Solved

DHCP snooping on Cisco switch dropping all DHCP traffic

Posted on 2016-09-28
Last Modified: 2016-10-05
We have 7 Cisco 2960-X access switches connected back to two Cisco 3850 stacked core switches with port channels. We have DHCP snooping enabled on both the access switches and the core switch. This configuration has been in place and working well for 4 months.

However, today the core switch stopped passing DHCP traffic from the access switches. But, if I connect a laptop directly to the core switch it can get a DHCP address. If we turn off DHCP snooping on the core switch then everything starts working again.

We haven't made any changes to the network or servers.

Any ideas?

This is the log from the core switch:
*Sep 28 06:13:01.737: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po12, MAC da: ffff.ffff.ffff, MAC sa: a41f.725e.1add, IP da: 255.255.255.255, IP sa: 172.16.7.82, DHCP ciaddr: 172.16.7.82, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: a41f.725e.1add
*Sep 28 06:13:01.738: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:01.738: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:01.896: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:01.897: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1281.e956, IP da: 255.255.255.255, IP sa: 172.16.7.7, DHCP ciaddr: 172.16.7.7, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1281.e956
*Sep 28 06:13:01.897: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:01.897: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:02.429: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:02.429: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:02.429: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 7845.c42d.be87
*Sep 28 06:13:02.430: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: 7845.c42d.be87
*Sep 28 06:13:02.430: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: 7845.c42d.be87, IP da: 255.255.255.255, IP sa: 172.16.7.147, DHCP ciaddr: 172.16.7.147, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c42d.be87
*Sep 28 06:13:02.430: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:02.430: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:03.464: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: f48e.3897.ec56
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: f48e.3897.ec56
*Sep 28 06:13:03.464: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: f48e.3897.ec56, IP da: 255.255.255.255, IP sa: 172.16.7.76, DHCP ciaddr: 172.16.7.76, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f48e.3897.ec56
*Sep 28 06:13:03.464: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:03.465: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:03.671: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel14)
*Sep 28 06:13:03.671: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po14, MAC da: ffff.ffff.ffff, MAC sa: c81f.6642.74f0, IP da: 255.255.255.255, IP sa: 172.16.7.210, DHCP ciaddr: 172.16.7.210, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6642.74f0
*Sep 28 06:13:03.671: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:03.672: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:04.735: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel12)
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: a41f.725e.1add
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: a41f.725e.1add
*Sep 28 06:13:04.735: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po12, MAC da: ffff.ffff.ffff, MAC sa: a41f.725e.1add, IP da: 255.255.255.255, IP sa: 172.16.7.82, DHCP ciaddr: 172.16.7.82, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: a41f.725e.1add
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:04.735: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:04.902: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:04.902: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1281.e956, IP da: 255.255.255.255, IP sa: 172.16.7.7, DHCP ciaddr: 172.16.7.7, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1281.e956
*Sep 28 06:13:04.903: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:04.903: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:05.429: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 7845.c42d.be87
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: 7845.c42d.be87
*Sep 28 06:13:05.429: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: 7845.c42d.be87, IP da: 255.255.255.255, IP sa: 172.16.7.147, DHCP ciaddr: 172.16.7.147, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c42d.be87
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:05.429: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:06.157: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:06.157: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1299.baab, IP da: 255.255.255.255, IP sa: 172.16.7.39, DHCP ciaddr: 172.16.7.39, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1299.baab
*Sep 28 06:13:06.157: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:06.157: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:06.673: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel14)
*Sep 28 06:13:06.674: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po14, MAC da: ffff.ffff.ffff, MAC sa: c81f.6642.74f0, IP da: 255.255.255.255, IP sa: 172.16.7.210, DHCP ciaddr: 172.16.7.210, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6642.74f0
*Sep 28 06:13:06.674: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:06.674: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:09.159: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel13)
*Sep 28 06:13:09.159: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: f8bc.1299.baab, IP da: 255.255.255.255, IP sa: 172.16.7.39, DHCP ciaddr: 172.16.7.39, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: f8bc.1299.baab
*Sep 28 06:13:09.159: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:09.159: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:11.835: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:11.835: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 7845.c40f.4191, IP da: 255.255.255.255, IP sa: 172.16.7.114, DHCP ciaddr: 172.16.7.114, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c40f.4191
*Sep 28 06:13:11.835: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:11.836: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:11.900: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: c81f.6640.881f
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: c81f.6640.881f
*Sep 28 06:13:11.900: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: c81f.6640.881f, IP da: 255.255.255.255, IP sa: 172.16.7.48, DHCP ciaddr: 172.16.7.48, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6640.881f
*Sep 28 06:13:11.900: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:11.901: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:14.547: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:14.548: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: c81f.660f.ee0d, IP da: 255.255.255.255, IP sa: 172.16.7.85, DHCP ciaddr: 172.16.7.85, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.660f.ee0d
*Sep 28 06:13:14.548: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:14.548: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:14.904: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: c81f.6640.881f
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: SVI destination port lookup failed for mac: c81f.6640.881f
*Sep 28 06:13:14.904: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: c81f.6640.881f, IP da: 255.255.255.255, IP sa: 172.16.7.48, DHCP ciaddr: 172.16.7.48, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: c81f.6640.881f
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:14.904: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:15.942: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel9)
*Sep 28 06:13:15.942: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 7845.c40f.4191, IP da: 255.255.255.255, IP sa: 172.16.7.114, DHCP ciaddr: 172.16.7.114, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 7845.c40f.4191
*Sep 28 06:13:15.942: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (4)
*Sep 28 06:13:15.942: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:14:20.130: DHCP_SNOOPING: checking expired snoop binding entries
*Sep 28 06:15:20.119: %SYS-5-CONFIG_I: Configured from console by root on vty0 (172.16.4.54)
*Sep 28 06:16:20.130: DHCP_SNOOPING: checking expired snoop binding entries
*Sep 28 06:18:20.132: DHCP_SNOOPING: checking expired snoop binding entries
*Sep 28 06:20:20.132: DHCP_SNOOPING: checking expired snoop binding entries
Question by:donohoe1
5 Comments
 
LVL 31

Assisted Solution

by:Predrag
Predrag earned 1000 total points
ID: 41820235
You need to configure link(s) to DHCP server (typically trunk links) as
interface Gi1/0/x
 ip dhcp snooping trust

Those are ports that can respond with DHCPOffer and DHCPACK packets. If those packets are coming from an untrusted port, the packets are dropped.
Typically you also want to limit how many DHCP requests can be sent from DHCP client ports.
interface Gi1/0/y
 ip dhcp snooping limit rate 50
0
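A way to triage debug output like the log in the question, written as an added example (not code from the thread or from Cisco): it tallies `process new DHCP packet` lines per input interface and message type, and lists server replies that arrive on interfaces outside a trusted set, which is the case the answer above says snooping drops. The log lines, the MAC and IP addresses and the trusted interface name `Po1` are constructed; the `DHCPDISCOVER`/`DHCPOFFER` type strings are assumed to follow the same naming as the `DHCPINFORM` seen in the log.

```python
import re
from collections import Counter

# Matches the "process new DHCP packet" debug line format shown in the question.
PACKET_RE = re.compile(
    r"DHCP_SNOOPING: process new DHCP packet, message type: (?P<type>\w+), "
    r"input interface: (?P<ifname>[^,]+), .*?MAC sa: (?P<mac>[0-9a-f.]+)"
)

# Message types that only a DHCP server should originate.
SERVER_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def summarize(log_text, trusted):
    """Count packets per (interface, message type) and collect server replies
    seen on interfaces that are not in `trusted`."""
    counts = Counter()
    violations = []
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if not m:
            continue  # bridge/lookup lines and other debug output
        counts[(m["ifname"], m["type"])] += 1
        if m["type"] in SERVER_TYPES and m["ifname"] not in trusted:
            violations.append((m["ifname"], m["type"], m["mac"]))
    return counts, violations


# Constructed sample in the debug format above (documentation-range addresses).
SAMPLE = """\
*Sep 28 06:13:01.737: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po12, MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.5301, IP da: 255.255.255.255, IP sa: 192.0.2.82
*Sep 28 06:13:01.738: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan4.
*Sep 28 06:13:02.100: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Po9, MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.5302, IP da: 255.255.255.255, IP sa: 0.0.0.0
*Sep 28 06:13:02.150: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po1, MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.5303, IP da: 255.255.255.255, IP sa: 192.0.2.1
*Sep 28 06:13:02.160: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po13, MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.5304, IP da: 255.255.255.255, IP sa: 192.0.2.66
*Sep 28 06:13:04.735: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po12, MAC da: ffff.ffff.ffff, MAC sa: 0000.5e00.5301, IP da: 255.255.255.255, IP sa: 192.0.2.82
"""

if __name__ == "__main__":
    counts, violations = summarize(SAMPLE, trusted={"Po1"})  # Po1: assumed server uplink
    for (ifname, msg_type), n in sorted(counts.items()):
        print(f"{ifname:6} {msg_type:13} {n}")
    for ifname, msg_type, mac in violations:
        print(f"server reply on untrusted interface: {msg_type} via {ifname} from {mac}")
```

A log that contains only client messages (as the one in the question does, all DHCPINFORM) yields an empty violation list, which points away from an untrusted-port drop and toward the forwarding lookups that are failing.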
 

Author Comment

by:donohoe1
ID: 41820247
I’m starting to see more issues. I was running a restore from my Veeam backup server to my test lab host. The backup server is connected directly to the core switch and the test lab server is connected to an access switch. When the restore was running PRTG was showing me high traffic across all the access switches and high traffic on the EPL (connection to a remote office). The restore shouldn’t have touched any of those.

I think there is something seriously wrong with the core switch.
0
 
LVL 31

Assisted Solution

by:Predrag
Predrag earned 1000 total points
ID: 41820501
Typically core should not be affected by backup restore process of access switch, but if wrong configuration is restored on access switch (or to wrong device - like core). One of the problems can be that you have LACP configured as channel-group on and the other side does not participate in LACP (and you have Po9, Po12, Po13, Po14 there) - that can lead to network loops.

Also try removing option 82 from DHCP by issuing the command below and check what is going on after that:
no ip dhcp snooping information option
0
 
LVL 47

Accepted Solution

by:Craig Beck
Craig Beck earned 1000 total points
ID: 41831028
What version of code is on your 2960 and 3850 switches?  Which specific model of 3850 do you have?

Can you post the DHCP snooping config from the 2960s and your core, and show which interfaces have the ip dhcp snooping trust command?
0
 

Author Comment

by:donohoe1
ID: 41831197
Sorry, I forgot to update this.

The switches were showing some strange information when we logged on. After rebooting them everything looked normal again and DHCP snooping started working normally. We then upgraded the switches to the latest IOS just to be safe.
0
