Wired Intelligent Edge

------------------------------
Reiko
------------------------------

I test DHCP snooping with the CX simultator, see below. Be sure running latest LSR release software image.

!Global enable DHCP Snoopingdhcpv4-snooping!Global assign the DHCP Server IP address that is authorized, if not configured all DHCP server IP addresses are allowed.dhcpv4-snooping authorized-server 192.168.10.254 vrf default!Interface that is trusted for incoming DHCP requests need to be specifiedint 1/1/2	dhcpv4-snooping trust!Activate DHCP snooping on per vlan basis (10)vlan 10    	dhcpv4-snooping

------------------------------
Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Jan 19, 2024 05:18 PM
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network

Hello Guys,

Really nobody interested ?





Original Message:
Sent: Jan 16, 2024
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network

------------------------------
Reiko
------------------------------

Hello Guys, 

@Jannie Hanekom thank you for the advice.

I did not know that DHCP Snooping was a relatively new development for Aruba. Anyway, we already opened a TAC ticket, and now it has escalated to level 3 of engineering. It seems like is a very interesting issue but they are taking too long to reply and we have not had even a remote session. We are running out of time with our customer. 

@mkk Thanks for your reply. We also have prepared a lab and proved that DHCP snooping works in a very basic topology. That is to say, in a topology where the DHCP server is connected to the same switch you're configuring DHCP Snooping. Also, we have tried lab topologies with two switches. The first switch is an access CX switch configured with DHCP Snooping and the uplink switch just has the authorized DHCP server. These scenarios worked. 

However, the customer's real scenario is more complex since this is a campus network with one area OSPF involved. We are deploying DHCP Snooping within an OSPF node, which is completely different from the node where the DHCP Server is located. Therefore, DHCP relay function has to be in place. 

The configuration we are using is quite straightforward and similar to the one shown by  @mkk:

Note that in the above image, DHCP Snooping is disabled since is not working correctly.

There is just one authorized DHCP Server: 172.16.50.194. The latter is the address shown when someone issues the command ipconfig -all. By looking at the switch CX logs we can identify that the switch is blocking a lot of DHCP packets coming from what Switch CX thinks is an unauthorized server: 

Turns out that those unauthorized IP Addresses are not DHCP servers, instead, those addresses are gateways or OSPF interfaces of the whole network. Just for testing purposes, we added those IP addresses as authorized DHCP Servers:

The customers still do not get the IP address because DHCP Snooping still blocks it. 

here is a view of OSPF Customer's topology  (The image just shows distribution switches and not access ones): 

I'm theorizing that the DHCP snooping function is confusing agent relay addresses with unauthorized DHCP servers despite the fact there is just one DHCP in the network (In fact, everyone can see it by issuing the command ipconfig -all). 

Hopefully, these notes give more context about the issue we are facing. Also, I have uploaded the CX Access Switch configured with DHCP Snooping  

Best regards 

I test DHCP snooping with the CX simultator, see below. Be sure running latest LSR release software image.

!Global enable DHCP Snoopingdhcpv4-snooping!Global assign the DHCP Server IP address that is authorized, if not configured all DHCP server IP addresses are allowed.dhcpv4-snooping authorized-server 192.168.10.254 vrf default!Interface that is trusted for incoming DHCP requests need to be specifiedint 1/1/2	dhcpv4-snooping trust!Activate DHCP snooping on per vlan basis (10)vlan 10    	dhcpv4-snooping

------------------------------
Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Jan 19, 2024 05:18 PM
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network

Hello Guys,

Really nobody interested ?





Original Message:
Sent: Jan 16, 2024
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network

------------------------------
Reiko
------------------------------

Glad you're making progress - having a reproducible problem always gets you past L2 support quicker!

DHCP snooping has always been around for L3 Aruba switches (2900, 5400 etc., and now the 6200 & up), but never for L2 switches.

Something I read is that the 6000/6100 platform has a maximum of 256 IP bindings per port, and that all subsequent DHCP responses would be blocked. Out of curiosity, when DHCP snooping is turned on, do you see that "Dynamic Bindings" approach the limit?

