[c-nsp] dai / dhcp snooping bug

Mike mike-cisconsplist at tiedyenetworks.com
Sun Aug 9 11:04:52 EDT 2015


Hi,

     I have a 3560G switch running 15.0(2)SE and in my config I am using 
dhcp snooping / dai on a few customer facing vlans. Everything works, 
and I have certifiably received protection against mis-configured 
clients / plugged in backwards home networking equipment as a direct 
result. Been running this way and with same software and configs for 
more than 2 years now. But there seems to also be a bug where, 
sometimes, some valid entries are incorrectly dropped from the dhcp 
snooping binding database, causing DAI to start dropping arp to that 
address, and I can't determine why.

    Consider this example: I have a client 00:27:22:ee:27:4d which 
lives in vlan 311, which receives its ip assignment via dhcp. The lease 
time it's given is 3 days, and going through my dhcp server logs I can see 
clearly that - yes - every 1.5 days this client refreshes its dhcp 
lease. It's been doing it correctly for untold months and nothing has 
changed in the network itself. But now, the most recent refresh of its 
lease:

Aug  9 06:23:44 dnsfixer dhcpd: DHCPREQUEST for 172.16.35.115 from 
00:27:22:ee:27:4d (<hostname>) via eth1
Aug  9 06:23:44 dnsfixer dhcpd: DHCPACK on 172.16.35.115 to 
00:27:22:ee:27:4d (<hostname>) via eth1

     The above shows the dhcp server acking the lease, just like all 
previous times. But DAI on that switch is now complaining:

Aug  9 06:24:02.436 PST: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs 
(Req) on Gi0/15, vlan 
311.([0027.22ee.274d/172.16.35.115/0000.0000.0000/172.16.32.1/06:24:02 
PST Sun Aug 9 2015])

     And when I show ip dhcp snooping binding, the entry isn't there.

     I have other switches, running the same software, where this problem 
also has become apparent. And, the problem is growing, with more of 
these clients suddenly being removed without explanation from the dhcp 
snooping database on their home switch and then DAI stepping in to 
block them. It's almost as if the switch simply wasn't paying attention 
at the time the client was renewing its dhcp lease and did not 
therefore update the lease time in the dhcp snooping database 
accordingly, allowing it to expire instead.

      The only event I know of which I think could be related, is the 
fact that I did interrupt the dhcp server maybe 1.5 days ago for a time 
and destroyed the dhcp lease database (my fault, clumsy me). But - the 
clients asking to refresh their lease are being permitted to keep their 
current IP as per the above, the server config has not changed, and I am 
not sure what aspect of this would have been visible to the switch and 
doubt it makes any difference in the packets at all. This problem has 
cropped up at other times without any such events to the dhcp server - 
there are client cpe that occasionally have experienced this problem 
which I have ignored, but I recognise this now as a larger problem that 
needs to be figured out.

     All I can do right now is to simply disable ip arp inspection for 
the vlans in question and hope the dhcp snooping database gets populated 
so I can turn this back on. But I'd like to figure out a fix instead. 
Any ideas?

Mike-
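An added example, not from the original post or from any vendor tool: a small Python script that correlates the switch's %SW_DAI-4-DHCP_SNOOPING_DENY messages with the dhcpd DHCPACK lines, so denies that contradict a fresh server-side ACK (the binding-table symptom described above) are separated from denies for hosts the server never acked. The log lines are constructed in the formats quoted above, with each switch message on a single line as syslog records it; the hostnames and the second client are made up.

```python
import re

# Constructed sample logs in the formats quoted in the post (not real captures).
DHCPD_LOG = """\
Aug  9 06:23:44 dnsfixer dhcpd: DHCPREQUEST for 172.16.35.115 from 00:27:22:ee:27:4d (cpe-1) via eth1
Aug  9 06:23:44 dnsfixer dhcpd: DHCPACK on 172.16.35.115 to 00:27:22:ee:27:4d (cpe-1) via eth1
Aug  9 06:30:10 dnsfixer dhcpd: DHCPACK on 172.16.35.120 to 00:27:22:aa:bb:cc (cpe-2) via eth1
"""

SWITCH_LOG = """\
Aug  9 06:24:02.436 PST: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi0/15, vlan 311.([0027.22ee.274d/172.16.35.115/0000.0000.0000/172.16.32.1/06:24:02 PST Sun Aug 9 2015])
Aug  9 06:25:00.000 PST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/16, vlan 311.([0011.2233.4455/172.16.35.200/0000.0000.0000/172.16.32.1/06:25:00 PST Sun Aug 9 2015])
"""

# dhcpd writes MACs colon-separated; IOS writes them as dotted triplets.
ACK_RE = re.compile(r"DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-fA-F:]{17})")
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: .*?on (\S+), vlan (\d+)\.\(\["
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})/(\d+\.\d+\.\d+\.\d+)/"
)


def normalize_mac(mac):
    """Reduce either MAC notation to 12 lowercase hex digits for comparison."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def acked_leases(dhcpd_log):
    """Collect every (mac, ip) pair the DHCP server acknowledged."""
    leases = set()
    for line in dhcpd_log.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.add((normalize_mac(m.group(2)), m.group(1)))
    return leases


def classify_dai_denies(switch_log, dhcpd_log):
    """Return (stale_binding, no_lease): denies whose mac/ip matches a server ACK
    point at a snooping-binding discrepancy; the rest have no lease on record."""
    leases = acked_leases(dhcpd_log)
    stale_binding, no_lease = [], []
    for line in switch_log.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        entry = {"port": m.group(1), "vlan": m.group(2),
                 "mac": normalize_mac(m.group(3)), "ip": m.group(4)}
        (stale_binding if (entry["mac"], entry["ip"]) in leases else no_lease).append(entry)
    return stale_binding, no_lease
```

Hosts landing in the first list are the ones worth checking against `show ip dhcp snooping binding` on the switch, since the server considers their lease valid.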
