We are experiencing something that sounds very similar...  We have a 3850 
operating as a layer-3 switch with an SVI for clients on the 3850...  The initial 
DHCP lease populates the binding table but subsequent renewals do not refresh the 
timer...  It appears that for the initial lease all communication happens via 
broadcast but renewal is unicast direct to the DHCP server, so we are leaning 
towards unicast somehow being the issue...  The same 3850 in layer-2 mode 
connecting to a 6800 distribution layer does not exhibit the problem...  We have 
a TAC case open with Cisco...  If anyone can confirm any of what we're seeing or 
provide additional information that would be most excellent...  If I learn more 
from Cisco I will share here...  Thanks...

Bill Murphy
UT Health Science Center


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mike
Sent: Monday, August 10, 2015 11:39 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] dai / dhcp snooping bug

On 08/10/2015 08:21 AM, Antoine Monnier wrote:
> so, for my own understanding, are we saying unicast DHCP refresh is 
> still handled ok by the DHCP snooping feature?
> Is it more a problem of DHCP server restart and/or switch reload?
>
> Thanks!
>
The problem is that, if an entry is not in the switch dhcp snooping database, 
and the clients are using unicast DHCP, that is not enough to get an entry into 
the dhcp snooping database. It also doesn't appear to be enough to 'refresh' 
the lease timer either. Combined with dynamic arp inspection, this is a bigger 
problem since those clients then will be blocked from using arp and thus can't 
talk to anyone. It appears this would not be an issue for a switch with a 
populated database that is reloaded provided you use the "ip dhcp snooping 
database ..." command. 
The open question for me is, how did I get to a place where my clients were all 
talking but the switch database expired bunches of entries, causing the 
aforementioned side effects with dai?

Mike-

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
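
An added example, not part of the thread or anyone's production tooling: a Python check that compares `show ip dhcp snooping binding` output with the DHCP server's view of active leases, to find clients whose binding is missing or whose timer was not refreshed by a renewal and who would therefore be dropped by DAI. The sample switch output, the server lease list, the 300-second skew and the function names are all constructed assumptions.

```python
import re

# Constructed sample of `show ip dhcp snooping binding` output (not from the thread).
SNOOPING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.1.10.21       85000       dhcp-snooping   10    GigabitEthernet1/0/1
00:11:22:33:44:66   10.1.10.22       1200        dhcp-snooping   10    GigabitEthernet1/0/2
Total number of bindings: 2
"""

# Constructed DHCP server view: (mac, ip, seconds remaining on the server's lease).
SERVER_LEASES = [
    ("00:11:22:33:44:55", "10.1.10.21", 85010),  # switch and server agree
    ("00:11:22:33:44:66", "10.1.10.22", 44400),  # renewed on server, switch timer not refreshed
    ("00:11:22:33:44:77", "10.1.10.23", 30000),  # active on server, no binding on switch
]

ROW = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$"
)

def parse_bindings(text):
    """Return {(mac, ip): {lease, vlan, interface}} from the binding table text."""
    bindings = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and total lines do not match
            mac, ip, lease, _type, vlan, intf = m.groups()
            bindings[(mac.lower(), ip)] = {
                "lease": int(lease), "vlan": int(vlan), "interface": intf}
    return bindings

def audit(bindings, server_leases, skew=300):
    """Flag server leases with no binding, or a binding that expires well before the lease."""
    findings = []
    for mac, ip, remaining in server_leases:
        binding = bindings.get((mac.lower(), ip))
        if binding is None:
            findings.append((ip, mac, "missing"))
        elif remaining - binding["lease"] > skew:
            findings.append((ip, mac, "stale"))
    return findings

if __name__ == "__main__":
    for ip, mac, state in audit(parse_bindings(SNOOPING_OUTPUT), SERVER_LEASES):
        print(f"{ip} {mac}: binding {state}, client will fail DAI once it ages out")
```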
