Wired Intelligent Edge

DHCP Snooping and DHCP Relay issue in a campus network

  • 1.  DHCP Snooping and DHCP Relay issue in a campus network

    Posted Jan 16, 2024 07:49 PM
    Hello Guys, 
    Hope you are doing well.
    We have a problem with DHCP snooping on Aruba 6100 switches running release 10.13. Below is the context:
     
    - The 6100 switches operate as access switches below a Cisco distribution switch in a star topology.
    - The Cisco distribution switch joins a campus-type OSPF network.
    - The distribution switch has DHCP relay configured so that it can reach a single DHCP server (172.16.50.194) located on another node of the campus network.
    - On the 6100 switches the configuration is quite simple: declare the DHCP server 172.16.50.194 as authorized, set the uplink ports as trusted, declare the VLANs to be protected by DHCP snooping, and enable DHCP snooping globally.
    - When DHCP snooping is activated, clients stop receiving IP addresses.
    - The switch logs report that DHCP packets are received from unauthorized servers, and many IP addresses appear. According to our client, these IP addresses are gateways or interfaces of our distribution switch, including interfaces of other distribution switches.
    - I tried adding all those IP addresses as authorized servers, but it still doesn't work.
    - DHCP option 82 was disabled with the command "no dhcpv4-snooping option 82", and it doesn't work either.
    - When DHCP snooping is disabled, everything works fine again.
     
    What can be done to resolve the problem?


    ------------------------------
    Reiko
    ------------------------------


  • 2.  RE: DHCP Snooping and DHCP Relay issue in a campus network

    Posted Jan 19, 2024 05:18 PM
    Hello Guys,

    Really, nobody interested?







  • 3.  RE: DHCP Snooping and DHCP Relay issue in a campus network

    Posted Jan 20, 2024 10:56 AM

    Do not mistake lack of response for lack of interest. DHCP snooping on L2 switches is a relatively new development for Aruba, only available since 10.09 on the 6000/6100 (I don't recall the 2530/2540 having DHCP snooping). I doubt that there are many people who use 6000s/6100s in production with DHCP snooping active on them.

    Your best course of action is probably to open a TAC case.

    Tip for future posts: sharing a snippet of your config (and a snippet of the log entries you mention) helps others assess what you've done and search for specific caveats/issues around the config entries or log entries you see. People are more likely to respond if the first response isn't just going to be "please post a copy of your config."




  • 4.  RE: DHCP Snooping and DHCP Relay issue in a campus network

    MVP EXPERT
    Posted Jan 20, 2024 04:18 PM

    I tested DHCP snooping with the CX simulator, see below. Be sure you are running the latest LSR release software image.

    !Globally enable DHCP snooping
    dhcpv4-snooping

    !Globally declare the DHCP server IP address that is authorized; if none is configured, all DHCP server IP addresses are allowed.
    dhcpv4-snooping authorized-server 192.168.10.254 vrf default

    !The interface towards the DHCP server (the uplink) must be marked trusted so that server replies arriving on it are accepted
    interface 1/1/2
        dhcpv4-snooping trust

    !Activate DHCP snooping on a per-VLAN basis (VLAN 10)
    vlan 10
        dhcpv4-snooping
    



    ------------------------------
    Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 5.  RE: DHCP Snooping and DHCP Relay issue in a campus network

    Posted Jan 20, 2024 10:22 PM

    Hello Guys, 

    @Jannie Hanekom thank you for the advice.

    I did not know that DHCP snooping was a relatively new development for Aruba. Anyway, we already opened a TAC ticket, and it has now escalated to level 3 of engineering. It seems like it is a very interesting issue, but they are taking too long to reply, and we have not even had a remote session. We are running out of time with our customer. 

    @mkk Thanks for your reply. We have also prepared a lab and proved that DHCP snooping works in a very basic topology, that is to say, a topology where the DHCP server is connected to the same switch on which you are configuring DHCP snooping. We have also tried lab topologies with two switches: the first switch is an access CX switch configured with DHCP snooping, and the uplink switch just has the authorized DHCP server. These scenarios worked. 

    However, the customer's real scenario is more complex, since this is a campus network with a single-area OSPF involved. We are deploying DHCP snooping within an OSPF node, which is completely different from the node where the DHCP server is located. Therefore, the DHCP relay function has to be in place. 

    The configuration we are using is quite straightforward and similar to the one shown by @mkk:

    Note that in the above image, DHCP snooping is disabled, since it is not working correctly.

    There is just one authorized DHCP server: 172.16.50.194. That is the address shown when someone issues the command ipconfig -all. By looking at the CX switch logs we can see that the switch is blocking a lot of DHCP packets coming from what the CX switch thinks is an unauthorized server: 

    It turns out that those unauthorized IP addresses are not DHCP servers; instead, they are gateways or OSPF interfaces of the whole network. Just for testing purposes, we added those IP addresses as authorized DHCP servers:

    The clients still do not get an IP address, because DHCP snooping still blocks it. 

    Here is a view of the customer's OSPF topology (the image just shows distribution switches, not access ones): 

    I'm theorizing that the DHCP snooping function is confusing relay agent addresses with unauthorized DHCP servers, despite the fact that there is just one DHCP server in the network (in fact, everyone can see it by issuing the command ipconfig -all). 

    Hopefully, these notes give more context about the issue we are facing. I have also uploaded the configuration of the CX access switch configured with DHCP snooping. 

    Best regards 

     

     


    Attachment(s)

    txt
    switch acceso 7-1.txt   21 KB 1 version
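
To make the theory in the post above concrete, here is an added Python example. It is not from the thread and does not reproduce HPE Aruba's implementation, whose exact check is not established on this page. It constructs a DHCPOFFER as it looks after crossing a relay agent (IP source and giaddr set to the relay's interface address, the real server only in option 54, Server Identifier, per RFC 2131 and RFC 3046) and compares two possible authorized-server checks: one that looks at the IP source address and one that looks at the Server Identifier option. The gateway address 10.1.20.1, the offered client address, the client MAC and the option 82 contents are constructed placeholders; 172.16.50.194 is the server named in the thread.

```python
"""Added example (not from the thread, not HPE Aruba code): what an
'authorized DHCP server' check sees when a DHCPOFFER has crossed a relay agent.

A relay agent (RFC 2131 sec. 4.3.1, RFC 3046) forwards the server's reply to
the client from its own interface address and keeps that address in giaddr;
the server's own address travels inside the DHCP payload as option 54
(Server Identifier). The two policies below differ in which one they compare
against the authorized-server list.
"""
import ipaddress
import struct

SERVER = "172.16.50.194"        # the only real DHCP server named in the thread
RELAY_GATEWAY = "10.1.20.1"     # assumption: a distribution-switch SVI acting as relay
CLIENT_MAC = bytes.fromhex("001122334455")   # constructed
DHCP_MAGIC = b"\x63\x82\x53\x63"


def _ip(addr):
    return ipaddress.IPv4Address(addr)


def build_offer(ip_src, server_id, giaddr, yiaddr, with_option82):
    """Return (ip_src, dhcp_payload) for a constructed DHCPOFFER.

    Only the IP source address is kept from the lower layers, because it is
    the only header field the checks below look at.
    """
    hops = 0 if giaddr == "0.0.0.0" else 1       # relay increments hops
    fixed = struct.pack("!BBBBIHHIIII",
                        2, 1, 6, hops,           # BOOTREPLY, Ethernet, hlen 6
                        0x1234ABCD, 0, 0,        # xid, secs, flags
                        0,                       # ciaddr
                        int(_ip(yiaddr)),        # yiaddr: offered address
                        int(_ip(server_id)),     # siaddr
                        int(_ip(giaddr)))        # giaddr: relay agent, 0 if direct
    chaddr = CLIENT_MAC + b"\x00" * 10
    sname_file = b"\x00" * (64 + 128)
    opts = b"\x35\x01\x02"                                # 53: message type OFFER
    opts += b"\x36\x04" + _ip(server_id).packed           # 54: server identifier
    if with_option82:
        sub = b"\x01\x02\x00\x0a"                         # circuit-id (constructed)
        sub += b"\x02\x06" + bytes.fromhex("aabbccddeeff")  # remote-id (constructed)
        opts += b"\x52" + bytes([len(sub)]) + sub         # 82: relay agent info
    opts += b"\xff"
    return ip_src, fixed + chaddr + sname_file + DHCP_MAGIC + opts


def parse_offer(payload):
    """Extract the header fields and options the checks use."""
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _, _, _, _, _, _, _, yiaddr, _, giaddr = struct.unpack("!BBBBIHHIIII", payload[:28])
    options, i = {}, 240
    while i < len(payload) and payload[i] != 0xFF:
        code = payload[i]
        if code == 0:            # pad option
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "is_reply": op == 2,
        "msg_type": options.get(53, b"\x00")[0],
        "yiaddr": str(_ip(yiaddr)),
        "giaddr": str(_ip(giaddr)),
        "server_id": str(_ip(options[54])) if 54 in options else None,
        "has_option82": 82 in options,
    }


def check_by_ip_source(ip_src, payload, authorized):
    """Policy A: the sender of a server reply must itself be an authorized server."""
    msg = parse_offer(payload)
    return msg["is_reply"] and ip_src in authorized


def check_by_server_identifier(ip_src, payload, authorized):
    """Policy B: look through relays and trust the Server Identifier option."""
    msg = parse_offer(payload)
    return msg["is_reply"] and msg["server_id"] in authorized


def classify(ip_src, payload, authorized):
    """Run both policies and report which address each one attributes the reply to."""
    msg = parse_offer(payload)
    return {
        "seen_by_policy_a": ip_src,
        "seen_by_policy_b": msg["server_id"],
        "policy_a_accepts": check_by_ip_source(ip_src, payload, authorized),
        "policy_b_accepts": check_by_server_identifier(ip_src, payload, authorized),
    }


# Scenario 1: server on the same switch, reply arrives directly (the lab that worked).
DIRECT = build_offer(SERVER, SERVER, "0.0.0.0", "10.1.20.50", with_option82=False)
# Scenario 2: server on another OSPF node, reply forwarded by the gateway (the campus case).
RELAYED = build_offer(RELAY_GATEWAY, SERVER, RELAY_GATEWAY, "10.1.20.50", with_option82=True)

if __name__ == "__main__":
    for name, (src, pl) in (("direct", DIRECT), ("relayed", RELAYED)):
        print(name, classify(src, pl, {SERVER}))
    # The workaround tried in the thread: authorize the gateway addresses too.
    print("relayed, gateway authorized too", classify(*RELAYED, {SERVER, RELAY_GATEWAY}))
```

Under the source-address policy the relayed offer is attributed to the gateway, which is the pattern the logs described in the thread show, and adding the gateway to the authorized list makes that policy pass in the model. Since the thread reports that this did not help, the page does not let us say which check the 6100 actually applies; the model only shows why a relay in the path changes what a snooping switch sees.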


  • 6.  RE: DHCP Snooping and DHCP Relay issue in a campus network

    Posted Jan 21, 2024 01:41 AM

    Glad you're making progress - having a reproducible problem always gets you past L2 support quicker!

    DHCP snooping has always been around for L3 Aruba switches (2900, 5400 etc., and now the 6200 & up), but never for L2 switches.

    Something I read is that the 6000/6100 platform has a maximum of 256 IP bindings per port, and that all subsequent DHCP responses would be blocked. Out of curiosity, when DHCP snooping is turned on, do you see that "Dynamic Bindings" approach the limit?

    Potentially useful: the switch feature navigator lets you see which switch features are available on what version of software for which switch, as well as what the limits for that feature is on that platform (that's a mouthful...): Aruba Switch Feature Navigator (arubanetworks.com)




  • 7.  RE: DHCP Snooping and DHCP Relay issue in a campus network

    Posted Jan 21, 2024 03:55 PM

    Hello Jannie, 

    Thank you for replying. 

    Regarding your observation about dynamic bindings, we also suspected the 256 IP limit. When we started our initial test on the customer switches, we saw immediately that clients were not able to renew their IP addresses. We looked at the binding table (with the command show dhcpv4-snooping) and the count did not reach the maximum of 256. 

    We looked at the dhcpv4 snooping statistics and we saw this: 

     

    This capture matches the information obtained from the logs in my previous reply. That is to say, there are a bunch of IP addresses identified by the dhcpv4 snooping function as unauthorized servers. 

    We read online that some kind of solution can be provided by disabling DHCPv4 Snooping option 82. We tried but with no satisfactory outcome. 

    Best regards




  • 8.  RE: DHCP Snooping and DHCP Relay issue in a campus network

    Posted Jan 22, 2024 09:38 AM

    Try this and see if it helps:



    dhcpv4-snooping
    dhcpv4-snooping option 82 remote-id mac untrusted-policy keep
    dhcpv4-snooping allow-overwrite-binding
    dhcpv4-snooping event-log client

    interface 1/1/48
        description UPLINK_CON_SW_DISTRIBUCION
        no shutdown
        vlan trunk native 1
        vlan trunk allowed all
        dhcpv4-snooping trust



  • 9.  RE: DHCP Snooping and DHCP Relay issue in a campus network

    Posted Jan 26, 2024 09:06 PM

    Hello Guys, 

    @Mflowers@beta.team thank you for your suggestion. Unfortunately, it did not work. 

    At the moment we are waiting for a TAC response. If anyone has an idea, it is welcome. 

    At work, we prepared a lab trying to simulate an OSPF network and the DHCP relay function. We used mainly simulated CX switches:

     

    Everything worked as expected. A 6100 switch bug??

    Best regards