Cisco confirmed we are hitting bug "DHCP snooping fails with unicast DHCP 
request" (CSCup02384)...  I don't think it should be classified as enhancement 
severity...  If Cisco says they do DHCP snooping then they should be able to 
cover the case of unicast renewal...  I'm going to try the ACL suggestion made 
by Gert...  Thanks...

Bill

-----Original Message-----
From: cisco-nsp [mailto:[email protected]] On Behalf Of Mattias 
Gyllenvarg
Sent: Tuesday, August 11, 2015 6:49 AM
To: Mike
Cc: [email protected]
Subject: Re: [c-nsp] dai / dhcp snooping bug

Mike

I recently solved an issue a client had with a very similar setup and the same 
symptoms.

They had a very complex PBR setup and the unicasts in the renew process got 
misplaced.

On Tue, 11 Aug 2015 at 00:40, Mike <[email protected]> wrote:

> On 08/10/2015 12:37 PM, Gert Doering wrote:
> > Hi,
> >
> > On Mon, Aug 10, 2015 at 06:31:16AM -0700, Mike wrote:
> >> I've loaded SE7 and - surprise -  same problem, so it's not fixed. I 
> >> have a directly connected device I can cause to refresh its dhcp 
> >> lease, and sure enough, a refresh doesn't do it, but a reboot of 
> >> that device which causes a new round of dhcp discovery, does in 
> >> fact work. A packet capture seems to confirm the unicast case 
> >> failing - a client with an existing lease renewing will use unicast 
> >> to the dhcp server, whereas a client starting up will use broadcast 
> >> to find servers, and both the 'discover' and 'request' phases in that case 
> >> are broadcast destination.
> >> That was painful.
> > Wild idea... put an ACL into place that will block the unicast renewal?
> >
> > gert
>
>
> I had that idea too. Another idea was to see if there might be some 
> way to work with it... My dhcp model is one where the server is 
> directly connected to the vlans being served, but I recently made 
> changes in the direction of going to a full-on dhcp relay model 
> instead where all switches are doing that instead. The open question 
> then is, does it work correctly if the switch is acting as a dhcp 
> relay? I unfortunately don't have the equipment on standby to set up a 
> lab and test this out (story of my life), but if it worked then my problem 
> would mostly be solved.
> Another idea would be to see if I could configure the dhcp server to 
> just ignore unicast requests (easier than putting ACL's on the 
> switches).
>
> Mike-
> _______________________________________________
> cisco-nsp mailing list  [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
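Mike's packet capture above distinguished unicast renewals from the broadcast discover/request exchange of a freshly booted client. The following is an added example, not code from this thread, from Cisco or from the cisco-nsp list: it parses DHCP messages and applies the RFC 2131 section 4.3.2 field rules (ciaddr, option 50, option 54, destination address) to tell SELECTING, INIT-REBOOT, RENEWING and REBINDING requests apart, then lists every client message sent unicast to the server, which is the traffic an ACL of the kind Gert proposes would affect. The packet bytes, the server address 10.0.0.2, the client 10.0.0.50, the MAC and all function names are constructed assumptions; a real capture would be read from a pcap instead of built inline.

```python
"""Classify DHCP client messages from a capture as broadcast or unicast.

Added example for the cisco-nsp thread; not code from the thread or from Cisco.
It parses the DHCP header and options (RFC 2131/2132 layout) and applies the
RFC 2131 section 4.3.2 field rules to tell SELECTING, INIT-REBOOT, RENEWING
and REBINDING requests apart. All packets, addresses and names below are
constructed assumptions, not captured data.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_IP = "255.255.255.255"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 53, 54


def ip_bytes(addr):
    return ipaddress.IPv4Address(addr).packed


def build_dhcp(xid, chaddr, ciaddr="0.0.0.0", options=None):
    """Build a minimal BOOTREQUEST (op=1, Ethernet hw type) with TLV options.
    Constructed sample packets only; a real capture would come from a pcap."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0)    # op, htype, hlen, hops, xid, secs, flags
    hdr += ip_bytes(ciaddr) + b"\x00" * 12                  # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * 192        # chaddr, sname, file
    body = MAGIC_COOKIE
    for code, value in (options or {}).items():
        body += bytes([code, len(value)]) + value
    return hdr + body + b"\xff"                              # option 255 = end


def parse_dhcp(payload):
    """Return the fields the classification needs plus a dict of raw options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr = str(ipaddress.IPv4Address(payload[12:16]))
    chaddr = payload[28:28 + hlen]
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                                  # pad option, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "ciaddr": ciaddr, "chaddr": chaddr, "options": options}


def classify(dst_ip, payload):
    """Return (message type, client state or delivery) for one client message."""
    msg = parse_dhcp(payload)
    mtype = MSG_TYPES.get(msg["options"].get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")
    unicast = dst_ip != BROADCAST_IP
    if mtype != "REQUEST":
        return mtype, "unicast" if unicast else "broadcast"
    has_server_id = OPT_SERVER_ID in msg["options"]
    has_requested = OPT_REQUESTED_IP in msg["options"]
    if has_server_id and has_requested and msg["ciaddr"] == "0.0.0.0":
        return mtype, "SELECTING"            # answering an OFFER; broadcast
    if has_requested and msg["ciaddr"] == "0.0.0.0":
        return mtype, "INIT-REBOOT"          # verifying a remembered lease; broadcast
    if msg["ciaddr"] != "0.0.0.0":
        return mtype, "RENEWING" if unicast else "REBINDING"   # T1 unicast, T2 broadcast
    return mtype, "MALFORMED"


def unicast_client_messages(capture):
    """List (xid, type, state) for every client message sent unicast to the server:
    the traffic a 'block unicast to the DHCP server' ACL would drop, renewals included."""
    out = []
    for dst_ip, payload in capture:
        mtype, state = classify(dst_ip, payload)
        if dst_ip != BROADCAST_IP:
            out.append((parse_dhcp(payload)["xid"], mtype, state))
    return out


SERVER, CLIENT, MAC = "10.0.0.2", "10.0.0.50", bytes.fromhex("001122334455")
SAMPLE_CAPTURE = [  # constructed: a boot, a T1 renewal, a T2 rebind, an init-reboot, a release
    (BROADCAST_IP, build_dhcp(0x1001, MAC, options={OPT_MSG_TYPE: b"\x01"})),
    (BROADCAST_IP, build_dhcp(0x1001, MAC, options={OPT_MSG_TYPE: b"\x03",
                                                   OPT_REQUESTED_IP: ip_bytes(CLIENT),
                                                   OPT_SERVER_ID: ip_bytes(SERVER)})),
    (SERVER, build_dhcp(0x1002, MAC, ciaddr=CLIENT, options={OPT_MSG_TYPE: b"\x03"})),
    (BROADCAST_IP, build_dhcp(0x1003, MAC, ciaddr=CLIENT, options={OPT_MSG_TYPE: b"\x03"})),
    (BROADCAST_IP, build_dhcp(0x1004, MAC, options={OPT_MSG_TYPE: b"\x03",
                                                   OPT_REQUESTED_IP: ip_bytes(CLIENT)})),
    (SERVER, build_dhcp(0x1005, MAC, ciaddr=CLIENT, options={OPT_MSG_TYPE: b"\x07",
                                                            OPT_SERVER_ID: ip_bytes(SERVER)})),
]

if __name__ == "__main__":
    for dst_ip, payload in SAMPLE_CAPTURE:
        print(dst_ip, *classify(dst_ip, payload))
    print("unicast to server:", unicast_client_messages(SAMPLE_CAPTURE))
```

RENEWING and REBINDING requests carry identical fields; only the delivery differs, so a client that cannot reach the server by unicast at T1 simply waits until T2 and broadcasts, which is why blocking unicast renewals lets the snooping binding table be refreshed from the broadcast path. The listing also surfaces the other unicast client messages (RELEASE here, INFORM in practice) that the same ACL would drop, so the side effects of the workaround are visible before it is deployed.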