
DHCP Snooping failing on C9200 // IOS-XE 16.12.02

Hello,

 

We have a strange issue regarding DHCP snooping on C9200 with IOS-XE 16.12.02.

It seems that on ports with a connected Meraki AP MR16 or MR72, DHCP snooping is not working.

 

Feb  7 10:21:21.868: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/30, MAC da: ffff.ffff.ffff, MAC sa: 3c6a.a78e.4969, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 3c6a.a78e.4969, efp_id: 0, vlan_id: 673
Feb  7 10:21:21.868: DHCP_SNOOPING: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (673)
Feb  7 10:21:21.880: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po1, MAC da: ffff.ffff.ffff, MAC sa: 00ea.bd9e.c1ee, IP da: 255.255.255.255, IP sa: 172.22.173.3, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 172.22.173.90, DHCP siaddr: 172.24.86.200, DHCP giaddr: 172.22.173.3, DHCP chaddr: 3c6a.a78e.4969, efp_id: 0, vlan_id: 673
Feb  7 10:21:21.881: DHCP_SNOOPING: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
Feb  7 10:21:21.881: DHCP_SNOOPING: lookup packet destination port failed to get mat entry for mac: 3c6a.a78e.4969 vlan_id 673
Feb  7 10:21:21.881: DHCP_SNOOPING: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
Feb  7 10:21:21.881: DHCP_SNOOPING: lookup packet destination port failed to get mat entry for mac: 3c6a.a78e.4969 vlan_id 673
Feb  7 10:21:21.881: DHCP_SNOOPING: can't find output interface for dhcp reply. the message is dropped.
Feb  7 10:21:21.881: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po1, MAC da: ffff.ffff.ffff, MAC sa: 00ea.bd9e.c1ee, IP da: 255.255.255.255, IP sa: 172.22.173.3, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 172.22.173.90, DHCP siaddr: 172.24.86.200, DHCP giaddr: 172.22.173.3, DHCP chaddr: 3c6a.a78e.4969, efp_id: 0, vlan_id: 673
Feb  7 10:21:21.881: DHCP_SNOOPING: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
Feb  7 10:21:21.881: DHCP_SNOOPING: lookup packet destination port failed to get mat entry for mac: 3c6a.a78e.4969 vlan_id 673
DE-HAU-HUH-S24#
Feb  7 10:21:21.881: DHCP_SNOOPING: client address lookup failed to locate client interface, retry lookup using packet mac DA: ffff.ffff.ffff
Feb  7 10:21:21.881: DHCP_SNOOPING: lookup packet destination port failed to get mat entry for mac: 3c6a.a78e.4969 vlan_id 673
Feb  7 10:21:21.881: DHCP_SNOOPING: can't find output interface for dhcp reply. the message is dropped.
DE-HAU-HUH-S24#

The DHCP snooping configuration is as follows:

 

DE-HAU-HUH-S24#sh ip dhcp snooping 
Switch DHCP snooping is disabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
1-4094
DHCP snooping is operational on following VLANs:
1-4094
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 10b3.d58f.8200 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is disabled
Verification of giaddr field is disabled

My understanding is that the switch should learn the "source MAC" from the DHCPDISCOVER. 

It should then check the DHCPOFFER for "chaddr" and look up the MAC table.

It seems - for some very strange reason - the source MAC is not learned within the MAC Table. 

Therefore the DHCPOFFER gets dropped of course. 

 

When you disable DHCP snooping, the client receives an IP address and is fully functional!

Nevertheless - even when the client is fully functional! - there is no client MAC on the switch (show mac add table).

But you can see the Client IP and MAC with "IP Device Tracking". 

 

It seems that the ASIC is programmed correctly and that the IOS software information is not correct.

Therefore dhcp snooping is not working. I asked our partner to open a TAC Case.  

It seems we are hitting a BUG ... 

 

Does anyone have a similar issue or any feedback?

 

Best regards,

steffen
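
An added example, not part of the original post: a small Python parser for DHCP_SNOOPING debug lines in the format shown above, which correlates each client's requests with server replies that were dropped after a MAC-table ("mat entry") lookup miss. The function names and the sample text are assumptions made for this example.

```python
import re
from collections import defaultdict
# Constructed sample in the post's debug format (fields trimmed); the second
# client (0000.5e00.5301) and the SWITCH# prompt are made up for contrast.
SAMPLE = """\
Feb  7 10:21:21.868: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/30, MAC sa: 3c6a.a78e.4969, DHCP chaddr: 3c6a.a78e.4969, efp_id: 0, vlan_id: 673
Feb  7 10:21:21.880: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po1, MAC sa: 00ea.bd9e.c1ee, DHCP chaddr: 3c6a.a78e.4969, efp_id: 0, vlan_id: 673
Feb  7 10:21:21.881: DHCP_SNOOPING: lookup packet destination port failed to get mat entry for mac: 3c6a.a78e.4969 vlan_id 673
Feb  7 10:21:21.881: DHCP_SNOOPING: can't find output interface for dhcp reply. the message is dropped.
SWITCH#
Feb  7 10:21:22.100: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi1/0/12, MAC sa: 0000.5e00.5301, DHCP chaddr: 0000.5e00.5301, efp_id: 0, vlan_id: 673
Feb  7 10:21:22.110: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po1, MAC sa: 00ea.bd9e.c1ee, DHCP chaddr: 0000.5e00.5301, efp_id: 0, vlan_id: 673
"""

PKT = re.compile(r"message type: (DHCP\w+), input interface: (\S+),.*"
                 r"DHCP chaddr: ([0-9a-f.]+),.*vlan_id: (\d+)")
MISS = re.compile(r"failed to get mat entry for mac: ([0-9a-f.]+) vlan_id (\d+)")
DROP = "can't find output interface for dhcp reply"

def summarize(log_text):
    """Return {(chaddr, vlan): stats} for every client seen in the debug text."""
    stats = defaultdict(lambda: {"seen_on": set(), "types": [],
                                 "mat_misses": 0, "replies_dropped": 0})
    current = None  # client key of the packet currently being processed
    for line in log_text.splitlines():
        if "DHCP_SNOOPING:" not in line:
            continue  # skip CLI prompts and unrelated output
        m = PKT.search(line)
        if m:
            mtype, ifname, chaddr, vlan = m.groups()
            current = (chaddr, int(vlan))
            stats[current]["types"].append(mtype)
            if mtype in ("DHCPDISCOVER", "DHCPREQUEST"):
                stats[current]["seen_on"].add(ifname)  # client-facing port
            continue
        m = MISS.search(line)
        if m:
            stats[(m.group(1), int(m.group(2)))]["mat_misses"] += 1
        elif DROP in line and current:
            stats[current]["replies_dropped"] += 1
    return dict(stats)

def affected_clients(log_text):
    """Clients whose server replies were dropped after a MAC-table lookup miss."""
    return sorted(k for k, s in summarize(log_text).items()
                  if s["replies_dropped"] and s["mat_misses"])

if __name__ == "__main__":
    print(affected_clients(SAMPLE))
```

Comparing the `seen_on` interface of each affected client with the switch's MAC address table shows whether the client's source MAC was learned on the port where its DHCPDISCOVER arrived.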

 

 
