Wednesday, January 27, 2010

DHCP forwarding with Cisco and Fortigate

While configuring a network with a central Fortigate firewall and a Cisco 871 router at the remote site, I had trouble getting DHCP relay to work.

On the Cisco router I configured the interface as shown below:

interface Vlan1
 ip address 10.10.10.10 255.255.255.0
 ip helper-address 1.1.1.1

The Cisco router forwarded the DHCP packets but I did not get any IP address. With a packet sniffer I found that the router sent the relayed packets with source address 0.0.0.0, which the Fortigate firewall did not accept.

To solve this I removed the helper-address and typed in these lines instead:

! relay configured per DHCP pool instead of with ip helper-address
service dhcp
! option 82 handling: forward any relay-agent information already present unchanged
ip dhcp relay information policy keep
ip dhcp pool LAN
 ! requests from this client subnet are relayed to the server below
 relay source 10.10.10.0 255.255.255.0
 relay destination 1.1.1.1

This changed the source address and solved my DHCP forwarding issue. Note that the information policy keep line only concerns option 82: any relay-agent information already present in a request is forwarded unchanged, so it is the right setting only when the device that inserted option 82 (for instance a switch doing DHCP snooping) is trusted.
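The check I did with the sniffer, written out as an added Python example (not Cisco or Fortinet code): a small BOOTP/DHCP parser that pulls out hops, giaddr and option 82 from a request and reports the conditions that make a relayed request undeliverable or untrustworthy, including the 0.0.0.0 source seen above. The packet bytes are constructed by build_discover() in the block, not taken from a capture, and the wording of the check messages is this example's own.

```python
"""Inspect relayed DHCP requests the way a DHCP server or firewall would.

Added example for this post, not Cisco or Fortinet code. Sample packets are
built by build_discover(), not taken from a capture.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82      # option 82, inserted by a relay or snooping switch
BOOTREQUEST = 1


@dataclass
class DhcpMessage:
    op: int
    hops: int
    xid: int
    ciaddr: str
    yiaddr: str
    siaddr: str
    giaddr: str
    chaddr: bytes
    options: Dict[int, bytes]


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the 236-byte BOOTP header, the magic cookie and the TLV options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr, siaddr, giaddr = (payload[i:i + 4] for i in (12, 16, 20, 24))
    chaddr = payload[28:28 + hlen]
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpMessage(op, hops, xid, _ip_str(ciaddr), _ip_str(yiaddr),
                       _ip_str(siaddr), _ip_str(giaddr), chaddr, options)


def relay_agent_suboptions(msg: DhcpMessage) -> Dict[int, bytes]:
    """Split option 82 into its sub-options (1 = circuit-id, 2 = remote-id)."""
    raw = msg.options.get(OPT_RELAY_AGENT_INFO, b"")
    subs: Dict[int, bytes] = {}
    i = 0
    while i + 1 < len(raw):
        code, length = raw[i], raw[i + 1]
        subs[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def relay_checks(src_ip: str, msg: DhcpMessage) -> List[str]:
    """Reasons a server or firewall may drop this request; empty list means OK.

    src_ip is the IP source address of the UDP datagram carrying the message.
    """
    problems: List[str] = []
    if msg.op != BOOTREQUEST:
        return problems                      # only client requests are relayed upstream
    relayed = msg.hops > 0 or msg.giaddr != "0.0.0.0"
    if relayed and src_ip == "0.0.0.0":
        # The symptom in this post: the relay filled in giaddr but sent the
        # datagram from an unroutable source, so nothing upstream will answer.
        problems.append("relayed request sent from 0.0.0.0 (no routable source)")
    if relayed and msg.giaddr == "0.0.0.0":
        problems.append("hops > 0 but giaddr unset; server cannot pick a scope")
    if not relayed and src_ip not in ("0.0.0.0", msg.ciaddr):
        # A renewing client sources from its own ciaddr; anything else is odd.
        problems.append("unrelayed request sourced from an address that is not ciaddr")
    if OPT_RELAY_AGENT_INFO in msg.options and not relayed:
        # Option 82 on a packet no relay touched means the client inserted it
        # itself; DHCP snooping drops this on untrusted ports.
        problems.append("option 82 present on a packet with no relay hop")
    return problems


def build_discover(mac: bytes, hops: int = 0, giaddr: str = "0.0.0.0",
                   circuit_id: Optional[bytes] = None) -> bytes:
    """Construct a minimal DHCPDISCOVER (sample input for this example)."""
    hdr = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, hops, 0x3903F326, 0, 0x8000)
    hdr += bytes(12) + _ip_bytes(giaddr)             # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + bytes(16 - len(mac))                # chaddr padded to 16 bytes
    hdr += bytes(64) + bytes(128)                    # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 1])               # message type 1 = DISCOVER
    if circuit_id is not None:
        sub = bytes([1, len(circuit_id)]) + circuit_id
        opts += bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
    opts += bytes([255])
    return hdr + MAGIC_COOKIE + opts
```

Feed parse_dhcp() the UDP payload from a capture and relay_checks() the datagram's source address; a relayed DISCOVER with giaddr set but a 0.0.0.0 source is the exact condition that made the Fortigate drop the requests above, while option 82 on an unrelayed packet is what DHCP snooping exists to catch.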


How to Upgrade Cisco IOS in a Cisco Router or a Switch | ItsyourIP.com

Thursday, January 08, 2009

CEF and unequal traffic sharing

Today I stumbled across a Cisco switch where layer 3 CEF switching resulted in unequal sharing of the outgoing load over two equal-cost routes. The incoming traffic comes from a Fortigate, which handles load sharing differently.

First I looked into the routing table and verified that I have two active routes to the destination.

Switch#sho ip ro 192.168.1.1
Routing entry for 192.168.1.0/24
  Known via "ospf 1", distance 110, metric 10, type extern 2, forward metric 1
  Last update from 10.47.1.1 on Vlan3800, 2w2d ago
  Routing Descriptor Blocks:
  * 172.30.254.249, from 10.47.1.1, 2w2d ago, via Vlan3800
      Route metric is 10, traffic share count is 1
    172.30.254.241, from 10.48.1.1, 2w2d ago, via Vlan200
      Route metric is 10, traffic share count is 1

I then looked into CEF.

Switch#sho ip cef 192.168.1.1 internal
192.168.1.0/24, epoch 1, RIB, refcount 6, per-destination sharing

The destination here is 192.168.1.0/24, and it seems that the switch is sending everything to that destination out on only one interface. Investigating further I found this command, which confirms it. (Run it several times!) The answer does not change, because per-destination sharing picks the path from a hash of the source and destination address: every packet of the same source/destination pair lands on the same adjacency, so with few distinct sources the split between the two links can be very uneven.

Switch#sho ip cef exact-route 10.0.0.1 192.168.1.1
10.0.0.1 -> 192.168.1.1 => IP adj out of Vlan3800, addr 10.47.1.1

I went looking on the Internet and found a great resource on Cisco and CEF on Cisco IOS hints and tricks.

Unfortunately, I did not find a solution that helped me.
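The behaviour above, as an added Python model (not Cisco code, and not the real CEF hash, which is platform specific and not published): per-destination sharing picks one of 16 buckets from a hash of source and destination address, so one source/destination pair always lands on the same adjacency no matter how many packets it sends. The model also shows the two things that do spread the load: many distinct sources, or an algorithm that adds the L4 ports to the hash (on platforms that support it, ip cef load-sharing algorithm include-ports source destination). The interface names and next hops come from the routing entry above; the universal-id seed, the hash and the sample addresses are this example's assumptions.

```python
"""Model of CEF per-destination load sharing over two equal-cost paths.

Added example for this post, not Cisco code. The hash is a stand-in for the
platform's real (unpublished) function; what it reproduces is the property
that matters: a given source/destination pair always maps to one path.
"""
import hashlib
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Tuple

# The two next hops from the routing entry above, equal metric, share count 1:1.
PATHS: List[Tuple[str, str]] = [("Vlan3800", "172.30.254.249"),
                                ("Vlan200", "172.30.254.241")]
BUCKETS = 16                      # CEF spreads the paths over 16 hash buckets
UNIVERSAL_ID = 0x5A5A5A5A         # assumed stand-in for the per-router universal-id seed


def bucket_table(paths: List[Tuple[str, str]] = PATHS) -> List[Tuple[str, str]]:
    """Fill the 16 buckets round-robin; with equal shares each path gets 8."""
    return [paths[i % len(paths)] for i in range(BUCKETS)]


def _bucket(*fields: int) -> int:
    """Stand-in hash: SHA-256 over the seed and the selected header fields."""
    data = b"".join(f.to_bytes(4, "big") for f in (UNIVERSAL_ID,) + fields)
    return hashlib.sha256(data).digest()[0] % BUCKETS


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def per_destination_path(src: str, dst: str) -> str:
    """Default per-destination sharing: hash of source and destination only."""
    return bucket_table()[_bucket(_ip(src), _ip(dst))][0]


def include_ports_path(src: str, dst: str, sport: int, dport: int) -> str:
    """Sharing with the L4 ports added to the hash (include-ports style)."""
    return bucket_table()[_bucket(_ip(src), _ip(dst), sport, dport)][0]


def distribution(choices: Iterable[str]) -> Dict[str, int]:
    """Count how many packets left on each interface."""
    return dict(Counter(choices))


def single_source_flows(n: int, src: str = "10.0.0.1",
                        dst: str = "192.168.1.1") -> Iterator[str]:
    """n packets of one source/destination pair: all end up on one link."""
    return (per_destination_path(src, dst) for _ in range(n))


def many_source_flows(n: int, dst: str = "192.168.1.1") -> Iterator[str]:
    """n packets from n different (constructed) sources behind the switch."""
    base = _ip("10.0.0.0")
    return (per_destination_path(str(ipaddress.IPv4Address(base + i)), dst)
            for i in range(1, n + 1))


def single_source_with_ports(n: int, src: str = "10.0.0.1",
                             dst: str = "192.168.1.1") -> Iterator[str]:
    """Same one pair, but each packet is a new connection (new ephemeral port)."""
    return (include_ports_path(src, dst, 32768 + i, 443) for i in range(n))


if __name__ == "__main__":
    print("one pair, per-destination:", distribution(single_source_flows(1000)))
    print("1024 sources, per-destination:", distribution(many_source_flows(1024)))
    print("one pair, include-ports:", distribution(single_source_with_ports(1000)))
```

The first line of output is the situation in this post: 1000 packets, one interface. The other two show that the imbalance is a property of the hash inputs, not of the routing table, which is why the routes above look perfectly balanced while the traffic is not.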


Thursday, December 06, 2007

Shr Dispute in Cisco switches

I did some tests on some Cisco switches the other day and came across an error I had not seen before. When I looked at a port's spanning-tree state I found the port was blocking with the message Dispute Shr. I had not seen this message before and could not find anything when I Googled it.

nede#sho span int g0/1

Mst Instance     Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------
MST0             Desg BLK 2000000   128.1    Dispute Shr

So I had to investigate this. Luckily for me Cisco has very good documentation, and in one of their articles I found the answer I was looking for.

A dispute flag appears when a designated port receives inferior designated information, that is, a BPDU from a neighbour that also claims to be designated on this link and is learning or forwarding. The flag stays set, and the port blocking, until the port returns to the forwarding state or ceases to be designated.

Shr simply indicates that the port is on a shared segment, which here is because the link runs at half duplex. A half-duplex link between two switches normally means a duplex mismatch, and the collisions that come with it are a classic way to lose BPDUs in one direction; that is exactly what the dispute mechanism is there to catch, so the first thing to check is the duplex setting on both ends.


Wednesday, December 27, 2006

Cisco switch with 5 years uptime

It is not often that I come across this, but this Cisco switch in our computer room has for some reason never been rebooted. Given this uptime I guess the switch has never been powered off since we purchased it.

The Uptime Project does not support switches so I can't register it there.
