[c-nsp] dai / dhcp snooping bug

Murphy, William William.Murphy at uth.tmc.edu
Fri Aug 14 13:56:51 EDT 2015


Cisco confirmed we are hitting bug DHCP snooping fails with unicast DHCP request CSCup02384...  I don't think it should be classified as enhancement severity...  If Cisco says they do DHCP snooping then they should be able to cover the case of unicast renewal...  I'm going to try the ACL suggestion made be Gert...  Thanks...

Bill

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mattias Gyllenvarg
Sent: Tuesday, August 11, 2015 6:49 AM
To: Mike
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] dai / dhcp snooping bug

Mike

I recently solved an issue a client had with a very similar setup and the same symptoms.

They had a very complex PBR setup and the unicasts in the renew process got misplaced .

tis 11 aug. 2015 kl 00:40 skrev Mike <mike-cisconsplist at tiedyenetworks.com>:

> On 08/10/2015 12:37 PM, Gert Doering wrote:
> > Hi,
> >
> > On Mon, Aug 10, 2015 at 06:31:16AM -0700, Mike wrote:
> >> I've loaded SE7 and - suprise -  same problem, so it's not fixed. I 
> >> have a directly connected device I can cause to refresh it's dhcp 
> >> lease, and sure enough, a refresh doesn't do it, but a reboot of 
> >> that device which casues a new round of dhcp discovery, does in 
> >> fact work. A packet capture seems to confirm the unicast case 
> >> failing - a client with an existing lease renewing will use unicast 
> >> to the dhcp server, whereas a client starting up will use broadcast 
> >> to find servers, and both the 'discover' and 'request' phases in that case are broadcast destination.
> >> That was painful.
> > Wild idea... put an ACL into place that will block the unicast renewal?
> >
> > gert
>
>
> I had that idea too. Another idea was to see if there might be some 
> way to work with it... My dhcp model is one where the server is 
> directly connected to the vlans being served, but I recently made 
> changes in the direction of going to a full-on dhcp relay model 
> instead where all switches are doing that instead. The open question 
> then is, does it work correctly if the switch is acting as a dhcp 
> relay? I unfortunately don't have the equipment on standby to set up a 
> lab and test this out (story of my life), but if it worked then my problem would mostly be solved.
> Another idea would be to see if I could configure the dhcp server to 
> just ignore unicast requests (easier than putting ACL's on the the 
> switches).
>
> Mike-
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_m
> ailman_listinfo_cisco-2Dnsp&d=BQICAg&c=6vgNTiRn9_pqCD9hKx9JgXN1VapJQ8J
> VoF8oWH1AgfQ&r=KfZDYG9Z0HjJnyM7sFaf--H7klz6hYbHw7jZxQxoDkc&m=RjDtK8Ah9
> sHcaAbWTIRskjhoXqlJsHwOKWQ7dtgKt58&s=w_igARzvwkhYUQ6jNsujzXgVFxgtnMI4X
> 9hgrchnIII&e= archive at 
> https://urldefense.proofpoint.com/v2/url?u=http-3A__puck.nether.net_pi
> permail_cisco-2Dnsp_&d=BQICAg&c=6vgNTiRn9_pqCD9hKx9JgXN1VapJQ8JVoF8oWH
> 1AgfQ&r=KfZDYG9Z0HjJnyM7sFaf--H7klz6hYbHw7jZxQxoDkc&m=RjDtK8Ah9sHcaAbW
> TIRskjhoXqlJsHwOKWQ7dtgKt58&s=YXosNe2_6omw3uBhkZymvn8whS9Q3mGrb9X9Taex
> Fps&e=
>
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_mailman_listinfo_cisco-2Dnsp&d=BQICAg&c=6vgNTiRn9_pqCD9hKx9JgXN1VapJQ8JVoF8oWH1AgfQ&r=KfZDYG9Z0HjJnyM7sFaf--H7klz6hYbHw7jZxQxoDkc&m=RjDtK8Ah9sHcaAbWTIRskjhoXqlJsHwOKWQ7dtgKt58&s=w_igARzvwkhYUQ6jNsujzXgVFxgtnMI4X9hgrchnIII&e=
archive at https://urldefense.proofpoint.com/v2/url?u=http-3A__puck.nether.net_pipermail_cisco-2Dnsp_&d=BQICAg&c=6vgNTiRn9_pqCD9hKx9JgXN1VapJQ8JVoF8oWH1AgfQ&r=KfZDYG9Z0HjJnyM7sFaf--H7klz6hYbHw7jZxQxoDkc&m=RjDtK8Ah9sHcaAbWTIRskjhoXqlJsHwOKWQ7dtgKt58&s=YXosNe2_6omw3uBhkZymvn8whS9Q3mGrb9X9TaexFps&e= 


More information about the cisco-nsp mailing list