11 Replies Latest reply: Jun 21, 2012 10:21 AM by Steven Williams

DHCP Snooping on Cisco 3750X Blocks Access Point DHCP Request

Mike Jun 20, 2012 6:46 AM

It appears that DHCP Snooping turned on, on our 3750x switches is blocking access ports for our Wireless Access Points.

My question is why? How are these any different then a pc plugged into an access port in a vlan requesting a DHCP reservation?

The access point ports are not trusted and when they are rebooted they do not receive their DHCP reservation.

However when the ports are trusted they do.

Thanks,

Mike

1. Re: DHCP Snooping on Cisco 3750X Blocks Access Point DHCP Request

Steven Williams Jun 20, 2012 8:04 AM (in response to Mike)

What is the configuration of the switch ports?
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
2. Re: DHCP Snooping on Cisco 3750X Blocks Access Point DHCP Request

Steven Williams Jun 20, 2012 8:21 AM (in response to Steven Williams)

make sure all your trunk ports to the DHCP server are trusted.
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
3. Re: DHCP Snooping on Cisco 3750X Blocks Access Point DHCP Request

Mike Jun 21, 2012 6:24 AM (in response to Steven Williams)

Now
=================
interface FastEthernet2/0/44
switchport access vlan 100
switchport mode access
mls qos trust dscp
storm-control broadcast level 5.00
storm-control action trap
spanning-tree portfast
ip dhcp snooping trust

Before though
=================
interface FastEthernet2/0/44
switchport access vlan 100
switchport mode access
mls qos trust dscp
storm-control broadcast level 5.00
storm-control action trap
spanning-tree portfast
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
4. Re: DHCP Snooping on Cisco 3750X Blocks Access Point DHCP Request

Mike Jun 20, 2012 10:52 AM (in response to Mike)

I should also note, there is nothing in the logs of the switch saying dhcp_snooping is blocking anything. Also once the access ports the AP's are on were trusted, they were able to get their normal dhcp reservation.
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
5. Re: DHCP Snooping on Cisco 3750X Blocks Access Point DHCP Request

Steven Williams Jun 20, 2012 11:08 AM (in response to Mike)

Where is your DHCP addressing coming from? The 3750 itself? Or another server? What does your ingress trunk ports look like?
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
6. Re: DHCP Snooping on Cisco 3750X Blocks Access Point DHCP Request

Mike Jun 20, 2012 11:46 AM (in response to Steven Williams)

We have 3 seperate DHCP Servers. We don't use the switches as the DHCP server.

switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-15,26,27,33,100,101,254,301,308,309,319,327
switchport trunk allowed vlan add 399,700,720,820,888,889,900,999
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust dscp
auto qos voip trust
storm-control broadcast level 5.00
storm-control action trap
ip dhcp snooping trust
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
7. Re: DHCP Snooping on Cisco 3750X Blocks Access Point DHCP Request

Steven Williams Jun 20, 2012 12:23 PM (in response to Mike)

Can you do a show vlan br and a show int trunk

Also this is configured on your trunk ports leading to the DHCP server? I run DHCP snooping in over 50 locations with DHCP enabled AP's and do not have any issues. Are you using a controller? If so what model? Do you have any ACL's?
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
8. Re: DHCP Snooping on Cisco 3750X Blocks Access Point DHCP Request

Mike Jun 21, 2012 6:23 AM (in response to Steven Williams)

The controller we are testing on right now is a cisco 5508.
No ACL's.

show int trunk
===============
3750-1#show int trunk
Port        Mode             Encapsulation Status        Native vlan
Gi1/0/1     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/1     1-15,26-27,33,100-101,254,301,308-309,319,327,399,700,720,820,888-889,900,999

Port        Vlans allowed on trunk
Gi1/0/1     1-15,26-27,33,100-101,254,301,308-309,319,327,399,700,720,820,888-889,900,999
Port        Vlans allowed and active in management domain
Gi1/0/1     1-15,26-27,33,100-101,254,301,308-309,319,327,399,700,720,820,888-889,900,999

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1-15,26-27,33,100-101,254,301,308-309,319,327,399,700,720,820,888-889,900,999

show vlan br (only showing the LWAP vlan)
===============
100 V100-LWAP                        active    Fa2/0/39, Fa2/0/40, Fa2/0/41, Fa2/0/42,
                                                              Fa2/0/43, Fa2/0/44, Fa2/0/45, Fa2/0/46

Basically we have a 5508 controller connected to our 6500 core. Turned on DHCP snooping. Upgraded Controller code and ap code. When the controller and AP's rebooted they were unable to get their DHCP reservations. Added the AP access ports as trusted ports like the above example f2/0/44 and then they got their dhcp reservations.
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
9. Re: DHCP Snooping on Cisco 3750X Blocks Access Point DHCP Request

Steven Williams Jun 21, 2012 6:40 AM (in response to Mike)
My setup is very similar. My 5508's are plugged into my core 6500, but I am not running dhcp snooping on my core, because my AP's are not plugged into that device. Take a look at my diagram. Its not very complicated at all. See if it helps. Otherwise I would need some more specifics to lab it up at my desk and see if I can replicate the problem

New Microsoft Office Visio Drawing.jpg 70.3 K
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
10. Re: DHCP Snooping on Cisco 3750X Blocks Access Point DHCP Request

Mike Jun 21, 2012 10:05 AM (in response to Steven Williams)

Ya, our core ports aren't running dhcp snooping either. Just the uplink trunk ports from the core to our edge switches.
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
11. Re: DHCP Snooping on Cisco 3750X Blocks Access Point DHCP Request

Steven Williams Jun 21, 2012 10:21 AM (in response to Mike)

The trust command only needs to be configured on the inbound trunk port on the switch where the AP is attached. So in your case...the trunk interface on your access switch that goes to the core.
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register

Go to original post