Saturday, August 1, 2020

Extreme Switch - Troubleshooting DHCP issues in EXOS


This article will outline several common issues related to DHCP.

  • Case 1: DHCP Server and DHCP Client are in the same VLAN


1. Locate a client that is not working. Determine its MAC address.

1-1. Find the port that this client is connected to, then run show fdb ports port_number

exos-switch # show fdb ports 1
MAC                VLAN Name( Tag)  Age    Flags   Port / Virtual Port List
------------------------------------------------------------------------------
00:04:16:52:f6:ef  vlan100(0128)    0000   d mi       S   1

1-2. Is the MAC address learned in the correct VLAN? 
If yes, skip to Step 2. If not, check the items below.
 
- Is the port active? 
show ports no-refresh
show ports 1 no-refresh

- Is the VLAN tagging correct on the port?
show vlan vlan_number
show ports 1 information detail
 
- Is the client directly connected, or is there something else in between?


2. Configure the test client with a static IP address in the correct subnet. 

- Is the test client able to ping the DHCP server? If not, there is a connectivity issue to the DHCP server. 
- Repeat the troubleshooting from Step 1 for the DHCP server. If this is correct on both ends, verify the VLAN configuration and tagging on all switches between the client and DHCP server.
 

3. If the client is able to reach the DHCP server with a static IP address, take a packet capture on both the client and the DHCP server to determine where the DHCP process is breaking down.

In Wireshark, a display filter can be applied to view just DHCP traffic for one specific client. The syntax of this filter is bootp.hw.mac_addr == client_mac_address.
 
 
If the DHCP server sees the Request or Offer come in, but does not respond, ensure that the DHCP scope is configured correctly.
If the client never sends a Request or Offer, ensure that DHCP is enabled on the client.


  • Case 2: DHCP Server and DHCP Client are in separate VLANs

 

1. Locate a client that is not working. Determine its MAC address.

1-1. Find the port that this client is connected to, then run show fdb ports port_number

- Is the MAC address learned in the correct VLAN? If yes, skip to Step 2. If not, check the items below.
- Is the port active?
- Is the VLAN tagging correct on the port?
- Is the client directly connected, or is there something else in between?

2. Determine where routing is happening for the client's VLAN. 

On the router for the VLAN, check to see if bootprelay is enabled for both the client and server VLANs.
 
show bootprelay
show config nettools
 

3. If bootprelay is not configured, configure it pointing to the DHCP server.

 

4. If bootprelay is configured correctly, verify that IP forwarding is enabled on both the client and server VLANs. 

The output of show vlan should show an f flag for these VLANs.
If this is not enabled, enable IP forwarding on both VLANs.
 

5. If IP forwarding is enabled, verify that the DHCP server is reachable from the client VLAN.

On the switch, you can specify the source address for a ping with the command ping DHCP_server from IP_of_client_VLAN.

If this is not successful, repeat the test from the server VLAN. If this fails, there is likely a layer 2 connectivity issue to the server. Verify the same information from Step 1 for the DHCP server, as well as the VLAN configuration and tagging for the switches along the path to the server.
 

6. In the router for the VLAN, confirm that the client's MAC address is present in the FDB with the command show fdb client_MAC_address

If this is not present, there is likely a layer 1 or layer 2 issue between the edge switch and the router. Verify tagging for this VLAN along the downstream switches.

7. Take a packet capture on both the client and the server to determine where the DHCP process is failing.

In Wireshark, a display filter can be applied to view just DHCP traffic for one specific client. The syntax of this filter is bootp.hw.mac_addr == client_mac_address. The DHCP traffic seen on the server should be sent unicast, with the source address being the router's IP address in the client VLAN.
 
7-1. If the DHCP server sees the Request or Offer come in, but does not respond, ensure that the DHCP scope is configured correctly.
7-2. If the client never sends a Request or Offer, ensure that DHCP is enabled on the client.
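
The capture analysis in step 3 of Case 1 and step 7 of Case 2 can also be scripted. The following Python sketch is an added example, not part of the original article: it parses raw DHCP payloads, keeps only those whose client hardware address matches (the same field the Wireshark filter tests), reports the first missing step of the Discover/Offer/Request/Ack exchange, and lists the relay address (giaddr) carried by relayed packets. The capture is constructed sample data, and 192.0.2.1 is an assumed stand-in for the router's IP address in the client VLAN.

```python
import socket
import struct

COOKIE = bytes.fromhex("63825363")  # DHCP magic cookie at payload offset 236
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK"}

def build(op, mac, msg_type, giaddr="0.0.0.0"):
    """Constructed sample data: a minimal BOOTP header plus DHCP option 53."""
    zero = bytes(4)
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s", op, 1, 6, 0, 0x1234, 0, 0, zero, zero,
                      zero, socket.inet_aton(giaddr), bytes.fromhex(mac.replace(":", "")))
    return hdr + bytes(192) + COOKIE + bytes([53, 1, msg_type, 255])

def parse(payload):
    """Return (chaddr, giaddr, message type) for a UDP 67/68 payload, else None."""
    if len(payload) < 240 or payload[236:240] != COOKIE:
        return None
    mac = payload[28:28 + min(payload[2], 16)].hex(":")
    giaddr = socket.inet_ntoa(payload[24:28])
    i, mtype = 240, None
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                             # pad option, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            mtype = payload[i + 2]                      # option 53 = message type
        i += 2 + length
    return mac, giaddr, TYPES.get(mtype, "UNKNOWN")

def diagnose(payloads, client_mac):
    """Messages captured for one client, first missing DORA step, relay addresses."""
    hits = [r for r in map(parse, payloads) if r and r[0] == client_mac.lower()]
    seen = [r[2] for r in hits]
    missing = next((s for s in ("DISCOVER", "OFFER", "REQUEST", "ACK") if s not in seen), None)
    relays = sorted({r[1] for r in hits if r[1] != "0.0.0.0"})
    return {"seen": seen, "first_missing": missing, "relays": relays}

# Constructed capture as the server would see it in Case 2 (assumed addresses).
CLIENT = "00:04:16:52:f6:ef"
CAPTURE = [
    build(1, CLIENT, 1, giaddr="192.0.2.1"),   # relayed DISCOVER
    build(2, CLIENT, 2, giaddr="192.0.2.1"),   # OFFER returned to the relay
    build(1, "00:11:22:33:44:55", 1),          # another client, filtered out
]

if __name__ == "__main__":
    print(diagnose(CAPTURE, CLIENT))
```

An empty relays list on a capture taken at a server in a different VLAN means the packets did not pass through bootprelay.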


※ Additional notes

The show port port# info detail command can be used to check the VLANs present on a port, and the tagging. An untagged VLAN will show "Internal Tag" in this output, while a tagged VLAN will show "802.1Q Tag".
In the example below, VLAN Default is present untagged on this port, and VLAN voip is present with a tag of 100.


exos-switch # show port 1 info detail
Port:   1
        Virtual-router: VR-Default
        Type:           UTP
        Random Early drop:      Unsupported
        Admin state:    Enabled with  auto-speed sensing  auto-duplex
        Link State:     Ready
        Link Ups:       0        Last: --
        Link Downs:     0        Last: --

        VLAN cfg:
                 Name: Default, Internal Tag = 1, MAC-limit = No-limit, Virtual router:   VR-Default
                 Name: voip, 802.1Q Tag = 100, MAC-limit = No-limit, Virtual router:   VR-Default
                       Port-specific VLAN ID:  100


  • Case 3: Duplicate IP address is detected

 

✓ Symptoms

- A client system is getting an alert with 'Windows has detected an IP address conflict.'

- When issuing the command show iparp or show iparp 0.0.0.0, a duplicate IP address is seen, but it is unclear where the conflicting IP is located and how many times the detection is occurring.

exos-switch # show iparp 0.0.0.0
VR            Destination      Mac                Age  Static  VLAN          VID   Port

Dynamic Entries  :         343             Static Entries            :          0
Pending Entries  :           3
In Request       :   224859665             In Response               :    1873263
Out Request      :    22162377             Out Response              :  121131715
Failed Requests  :     3381061
Proxy Answered   :           0
Rx Error         :           0             Dup IP Addr               :      10.10.15.1
Rejected Count   :       59214             Rejected IP               :   169.254.60.22
Rejected Port    :        7:34             Rejected I/F              : workstation

Max ARP entries  :        8192             Max ARP pending entries   :        256
ARP address check:    Enabled              ARP refresh               :    Enabled
Timeout          :          20 minutes     ARP Sender-Mac Learning   :   Disabled
Locktime         :        1000 milliseconds
Retransmit Time  :        1000 milliseconds
Reachable Time   :      900000 milliseconds (Auto)
Fast Convergence :         Off

1. Enable the DAD detection feature using the following command.

configure ip dad [off | on | {on} attempts max_solicitations] {{vr} vr_name | vr all}
exos-switch # configure ip dad on vr all


2. Issue the command 'show ip dad' and check the Failures count for each interface.

The output looks as follows. It shows the VLAN in which the duplicate is occurring (the one whose Failures counter is incrementing), the MAC address from which the IP is duplicated, and the duplicate IP:

exos-switch # show ip dad
IPv4 Duplicate Address Detection

DAD Status                 : On
Max Solicitation Attempts  : 1

Virtual Router         Interface              Flags   IP Address
    Conflict MAC         Failures
--------------------------------------------------------------------------------
VR-Default             Default                -PE-U   10.10.1.103
    00:00:00:00:00:00       0
VR-Default             servers                -PE-U   10.10.10.1
    f4:cf:e2:47:c2:00     0
VR-Default             storage                TPE--   10.10.11.1
    00:00:00:00:00:00       0
VR-Default             video                  -PE-U   10.10.4.1
    f4:cf:e2:47:c2:00     0
VR-Default             voice                  -PE-U   10.10.5.1
    f4:cf:e2:47:c2:00     0
VR-Default             wireless               -PE-U   10.10.15.1
    f4:cf:e2:47:c2:00     175
VR-Default             workstation            -PE-U   10.10.101.1
    f4:cf:e2:47:c2:00     191


3. Check the logs and confirm the duplicate IP address. 

The log confirms the same information; an entry is written when the duplicate IP is detected:

10/25/2015 17:32:23.24 <Erro:vlan.dad.IPAddrDup> Slot-7: 10.10.15.1 on interface wireless is Duplicate. Neighbor F4:CF:E2:47:C2:00 has the same IP Address
10/25/2015 17:32:23.24 <Erro:vlan.dad.IPAddrDup> Slot-7: 10.10.101.1 on interface workstation is Duplicate. Neighbor F4:CF:E2:47:C2:00 has the same IP Address

4. Disable the DAD detection feature using the following command.
configure ip dad [off | on | {on} attempts max_solicitations] {{vr} vr_name | vr all}
exos-switch # configure ip dad off
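
Steps 2 and 3 can be cross-checked automatically. The following Python sketch is an added example, not part of the original article or of EXOS: it joins the wrapped two-line records of 'show ip dad', keeps the interfaces whose Failures counter is non-zero, and confirms each one against the vlan.dad.IPAddrDup log lines. The sample input is a subset of the output shown above; the function names are illustrative.

```python
import re

# Sample input: a subset of the 'show ip dad' output and log lines shown in this article.
SHOW_IP_DAD = """\
Virtual Router         Interface              Flags   IP Address
    Conflict MAC         Failures
--------------------------------------------------------------------------------
VR-Default             servers                -PE-U   10.10.10.1
    f4:cf:e2:47:c2:00     0
VR-Default             wireless               -PE-U   10.10.15.1
    f4:cf:e2:47:c2:00     175
VR-Default             workstation            -PE-U   10.10.101.1
    f4:cf:e2:47:c2:00     191
"""
LOG = """\
10/25/2015 17:32:23.24 <Erro:vlan.dad.IPAddrDup> Slot-7: 10.10.15.1 on interface wireless is Duplicate. Neighbor F4:CF:E2:47:C2:00 has the same IP Address
10/25/2015 17:32:23.24 <Erro:vlan.dad.IPAddrDup> Slot-7: 10.10.101.1 on interface workstation is Duplicate. Neighbor F4:CF:E2:47:C2:00 has the same IP Address
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
ROW1 = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z-]{5})\s+(\d+\.\d+\.\d+\.\d+)\s*$")
ROW2 = re.compile(rf"^\s+({MAC})\s+(\d+)\s*$")
LOG_RE = re.compile(rf"<\w+:vlan\.dad\.IPAddrDup>.*?(\d+\.\d+\.\d+\.\d+) on interface (\S+) "
                    rf"is Duplicate\. Neighbor ({MAC})")

def parse_show_ip_dad(text):
    """Join each wrapped two-line record into one dict per interface."""
    rows, pending = [], None
    for line in text.splitlines():
        if m := ROW1.match(line):          # first half: VR, interface, flags, IP
            pending = m.groups()
        elif (m := ROW2.match(line)) and pending:   # second half: MAC, failures
            _vr, iface, _flags, ip = pending
            rows.append({"interface": iface, "ip": ip,
                         "conflict_mac": m.group(1).lower(), "failures": int(m.group(2))})
            pending = None
    return rows

def conflicts(rows):
    """Interfaces whose Failures counter is non-zero, highest count first."""
    return sorted((r for r in rows if r["failures"] > 0), key=lambda r: -r["failures"])

def confirmed_by_log(rows, log_text):
    """Keep only conflicts that a vlan.dad.IPAddrDup log line also reports."""
    seen = {(ip, iface, mac.lower()) for ip, iface, mac in LOG_RE.findall(log_text)}
    return [r for r in conflicts(rows) if (r["ip"], r["interface"], r["conflict_mac"]) in seen]

if __name__ == "__main__":
    print(confirmed_by_log(parse_show_ip_dad(SHOW_IP_DAD), LOG))
```

Filtering on the Failures counter matters because, as in the servers row, a Conflict MAC can be listed for an interface that has recorded no failures.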


* Related Articles:
DHCP server sending DHCPNAK packets
DHCP Clients sending DHCPDECLINE packets
How to apply a bootprelay dhcp server to a specific VLAN
How to configure bootprelay
