DHCP-relay config on l3vsn with dynamic assignment of VLAN from NAC

Antonio_Opromol
Contributor II

Hi, I've got a Fabric Engine where I use the NAC to assign the VLANs, and I've configured DHCP-Relay for dynamic IP address assignment for both L2VSN and L3VSN.

In L2VSN all works well: the client connected to a port of the switch, when unauthorized, is on a VLAN where it correctly receives an IP address, and when the user authenticates and I assign an L2VSN with the new VLAN, the new IP address in the new VLAN is also obtained correctly.

The problem is when the authenticated user belongs to an L3VSN VLAN: no IP address is obtained (the DHCP relay on the VRF is configured as per the admin guide and knowledge base), even though NAC correctly indicates the correct per-user ACL rule, on the switch "show eapol sessions eap verbose" shows me the correct authentication and I-SID, and on the interface I see the correct VLAN.

On the client, if I capture the packets on the interface I see the DHCP requests, but nothing seems to happen on the switch because the dhcp-relay counters on the VRF remain at 0.

If I configure a static IP address on the same client, everything works well, including multicast routing.

Enabling debug on eapol I see the message "EAP ingored DHCP packet" in my VLAN 202, which is the L3VSN VLAN configured on the switch (I attach the debug message).

How can I solve and debug the problem further?

1 ACCEPTED SOLUTION

Ludovico_Steven
Extreme Employee

Make sure DHCP Snooping is not globally enabled on the switch where you configured DHCP Relay. The former kills the latter. But they are usually mutually exclusive, as the former is applied on core/distribution L3 BEBs while the latter is used on access L2 BEBs.
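A quick way to catch this conflict before a rollout is to lint the running config for a global "ip dhcp-snooping enable" coexisting with DHCP relay in any VRF or VLAN context. The script below is an added example, not code from the thread or from Extreme; the sample config excerpt, the VRF name and addresses, and the exact dhcp-relay line syntax are constructed assumptions used only to exercise the check.

```python
import re

# Constructed config excerpt (not from the thread). The VOSS-style line
# syntax and the VRF/addresses are assumptions for this example only.
SAMPLE_CONFIG = """\
ip dhcp-snooping enable
router vrf green
ip dhcp-relay fwd-path 10.202.0.1 10.10.10.5 enable
exit
interface vlan 202
vrf green
ip dhcp-relay
exit
"""

# Context-opening lines we track; everything up to the next "exit" belongs to them.
CONTEXT_RE = re.compile(r"^(router vrf \S+|interface vlan \d+)$")


def audit_dhcp_relay(config: str) -> dict:
    """Flag global DHCP snooping coexisting with DHCP relay in any context.

    Returns whether snooping is enabled globally, the list of contexts
    (VRF or VLAN) that configure relay, and whether the two conflict.
    """
    snooping_global = False
    relay_contexts = []
    context = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "exit":
            context = "global"          # leave the VRF/VLAN sub-context
            continue
        m = CONTEXT_RE.match(line)
        if m:
            context = m.group(1)        # enter a VRF or VLAN sub-context
            continue
        if context == "global" and line == "ip dhcp-snooping enable":
            snooping_global = True
        elif line.startswith("ip dhcp-relay"):
            relay_contexts.append(context)
    return {
        "snooping_global": snooping_global,
        "relay_contexts": relay_contexts,
        "conflict": snooping_global and bool(relay_contexts),
    }


if __name__ == "__main__":
    result = audit_dhcp_relay(SAMPLE_CONFIG)
    if result["conflict"]:
        print("global 'ip dhcp-snooping enable' will silence DHCP relay in:",
              ", ".join(result["relay_contexts"]))
```

Run it against the output of your switch's running-config display; a non-empty relay context list together with the global snooping flag is exactly the silent-relay symptom reported above.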


Hi Ludovico, after removing the "ip dhcp-snooping enable" setting on the switch, dhcp-relay on the L3VSN now works well.

Thanks for your support.

Thanks Ludovico, indeed my switch also has the setting "ip dhcp-snooping enable" at the global level.

Next week, when I return to the office, I'll try disabling this as you suggest and give you feedback.

Thanks in advance

ItsJaredKushner
New Contributor II

So, something I noticed in the port configuration when compared to what we have.


eapol multihost non-eap-mac-max 3
eapol re-authentication-period 1800
eapol re-authentication enable

^ is missing from the config context for port 1/23.

Then again, I'm not sure if you are using Site Engine and/or MAC Authentication, but we have to have those three lines in the config context for Site Engine to see the request, and for the switch to properly forward traffic to the requesting client.

We also have a slightly modified RADIUS attribute in Site Engine.

Passport-Access-Priority=%MGMT_SERV_TYPE%
FA-VLAN-ISID=0:%CUSTOM1%
%ORG1_RADIUS_ATTRS_LIST%

But again, this works for us as we use MAC authentication through Site Engine, or "NEAP".

Good Luck
