Saturday, August 1, 2020

Extreme Switch - Troubleshooting DHCP issues in EXOS


This article will outline several common issues related to DHCP.


    • Case 1: DHCP Server and DHCP Client are in the same VLAN


    1. Locate a client that is not working. Determine its MAC address.

    1-1. Find the port that this client is connected to, then run show fdb port port_number

    exos-switch # show fdb ports 1
    MAC                VLAN Name( Tag)  Age    Flags   Port / Virtual Port List
    ------------------------------------------------------------------------------
    00:04:16:52:f6:ef  vlan100(0128)    0000   d mi       S   1

    1-2. Is the MAC address learned in the correct VLAN? 
    If yes, skip to Step 2. If not, check the items below.
     
    - Is the port active? 
    show ports no-refresh
    show ports 1 no-refresh

    - Is the VLAN tagging correct on the port?
    show vlan vlan_number
    show ports 1 information detail
     
    - Is the client directly connected, or is there something else in between?


    2. Configure the test client with a static IP address in the correct subnet. 

    - Is the test client able to ping the DHCP server? If not, there is a connectivity issue to the DHCP server. 
    - Repeat the troubleshooting from Step 1 for the DHCP server. If this is correct on both ends, verify the VLAN configuration and tagging on all switches between the client and DHCP server.
     

    3. If the client is able to reach the DHCP server with a static IP address, take a packet capture

    on both the client and the DHCP server to determine where the DHCP process is breaking down. 

    In Wireshark, a display filter can be applied to view just DHCP traffic for one specific client. The syntax of this filter is bootp.hw.mac_addr == client_mac_address.
     
     
    If the DHCP server sees the Request or Offer come in, but does not respond, ensure that the DHCP scope is configured correctly.
    If the client never sends a Request or Offer, ensure that DHCP is enabled on the client.


    • Case 2: DHCP Server and DHCP Client are in separate VLANs

     

    1. Locate a client that is not working. Determine its MAC address.

    1-1. Find the port that this client is connected to, then run show fdb port port_number

    - Is the MAC address learned in the correct VLAN? If yes, skip to Step 2. If not check the items below.
    - Is the port active?
    - Is the VLAN tagging correct on the port?
    - Is the client directly connected, or is there something else in between?

    2. Determine where routing is happening for the client's VLAN. 

    On the router for the VLAN, check to see if bootprelay is enabled for both the client and server VLANs.
     
    show bootprelay
    show config nettools
     

    3. If bootprelay is not configured, configure it pointing to the DHCP server.

     

    4. If bootprelay is configured correctly, verify that IP forwarding is enabled on both the client and server VLANs. 

    The output of show vlan should show an f flag for these VLANs.
    If this is not enabled, enable IP forwarding on both VLANs.
     

    5. If IP forwarding is enabled, verify that the DHCP server is reachable from the client VLAN.

    On the switch, you can specify the source address for a ping with the command ping DHCP_server from IP_of_client_VLAN.

    If this is not successful, repeat the test from the server VLAN. If this fails, there is likely a layer 2 connectivity issue to the server. Verify the same information from Step 1 for the DHCP server, as well as the VLAN configuration and tagging for the switches along the path to the server.
     

    6. In the router for the VLAN, confirm that the client's MAC address is present in the FDB with the command show fdb client_MAC_address

    If this is not present, there is likely a layer 1 or layer 2 issue between the edge switch and the router. Verify tagging for this VLAN along the downstream switches.

    7. Take a packet capture on both the client and the server to determine where the DHCP process is failing.

    In Wireshark, a display filter can be applied to view just DHCP traffic for one specific client. The syntax of this filter is bootp.hw.mac_addr == client_mac_address.​ The DHCP traffic seen on the server should be sent unicast, with the source address being the router's IP address in the client VLAN.
     
    7-1. If the DHCP server sees the Request or Offer come in, but does not respond, ensure that the DHCP scope is configured correctly.
    7-2. If the client never sends a Request or Offer, ensure that DHCP is enabled on the client.


