Solved

DHCP snooping on Cisco switch dropping all DHCP traffic

Posted on 2016-09-28
Last Modified: 2016-10-05
We have 7 Cisco 2960-X access switches connected back to two Cisco 3850 stacked core switches with port channels. We have DHCP snooping enabled on both the access switches and the core switch. This configuration has been in place and working well for 4 months.

However, today the core switch stopped passing DHCP traffic from the access switches. But, if I connect a laptop directly to the core switch it can get a DHCP address. If we turn off DHCP snooping on the core switch then everything starts working again.

We haven't made any changes to the network or servers.

Any ideas?

This is the log from the core switch:
*Sep 28 06:13:01.737: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po12, MAC da: ffff.ffff.ffff, MAC sa: a41f.725e.1add, IP da: 255.255.255.255, IP sa: 172.16.7.82, DHCP ciaddr: 172.16.7.82, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: a41f.725e.1add
*Sep 28 06:13:01.738: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:01.738: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:01.896: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:01.897: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1281.e956, IP da: 255.255.255.255, IP sa: 172.16.7.7, DHCP ciaddr: 172.16.7.7, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1281.e956
*Sep 28 06:13:01.897: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:01.897: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:02.429: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:02.429: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:02.429: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 7845.c42d.be87
*Sep 28 06:13:02.430: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: 7845.c42d.be87
*Sep 28 06:13:02.430: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: 7845.c42d.be87, IP da: 255.255.255.255, IP sa: 172.16.7.147, DHCP ciaddr: 172.16.7.147, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c42d.be87
*Sep 28 06:13:02.430: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:02.430: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:03.464: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: f48e.3897.ec56
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: f48e.3897.ec56
*Sep 28 06:13:03.464: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: f48e.3897.ec56, IP da: 255.255.255.255, IP sa: 172.16.7.76, DHCP ciaddr: 172.16.7.76, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f48e.3897.ec56
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:03.465: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:03.671: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel14)
*Sep 28 06:13:03.671: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po14, MAC da: ffff.ffff.ffff, MAC sa: c81f.6642.74f0, IP da: 255.255.255.255, IP sa: 172.16.7.210, DHCP ciaddr: 172.16.7.210, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6642.74f0
*Sep 28 06:13:03.671: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:03.672: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:04.735: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel12)
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: a41f.725e.1add
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: a41f.725e.1add
*Sep 28 06:13:04.735: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po12, MAC da: ffff.ffff.ffff, MAC sa: a41f.725e.1add, IP da: 255.255.255.255, IP sa: 172.16.7.82, DHCP ciaddr: 172.16.7.82, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: a41f.725e.1add
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:04.902: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:04.902: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1281.e956, IP da: 255.255.255.255, IP sa: 172.16.7.7, DHCP ciaddr: 172.16.7.7, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1281.e956
*Sep 28 06:13:04.903: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:04.903: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:05.429: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 7845.c42d.be87
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: 7845.c42d.be87
*Sep 28 06:13:05.429: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: 7845.c42d.be87, IP da: 255.255.255.255, IP sa: 172.16.7.147, DHCP ciaddr: 172.16.7.147, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c42d.be87
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:06.157: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:06.157: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1299.baab, IP da: 255.255.255.255, IP sa: 172.16.7.39, DHCP ciaddr: 172.16.7.39, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1299.baab
*Sep 28 06:13:06.157: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:06.157: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:06.673: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel14)
*Sep 28 06:13:06.674: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po14, MAC da: ffff.ffff.ffff, MAC sa: c81f.6642.74f0, IP da: 255.255.255.255, IP sa: 172.16.7.210, DHCP ciaddr: 172.16.7.210, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6642.74f0
*Sep 28 06:13:06.674: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:06.674: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:09.159: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:09.159: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1299.baab, IP da: 255.255.255.255, IP sa: 172.16.7.39, DHCP ciaddr: 172.16.7.39, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1299.baab
*Sep 28 06:13:09.159: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:09.159: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:11.835: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:11.835: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 7845.c40f.4191, IP da: 255.255.255.255, IP sa: 172.16.7.114, DHCP ciaddr: 172.16.7.114, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c40f.4191
*Sep 28 06:13:11.835: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:11.836: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:11.900: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: c81f.6640.881f
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: c81f.6640.881f
*Sep 28 06:13:11.900: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: c81f.6640.881f, IP da: 255.255.255.255, IP sa: 172.16.7.48, DHCP ciaddr: 172.16.7.48, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6640.881f
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:11.901: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:14.547: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:14.548: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: c81f.660f.ee0d, IP da: 255.255.255.255, IP sa: 172.16.7.85, DHCP ciaddr: 172.16.7.85, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.660f.ee0d
*Sep 28 06:13:14.548: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:14.548: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:14.904: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: c81f.6640.881f
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: c81f.6640.881f
*Sep 28 06:13:14.904: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: c81f.6640.881f, IP da: 255.255.255.255, IP sa: 172.16.7.48, DHCP ciaddr: 172.16.7.48, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6640.881f
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:15.942: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:15.942: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 7845.c40f.4191, IP da: 255.255.255.255, IP sa: 172.16.7.114, DHCP ciaddr: 172.16.7.114, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c40f.4191
*Sep 28 06:13:15.942: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:15.942: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:14:20.130: DHCP_SNOOPING: checking expired snoop binding entries
*Sep 28 06:15:20.119: %SYS-5-CONFIG_I: Configured from console by root on vty0 (172.16.4.54)
*Sep 28 06:16:20.130: DHCP_SNOOPING: checking expired snoop binding entries
*Sep 28 06:18:20.132: DHCP_SNOOPING: checking expired snoop binding entries
*Sep 28 06:20:20.132: DHCP_SNOOPING: checking expired snoop binding entries
Question by:donohoe1
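
A way to triage debug output like the log in the question, added here as an example and not part of the original thread: it tallies DHCP message types and distinct client MACs per ingress interface, counts MAC-table lookup failures and flooded packets, and lists any interface on which server replies (DHCPOFFER, DHCPACK, DHCPNAK) were seen. The log lines are constructed in the same format with documentation addresses, and the function and field names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the debug output above (documentation MACs/IPs).
SAMPLE_LOG = """\
*Sep 28 06:13:02.429: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:02.429: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 0000.5e00.5301
*Sep 28 06:13:02.430: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.5301, IP da: 255.255.255.255, IP sa: 192.0.2.10
*Sep 28 06:13:02.430: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:03.464: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.5302, IP da: 255.255.255.255, IP sa: 192.0.2.11
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:04.100: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.5303, IP da: 255.255.255.255, IP sa: 0.0.0.0
*Sep 28 06:13:05.429: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.5301, IP da: 255.255.255.255, IP sa: 192.0.2.10
"""

PROCESS_RE = re.compile(
    r"process new DHCP packet, message type: (?P<type>\w+), "
    r"input interface: (?P<ifc>[^,\s]+), .*?MAC sa: (?P<mac>[0-9a-f.]+)")
LOOKUP_FAIL_RE = re.compile(r"failed to get mat entry for mac: (?P<mac>[0-9a-f.]+)")
FLOOD_RE = re.compile(r"packet is flooded to ingress VLAN: \((?P<vlan>\d+)\)")
SERVER_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}  # messages only a server sends


def summarize(log_text):
    """Summarize DHCP snooping debug lines per ingress interface."""
    types, clients = defaultdict(Counter), defaultdict(set)
    lookup_failures, flooded_vlans = Counter(), Counter()
    for line in log_text.splitlines():
        if m := PROCESS_RE.search(line):
            types[m["ifc"]][m["type"]] += 1
            clients[m["ifc"]].add(m["mac"])
        elif m := LOOKUP_FAIL_RE.search(line):
            lookup_failures[m["mac"]] += 1
        elif m := FLOOD_RE.search(line):
            flooded_vlans[int(m["vlan"])] += 1
    return {
        "types": {port: dict(count) for port, count in types.items()},
        "clients": {port: len(macs) for port, macs in clients.items()},
        "lookup_failures": dict(lookup_failures),
        "flooded_vlans": dict(flooded_vlans),
        # Interfaces on which at least one server-originated message was processed.
        "server_reply_ports": sorted(
            port for port, count in types.items() if SERVER_TYPES.intersection(count)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An empty `server_reply_ports` list only says that no server replies appear in the captured window; it does not by itself say where they were lost.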
5 Comments
 
LVL 31

Assisted Solution

by:Predrag
Predrag earned 1000 total points
ID: 41820235
You need to configure link(s) to DHCP server (typically trunk links) as
interface Gi1/0/x
 ip dhcp snooping trust

Those are the ports that can respond with DHCPOffer and DHCPACK packets. If those packets are coming from an untrusted port, the packets are dropped.
Typically you also want to limit how many DHCP requests can be sent from DHCP client ports.
interface Gi1/0/y
 ip dhcp snooping limit rate 50
0
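
The trust and rate-limit settings from the answer above can be audited offline against a saved running-config; the following is an added example, not code from the thread. The configuration fragment is constructed, the interface numbers are placeholders, and whether an untrusted trunk is a problem depends on whether a DHCP server is reached through it.

```python
import re

# Constructed running-config fragment; interface numbers are placeholders.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 4
ip dhcp snooping
!
interface Port-channel9
 switchport mode trunk
!
interface Port-channel12
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/5
 switchport mode access
 ip dhcp snooping limit rate 50
!
interface GigabitEthernet1/0/6
 switchport mode access
!
interface GigabitEthernet1/0/7
 switchport mode access
 ip dhcp snooping trust
"""


def parse_interfaces(config):
    """Return {interface: {'mode', 'trust', 'rate'}} from IOS-style config text."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", raw):
            current = ifaces.setdefault(m[1], {"mode": None, "trust": False, "rate": None})
        elif not raw.startswith(" "):
            current = None  # an unindented line ends the interface block
        elif current is not None:
            if m := re.match(r"switchport mode (\w+)", line):
                current["mode"] = m[1]
            elif line == "ip dhcp snooping trust":
                current["trust"] = True
            elif m := re.match(r"ip dhcp snooping limit rate (\d+)", line):
                current["rate"] = int(m[1])
    return ifaces


def audit(config):
    """Return (interface, finding) pairs that deserve a manual review."""
    findings = []
    for name, s in parse_interfaces(config).items():
        if s["mode"] == "trunk" and not s["trust"]:
            findings.append((name, "untrusted trunk: server replies arriving here are dropped"))
        elif s["mode"] == "access" and s["trust"]:
            findings.append((name, "trusted access port: server replies accepted from an edge port"))
        elif s["mode"] == "access" and s["rate"] is None:
            findings.append((name, "untrusted access port without 'ip dhcp snooping limit rate'"))
    return findings
```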
 

Author Comment

by:donohoe1
ID: 41820247
I’m starting to see more issues. I was running a restore from my Veeam backup server to my test lab host. The backup server is connected directly to the core switch and the test lab server is connected to an access switch. When the restore was running PRTG was showing me high traffic across all the access switches and high traffic on the EPL (connection to a remote office). The restore shouldn’t have touched any of those.

I think there is something seriously wrong with the core switch.
0
 
LVL 31

Assisted Solution

by:Predrag
Predrag earned 1000 total points
ID: 41820501
Typically the core should not be affected by the backup restore process of an access switch, but if the wrong configuration is restored on the access switch (or to the wrong device, like the core). One of the problems can be that you have LACP configured as channel-group on and the other side does not participate in LACP (and you have Po9, Po12, Po13, Po14 there), which can lead to network loops.

Also try removing option 82 from DHCP by issuing the command below, and check what is going on after that:
no ip dhcp snooping information option
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 1000 total points
ID: 41831028
What version of code is on your 2960 and 3850 switches?  Which specific model of 3850 do you have?

Can you post the DHCP snooping config from the 2960s and your core, and show which interfaces have the ip dhcp snooping trust command?
0
 

Author Comment

by:donohoe1
ID: 41831197
Sorry, I forgot to update this.

The switches were showing some strange information when we logged on. After rebooting them everything looked normal again and DHCP snooping started working normally. We then upgraded the switches to the latest IOS just to be safe.
0
