Extreme Networks

Antonio_Opromol · ‎11-27-2023

Hi, I've got a Fabric engine where I use the NAC to assign the VLANs, and I've configured DHCP-Relay for dynamic ip address assignment for both L2VSN and L3VSN.

In L2VSN all works well and the client connected to a port of the switch when unauthorized is on a vlan where receive correctly and ip address and when the user autenticate and I assign a L2VSN with the new VLAN also the new ip address in the new vlan is obtained correctly.

The problem is when the autenticated user belong to a L3vsn vlan and no ip address is obtained (the dhcp relay on the vrf is configured as admin guide and knowledge base) and NAC correctly indicate the correct per-user-acl rule and also on the switch the show eapol sessions eap verbose show me the correct autentication and I-SID and also on the interface I see the correct VLAN.

On the client if I capture the pachet on the interface I see the dhcp requests, but seems nothing happens on the switch because the dhcp-realy counters on the VRF remains to 0.

If on the same client I configure a static IP address all works well, also the multicast routing.

Enabling debug on eapol I see the message EAP ingored DHCP packet in my VLAN 202 that is the l3vsn vlan configured on the switch (i attach the debug message).

How I can solve and debug more the problem?

Ludovico_Steven · ‎11-30-2023

Make sure DHCP Snooping is not globally enabled on the switch where you configured DHCP Relay. The former kills the latter. But they are usually mutually exclusive as the former is applied on core/distribution L3 BEBs while the latter is used on access L2 BEBs.

View solution in original post

Antonio_Opromol · ‎11-29-2023

I'm using Site Engine and also the ExtremeControl to push VLAN and I-SID with a per-user-acl and 802.1x authentication, so the radius attribute list is correctly assigned to the port from the NAC (the prove is the fact that if on this machine I assign a static IP address all works well), but I don't see the forwarding of the dhcp requests in case I want to use a dynamic ip address.

Thanks anyway

ItsJaredKushner · ‎11-27-2023

As far as i know, our network has working eapol & properly forwards dhcp packets within l3vsn vlans

Would you be okay sharing some config info?
show run mod vlan (display only vlan 202)
show run mod eap
show run mod ip (looking for "ip dhcp-relay fwd-path <vlan interface IP address> <DHCP Relay IP address>" of relevant vlan / vrf)
show run mod spbm (relavant vrf)
show run mod port (looking for specific interface gigbitethernet you tested on)

That's all i can think of at the moment.

Antonio_Opromol · ‎11-28-2023

No problem to share the configurations (it's a lab environment)

I attach the schema of the lab (4 fabric engine switches and one Switche Engine, but in my test the client is attached to port 1/23 of BEB switch named Distribution1 and I uplod the file with the output of the show command on this switch filtered to VRF Purple and port 1/23.

Thanks in advance for help.

Miguel-Angel_RO · ‎11-29-2023

Antonio,

All ok from my side forwarding DHCP as relay in a L3VSN.

I would also redistribute the static routes in the vrf.

Could you share a "show ip route vrf purple"?

Mig

Antonio_Opromol · ‎11-29-2023

Miguel,

attached there are my ip routes for vrf Purple.

Extreme Networks

DHCP-relay config on l3vsn with dynamic assignment of VLAN from NAC

DHCP-relay config on l3vsn with dynamic assignment of VLAN from NAC