Solved

DHCP snooping on Cisco switch dropping all DHCP traffic

Posted on 2016-09-28
Last Modified: 2016-10-05
We have 7 Cisco 2960-X access switches connected back to two Cisco 3850 stacked core switches with port channels. We have DHCP snooping enabled on both the access switches and the core switch. This configuration has been in place and working well for 4 months.

However, today the core switch stopped passing DHCP traffic from the access switches. But, if I connect a laptop directly to the core switch it can get a DHCP address. If we turn off DHCP snooping on the core switch then everything starts working again.

We haven't made any changes to the network or servers.

Any ideas?

This is the log from the core switch:
*Sep 28 06:13:01.737: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po12, MAC da: ffff.ffff.ffff, MAC sa: a41f.725e.1add, IP da: 255.255.255.255, IP sa: 172.16.7.82, DHCP ciaddr: 172.16.7.82, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: a41f.725e.1add
*Sep 28 06:13:01.738: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:01.738: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:01.896: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:01.897: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1281.e956, IP da: 255.255.255.255, IP sa: 172.16.7.7, DHCP ciaddr: 172.16.7.7, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1281.e956
*Sep 28 06:13:01.897: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:01.897: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:02.429: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:02.429: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:02.429: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 7845.c42d.be87
*Sep 28 06:13:02.430: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: 7845.c42d.be87
*Sep 28 06:13:02.430: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: 7845.c42d.be87, IP da: 255.255.255.255, IP sa: 172.16.7.147, DHCP ciaddr: 172.16.7.147, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c42d.be87
*Sep 28 06:13:02.430: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:02.430: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:03.464: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: f48e.3897.ec56
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: f48e.3897.ec56
*Sep 28 06:13:03.464: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: f48e.3897.ec56, IP da: 255.255.255.255, IP sa: 172.16.7.76, DHCP ciaddr: 172.16.7.76, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f48e.3897.ec56
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:03.465: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:03.671: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel14)
*Sep 28 06:13:03.671: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po14, MAC da: ffff.ffff.ffff, MAC sa: c81f.6642.74f0, IP da: 255.255.255.255, IP sa: 172.16.7.210, DHCP ciaddr: 172.16.7.210, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6642.74f0
*Sep 28 06:13:03.671: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:03.672: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:04.735: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel12)
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: a41f.725e.1add
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: a41f.725e.1add
*Sep 28 06:13:04.735: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po12, MAC da: ffff.ffff.ffff, MAC sa: a41f.725e.1add, IP da: 255.255.255.255, IP sa: 172.16.7.82, DHCP ciaddr: 172.16.7.82, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: a41f.725e.1add
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:04.902: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:04.902: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1281.e956, IP da: 255.255.255.255, IP sa: 172.16.7.7, DHCP ciaddr: 172.16.7.7, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1281.e956
*Sep 28 06:13:04.903: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:04.903: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:05.429: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 7845.c42d.be87
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: 7845.c42d.be87
*Sep 28 06:13:05.429: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: 7845.c42d.be87, IP da: 255.255.255.255, IP sa: 172.16.7.147, DHCP ciaddr: 172.16.7.147, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c42d.be87
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:06.157: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:06.157: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1299.baab, IP da: 255.255.255.255, IP sa: 172.16.7.39, DHCP ciaddr: 172.16.7.39, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1299.baab
*Sep 28 06:13:06.157: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:06.157: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:06.673: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel14)
*Sep 28 06:13:06.674: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po14, MAC da: ffff.ffff.ffff, MAC sa: c81f.6642.74f0, IP da: 255.255.255.255, IP sa: 172.16.7.210, DHCP ciaddr: 172.16.7.210, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6642.74f0
*Sep 28 06:13:06.674: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:06.674: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:09.159: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:09.159: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1299.baab, IP da: 255.255.255.255, IP sa: 172.16.7.39, DHCP ciaddr: 172.16.7.39, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1299.baab
*Sep 28 06:13:09.159: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:09.159: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:11.835: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:11.835: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 7845.c40f.4191, IP da: 255.255.255.255, IP sa: 172.16.7.114, DHCP ciaddr: 172.16.7.114, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c40f.4191
*Sep 28 06:13:11.835: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:11.836: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:11.900: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: c81f.6640.881f
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: c81f.6640.881f
*Sep 28 06:13:11.900: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: c81f.6640.881f, IP da: 255.255.255.255, IP sa: 172.16.7.48, DHCP ciaddr: 172.16.7.48, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6640.881f
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:11.901: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:14.547: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:14.548: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: c81f.660f.ee0d, IP da: 255.255.255.255, IP sa: 172.16.7.85, DHCP ciaddr: 172.16.7.85, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.660f.ee0d
*Sep 28 06:13:14.548: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:14.548: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:14.904: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: c81f.6640.881f
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: c81f.6640.881f
*Sep 28 06:13:14.904: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: c81f.6640.881f, IP da: 255.255.255.255, IP sa: 172.16.7.48, DHCP ciaddr: 172.16.7.48, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6640.881f
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:15.942: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:15.942: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 7845.c40f.4191, IP da: 255.255.255.255, IP sa: 172.16.7.114, DHCP ciaddr: 172.16.7.114, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c40f.4191
*Sep 28 06:13:15.942: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:15.942: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:14:20.130: DHCP_SNOOPING: checking expired snoop binding entries
*Sep 28 06:15:20.119: %SYS-5-CONFIG_I: Configured from console by root on vty0 (172.16.4.54)
*Sep 28 06:16:20.130: DHCP_SNOOPING: checking expired snoop binding entries
*Sep 28 06:18:20.132: DHCP_SNOOPING: checking expired snoop binding entries
*Sep 28 06:20:20.132: DHCP_SNOOPING: checking expired snoop binding entries
0
Question by:donohoe1
5 Comments
 
LVL 26

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 250 total points
ID: 41820235
You need to configure link(s) to DHCP server (typically trunk links) as
interface Gi1/0/x
 ip dhcp snooping trust

Those are ports that can respond with DHCPOffer and DHCPACK packets. If those packets are coming from an untrusted port, the packets are dropped.
Typically you also want to limit how many DHCP requests can be sent from DHCP client ports.
interface Gi1/0/y
 ip dhcp snooping limit rate 50
0
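Added example (not part of the original thread or any poster's code): a small triage script for debug output in the format posted in the question. It tallies DHCP message types per input interface and flags server-originated messages arriving on ports outside a trusted set, which is the case the answer above says snooping drops. The sample lines are constructed, and the trusted port Po1 is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the debug output in the question.
# MACs, IPs, the trusted uplink Po1 and the DHCPOFFER/DHCPACK lines are invented.
SAMPLE_LOG = """\
*Sep 28 06:13:01.737: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po12, MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.5301, IP da: 255.255.255.255, IP sa: 192.0.2.82
*Sep 28 06:13:01.738: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:02.100: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.5302, IP da: 255.255.255.255, IP sa: 0.0.0.0
*Sep 28 06:13:02.200: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.53aa, IP da: 255.255.255.255, IP sa: 192.0.2.66
*Sep 28 06:13:02.300: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Po1, MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.53bb, IP da: 255.255.255.255, IP sa: 192.0.2.10
"""

# Only the "process new DHCP packet" lines carry type, port and source MAC.
PACKET = re.compile(
    r"DHCP_SNOOPING: process new DHCP packet, message type: (?P<type>\w+), "
    r"input interface: (?P<port>[^,]+), MAC da: [0-9a-f.]+, MAC sa: (?P<mac>[0-9a-f.]+)"
)

# The answer names DHCPOFFER and DHCPACK; DHCPNAK is also sent only by servers.
SERVER_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def triage(log_text, trusted_ports):
    """Return (per-port message counts, server replies seen on untrusted ports)."""
    counts = Counter()
    untrusted_replies = []
    for line in log_text.splitlines():
        match = PACKET.search(line)
        if match is None:
            continue  # DHCP_SNOOPING_SW and housekeeping lines are skipped
        port, mtype, mac = match["port"], match["type"], match["mac"]
        counts[(port, mtype)] += 1
        if mtype in SERVER_TYPES and port not in trusted_ports:
            untrusted_replies.append((port, mtype, mac))
    return counts, untrusted_replies


if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG, trusted_ports={"Po1"})
    for (port, mtype), n in sorted(counts.items()):
        print(f"{port:6} {mtype:13} {n}")
    for port, mtype, mac in flagged:
        print(f"server reply on untrusted port: {port} {mtype} from {mac}")
```

A port that shows up in the flagged list is either a legitimate path to the DHCP server that is missing ip dhcp snooping trust, or a device answering DHCP where none should be.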
 

Author Comment

by:donohoe1
ID: 41820247
I’m starting to see more issues. I was running a restore from my Veeam backup server to my test lab host. The backup server is connected directly to the core switch and the test lab server is connected to an access switch. When the restore was running PRTG was showing me high traffic across all the access switches and high traffic on the EPL (connection to a remote office). The restore shouldn’t have touched any of those.

I think there is something seriously wrong with the core switch.
0
 
LVL 26

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 250 total points
ID: 41820501
Typically the core should not be affected by the backup restore process of an access switch, but if the wrong configuration is restored on an access switch (or to the wrong device, like the core). One of the problems can be that you have LACP configured as channel-group on and the other side does not participate in LACP (and you have Po9, Po12, Po13, Po14 there) - that can lead to network loops.

Also try removing option 82 from DHCP by issuing the command below and check what is going on after that:
no ip dhcp snooping information option
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 250 total points
ID: 41831028
What version of code is on your 2960 and 3850 switches?  Which specific model of 3850 do you have?

Can you post the DHCP snooping config from the 2960s and your core, and show which interfaces have the ip dhcp snooping trust command?
0
 

Author Comment

by:donohoe1
ID: 41831197
Sorry, I forgot to update this.

The switches were showing some strange information when we logged on. After rebooting them everything looked normal again and DHCP snooping started working normally. We then upgraded the switches to the latest IOS just to be safe.
0
