On Catalyst 3k and Catalyst 9k switches running 16.X and 17.X releases, enabling DHCP Snooping also enables a programmatic device-tracking policy. This device-tracking policy is enabled globally on all ports of the given VLAN and gleans ARP / ICMPv6 traffic to track hosts. This can lead to unwanted behavior such as increased CPU usage or a larger-than-needed device-tracking database.

Typical symptom: the device-tracking database contains a large number of link-local IPv6 addresses (FE80::xxx) in INCOMPLETE state.

#show device-tracking database
Network Layer Address             Link Layer Address  Interface  vlan  prlvl  age  state       Time left
ND  FE80::FDDC:C60B:E15C:E75A     xxxx.xxxx.xxxx      Te1/1/1    29    0005   14s  INCOMPLETE  256 ms try 1
ND  FE80::FDDB:EE59:70C5:2C61     xxxx.xxxx.xxxx      Te1/1/1    29    0005   0s   INCOMPLETE  9 s
ND  FE80::FDA5:AB91:B66F:56F5     xxxx.xxxx.xxyy      Te1/1/1    29    0005   3s   INCOMPLETE  9 s
ND  FE80::FD92:1A5E:6269:4C03     xxxx.xxxx.xxyy      Te1/1/1    29    0005   9s   INCOMPLETE  3 s
ND  FE80::F98C:7CB:A8FA:90E3      xxxx.xxxx.xxyy      Te1/1/1    29    0005   0s   INCOMPLETE  9 s
ND  FE80::F937:B431:5EB0:8AE8     zzzz.zzzz.zzzz      Te1/1/1    29    0005   3s   INCOMPLETE  9 s
ND  FE80::F81A:4021:15A1:5285     zzzz.zzzz.zzzz      Te1/1/1    29    0005   0s   INCOMPLETE  9 s
ND  FE80::F816:AE03:D9B3:69DC     zzzz.zzzz.zzzz      Te1/1/1    29    0005   14s  INCOMPLETE  1280 ms try 2
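To spot the symptom above across many switches without reading the table by eye, the following added example (not from the original note or from Cisco) parses captured "show device-tracking database" output and counts INCOMPLETE link-local entries per interface, so the trunk ports that are accumulating them stand out. The sample output and the MAC addresses in it are constructed for the example; the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample of "show device-tracking database" output, modelled on the
# symptom in the text. MACs are masked placeholders, not real addresses.
SAMPLE_OUTPUT = """\
Network Layer Address             Link Layer Address  Interface  vlan  prlvl  age  state       Time left
ND  FE80::FDDC:C60B:E15C:E75A     xxxx.xxxx.xxxx      Te1/1/1    29    0005   14s  INCOMPLETE  256 ms try 1
ND  FE80::FDDB:EE59:70C5:2C61     xxxx.xxxx.xxxx      Te1/1/1    29    0005   0s   INCOMPLETE  9 s
ND  FE80::FDA5:AB91:B66F:56F5     xxxx.xxxx.xxyy      Te1/1/1    29    0005   3s   INCOMPLETE  9 s
ND  FE80::F937:B431:5EB0:8AE8     zzzz.zzzz.zzzz      Te1/1/1    29    0005   3s   INCOMPLETE  9 s
DH4 10.20.0.15                    aaaa.bbbb.cccc      Gi1/0/5    20    0024   12s  REACHABLE   245 s
ND  FE80::1234:5678:9ABC:DEF0     aaaa.bbbb.cccc      Gi1/0/5    20    0005   5s   REACHABLE   300 s
"""

# One binding row: source, address, MAC, interface, vlan, prlvl, age, state.
# The header line does not match because its "vlan" column is not numeric.
ROW_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<addr>\S+)\s+(?P<mac>\S+)\s+(?P<intf>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<prlvl>\d+)\s+(?P<age>\S+)\s+(?P<state>[A-Z]+)"
)


def parse_entries(output):
    """Return one dict per binding row; header and blank lines are skipped."""
    return [m.groupdict() for m in (ROW_RE.match(l) for l in output.splitlines()) if m]


def incomplete_link_local_by_interface(entries):
    """Count INCOMPLETE entries whose address is link-local (FE80::...) per interface."""
    counts = Counter()
    for e in entries:
        if e["state"] == "INCOMPLETE" and e["addr"].lower().startswith("fe80:"):
            counts[e["intf"]] += 1
    return dict(counts)


def flag_interfaces(entries, threshold=3):
    """Interfaces at or above the threshold; on an access switch these are
    typically the trunk/uplink ports the DT_trunk_policy override targets."""
    counts = incomplete_link_local_by_interface(entries)
    return sorted(intf for intf, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    rows = parse_entries(SAMPLE_OUTPUT)
    print(incomplete_link_local_by_interface(rows))
    print("suspect interfaces:", flag_interfaces(rows))
```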
** Conditions:

1. The switch must be running a 16.X or 17.X release. Currently this consists of the Catalyst C3650 / C3850 and the entire Catalyst 9k lineup (Cat9200/9300/9400/9500/9600).
2. Multiple access switches are interconnected through uplink (trunk) ports via a distribution switch.
3. The "ip dhcp snooping vlan" command is configured on the access switches.
4. The access switches are pure Layer 2 switches, or the SVI of the VLAN is not configured with "ipv6 enable".

Example configuration:

#show running-config | inc ip dhcp
ip dhcp snooping vlan 20

Show command to confirm that the programmatic device-tracking policy is applied to the VLAN:

#show device-tracking policies
Target   Type  Policy           Feature          Target range
vlan 20  VLAN  DT-PROGRAMMATIC  Device-tracking  vlan all
** Disable MAC-IP binding learning on Trunk ports (Recommended)

For optimal performance and to prevent the high CPU utilization issues often seen after configuring "ip dhcp snooping vlan", which enables the 'DT-PROGRAMMATIC' policy on trunk ports, it is recommended to prevent MAC-IP binding learning by overriding the programmatic policy with the user-created 'DT_trunk_policy' below on all inter-switch trunk links and uplinks to the rest of the network. This approach is advised for Cat9k switches running software versions before 17.3.2 and for all Cat3k switches, as they do not support the improvements made in release 17.3.2.

** Steps to Disable Device-Tracking:

1. Define and apply a custom device-tracking policy:

   configure terminal
   (config)# device-tracking policy DT_trunk_policy
   (config-device-tracking)# trusted-port
   (config-device-tracking)# device-role switch
   (config-device-tracking)# exit
   (config)# interface po1
   (config-if)# device-tracking attach-policy DT_trunk_policy
   (config-if)# end

   Apply this policy to any trunk interfaces, particularly those serving as uplinks.

2. If the switch rejects the "device-tracking policy DT_trunk_policy" command, upgrade the IPv4 device tracking CLI with the following command before reattempting:

   Switch(config)# device-tracking upgrade-cli

   After the upgrade, the switch should accept the policy configuration without issues.

** Context for the Recommendation:

While the improvement introduced in release 17.3.2 eliminates liveness tracking for entries learned from trunk ports, it does not fully address the potential for high CPU utilization due to extensive network traffic (e.g., ARP and NDP control packets). Therefore, disabling device-tracking on trunk ports remains the preferred workaround to mitigate unnecessary system memory consumption and maintain CPU efficiency.
** Note for Cat3k Users: Since Cat3k switches are not supported in release 17.x, the above workaround is particularly relevant and should be implemented to avoid high CPU utilization issues.