Potentially useful: the switch feature navigator lets you see which switch features are available on what version of software for which switch, as well as what the limits for that feature is on that platform (that's a mouthful...): Aruba Switch Feature Navigator (arubanetworks.com)

Hello Guys, 

@Jannie Hanekom thank you for the advice.

I did not know that DHCP Snooping was a relatively new development for Aruba. Anyway, we already opened a TAC ticket, and now it has escalated to level 3 of engineering. It seems like is a very interesting issue but they are taking too long to reply and we have not had even a remote session. We are running out of time with our customer. 

@mkk Thanks for your reply. We also have prepared a lab and proved that DHCP snooping works in a very basic topology. That is to say, in a topology where the DHCP server is connected to the same switch you're configuring DHCP Snooping. Also, we have tried lab topologies with two switches. The first switch is an access CX switch configured with DHCP Snooping and the uplink switch just has the authorized DHCP server. These scenarios worked. 

However, the customer's real scenario is more complex since this is a campus network with one area OSPF involved. We are deploying DHCP Snooping within an OSPF node, which is completely different from the node where the DHCP Server is located. Therefore, DHCP relay function has to be in place. 

The configuration we are using is quite straightforward and similar to the one shown by  @mkk:

Note that in the above image, DHCP Snooping is disabled since is not working correctly.

There is just one authorized DHCP Server: 172.16.50.194. The latter is the address shown when someone issues the command ipconfig -all. By looking at the switch CX logs we can identify that the switch is blocking a lot of DHCP packets coming from what Switch CX thinks is an unauthorized server: 

Turns out that those unauthorized IP Addresses are not DHCP servers, instead, those addresses are gateways or OSPF interfaces of the whole network. Just for testing purposes, we added those IP addresses as authorized DHCP Servers:

The customers still do not get the IP address because DHCP Snooping still blocks it. 

here is a view of OSPF Customer's topology  (The image just shows distribution switches and not access ones): 

I'm theorizing that the DHCP snooping function is confusing agent relay addresses with unauthorized DHCP servers despite the fact there is just one DHCP in the network (In fact, everyone can see it by issuing the command ipconfig -all). 

Hopefully, these notes give more context about the issue we are facing. Also, I have uploaded the CX Access Switch configured with DHCP Snooping  

Best regards 

I test DHCP snooping with the CX simultator, see below. Be sure running latest LSR release software image.

!Global enable DHCP Snoopingdhcpv4-snooping!Global assign the DHCP Server IP address that is authorized, if not configured all DHCP server IP addresses are allowed.dhcpv4-snooping authorized-server 192.168.10.254 vrf default!Interface that is trusted for incoming DHCP requests need to be specifiedint 1/1/2	dhcpv4-snooping trust!Activate DHCP snooping on per vlan basis (10)vlan 10    	dhcpv4-snooping

------------------------------
Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Jan 19, 2024 05:18 PM
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network

Hello Guys,

Really nobody interested ?





Original Message:
Sent: Jan 16, 2024
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network

------------------------------
Reiko
------------------------------

Hello Jannie, 

Thank you for replying. 

Regarding your observation about Dynamic Bindings, we also suspect about the 256 IP limit. When we started our initial test on the customer switches, we saw immediately that clients were not able to renew their IP addresses. We looked at the binding table (with the command show dhcpv4-snooping) and the count did not reach the max 256. 

We looked at the dhcpv4 snooping statistics and we saw this: 

This captures matches with the information obtained with the logs from my previous reply. That is to say, there are a bunch of IP addresses identified by dhcpv4 snooping function as unauthorized servers. 

We read online that some kind of solution can be provided by disabling DHCPv4 Snooping option 82. We tried but with no satisfactory outcome. 

Best regards

Glad you're making progress - having a reproducible problem always gets you past L2 support quicker!

DHCP snooping has always been around for L3 Aruba switches (2900, 5400 etc., and now the 6200 & up), but never for L2 switches.

