DHCP snooping; No bindings are forming

jeanathan Member Posts: 163
Just decided to do a DHCP snooping lab and nothing is going as planned. I am using the book and online guide from Cisco, but still cannot fathom why it does not work.
3550_24#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0

Below is the configuration. I have my PC on port fa0/7. My DHCP server (actually a Linksys) is on port fa0/1 and that port is trusted. All DHCP and internet traffic is on VLAN 1. I disabled any VLAN filters on VLAN 1. The DHCP server/clients and everything concerned here are limited to 192.168.2.0/24.

Right now DHCP works fine. The client gets the IP address and can surf the internet. However, it does not create any bindings, which makes it impossible to do DAI. I could do a static binding, but that doesn't help me figure out what is wrong.

I turned on debug ip dhcp snooping packet & event & agent, but none of those generate any informative traffic:
*Mar  1 04:12:38.050: DHCP_SNOOPING: checking expired snoop binding entries

Any ideas? I am stumped.
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3550_24
!
!
username holmesjrh privilege 15 secret 5 $1$M.A1$/LPF1K3EIUPDIRav.oHUz.
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
!
!
!
aaa session-id common
!
authentication mac-move permit
ip subnet-zero
ip routing
ip name-server 4.2.2.1
!
!
ip dhcp snooping vlan 1
!
!
crypto pki trustpoint TP-self-signed-885241216
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-885241216
 revocation-check none
 rsakeypair TP-self-signed-885241216
!
!
crypto pki certificate chain TP-self-signed-885241216
 certificate self-signed 01
  quit
!
spanning-tree mode rapid-pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan access-map INET 10
 action forward
 match ip address 10
vlan access-map LAN 5
 action forward
vlan access-map LAN 10
 action forward
 match ip address 50
vlan access-map LAN 20
 action forward
 match ip address 99
vlan access-map DROP 10
 action drop
 match ip address 10
vlan access-map DROP 20
 action forward
 match ip address 50
!
vlan filter DROP vlan-list 5
vlan filter LAN vlan-list 10
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/1
 switchport mode access
 ip dhcp snooping limit rate 300
 ip dhcp snooping trust
 ip dhcp snooping information option allow-untrusted
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/9
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/11
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/12
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/13
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/14
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/15
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/16
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/17
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/18
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/19
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/20
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/21
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/22
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/23
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 ip address 192.168.2.3 255.255.255.0
 ip helper-address 192.168.2.1
!
interface Vlan4
 no ip address
!
interface Vlan5
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan10
 ip address 192.168.5.1 255.255.255.0
!
!
router eigrp 1
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.5.0
!
ip default-gateway 192.168.2.1
ip classless
no ip route static inter-vrf
ip route profile
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip http server
ip http secure-server
!
!
ip access-list extended VLAN5TRAFFIC
 permit ip 192.168.3.0 0.0.0.255 any log
!
ip sla enable reaction-alerts
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 50 permit 192.168.3.0 0.0.0.255
access-list 99 permit 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 any log fragments
access-list 100 permit ip 192.168.3.0 0.0.0.255 any log
radius-server host 192.168.0.85 auth-port 1645 acct-port 1646 key cisco
!
control-plane
!
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end
Struggling through the re-certification process after 2 years of no OJT for the CCNP.

Comments

  • jeanathan Member Posts: 163
    You have got to be kidding me. I got so caught up in my lab I forgot I had at one point disabled dhcp snooping globally!
    no ip dhcp snooping
    

    I just turned it back on and boom I have a binding! Sorry, too much studying and coffee I guess.
    Struggling through the re-certification process after 2 years of no OJT for the CCNP.
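
The failure mode in this thread (per-VLAN snooping configured while the global `ip dhcp snooping` command is absent) can be caught by auditing the running-config text. The following is an added example, not part of the original posts; the sample config is constructed from the snooping-related lines above, and the function names are hypothetical.

```python
import re

# Constructed sample: the DHCP snooping lines of a config like the one posted above.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 1
!
interface FastEthernet0/1
 switchport mode access
 ip dhcp snooping trust
!
interface FastEthernet0/7
 switchport mode access
!
"""

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,5-7' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dhcp_snooping(config):
    """Return findings that explain why the binding table would stay empty."""
    global_on = False
    vlans, trusted, iface = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif raw and not raw.startswith(" "):
            iface = None  # back at global configuration level
        if line == "ip dhcp snooping" and iface is None:
            global_on = True
        m = re.fullmatch(r"ip dhcp snooping vlan ([\d,\-]+)", line)
        if m and iface is None:
            vlans |= parse_vlan_list(m.group(1))
        if line == "ip dhcp snooping trust" and iface:
            trusted.append(iface)
    findings = []
    if vlans and not global_on:
        findings.append("global 'ip dhcp snooping' missing; per-VLAN setting is inactive")
    if global_on and not vlans:
        findings.append("snooping enabled globally but no VLAN selected")
    if (global_on or vlans) and not trusted:
        findings.append("no trusted port; server replies would be dropped")
    return findings
```

Running `audit_dhcp_snooping(SAMPLE_CONFIG)` reports the missing global command; with `ip dhcp snooping` prepended to the config it reports nothing.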