DHCP-relay config on l3vsn with dynamic assignment of VLAN from NAC

Antonio_Opromol
Contributor II

Hi, I've got a Fabric engine where I use the NAC to assign the VLANs, and I've configured DHCP-Relay for dynamic IP address assignment for both L2VSN and L3VSN.

In L2VSN all works well: the client connected to a port of the switch, when unauthorized, is on a VLAN where it correctly receives an IP address, and when the user authenticates and I assign an L2VSN with the new VLAN, the new IP address in the new VLAN is also obtained correctly.

The problem is when the authenticated user belongs to an L3VSN VLAN and no IP address is obtained (the DHCP relay on the VRF is configured as per the admin guide and knowledge base). NAC correctly indicates the correct per-user-acl rule, and on the switch "show eapol sessions eap verbose" shows me the correct authentication and I-SID, and on the interface I see the correct VLAN.

On the client, if I capture the packets on the interface I see the DHCP requests, but it seems nothing happens on the switch because the dhcp-relay counters on the VRF remain at 0.

If on the same client I configure a static IP address all works well, also the multicast routing.

Enabling debug on eapol I see the message "EAP ignored DHCP packet" in my VLAN 202, which is the L3VSN VLAN configured on the switch (I attach the debug message).

How can I solve the problem and debug it further?

1 ACCEPTED SOLUTION

Ludovico_Steven
Extreme Employee

Make sure DHCP Snooping is not globally enabled on the switch where you configured DHCP Relay. The former kills the latter. But they are usually mutually exclusive as the former is applied on core/distribution L3 BEBs while the latter is used on access L2 BEBs.

11 REPLIES

Antonio,

What is the output of "traceroute 192.168.30.2 vrf purple source 10.9.202.2" on the CORE?

Mig

Miguel,

Here is the output from all the Fabric engine switches of my lab:

Distribution1:1#traceroute 192.168.30.2 vrf purple source 10.9.202.2

Sending traceroute in context vrf purple
traceroute to 192.168.30.2, 30 hops max, 56 byte packets (vrf purple)
1 * * *
2 10.9.201.2 1.425 ms 1.090 ms 1.094 ms
3 10.9.201.254 3.088 ms 2.351 ms 2.280 ms
4 192.168.30.2 2.943 ms * 1.604 ms
Distribution1:1#

Core1:1#traceroute 192.168.30.2 vrf purple source 10.9.202.2

Sending traceroute in context vrf purple
traceroute to 192.168.30.2, 30 hops max, 56 byte packets (vrf purple)
1 10.9.201.254 1.326 ms 1.226 ms 1.007 ms
2 192.168.30.2 1.159 ms 0.990 ms 0.960 ms
Core1:1#


Core2:1#traceroute 192.168.30.2 vrf purple source 10.9.202.2

Sending traceroute in context vrf purple
traceroute to 192.168.30.2, 30 hops max, 56 byte packets (vrf purple)
1 10.9.201.254 1.907 ms 0.933 ms 0.841 ms
2 192.168.30.2 1.403 ms 1.184 ms 1.076 ms
Core2:1#


Distribution2:1#traceroute 192.168.30.2 vrf purple source 10.9.202.3

Sending traceroute in context vrf purple
traceroute to 192.168.30.2, 30 hops max, 56 byte packets (vrf purple)
1 * * *
2 10.9.201.3 1.345 ms 1.185 ms 1.182 ms
3 10.9.201.254 1.147 ms 0.969 ms 0.972 ms
4 192.168.30.2 1.251 ms 0.995 ms 0.974 ms
Distribution2:1#