Something I read is that the 6000/6100 platform has a maximum of 256 IP bindings per port, and that all subsequent DHCP responses would be blocked. Out of curiosity, when DHCP snooping is turned on, do you see that "Dynamic Bindings" approach the limit?

Potentially useful: the switch feature navigator lets you see which switch features are available on what version of software for which switch, as well as what the limits for that feature is on that platform (that's a mouthful...): Aruba Switch Feature Navigator (arubanetworks.com)

Hello Guys, 

@Jannie Hanekom thank you for the advice.

I did not know that DHCP Snooping was a relatively new development for Aruba. Anyway, we already opened a TAC ticket, and now it has escalated to level 3 of engineering. It seems like is a very interesting issue but they are taking too long to reply and we have not had even a remote session. We are running out of time with our customer. 

@mkk Thanks for your reply. We also have prepared a lab and proved that DHCP snooping works in a very basic topology. That is to say, in a topology where the DHCP server is connected to the same switch you're configuring DHCP Snooping. Also, we have tried lab topologies with two switches. The first switch is an access CX switch configured with DHCP Snooping and the uplink switch just has the authorized DHCP server. These scenarios worked. 

However, the customer's real scenario is more complex since this is a campus network with one area OSPF involved. We are deploying DHCP Snooping within an OSPF node, which is completely different from the node where the DHCP Server is located. Therefore, DHCP relay function has to be in place. 

The configuration we are using is quite straightforward and similar to the one shown by  @mkk:

Note that in the above image, DHCP Snooping is disabled since is not working correctly.

There is just one authorized DHCP Server: 172.16.50.194. The latter is the address shown when someone issues the command ipconfig -all. By looking at the switch CX logs we can identify that the switch is blocking a lot of DHCP packets coming from what Switch CX thinks is an unauthorized server: 

Turns out that those unauthorized IP Addresses are not DHCP servers, instead, those addresses are gateways or OSPF interfaces of the whole network. Just for testing purposes, we added those IP addresses as authorized DHCP Servers:

The customers still do not get the IP address because DHCP Snooping still blocks it. 

here is a view of OSPF Customer's topology  (The image just shows distribution switches and not access ones): 

I'm theorizing that the DHCP snooping function is confusing agent relay addresses with unauthorized DHCP servers despite the fact there is just one DHCP in the network (In fact, everyone can see it by issuing the command ipconfig -all). 

Hopefully, these notes give more context about the issue we are facing. Also, I have uploaded the CX Access Switch configured with DHCP Snooping  

Best regards 

I test DHCP snooping with the CX simultator, see below. Be sure running latest LSR release software image.

!Global enable DHCP Snoopingdhcpv4-snooping!Global assign the DHCP Server IP address that is authorized, if not configured all DHCP server IP addresses are allowed.dhcpv4-snooping authorized-server 192.168.10.254 vrf default!Interface that is trusted for incoming DHCP requests need to be specifiedint 1/1/2	dhcpv4-snooping trust!Activate DHCP snooping on per vlan basis (10)vlan 10    	dhcpv4-snooping

------------------------------
Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Jan 19, 2024 05:18 PM
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network

Hello Guys,

Really nobody interested ?





Original Message:
Sent: Jan 16, 2024
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network

------------------------------
Reiko
------------------------------

Try this and see if it helps:

dhcpv4-snooping
dhcpv4-snooping option 82 remote-id mac untrusted-policy keep
dhcpv4-snooping allow-overwrite-binding
dhcpv4-snooping event-log client

interface 1/1/48    description UPLINK_CON_SW_DISTRIBUCION    no shutdown    vlan trunk native 1    vlan trunk allowed all    dhcpv4-snooping trust

Hello Jannie, 

Thank you for replying. 

Regarding your observation about Dynamic Bindings, we also suspect about the 256 IP limit. When we started our initial test on the customer switches, we saw immediately that clients were not able to renew their IP addresses. We looked at the binding table (with the command show dhcpv4-snooping) and the count did not reach the max 256. 