    ※ Additional notes

    show port port# info detail command can be used to check the VLANs present on a port, and the tagging. An untagged VLAN will show "Internal Tag" in this output, while a tagged VLAN will show "802.1Q Tag".
    In the example below, VLAN Default is present untagged on this port, and VLAN voip
    is present with a tag of 100.


    exos-switch # show port 1 info detail
    Port:   1
            Virtual-router: VR-Default
            Type:           UTP
            Random Early drop:      Unsupported
            Admin state:    Enabled with  auto-speed sensing  auto-duplex
            Link State:     Ready
            Link Ups:       0        Last: --
            Link Downs:     0        Last: --

            VLAN cfg:
                     Name: Default, Internal Tag = 1, MAC-limit = No-limit, Virtual router:   VR-Default
                     Name: voip, 802.1Q Tag = 100, MAC-limit = No-limit, Virtual router:   VR-Default
                           Port-specific VLAN ID:  100


    • Case 3: Duplicate IP address is detected


    ※ Note

     The IPv4 DAD feature is deprecated in EXOS 30.1. There is no other feature that provides periodic IPv4 GARP. The best way to detect duplicate IP addresses is probably ACL counters or packet captures.


    ✓ Symptoms

    - A client system is getting an alert with 'Windows has detected an IP address conflict.'

    - When issuing the command show iparp or show iparp 0.0.0.0, a duplicate IP address is seen, and it is unsure where the conflicting IP is located and how many times the detection is occurring.

    exos-switch # show iparp 0.0.0.0
    VR            Destination      Mac                Age  Static  VLAN          VID   Port

    Dynamic Entries  :         343             Static Entries            :          0
    Pending Entries  :           3
    In Request       :   224859665             In Response               :    1873263
    Out Request      :    22162377             Out Response              :  121131715
    Failed Requests  :     3381061
    Proxy Answered   :           0
    Rx Error         :           0             Dup IP Addr               :      10.10.15.1
    Rejected Count   :       59214             Rejected IP               :   169.254.60.22
    Rejected Port    :        7:34             Rejected I/F              : workstation

    Max ARP entries  :        8192             Max ARP pending entries   :        256
    ARP address check:    Enabled              ARP refresh               :    Enabled
    Timeout          :          20 minutes     ARP Sender-Mac Learning   :   Disabled
    Locktime         :        1000 milliseconds
    Retransmit Time  :        1000 milliseconds
    Reachable Time   :      900000 milliseconds (Auto)
    Fast Convergence :         Off

    1. Enable DAD detection feature using the following command.

    configure ip dad [off | on | {on} attempts max_solicitations] {{vr} vr_name | vr all}
    exos-switch # configure ip dad on vr all


    2. Issue the command 'show ip dad' and check the Interface Failures account. 

    The output will look as follows and show the incrementing VLAN in which the duplicate is occurring, the MAC address from where the IP is duplicated, and the duplicate IP:

    exos-switch # show ip dad
    IPv4 Duplicate Address Detection

    DAD Status                 : On
    Max Solicitation Attempts  : 1

    Virtual Router         Interface              Flags   IP Address
        Conflict MAC         Failures
    --------------------------------------------------------------------------------
    VR-Default             Default                -PE-U   10.10.1.103
        00:00:00:00:00:00       0
    VR-Default             servers                -PE-U   10.10.10.1
        f4:cf:e2:47:c2:00     0
    VR-Default             storage                TPE--   10.10.11.1
        00:00:00:00:00:00       0
    VR-Default             video                  -PE-U   10.10.4.1
        f4:cf:e2:47:c2:00     0
    VR-Default             voice                  -PE-U   10.10.5.1
        f4:cf:e2:47:c2:00     0
    VR-Default             wireless               -PE-U   10.10.15.1
        f4:cf:e2:47:c2:00     175
    VR-Default             workstation            -PE-U   10.10.101.1
        f4:cf:e2:47:c2:00     191


    3. Check the logs and confirm the duplicate IP address. 

    The log will also confirm the same and populate when the duplicate IP is detected:

    10/25/2015 17:32:23.24 <Erro:vlan.dad.IPAddrDup> Slot-7: 10.10.15.1 on interface wireless is Duplicate. Neighbor F4:CF:E2:47:C2:00 has the same IP Address
    10/25/2015 17:32:23.24 <Erro:vlan.dad.IPAddrDup> Slot-7: 10.10.101.1 on interface workstation is Duplicate. Neighbor F4:CF:E2:47:C2:00 has the same IP Address

    4. Disable DAD detection feature using the following command.
    configure ip dad [off | on | {on} attempts max_solicitations] {{vr} vr_name | vr all}
    exos-switch # configure ip dad off


    * Related Articles:
    Extreme Switch - How to create an ACL in EXOS


    * References:

    1 comment:

    1. where is the "How to apply a bootprelay dhcp server to a specific VLAN " please update link

      ReplyDelete