[c-nsp] DHCP Snooping on Cat3850
Crist J. Clark
cjc+cisco-nsp at pumpky.net
Mon Sep 26 20:19:50 EDT 2016
Having some weird issues on a WS-C3850-24XU with DHCP snooping. It is running
IOS-XE 03.07.04E.

According to the "debug ip dhcp snooping packet" output,
Sep 26 16:34:44.713 PDT: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Te1/0/22, MAC da: ffff.ffff.ffff, MAC sa: 002a.1034.84d2, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 002a.1034.84d2
Sep 26 16:34:44.713 PDT: DHCP_SNOOPING: message type : DHCPDISCOVER DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 002a.1034.84d2
Sep 26 16:34:44.713 PDT: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (146)
Sep 26 16:34:44.763 PDT: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel15)
Sep 26 16:34:44.774 PDT: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po15, MAC da: 002a.1034.84d2, MAC sa: 547f.eed3.06c1, IP da: 172.26.94.230, IP sa: 172.26.92.3, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 172.26.94.230, DHCP siaddr: 172.31.145.108, DHCP giaddr: 172.26.92.3, DHCP chaddr: 002a.1034.84d2
Sep 26 16:34:44.774 PDT: DHCP_SNOOPING: message type : DHCPOFFER DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 172.26.94.230, DHCP siaddr: 172.31.145.108, DHCP giaddr: 172.26.92.3, DHCP chaddr: 002a.1034.84d2
Sep 26 16:34:44.774 PDT: DHCP_SNOOPING: direct forward dhcp replyto output port: TenGigabitEthernet1/0/22.
Everything looks correct. However, the device on Te1/0/22 just keeps
sending DHCPDISCOVERs like it never gets the DHCPOFFER. And all 20
or so devices on the switch have the same issue.

I fired up a SPAN to a PC with Wireshark and watched a port. It sees
the DHCPDISCOVER go out, but never sees the DHCPOFFER either.

The setup is pretty bland,
switch-mgig#sh run | i dhcp
no service dhcp
ip dhcp snooping vlan 100-4094
no ip dhcp snooping information option
ip dhcp snooping
ip dhcp snooping trust
ip dhcp snooping trust
ip dhcp snooping trust
(The trusted interfaces are the port-channel uplink and the two
physical links it contains.) The DHCPOFFER is getting back to
this switch and it says it is delivering it, so I don't think
it could be an issue with some other device between the endpoint
and DHCP server messing it up. It looks like the switch is lying
and eating the DHCPOFFER.

We have pretty much the same configuration on some WS-C3850-48P
running 03.06.03E. Works fine. Something with MGig ports or the
IOS-XE? Or am I missing something?

One other little tidbit that may be related. The CLI is hesitant
on this system. Went looking for a CPU hog and found this,
switch-mgig# sh proc cpu detail process iosd sort | ex 0.0
Core 0: CPU utilization for five seconds: 50%; one minute: 59%; five minutes: 65%
Core 1: CPU utilization for five seconds: 38%; one minute: 36%; five minutes: 40%
Core 2: CPU utilization for five seconds: 13%; one minute: 28%; five minutes: 35%
Core 3: CPU utilization for five seconds: 12%; one minute: 27%; five minutes: 29%
Core 4: CPU utilization for five seconds: 94%; one minute: 68%; five minutes: 44%
Core 5: CPU utilization for five seconds: 23%; one minute: 28%; five minutes: 32%
PID    T C  TID    Runtime(ms) Invoked  uSecs  5Sec   1Min   5Min   TTY  Process
                                               (%)    (%)    (%)
9168   L           2416230     3197929  755    16.94  17.08  17.53  0    iosd
9168   L 1  9168   920270      2777222  0      9.37   9.18   9.54   0    iosd
9168   L 0  10133  1491480     375100   0      7.54   7.88   7.98   0    iosd.fastpath
280    I           1513410     1585246  0      53.88  51.99  53.77  0    NGWC DHCP Snooping
233    I           12900       24355    0      0.66   0.44   0.44   0    Spanning Tree
19     I           3900        22511    0      0.33   0.11   0.11   0    CMI IOSd task
322    I           4660        45924    0      0.33   0.11   0.11   0    MMA DB TIMER
189    I           3470        45925    0      0.22   0.11   0.11   0    VRRS Main thread
--
Crist J. Clark
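
Added example, not part of the original post: a Python script that reads "debug ip dhcp snooping packet" output in the format quoted above and lists clients that keep sending DHCPDISCOVER after the switch logged forwarding a reply to their port. The sample lines are constructed from that format with unused fields trimmed, and pairing a "direct forward" line with the reply logged just before it is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug output quoted in the post
# (unused fields trimmed; the final DISCOVER is a constructed retry).
SAMPLE = """\
Sep 26 16:34:44.713 PDT: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Te1/0/22, MAC sa: 002a.1034.84d2, DHCP chaddr: 002a.1034.84d2
Sep 26 16:34:44.774 PDT: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po15, MAC da: 002a.1034.84d2, DHCP chaddr: 002a.1034.84d2
Sep 26 16:34:44.774 PDT: DHCP_SNOOPING: direct forward dhcp replyto output port: TenGigabitEthernet1/0/22.
Sep 26 16:34:48.713 PDT: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Te1/0/22, MAC sa: 002a.1034.84d2, DHCP chaddr: 002a.1034.84d2
"""

PKT = re.compile(r"process new DHCP packet, message type: (\w+), "
                 r"input interface: ([^,\s]+),.*DHCP chaddr: ([0-9a-fA-F.]+)")
FWD = re.compile(r"direct forward dhcp reply\s*to output port: (\S+?)\.?$")
SHORT = {"Te": "TenGigabitEthernet", "Gi": "GigabitEthernet", "Po": "Port-channel"}

def full_name(port):
    """Expand the short interface names the debug output mixes with long ones."""
    m = re.match(r"([A-Za-z-]+)(\d.*)", port)
    return SHORT.get(m.group(1), m.group(1)) + m.group(2) if m else port

def analyse(log):
    """Per client MAC: DISCOVER count, ingress port, where replies were sent,
    and DISCOVERs seen after the switch logged forwarding a reply."""
    clients = defaultdict(lambda: {"discovers": 0, "port": None,
                                   "forwarded_to": [], "retries_after_forward": 0})
    last_reply = None  # chaddr of the latest server reply (assumes contiguous lines)
    for line in log.splitlines():
        if m := PKT.search(line):
            mtype, iface, mac = m.group(1), full_name(m.group(2)), m.group(3).lower()
            c = clients[mac]
            if mtype == "DHCPDISCOVER":
                c["discovers"] += 1
                c["port"] = iface
                c["retries_after_forward"] += bool(c["forwarded_to"])
                last_reply = None
            elif mtype in ("DHCPOFFER", "DHCPACK"):
                last_reply = mac
        elif (m := FWD.search(line.strip())) and last_reply:
            clients[last_reply]["forwarded_to"].append(full_name(m.group(1)))
    return dict(clients)

def suspects(log):
    """Clients still retrying although a reply was logged as forwarded to their port."""
    return sorted(mac for mac, c in analyse(log).items()
                  if c["retries_after_forward"] and c["port"] in c["forwarded_to"])
```

Calling suspects() on a saved debug capture gives the list of client MACs to check with a SPAN session on their access ports.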