, Po14 there) - that can lead to network loops.

Also try removing option 82 from DHCP by issuing the command below and check what is going on after that:
no ip dhcp snooping information option
0
 
LVL 46

Accepted Solution

by:Craig Beck
Craig Beck earned 250 total points
ID: 41831028
What version of code is on your 2960 and 3850 switches?  Which specific model of 3850 do you have?

Can you post the DHCP snooping config from the 2960s and your core, and show which interfaces have the ip dhcp snooping trust command?
0
 

Author Comment

by:donohoe1
ID: 41831197
Sorry, I forgot to update this.

The switches were showing some strange information when we logged on. After rebooting them everything looked normal again and DHCP snooping started working normally. We then upgraded the switches to the latest IOS just to be safe.
0