We looked at the dhcpv4 snooping statistics and we saw this: 

This captures matches with the information obtained with the logs from my previous reply. That is to say, there are a bunch of IP addresses identified by dhcpv4 snooping function as unauthorized servers. 

We read online that some kind of solution can be provided by disabling DHCPv4 Snooping option 82. We tried but with no satisfactory outcome. 

Best regards

Glad you're making progress - having a reproducible problem always gets you past L2 support quicker!

DHCP snooping has always been around for L3 Aruba switches (2900, 5400 etc., and now the 6200 & up), but never for L2 switches.

Something I read is that the 6000/6100 platform has a maximum of 256 IP bindings per port, and that all subsequent DHCP responses would be blocked. Out of curiosity, when DHCP snooping is turned on, do you see that "Dynamic Bindings" approach the limit?

Potentially useful: the switch feature navigator lets you see which switch features are available on what version of software for which switch, as well as what the limits for that feature is on that platform (that's a mouthful...): Aruba Switch Feature Navigator (arubanetworks.com)

Hello Guys, 

@Jannie Hanekom thank you for the advice.

I did not know that DHCP Snooping was a relatively new development for Aruba. Anyway, we already opened a TAC ticket, and now it has escalated to level 3 of engineering. It seems like is a very interesting issue but they are taking too long to reply and we have not had even a remote session. We are running out of time with our customer. 

@mkk Thanks for your reply. We also have prepared a lab and proved that DHCP snooping works in a very basic topology. That is to say, in a topology where the DHCP server is connected to the same switch you're configuring DHCP Snooping. Also, we have tried lab topologies with two switches. The first switch is an access CX switch configured with DHCP Snooping and the uplink switch just has the authorized DHCP server. These scenarios worked. 

However, the customer's real scenario is more complex since this is a campus network with one area OSPF involved. We are deploying DHCP Snooping within an OSPF node, which is completely different from the node where the DHCP Server is located. Therefore, DHCP relay function has to be in place. 

The configuration we are using is quite straightforward and similar to the one shown by  @mkk:

Note that in the above image, DHCP Snooping is disabled since is not working correctly.

There is just one authorized DHCP Server: 172.16.50.194. The latter is the address shown when someone issues the command ipconfig -all. By looking at the switch CX logs we can identify that the switch is blocking a lot of DHCP packets coming from what Switch CX thinks is an unauthorized server: 

Turns out that those unauthorized IP Addresses are not DHCP servers, instead, those addresses are gateways or OSPF interfaces of the whole network. Just for testing purposes, we added those IP addresses as authorized DHCP Servers:

The customers still do not get the IP address because DHCP Snooping still blocks it. 

here is a view of OSPF Customer's topology  (The image just shows distribution switches and not access ones): 

I'm theorizing that the DHCP snooping function is confusing agent relay addresses with unauthorized DHCP servers despite the fact there is just one DHCP in the network (In fact, everyone can see it by issuing the command ipconfig -all). 

Hopefully, these notes give more context about the issue we are facing. Also, I have uploaded the CX Access Switch configured with DHCP Snooping  

Best regards 

I test DHCP snooping with the CX simultator, see below. Be sure running latest LSR release software image.

!Global enable DHCP Snoopingdhcpv4-snooping!Global assign the DHCP Server IP address that is authorized, if not configured all DHCP server IP addresses are allowed.dhcpv4-snooping authorized-server 192.168.10.254 vrf default!Interface that is trusted for incoming DHCP requests need to be specifiedint 1/1/2	dhcpv4-snooping trust!Activate DHCP snooping on per vlan basis (10)vlan 10    	dhcpv4-snooping

------------------------------
Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Jan 19, 2024 05:18 PM
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network

Hello Guys,

Really nobody interested ?





Original Message:
Sent: Jan 16, 2024
From: Reiko
Subject: DHCP Snooping and DHCP Relay issue in a campus network

------------------------------
Reiko
------------------------------