
Re: DHCP-Snooping Problem on HP5412zl with DHCP-Reservations

 
SOLVED
Ulrich Keller
Advisor

DHCP-Snooping Problem on HP5412zl with DHCP-Reservations

Hello all, we are currently testing the dhcp-snooping feature on the 5412 Switch FW 14.41.

Everything works fine except one thing:

When a client should use an address from the Reservation Pool deployed by the DHCP-Server, it can take up to 20 minutes until the client gets its address from that pool.

After turning off the dhcp-snooping - the same client gets its address (from the Reservation Pool) quickly.

This behaviour occurs only with DHCP Reservation Addresses - all other addresses work fine.

So is there a problem with "snooping"?

Thank you for your help.

ulli
GhostDog
Advisor

Re: DHCP-Snooping Problem on HP5412zl with DHCP-Reservations

We have used snooping and reservations for quite a while and there were no such problems as you mentioned above. Not sure about firmware 14.41, because not all our switches were updated recently, but for 13.xx it works fine.
Any errors in the logs? Try tcpdump to look at what's going on on the wire.
Pieter 't Hart
Honored Contributor

Re: DHCP-Snooping Problem on HP5412zl with DHCP-Reservations

dhcp-snooping has many options...
Check (and post) the output from "show dhcp-snooping" and "show dhcp-snooping stats".
Maybe this gives some clue.

Pages 11-5 and 11-6 of the "access and security guide" say default option-82 is added when dhcp-snooping is configured.
Page 11-9 tells more about this option.
It also has a remark about requests where option-82 is already present (edge switch with dhcp-snooping enabled).
Check the behaviour when this option is off.

You can also configure the port connected to the DHCP-server as "trusted". So the switch knows DHCP-server packets from this port are legal.
Ulrich Keller
Advisor

Re: DHCP-Snooping Problem on HP5412zl with DHCP-Reservations

Hi Pieter - thanks for your answer.

Please have a look at the attachment - where you can find the config.


On the client I entered the ipconfig /release command - and after a while ipconfig /renew to cause the client to renew its IP address. The next lines in the syslog server give a NACK for the client requests - for 12 minutes.

After that time - the client gets its IP address - but I don't know why this happens.... This behaviour is strange...


As you wrote, I have switched off Option 82 - but nothing changed.

I'm not sure, have I forgotten something?

ulli
Pieter 't Hart
Honored Contributor

Re: DHCP-Snooping Problem on HP5412zl with DHCP-Reservations

Oct 15 10:25:29 10.99.3.125 DSNP: DSNP mIpPktRecv:BOOTREQUEST 000B5D-2A26A9 allow: on vlan 99 trusted ports
Oct 15 10:25:28 10.99.3.125 DSNP: DSNP mIpPktRecv:DHCP NACK for 000B5D-2A26A9 received


Oct 15 10:25:10 10.99.3.125 DSNP: DSNP mIpPktRecv:BOOTREQUEST 000B5D-2A26A9 allow: output port 21 trusted <- IPCONFIG / RENEW


I read this as:
- the client with mac-address 000B5D-2A26A9 sends a DHCP-address
- the request is forwarded to "trusted" port 21
- the server at this port responds with a nack
- subsequent requests are not forwarded anymore to port-21 but only to other trusted ports in vlan-99

Do you have multiple dhcp-servers?
If so, do they have the same reservations?

What's connected to port-21?
Is this also vlan-99?
If not, what vlan is the dhcp-server connected to, and more detail about vlans/subnets/ip-helpers, dhcp-scopes.
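
The reading of the DSNP syslog lines given in the reply above can be automated when there are many clients to check. The following is an added example, not code from the thread or from HP: it groups DSNP events per client MAC, counts NACKs, records how the forwarding path changed, and measures the delay from the first request to the first NACK. It assumes the message shapes shown in the quoted lines; the fourth sample line and the year used for timestamps are constructed.

```python
import re
from datetime import datetime

# Lines 1-3 are the syslog lines quoted in the thread (newest first);
# line 4 is constructed here: a second client that is never NACKed.
SAMPLE = """\
Oct 15 10:25:29 10.99.3.125 DSNP: DSNP mIpPktRecv:BOOTREQUEST 000B5D-2A26A9 allow: on vlan 99 trusted ports
Oct 15 10:25:28 10.99.3.125 DSNP: DSNP mIpPktRecv:DHCP NACK for 000B5D-2A26A9 received
Oct 15 10:25:10 10.99.3.125 DSNP: DSNP mIpPktRecv:BOOTREQUEST 000B5D-2A26A9 allow: output port 21 trusted <- IPCONFIG / RENEW
Oct 15 10:24:50 10.99.3.125 DSNP: DSNP mIpPktRecv:BOOTREQUEST 000B5D-000001 allow: output port 21 trusted
"""

MAC = r"[0-9A-F]{6}-[0-9A-F]{6}"
EVENT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ DSNP: DSNP mIpPktRecv:(?:"
    rf"BOOTREQUEST (?P<req>{MAC}) allow: "
    r"(?P<path>output port \d+ trusted|on vlan \d+ trusted ports)"
    rf"|DHCP NACK for (?P<nack>{MAC}) received)"
)

def parse(text, year=2000):
    """Return (time, mac, kind, path) tuples sorted oldest first."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # not a DSNP event this example understands
        # Syslog omits the year; `year` is an arbitrary assumption.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["req"]:
            events.append((ts, m["req"], "request", m["path"]))
        else:
            events.append((ts, m["nack"], "nack", None))
    return sorted(events, key=lambda e: e[0])

def summarize(text):
    """Per client MAC: request/NACK counts, forwarding paths, NACK delay."""
    out = {}
    for ts, mac, kind, path in parse(text):
        s = out.setdefault(mac, {"requests": 0, "nacks": 0, "paths": [],
                                 "first_request": None, "nack_delay_s": None})
        if kind == "request":
            s["requests"] += 1
            s["first_request"] = s["first_request"] or ts
            if path not in s["paths"]:
                s["paths"].append(path)  # keep order of first appearance
        else:
            s["nacks"] += 1
            if s["nack_delay_s"] is None and s["first_request"]:
                s["nack_delay_s"] = (ts - s["first_request"]).total_seconds()
    return out

def nacked_clients(text):
    """MACs whose forwarded requests were answered with at least one NACK."""
    return sorted(mac for mac, s in summarize(text).items() if s["nacks"])
```

A client that appears in `nacked_clients` with more than one entry in `paths` shows the pattern read out of the log above: a request sent to the trusted uplink, a NACK, then requests sent to the VLAN's trusted ports.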

Ulrich Keller
Advisor

Re: DHCP-Snooping Problem on HP5412zl with DHCP-Reservations

Hi Pieter,

thanks for your answer.

We have only one DHCP Server on trusted Port 21 which is the uplink in the backbone. The vlan-99 is tagged on Port 21 - where the clients are untagged in VLAN 99.

The DHCP Server is located in the Default VLAN - therefore we have the ip helper address in the Vlan 99 configuration on all 20 Campus Switches. Can this be the reason? Too much ip-helpers?

Normally, without dhcp-snooping enabled, everything works fine. The client gets its IP address - and it makes no difference if the address is from the reservation pool - or not.

Pieter 't Hart
Honored Contributor

Re: DHCP-Snooping Problem on HP5412zl with DHCP-Reservations

Hi there Ulli,

>>>Too much ip-helpers ? <<<
The ip-helper only needs to be configured on the device that does the routing for vlan-99/subnet to the subnet where the dhcp-server is.

As the dhcp-request is a broadcast, probably all current ip-helpers (edge switches) try to help :-D but fail to do so, resulting in all the NACKs :-(
As the client gets so many NACKs it probably misses the offer from the real dhcp server, unless this is one of the first responses.

So what is the default-gateway for the vlan-99 subnet?
There you must configure the ip-helper.
This could be in the backbone, not the edge.

If other edge switches service other vlans, then the router for each vlan needs its own ip helper config.
Pieter 't Hart
Honored Contributor

Re: DHCP-Snooping Problem on HP5412zl with DHCP-Reservations

The dhcp-snooping acts port-based.
As the NACKs come from the same port (uplink) for both the other edge switches as where the dhcp-offer should come from, DHCP-snooping cannot distinguish between the response from the dhcp-server and those from the other "helpers".
Ulrich Keller
Advisor

Re: DHCP-Snooping Problem on HP5412zl with DHCP-Reservations

Hi Pieter - thanks for your reply.

At our Campus, there are 30 Edge Devices (Switches) and every one of them has had the ip helper in VLAN 99 enabled.
As you wrote, I removed them all - only at the Core Device is the ip helper enabled.
So now, the only ip helper in VLAN 99 is located in the Core Device.

Now, it seems to be working!!! But we will make further tests, to be sure about the solution.

I will give you feedback on Monday.

Thank you for your assistance.

ulli
Ulrich Keller
Advisor

Re: DHCP-Snooping Problem on HP5412zl with DHCP-Reservations

Hi Pieter - here is my feedback

Everything works fine - even with the reservations!

So we are happy that the "snooping" works fine.

Thank you - for helping us to solve our problem.

Ulli