Hi,

I have a 3560G switch running 15.0(2)SE and in my config I am using dhcp snooping / dai on a few customer facing vlans. Everything works, and I have certifiably received protection against mis-configured clients / plugged in backwards home networking equipment as a direct result. Been running this way and with same software and configs for more than 2 years now. But there seems to also be a bug where, sometimes, some valid entries are incorrectly dropped from the dhcp snooping binding database, causing DAI to start dropping arp to that address, and I can't determine why.

Consider this example: I have a client 00:27:22:ee:27:4d which lives in vlan 311, which receives its ip assignment via dhcp. The lease time it's given is 3 days, and going through my dhcp server logs I can see clearly that - yes - every 1.5 days this client refreshes its dhcp lease. It's been doing it correctly for untold months and nothing has changed in the network itself. But now, the most recent refresh of its lease:

Aug 9 06:23:44 dnsfixer dhcpd: DHCPREQUEST for 172.16.35.115 from 00:27:22:ee:27:4d (<hostname>) via eth1
Aug 9 06:23:44 dnsfixer dhcpd: DHCPACK on 172.16.35.115 to 00:27:22:ee:27:4d (<hostname>) via eth1

The above shows the dhcp server ACKing the lease, just like all previous times. But DAI on that switch is now complaining:

Aug 9 06:24:02.436 PST: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi0/15, vlan 311.([0027.22ee.274d/172.16.35.115/0000.0000.0000/172.16.32.1/06:24:02 PST Sun Aug 9 2015])

And when I show ip dhcp snooping binding, the entry isn't there.

I have other switches, running the same software, where this problem also has become apparent. And the problem is growing, with more of these clients suddenly being removed without explanation from the dhcp snooping database on their home switch and then DAI stepping in to block them. It's almost as if the switch simply wasn't paying attention at the time the client was renewing its dhcp lease and did not therefore update the lease time in the dhcp snooping database accordingly, allowing it to expire instead.

The only event I know of which I think could be related, is the fact that I did interrupt the dhcp server maybe 1.5 days ago for a time and destroyed the dhcp lease database (my fault, clumsy me). But - the clients asking to refresh their lease are being permitted to keep their current IP as per the above, the server config has not changed, and I am not sure what aspect of this would have been visible to the switch and doubt it makes any difference in the packets at all. This problem has cropped up at other times without any such events to the dhcp server - there are client cpe that occasionally have experienced this problem which I have ignored, but I recognise this now as a larger problem that needs to be figured out.

All I can do right now is to simply disable ip arp inspection for the vlans in question and hope the dhcp snooping database gets populated so I can turn this back on. But I'd like to figure out a fix instead. Any ideas?

Mike-
_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
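As an added example (not part of Mike's post or any Cisco tooling), a small correlator that reads ISC dhcpd DHCPACK lines and Cisco %SW_DAI-4-DHCP_SNOOPING_DENY lines and flags every client that DAI denied shortly after the server ACKed its lease, which is the symptom of a dropped snooping binding described above. The sample log lines are constructed from the post, and the year is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the post: a dhcpd ACK followed 18 s
# later by a DAI deny for the same MAC/IP, plus an unrelated ACK.
DHCPD_LOG = [
    "Aug 9 06:23:44 dnsfixer dhcpd: DHCPACK on 172.16.35.115 to 00:27:22:ee:27:4d (host1) via eth1",
    "Aug 9 06:30:10 dnsfixer dhcpd: DHCPACK on 172.16.35.120 to 00:11:22:33:44:55 (host2) via eth1",
]
SWITCH_LOG = [
    "Aug 9 06:24:02.436 PST: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi0/15, vlan 311."
    "([0027.22ee.274d/172.16.35.115/0000.0000.0000/172.16.32.1/06:24:02 PST Sun Aug 9 2015])",
]

ACK_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+) ")
DENY_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+ \S+: %SW_DAI-4-DHCP_SNOOPING_DENY: .*"
                     r"on (\S+), vlan (\d+)\.\(\[([0-9a-fA-F.]+)/(\S+?)/")

def norm_mac(mac):
    """Return aa:bb:cc:dd:ee:ff from either colon or Cisco dotted notation."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_ts(ts, year=2015):
    """Syslog timestamps carry no year; the year is an assumed parameter."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def find_binding_gaps(dhcpd_lines, switch_lines, window_s=900):
    """Return (mac, ip, port, vlan, seconds_since_ack) for each DAI deny whose
    MAC/IP pair the server ACKed within the previous window_s seconds.
    A hit means the switch lacks a binding the DHCP server considers valid."""
    acks = {}
    for line in dhcpd_lines:
        m = ACK_RE.match(line)
        if m:
            acks[(norm_mac(m.group(3)), m.group(2))] = parse_ts(m.group(1))
    gaps = []
    for line in switch_lines:
        m = DENY_RE.match(line)
        if not m:
            continue
        ts, port, vlan, mac, ip = m.groups()
        key = (norm_mac(mac), ip)
        if key in acks:
            delta = (parse_ts(ts) - acks[key]).total_seconds()
            if 0 <= delta <= window_s:
                gaps.append((key[0], ip, port, vlan, int(delta)))
    return gaps

if __name__ == "__main__":
    for gap in find_binding_gaps(DHCPD_LOG, SWITCH_LOG):
        print("binding missing on switch: mac=%s ip=%s port=%s vlan=%s %ds after ACK" % gap)
```

Feeding it the real dhcpd and switch syslog streams gives a per-port list of the affected clients, which is a quicker way to spot the pattern than reading the two logs side by side.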
