DHCPSNOOP(hlfm_set_if_input)

Hi All,
We have upgraded our 3750 switches from IOS 122-53.SE2 to 122-55.SE8.
Since this update, users from several VLANs (not all) have issues renewing their IP address.
For all vlans DHCP-snooping is activated.
no ip dhcp snooping information option allow-untrusted
no ip dhcp snooping information option
no ip dhcp snooping database
ip dhcp snooping database write-delay 300
ip dhcp snooping database timeout 300
ip dhcp snooping verify mac-address
ip dhcp snooping verify no-relay-agent-address
ip dhcp snooping
000844: Oct 21 12:08:08.948: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak.  Was Fa1/0/4
000845: Oct 21 12:08:08.956: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Po1 for pak.  Was not set
000846: Oct 21 12:08:08.956: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak.  Was Po1
000847: Oct 21 12:08:09.543: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/12 for pak.  Was not set
000848: Oct 21 12:08:09.543: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak.  Was Fa1/0/12
When we disabled IP DHCP snooping for the affected VLAN, everything works fine.
Cisco TAC has already proposed adding the command "no ip dhcp relay information check", related to Option 82 of DHCP.
However, after applying this command and reactivating IP DHCP snooping, we still have the same issue.
We can see these alerts in the logs:
000844: Oct 21 12:08:08.948: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak.  Was Fa1/0/4
000845: Oct 21 12:08:08.956: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Po1 for pak.  Was not set
000846: Oct 21 12:08:08.956: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak.  Was Po1
000847: Oct 21 12:08:09.543: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Fa1/0/12 for pak.  Was not set
000848: Oct 21 12:08:09.543: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak.  Was Fa1/0/1
Did someone see this issue before?
Thanks,
Joris

Hi,
I have read the first post
https://cciereview.wordpress.com/tag/dhcp
The solution there is to configure the affected ports with the command "ip dhcp snoop trust". I ask myself, what's the point of IP DHCP snooping when you trust every port on the switch?
On the second post
http://blog.ine.com/2009/07/22/understanding-dhcp-option-82/
It seems to me the command "no ip dhcp relay information check" is activated on the router.
We only applied it on the L2 switches. Could that be the issue?
Joris
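
Added example (not part of the thread, and not Cisco's tooling): a Python check for the concern raised above, that trusting ports wholesale leaves DHCP snooping with nothing to filter. It parses a saved configuration and lists access ports in snooped VLANs that carry "ip dhcp snooping trust". The configuration is constructed, the function names are hypothetical, and only ports with an explicit "switchport mode access" are considered.

```python
import re

# Constructed running-config excerpt; interfaces and VLANs are hypothetical.
CONFIG = """\
ip dhcp snooping vlan 10,20-21
ip dhcp snooping
!
interface Port-channel1
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet1/0/4
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping trust
!
interface FastEthernet1/0/12
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet1/0/13
 switchport access vlan 30
 switchport mode access
 ip dhcp snooping trust
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-21' into a set of ints."""
    pairs = (part.partition("-") for part in spec.split(","))
    return {v for lo, _, hi in pairs for v in range(int(lo), int(hi or lo) + 1)}

def parse(config):
    """Return (snooping enabled globally, snooped VLANs, per-interface settings)."""
    enabled, vlans, ports, cur = False, set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = ports.setdefault(line.split(None, 1)[1], {"mode": None, "vlan": 1, "trust": False})
        elif not raw.startswith(" "):
            cur = None  # back at global configuration level
            enabled = enabled or line == "ip dhcp snooping"
            if m := re.fullmatch(r"ip dhcp snooping vlan ([\d,-]+)", line):
                vlans |= expand_vlans(m.group(1))
        elif cur is not None:
            if m := re.fullmatch(r"switchport mode (\w+)", line):
                cur["mode"] = m.group(1)
            elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
                cur["vlan"] = int(m.group(1))
            elif line == "ip dhcp snooping trust":
                cur["trust"] = True
    return enabled, vlans, ports

def trusted_access_ports(config):
    """Trusted access ports in snooped VLANs: DHCP server messages are not filtered there."""
    enabled, vlans, ports = parse(config)
    return sorted(name for name, p in ports.items()
                  if enabled and p["mode"] == "access" and p["trust"] and p["vlan"] in vlans)
```

The trunk uplink is expected to be trusted and is not reported; the VLAN 30 port is skipped because snooping is not enabled for that VLAN.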

Similar Messages

  • ARP Inspection Question

    All,
    I don't have a way of labbing this up at the moment, so I have a question to see what everyone else has seen in the past. Consider the following topology (attached).
    DHCP Snooping and DAI are enabled across all switches. The dhcp snooping binding table has host A listed on the switch that host A connects to, and there is a dhcp snooping database on the dhcp server. Host A is in an office, but this person needs to go to a conference room that connects to switch C. Switch C doesn't know anything about the dhcp snooping entry from switch B. Will host A be able to pass traffic, or will DAI stop the traffic from being passed until an arp acl is configured on switch c or the port is trusted that host A connects to? If it's able to pass traffic, how is switch C learning it? Does it request the mac address/ip pair from the dhcp server and then enter it into its own binding table? This is what I'm thinking because otherwise dai is going to be hard for me to manage.
    Also, I couldn't find a way of doing this, but is there a way of sharing a database across switches? It seemed like it was creating a new file even though the same name was given, so I ended up naming them by switch - switcha.dhcpBinding, etc.
    Thanks!
    John

    Hi Rolf,
    I have some concerns regarding DAI in our organization. I have applied DAI on all our access switches (Cisco); our DHCP server is a Cisco 6509 core switch. All the trunk ports connecting to the core switch are "Trusted Interfaces with rate limit unlimited".
    All the client systems are getting proper IPs from DHCP. But there is something missing behind the scenes.
    Please see the below DHCP DAI inspection logs taken from one of the access switches.
    PDOWN: Interface GigabitEthernet0/30, changed state to down
    250566: Mar  9 11:30:56: %LINK-3-UPDOWN: Interface GigabitEthernet0/30, changed state to up
    250567: Mar  9 11:30:57: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/30, changed state to up
    250568: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/30 for pak.  Was not set
    250569: 2w2d: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak.  Was Gi0/30
    250570: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/30 for pak.  Was not set
    250571: 2w2d: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/30)
    250572: 2w2d: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Gi0/30, MAC da: ffff.ffff.ffff, MAC sa: 18a9.05ed.8b87, IP da: 255.255.255.255, IP sa: 0.0.0.0,
    DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 18a9.05ed.8b87
    250573: 2w2d: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (120)
    250574: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/50 for pak.  Was not set
    250575: 2w2d: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak.  Was Gi0/50
    250576: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/50 for pak.  Was not set
    250577: 2w2d: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/50)
    250578: 2w2d: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Gi0/50, MAC da: 18a9.05ed.8b87, MAC sa: 0015.2c31.4800, IP da: 192.168.120.104, IP sa: 192.168.120.1,
    DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.120.104, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 18a9.05ed.8b87
    250579: 2w2d: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 18a9.05ed.8b87
    250580: 2w2d: DHCP_SNOOPING: can't find client's destination port, packet is assumed to be not from local switch, no binding update is needed.
    250581: 2w2d: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 18a9.05ed.8b87
    250582: 2w2d: DHCP_SNOOPING_SW: lookup packet destination port failed to get mat entry for mac: 18a9.05ed.8b87
    250583: 2w2d: DHCP_SNOOPING: can't find output interface for dhcp reply. the message is dropped.
    250584: Mar  9 11:31:05: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/30, vlan 120.([18a9.05ed.8b87/169.254.93.237/0000.0000.0000/169.254.93.237/14:31:04 Sun Mar 9 2014])
    250585: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/30 for pak.  Was not set
    250586: 2w2d: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak.  Was Gi0/30
    250587: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/30 for pak.  Was not set
    250588: 2w2d: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/30)
    250589: 2w2d: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Gi0/30, MAC da: ffff.ffff.ffff, MAC sa: 18a9.05ed.8b87, IP da: 255.255.255.255, IP sa: 0.0.0.0,
    DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 18a9.05ed.8b87
    250590: 2w2d: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (120)
    250591: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/50 for pak.  Was not set
    250592: 2w2d: DHCPSNOOP(hlfm_set_if_input): Clearing if_input for pak.  Was Gi0/50
    250593: 2w2d: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/50 for pak.  Was not set
    250594: 2w2d: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/50)
    250595: 2w2d: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Gi0/50, MAC da: 18a9.05ed.8b87, MAC sa: 0015.2c31.4800, IP da: 192.168.120.104, IP sa: 192.168.120.1,
    DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.120.104, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 18a9.05ed.8b87
    250596: 2w2d: DHCP_SNOOPING: direct forward dhcp replyto output port: GigabitEthernet0/30.
    I have no idea what I am missing.
    Could you please help me fix this issue as soon as possible?
    You can reach me at [email protected]
    Regards,
    Azeem
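
Added example (not part of the thread): a Python script that triages debug output of the kind posted above. It attributes each dropped or forwarded DHCP reply to the client of the preceding snooped packet and collects %SW_DAI-4-DHCP_SNOOPING_DENY entries per MAC, marking link-local (169.254.0.0/16) senders. It assumes every message starts with a sequence number, as in this post; the function names are hypothetical and the sample is abridged from the log above.

```python
import ipaddress
import re
from collections import defaultdict

# Sample lines abridged from the debug output quoted in the post above.
SAMPLE = """\
250572: 2w2d: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Gi0/30, MAC sa: 18a9.05ed.8b87,
DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP chaddr: 18a9.05ed.8b87
250578: 2w2d: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Gi0/50, MAC da: 18a9.05ed.8b87,
DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.120.104, DHCP chaddr: 18a9.05ed.8b87
250583: 2w2d: DHCP_SNOOPING: can't find output interface for dhcp reply. the message is dropped.
250584: Mar  9 11:31:05: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/30, vlan 120.([18a9.05ed.8b87/169.254.93.237/0000.0000.0000/169.254.93.237/14:31:04 Sun Mar 9 2014])
250595: 2w2d: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Gi0/50, MAC da: 18a9.05ed.8b87,
DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.120.104, DHCP chaddr: 18a9.05ed.8b87
250596: 2w2d: DHCP_SNOOPING: direct forward dhcp replyto output port: GigabitEthernet0/30.
"""

PKT = re.compile(r"message type: (DHCP\w+), input interface: (\S+?),.*?DHCP chaddr: ([0-9a-f.]+)")
FWD = re.compile(r"direct forward dhcp replyto output port: (\S+?)\.?$")
DAI = re.compile(r"%SW_DAI-4-DHCP_SNOOPING_DENY: .*? on (\S+), vlan (\d+)\.\(\[([0-9a-f.]+)/([\d.]+)/")
DROP = "can't find output interface for dhcp reply"

def records(text):
    """Join wrapped lines: a record starts at a 'NNNNNN: ' sequence number."""
    buf = ""
    for line in text.splitlines():
        if re.match(r"\d+: ", line) and buf:
            yield buf
            buf = ""
        buf = (buf + " " + line.strip()).strip()
    if buf:
        yield buf

def triage(text):
    """Attribute drops, forwards and DAI denies to the client MAC they concern."""
    clients = defaultdict(lambda: {"seen": [], "dropped": [], "forwarded": [], "denied": []})
    last = None  # (chaddr, message type) of the most recent snooped packet
    for rec in records(text):
        if m := PKT.search(rec):
            mtype, ifname, mac = m.groups()
            clients[mac]["seen"].append((mtype, ifname))
            last = (mac, mtype)
        elif DROP in rec and last:
            clients[last[0]]["dropped"].append(last[1])
        elif (m := FWD.search(rec)) and last:
            clients[last[0]]["forwarded"].append((last[1], m.group(1)))
        elif m := DAI.search(rec):
            ifname, vlan, mac, ip = m.groups()
            clients[mac]["denied"].append((ifname, int(vlan), ip, ipaddress.ip_address(ip).is_link_local))
    return dict(clients)

def findings(text):
    """One line per dropped reply or denied ARP, keyed by client MAC."""
    out = []
    for mac, c in triage(text).items():
        out += [f"{mac}: {t} dropped, no output interface found" for t in c["dropped"]]
        out += [f"{mac}: ARP from {ip} denied on {i} vlan {v}" + (" (link-local, self-assigned)" if ll else "")
                for i, v, ip, ll in c["denied"]]
    return out
```

On the sample, findings(SAMPLE) reports the dropped DHCPACK followed by the denied ARP from the link-local address, which is the order of events in the posted log.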

  • IOS 15.0(2)SE5 DHCP Snooping Problem

    I have just upgraded a single production switch from IOS 12.2(50)SE1 to 15.0(2)SE5 to test out new IPv6 security features that we will soon require for our deployment. Upon booting into the newer IOS, the DHCP snooping feature stopped working; this caused ARP inspection to start dropping traffic, so we had to disable it. After going through the normal troubleshooting procedures (check config, reboot, re-apply config, check clients, renew IP address, etc.) it still is not working.
    Has anyone else experienced this problem or anything similar?
    I would be interested to hear from people on recent experiences when upgrading software, as we have been having a bad time recently with Cisco software across a range of products.

    Aurelien
    I just tested this on a 2960-S running SE5 with no issues.
    2960-1#debug ip dhcp snooping packet
    DHCP Snooping Packet debugging is on
    2960-1#
    Mar 30 01:30:23.963: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Po1 for pak.  Was Vl1
    Mar 30 01:30:23.963: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Po1
    Mar 30 01:30:23.963: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Po1 for pak.  Was Vl1
    Mar 30 01:30:23.963: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel1)
    2960-1#
    Mar 30 01:30:23.968: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Po1, MAC da: ffff.ffff.ffff, MAC sa: 3037.a696.3640, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 3037.a696.3640
    Mar 30 01:30:23.968: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (1)
    Mar 30 01:30:23.968: DHCP_SNOOPING_SW: bridge packet send pac
    2960-1#ket to cpu port: Vlan1.
    Mar 30 01:30:25.976: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/24 for pak.  Was Vl1
    Mar 30 01:30:25.976: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Gi0/24
    Mar 30 01:30:25.976: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/24 for pak.  Was Vl1
    Mar 30 01:30:25.976: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/24)
    Mar 30 01:30:25.976: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, inpu
    2960-1#t interface: Gi0/24, MAC da: ffff.ffff.ffff, MAC sa: 001c.0e86.6f4a, IP da: 255.255.255.255, IP sa: 172.16.156.33, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 172.16.156.47, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 3037.a696.3640
    Mar 30 01:30:25.981: DHCP_SNOOPING: direct forward dhcp replyto output port: Port-channel1.
    Mar 30 01:30:25.987: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Po1 for pak.  Was Vl1
    Mar 30 01:30:25.987: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  W
    2960-1#as Po1
    Mar 30 01:30:25.987: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Po1 for pak.  Was Vl1
    Mar 30 01:30:25.987: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel1)
    Mar 30 01:30:25.987: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Po1, MAC da: ffff.ffff.ffff, MAC sa: 3037.a696.3640, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 3037.a696.3
    2960-1#640
    Mar 30 01:30:25.987: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (1)
    Mar 30 01:30:25.987: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan1.
    Mar 30 01:30:25.987: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/24 for pak.  Was Vl1
    Mar 30 01:30:25.987: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak.  Was Gi0/24
    Mar 30 01:30:25.987: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/24 for pak.  Was Vl
    2960-1#1
    Mar 30 01:30:25.987: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/24)
    Mar 30 01:30:25.992: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Gi0/24, MAC da: ffff.ffff.ffff, MAC sa: 001c.0e86.6f4a, IP da: 255.255.255.255, IP sa: 172.16.156.33, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 172.16.156.47, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 3037.a696.3640
    Mar 30 01:30:25.992: DHCP_SNOOPING: direct forward dhcp replyto output port:
    2960-1#Port-channel1.
    2960-1#sh ip dhc
    2960-1#sh ip dhcp no
    2960-1#sh ip dhcp sno
    2960-1#sh ip dhcp snooping b
    2960-1#sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    30:37:A6:96:36:40   172.16.156.47    86387       dhcp-snooping   1     Port-channel1
    Total number of bindings: 1
    2960-1#sh ver | in IOS  
    Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.0(2)SE5, RELEASE SOFTWARE (fc1)
    2960-1#

  • IP DHCP snooping, IP source Guard, and DAI

    Hi All,
    I have configured DHCP snooping, IP Source Guard and Dynamic ARP Inspection on my 3560 and 3750 network switches.
    On both of them I'm facing this issue: the printers and access points are configured to get IP addresses via DHCP, but when the lease time expires, they don't get IP addresses and become unreachable,
    while all other clients get their IP addresses normally.
    Below you can find the configuration:
    ip dhcp snooping vlan 98,105,111
    no ip dhcp snooping information option
    ip dhcp snooping database flash:dhcpsnooping
    ip dhcp snooping database write-delay 15
    ip dhcp snooping
    ip arp inspection vlan 98,105,111
    ip verify trust on all access ports including printers and access point ports
    all access ports are DHCP snooping untrusted
    Also, when I create a static DHCP snooping binding record for these devices on the switch it resolves the issue, but when I reload the switch it's removed automatically.
    Any resolution will be much appreciated.
    regards,
    Maher

    check the following link for configuration of DHCP snooping
    http://packetlife.net/blog/2010/aug/18/dhcp-snooping-and-dynamic-arp-inspection/
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

  • SG300: DHCP errors

    Hello,
    I have several SG300-20 and SG300-10 switches cascaded in a topology that looks like this:
    SW0 => SW2: connected by three links in LACP
    SW1 => SW2: connected by a single link
    SW3 => SW2: connected by three links in LACP
    SW4 => SW2: connected by a single link
    I have PCs connected to all the switches.
    My DHCP server is connected to SW2. The port is trusted and DHCP snooping is enabled. On all the switches I have enabled DHCP relay with the IP address of the DHCP server.
    Unfortunately, I get errors on SW2:
    %DHCPSNOOP-E-HDRMAC: DHCP packet mac addresses verification problem - packet dropped: vlan - 20, port - Po2, mac source address - <ADRESSE_MAC_DE_SW0>, mac dest ad dress - <ADRESSE_MAC_DU_SERVEUR_DHCP>, hw client address - <ADRESSE_MAC_D_UN_POSTE_CLIENT>, error - DHCPSnP_packet_callback
    So I have several questions:
      - does anyone know where these errors come from? I get them every day
      - should DHCP relay be enabled on all the switches, or only on SW2 since the DHCP server is on it?
      - should DHCP relay + DHCP snooping both be enabled, as I have done?
    Thank you in advance.
    Bertrand

    Tom,
    Thanks ... I followed the steps you outlined and it worked!  The only difference being that I have an Asus RT-AC66U router and the there is no "enable multiple subnet" option.  So, I just followed your instructions on creating the static routes in the RT-AC66U and everything worked.  The DHCP addresses were correct and I had internet connectivity when I plugged a laptop into the gi8 port.
    I did make one tweak to the Network Pools screen as follows:
    My DHCP configuration for gi8 on VLAN 2 now looks like:
    ip dhcp server
    ip dhcp pool network InternalWAN
    address low 192.168.2.1 high 192.168.2.99 255.255.255.0
    lease infinite
    domain-name MYSTIC
    default-router 192.168.2.254
    dns-server 8.8.8.8
    Previously I had followed your advice in the article "Need help configuring SG300-10 switch" and had setup everything using CLI.  However, I didn't think about needing the static routes.  So, I think it was probably setup correctly beforehand but had no chance to work because the routes were not setup.
    Thanks very much for your help!
    Clint
