Original Message:
Sent: Jan 26, 2024 09:06 PM
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network
Hello Guys,
@Mflowers@beta.team thank you for your suggestion. Unfortunately, it did not work.
At the moment we are waiting for a TAC response. If anyone has an idea, it is welcome.
At work, we prepared a lab trying to simulate an OSPF network and DHCP relay function. We used mainly simulated CX Switches:
Everything worked as expected. 6100 switches bug??
Best regards
Original Message:
Sent: Jan 22, 2024 09:38 AM
From: Mflowers@beta.team
Subject: DHCP Snooping and DHCP Relay issue in a campus network
Try this and see if it helps:
dhcpv4-snooping
dhcpv4-snooping option 82 remote-id mac untrusted-policy keep
dhcpv4-snooping allow-overwrite-binding
dhcpv4-snooping event-log client
interface 1/1/48
 description UPLINK_CON_SW_DISTRIBUCION
 no shutdown
 vlan trunk native 1
 vlan trunk allowed all
 dhcpv4-snooping trust
Original Message:
Sent: Jan 21, 2024 03:54 PM
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network
Hello Jannie,
Thank you for replying.
Regarding your observation about Dynamic Bindings, we also suspect the 256 IP limit. When we started our initial test on the customer switches, we saw immediately that clients were not able to renew their IP addresses. We looked at the binding table (with the command show dhcpv4-snooping) and the count did not reach the maximum of 256.
We looked at the dhcpv4 snooping statistics and we saw this:
This capture matches the information obtained from the logs in my previous reply. That is to say, there are a bunch of IP addresses identified by the dhcpv4 snooping function as unauthorized servers.
We read online that some kind of solution can be obtained by disabling DHCPv4 Snooping option 82. We tried it, but with no satisfactory outcome.
Best regards
Original Message:
Sent: Jan 21, 2024 01:40 AM
From: Jannie Hanekom
Subject: DHCP Snooping and DHCP Relay issue in a campus network
Glad you're making progress - having a reproducible problem always gets you past L2 support quicker!
DHCP snooping has always been around for L3 Aruba switches (2900, 5400 etc., and now the 6200 & up), but never for L2 switches.
Something I read is that the 6000/6100 platform has a maximum of 256 IP bindings per port, and that all subsequent DHCP responses would be blocked. Out of curiosity, when DHCP snooping is turned on, do you see that "Dynamic Bindings" approach the limit?
Potentially useful: the switch feature navigator lets you see which switch features are available on what version of software for which switch, as well as what the limits for that feature are on that platform (that's a mouthful...): Aruba Switch Feature Navigator (arubanetworks.com)
Original Message:
Sent: Jan 20, 2024 10:22 PM
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network
Hello Guys,
@Jannie Hanekom thank you for the advice.
I did not know that DHCP Snooping was a relatively new development for Aruba. Anyway, we already opened a TAC ticket, and now it has been escalated to level 3 of engineering. It seems like it is a very interesting issue, but they are taking too long to reply and we have not even had a remote session. We are running out of time with our customer.
@mkk Thanks for your reply. We also have prepared a lab and proved that DHCP snooping works in a very basic topology. That is to say, in a topology where the DHCP server is connected to the same switch you're configuring DHCP Snooping. Also, we have tried lab topologies with two switches. The first switch is an access CX switch configured with DHCP Snooping and the uplink switch just has the authorized DHCP server. These scenarios worked.
However, the customer's real scenario is more complex since this is a campus network with one area OSPF involved. We are deploying DHCP Snooping within an OSPF node, which is completely different from the node where the DHCP Server is located. Therefore, DHCP relay function has to be in place.
The configuration we are using is quite straightforward and similar to the one shown by @mkk:
Note that in the above image, DHCP Snooping is disabled since it is not working correctly.
There is just one authorized DHCP Server: 172.16.50.194. The latter is the address shown when someone issues the command ipconfig -all. By looking at the CX switch logs we can identify that the switch is blocking a lot of DHCP packets coming from what the CX switch thinks is an unauthorized server:
It turns out that those unauthorized IP addresses are not DHCP servers; instead, those addresses are gateways or OSPF interfaces of the whole network. Just for testing purposes, we added those IP addresses as authorized DHCP Servers:
The clients still do not get an IP address because DHCP Snooping still blocks it.
Here is a view of the customer's OSPF topology (the image just shows distribution switches and not access ones):
I'm theorizing that the DHCP snooping function is confusing relay agent addresses with unauthorized DHCP servers, despite the fact that there is just one DHCP server in the network (in fact, everyone can see it by issuing the command ipconfig -all).
Hopefully, these notes give more context about the issue we are facing. Also, I have uploaded the configuration of the CX Access Switch configured with DHCP Snooping.
Best regards
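As an added illustration of the theory in this post (example code, not from the thread or from Aruba): a relayed DHCP reply reaches the client with the IP source set to the relay agent's own address (the one carried in giaddr), while the real server is named in option 54. The script builds such a reply and compares a filter that judges the packet by its IP source alone with one that accounts for the relay; the server 172.16.50.194 is the one named in the thread, the relay 10.10.10.1 and client addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie

def build_offer(yiaddr, siaddr, giaddr, server_id):
    """Constructed DHCPOFFER (op=2 BOOTREPLY) carrying option 53 and option 54."""
    hdr = struct.pack(BOOTP_FMT, 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), IPv4Address(yiaddr).packed, IPv4Address(siaddr).packed,
                      IPv4Address(giaddr).packed, bytes(16), bytes(64), bytes(128))
    opts = bytes([53, 1, 2]) + bytes([54, 4]) + IPv4Address(server_id).packed + b"\xff"
    return hdr + MAGIC + opts

def parse_reply(pkt):
    """Return giaddr and the server identifier (option 54) from a DHCP reply."""
    fields = struct.unpack(BOOTP_FMT, pkt[:236])
    info = {"giaddr": str(IPv4Address(fields[10])), "server_id": None}
    i = 240                                  # options start after the magic cookie
    while i < len(pkt) and pkt[i] != 255:    # 255 = end option
        if pkt[i] == 0:                      # 0 = pad option, no length byte
            i += 1
            continue
        tag, ln = pkt[i], pkt[i + 1]
        if tag == 54 and ln == 4:
            info["server_id"] = str(IPv4Address(pkt[i + 2:i + 6]))
        i += 2 + ln
    return info

def source_only_filter(ip_src, pkt, authorized):
    """Policy that judges the reply by the IP header source alone."""
    return ip_src in authorized

def relay_aware_filter(ip_src, pkt, authorized, relay_agents):
    """Policy that judges a relayed reply by option 54 and validates the relay."""
    info = parse_reply(pkt)
    if info["giaddr"] == "0.0.0.0":          # not relayed: source must be a server
        return ip_src in authorized
    return (ip_src == info["giaddr"] and ip_src in relay_agents
            and info["server_id"] in authorized)

AUTHORIZED = {"172.16.50.194"}               # the single server named in the thread
RELAYS = {"10.10.10.1"}                      # constructed gateway / relay address
# Relayed offer: IP source is the relay, option 54 names the real server.
RELAYED = build_offer("10.10.10.50", "172.16.50.194", "10.10.10.1", "172.16.50.194")
# Direct offer from an unauthorized server on the same segment (constructed).
ROGUE = build_offer("10.10.10.51", "10.10.10.99", "0.0.0.0", "10.10.10.99")

if __name__ == "__main__":
    print(source_only_filter("10.10.10.1", RELAYED, AUTHORIZED))         # False
    print(relay_aware_filter("10.10.10.1", RELAYED, AUTHORIZED, RELAYS))  # True
```

The source-only policy drops the legitimate relayed offer because the relay's gateway address is not in the authorized list, which is the symptom the logs in this thread show.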
Original Message:
Sent: Jan 20, 2024 04:18 PM
From: mkk
Subject: DHCP Snooping and DHCP Relay issue in a campus network
I tested DHCP snooping with the CX simulator, see below. Be sure you are running the latest LSR release software image.
!Global enable DHCP Snooping
dhcpv4-snooping
!Global assign the DHCP Server IP address that is authorized, if not configured all DHCP server IP addresses are allowed.
dhcpv4-snooping authorized-server 192.168.10.254 vrf default
!Interface that is trusted for incoming DHCP requests need to be specified
int 1/1/2
 dhcpv4-snooping trust
!Activate DHCP snooping on per vlan basis (10)
vlan 10
 dhcpv4-snooping
------------------------------
Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
Original Message:
Sent: Jan 19, 2024 05:18 PM
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network
Hello Guys,
Really, nobody interested?
Original Message:
Sent: Jan 16, 2024
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network
Hello Guys,
Hope you are doing well.
We have a problem with DHCP Snooping on Aruba 6100 release 10.13 switches. Below is the context:
- The 6100 switches are operating as access switches below a Cisco distribution switch in a star topology.
- The Cisco distribution switch joins a campus-type OSPF network.
- The distribution switch has DHCP Relay configured to be able to reach a single DHCP server (172.16.50.194) located on another node of the campus network.
- On the 6100 switches the configuration is quite simple: declare the DHCP server 172.16.50.194 as authorized, enable the uplink ports as trusted, declare the vlans to be protected by DHCP Snooping and enable dhcp snooping globally.
- It happens that when DHCP Snooping is activated, clients stop receiving IP addresses.
- The switch logs report that DHCP packets are received from unauthorized servers and many IP addresses appear. According to our client, these IP addresses are gateways or interfaces of our distribution switch, including interfaces of other distribution switches.
- I tried adding all those IP addresses as authorized servers, but it still doesn't work.
- DHCP option 82 was disabled with the command no dhcpv4-snooping option 82 and it doesn't work either.
- When DHCP snooping is disabled everything works fine again.
What can be done to resolve the problem?
------------------------------
Reiko
------------------------------