Re: [cisco-ttl] dhcp snooping

From: Cagatay Avsar <cagataya_at_....>
Date: Tue, 28 Oct 2008 11:05:43 +0200


Hi Cihan,

I had forgotten the subject a bit too, but after reading what Abdullah said and looking at this document,
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dhcp.html as Abdullah pointed out, you also need to set up the trust relationship on the upstream switch where the Layer 3 routing takes place. You need to say ip dhcp snooping trust on the trunk between the 3560 and the Layer 3 switch it is connected to. Of course, once you enable dhcp snooping there, you also need to enable it on all the other trunks. In the production environment you can test this outside working hours, in a suitable time window; after all, even if a problem comes up, only the clients that need to get an IP from DHCP at that moment will fail to get one, so I don't think anything that serious will happen.. But the best thing would be to test it directly with a DHCP server on the 3560 itself. Unforeseen problems may come up; in the end, when you use it across the whole LAN, it can bring operational overhead.

The following configuration describes the DHCP snooping configuration steps if routing is defined on another Catalyst switch (for example, Catalyst 6500):
// Trust the uplink gigabit Ethernet trunk port

interface range GigabitEthernet 1/1 - 2
switchport mode trunk
switchport trunk encapsulation dot1q
ip dhcp snooping trust

!

interface VLAN 14
ip address 10.33.234.1 255.255.254.0
ip helper-address 10.5.1.2



Note If you are enabling trunking on uplink gigabit interfaces and have the above routing defined on Catalyst 6500, you must configure the "trust" relationship with downstream DHCP Snooping (4500) which adds Option 82. On Catalyst 6500, this is accomplished with ip dhcp relay information trusted VLAN configuration command.

Good luck.

On Mon, Oct 27, 2008 at 12:39 PM, Cihan Akgün <cihan.akgun_at_zaman.com.tr> wrote:

> Hi Cagatay;
>
> I unplugged the test computer and plugged it back in, and got the outputs
> below.
>
> Switch#debug ip dhcp snooping event
> DHCP Snooping Event debugging is on
> Switch#
> 4d22h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1,
> changed state to down
> 4d22h: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
> 4d22h: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
> 4d22h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1,
> changed state to up
> 4d22h: DHCP_SNOOPING: checking expired snoop binding entries
>
> Switch#sh ip dhcp snooping
> Switch DHCP snooping is enabled
> DHCP snooping is configured on following VLANs:
> 1-30,32-33,80
> Insertion of option 82 is enabled
> circuit-id format: vlan-mod-port
> remote-id format: MAC
> Option 82 on untrusted port is not allowed
> Verification of hwaddr field is enabled
> Interface Trusted Rate limit (pps)
> ------------------------ ------- ----------------
> GigabitEthernet0/48 yes 100
>
> Switch#show ip dhcp snooping binding
> MacAddress IpAddress Lease(sec) Type VLAN
> Interface
> ------------------ --------------- ---------- ------------- ----
> --------------------
> Total number of bindings: 0
>
>
>
> Switch#show ip dhcp snooping database
> Agent URL : tftp://10.34.2.64
> Write delay Timer : 300 seconds
> Abort Timer : 300 seconds
>
> Agent Running : No
> Delay Timer Expiry : Not Running
> Abort Timer Expiry : Not Running
>
> Last Succeded Time : None
> Last Failed Time : 01:54:58 GMT+2 Wed Mar 3 1993
> Last Failed Reason : Unable to access URL.
>
> Total Attempts : 20 Startup Failures : 20
> Successful Transfers : 0 Failed Transfers : 20
> Successful Reads : 0 Failed Reads : 0
> Successful Writes : 0 Failed Writes : 0
> Media Failures : 0
>
> From: cisco-ttl_at_yahoogroups.com [mailto:cisco-ttl_at_yahoogroups.com] On
> Behalf Of Cagatay Avsar
> Sent: Monday, October 27, 2008 9:39 AM
> To: cisco-ttl_at_yahoogroups.com
> Subject: Re: [cisco-ttl] dhcp snooping
>
>
> Hi Cihan,
>
> The configuration looks correct, unless something has escaped my eye; if
> you send the outputs of
> show ip dhcp snooping
> show ip dhcp snooping statistics
> and also the output of "debug ip dhcp snooping" while testing, I think we
> can figure out the cause of the problem...
>
> Have a good day
> Cagatay Avsar
>
> On Fri, Oct 24, 2008 at 9:41 AM, Cihan Akgün <cihan.akgun_at_zaman.com.tr> wrote:
>
> > Hello;
> >
> > For security reasons I want to enable the dhcp snooping configuration on
> > the internal edge switches at the company. I made a number of test
> > configurations but did not get a result. To explain the setup: there are
> > vlan interfaces for about 40 vlans on 2 core switches running redundantly
> > with hsrp. The DHCP server is inside one of these vlans, and on the core
> > switches I defined the dhcp server with the ip helper address command
> > under the vlan interfaces. All users on the edge switches can get an IP
> > regardless of which vlan they are in. Then I connected a 3560g test switch
> > to the core switch with trunk links. I defined port gi0/48 of the test
> > switch as a trunk. Then I did the configuration below, but the users on
> > this switch could not get an IP.
> >
> > 3560G configuration
> >
> > ip dhcp snooping vlan 1-35
> > ip dhcp snooping
> > !
> > !
> > !
> > errdisable recovery cause psecure-violation
> > errdisable recovery interval 30
> > !
> > interface GigabitEthernet0/1
> > description test-client
> > switchport access vlan 14
> > switchport mode access
> > switchport port-security
> > switchport port-security aging time 1
> > switchport port-security violation restrict
> > !
> > interface GigabitEthernet0/48
> > desc uplink
> > switchport trunk encapsulation dot1q
> > switchport mode trunk
> > ip dhcp snooping trust
> >
> > Apart from the configs above I have not made any settings. I would be
> > glad if you could help.
> >
> > Thanks in advance
> >
> > Cihan Akgun
> >
> > [Non-text portions of this message have been removed]
> >
> >
> >
>
> --
> Cagatay AVSAR
>
> [Non-text portions of this message have been removed]
>
>
>
> ------------------------------------
>
> --
> Cisco Technical Discussion List (Cisco-ttl)
>
> All responsibility for applying the changes suggested on this list lies
> with the user. The list administrators, the list members making a
> suggestion, or the organizations those members work for cannot be held
> responsible in any way.
> Yahoo! Groups Links
>
>
>
>

-- 
Cagatay AVSAR
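Added example, not part of the thread and not Cisco's code: the diagnosis above comes down to two checks that an upstream switch applies to a DHCP message carrying Option 82 (the relay agent information option that the 3560 inserts), and this Python script models both on a constructed DHCPDISCOVER option field. It decodes Cisco's default vlan-mod-port circuit-id and MAC remote-id sub-options for the client on Gi0/1 in VLAN 14 (the sub-option layout is taken from Cisco's DHCP snooping documentation as I read it, and the switch MAC is made up), then applies the rule visible in the "show ip dhcp snooping" output ("Option 82 on untrusted port is not allowed") followed by the relay rule the Cisco note refers to (a relay discards Option 82 packets whose giaddr is 0.0.0.0 unless "ip dhcp relay information trusted" is configured). The function names and verdict strings are my own.

```python
"""Model of the DHCP Option 82 trust checks discussed in the thread (added example)."""
import struct
from dataclasses import dataclass

OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82          # DHCP relay agent information option (Option 82)
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
DHCPDISCOVER = 1


@dataclass
class RelayAgentInfo:
    vlan: int
    module: int
    port: int
    remote_mac: str


def parse_tlv(buf: bytes) -> dict:
    """Walk a DHCP option field (or an Option 82 payload) as code/length/value triples."""
    out = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = buf[i + 1]
        out[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return out


def decode_option82(payload: bytes) -> RelayAgentInfo:
    """Decode the default Cisco encoding: circuit-id = vlan-mod-port, remote-id = switch MAC.

    Assumed layout (Cisco DHCP snooping documentation): circuit-id carries
    type 0, length 4, VLAN (2 bytes), module (1), port (1); remote-id carries
    type 0, length 6, MAC (6 bytes).
    """
    subs = parse_tlv(payload)
    cid = subs[SUBOPT_CIRCUIT_ID]
    rid = subs[SUBOPT_REMOTE_ID]
    if cid[:2] != b"\x00\x04" or rid[:2] != b"\x00\x06":
        raise ValueError("not the vlan-mod-port / MAC encoding")
    vlan, module, port = struct.unpack(">HBB", cid[2:6])
    mac = ":".join(f"{b:02x}" for b in rid[2:8])
    return RelayAgentInfo(vlan, module, port, mac)


def build_discover_options(with_option82: bool) -> bytes:
    """Constructed DHCPDISCOVER option field, as the edge switch would forward it upstream."""
    cid = b"\x00\x04" + struct.pack(">HBB", 14, 0, 1)       # client on Gi0/1, VLAN 14
    rid = b"\x00\x06" + bytes.fromhex("001122334455")        # constructed switch MAC
    opt82 = (bytes([SUBOPT_CIRCUIT_ID, len(cid)]) + cid
             + bytes([SUBOPT_REMOTE_ID, len(rid)]) + rid)
    field = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if with_option82:
        field += bytes([OPT_RELAY_AGENT, len(opt82)]) + opt82
    return field + bytes([OPT_END])


def upstream_verdict(options: bytes, giaddr: str, port_trusted: bool, relay_trusted: bool) -> str:
    """Apply, in order, the snooping port check and then the relay giaddr check.

    port_trusted  : 'ip dhcp snooping trust' on the ingress trunk of the upstream switch
    relay_trusted : 'ip dhcp relay information trusted' on the relaying VLAN interface
    """
    opts = parse_tlv(options)
    if OPT_RELAY_AGENT not in opts:
        return "forward"                     # nothing to verify
    if not port_trusted:
        return "drop: option 82 on untrusted snooping port"
    if giaddr == "0.0.0.0" and not relay_trusted:
        return "drop: option 82 with giaddr 0.0.0.0 at untrusted relay"
    return "forward"


if __name__ == "__main__":
    pkt = build_discover_options(True)
    print(decode_option82(parse_tlv(pkt)[OPT_RELAY_AGENT]))
    for trusted_port, trusted_relay in ((False, False), (True, False), (True, True)):
        print(trusted_port, trusted_relay,
              upstream_verdict(pkt, "0.0.0.0", trusted_port, trusted_relay))
```

The two "drop" outcomes map onto the two fixes given in the reply: trusting the trunk on the Layer 3 switch clears the first, and "ip dhcp relay information trusted" on the relaying VLAN interface clears the second; a client whose DISCOVER never left the 3560 with Option 82 would not hit either check, which is why the port-security and access-port settings on Gi0/1 are not where to look.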


[Non-text portions of this message have been removed]


Received on Tue Oct 28 2008 - 11:26:07 CET

This archive was generated by hypermail 2.2.0 : Tue Oct 28 2008 - 11:26:13 CET