
Clients connected on native vlan of mesh link are unable to get an IP address.
Problem:

Clients connected on native vlan of mesh link are unable to get an IP address.

 

DHCP (vlan 100,vlan 350)<----Switch1======Trunk======IAP Mesh Portal ==========IAP Mesh Point====Trunk====Switch2 --->Wired Client (vlan 350)
     
Network Topology:

1. Mesh Portal is connected to a trunk port on the switch1

Native vlan:    350
Allowed vlan :  1,350,100     
  
2. The mesh point's E0 port is connected to Switch2 and acts as the downlink port.

Switch port config:

Native vlan:    350
Allowed vlan :  1,350,100

Requirement:

1. A client connected to Switch2 on an access port for vlan 350 should get an IP address from the DHCP server present on Switch1.

This is the same vlan on which mesh portal/point are getting an IP address.

However, if we connect a client on vlan 100 (non native vlan), it gets an IP address without any issues.



Diagnostics:

We need to enable the debug packet dump for DHCP on the mesh portal and the mesh point to understand the issue better.

IAP# debug pkt match mac <mac-address of the client>

IAP# debug pkt type dhcp

IAP# debug pkt dump

 

Mesh Point :

1. We can see that the discover is seen on vlan 350 as expected.

Received packet from bond0 (timestamp (2016-5-13 16:04:07:246802))
[asap_firewall_forward(5055):firewall entry] len 342, vlan 0, egress CP, ingress bond0:
  #mac: etype 0800 smac f0:1f:af:64:d6:c3 dmac ff:ff:ff:ff:ff:ff
  #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 0, fragment ok, last fragment, fragment offset 0
    #udp: sport 68 dport 67 len 308
      #dhcp: message-type: request
             hardware type: 1, len: 6, hops: 0
             txn id: 0x69466a51, seconds elapsed: 768
             client mac: f0:1f:af:64:d6:c3
             magic cookie: 0x63825363
      #dhcp-option: message-type: discover   ---->> DISCOVER
[asap_firewall_forward(5229):vlan decision] len 342, vlan 350, egress CP, ingress bond0:   ---->> VLAN 350
[asap_firewall_check_dhcp_packet(2388):dhcp packet from client] len 342, vlan 350, egress CP, ingress bond0:
[asap_firewall_forward(5632):looking up bridge entry] len 342, vlan 350, egress CP, ingress bond0:
 

2. The OFFER packet is seen on vlan 1 rather than vlan 350 due to which the client is unable to get an IP address.

 

Received packet from aruba000 (timestamp (2016-5-13 16:04:07:366126))
[asap_firewall_forward(5055):firewall entry] len 342, vlan 0, egress CP, ingress aruba000:
  #mac: etype 0800 smac 00:0b:86:95:b9:77 dmac f0:1f:af:64:d6:c3
  #ip: sip 10.17.171.176, dip 10.17.171.183, proto 17, dscp 4, fragment ok, last fragment, fragment offset 0
   #udp: sport 67 dport 68 len 308
    #dhcp: message-type: reply
             hardware type: 1, len: 6, hops: 0
             txn id: 0x69466a51, seconds elapsed: 768
             your ip: 10.17.171.183
             next server ip: 10.17.171.176
             client mac: f0:1f:af:64:d6:c3
             magic cookie: 0x63825363
     #dhcp-option: netmask: 255.255.255.224
     #dhcp-option: router: 10.17.171.161
     #dhcp-option: dns-server: 4.2.2.2
     #dhcp-option: dns-name: tac.com
     #dhcp-option: message-type: offer   ---->> OFFER
     #dhcp-option: dhcp-server: 10.17.171.176
[asap_firewall_forward(5229):vlan decision] len 342, vlan 1, egress CP, ingress aruba000:   ---->> VLAN 1
[asap_firewall_check_dhcp_packet(2428):dhcp packet to client] len 342, vlan 1, egress CP, ingress aruba000:
 

 

Mesh Portal :

 

1. Mesh Portal also receives the DISCOVER on vlan 350.

Received packet from aruba000 (timestamp (2016-4-13 16:04:13:357822))
[asap_firewall_forward(5055):firewall entry] len 346, vlan 0, egress CP, ingress aruba000:
  #mac: etype 8100 smac f0:1f:af:64:d6:c3 dmac ff:ff:ff:ff:ff:ff
  #vlan 350, prio 0, etype 0800
  #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 0, fragment ok, last fragment, fragment offset 0
   #udp: sport 68 dport 67 len 308
   #dhcp: message-type: request
             hardware type: 1, len: 6, hops: 0
             txn id: 0x69466a51, seconds elapsed: 2816
             client mac: f0:1f:af:64:d6:c3
             magic cookie: 0x63825363
   #dhcp-option: message-type: discover
[asap_firewall_forward(5229):vlan decision] len 346, vlan 350, egress CP, ingress aruba000:
[asap_firewall_forward(5632):looking up bridge entry] len 346, vlan 350, egress CP, ingress aruba000:
[asap_firewall_forward(5943):bridge section] len 346, vlan 350, egress CP, ingress aruba000:
[asap_firewall_forward(6072):session section] len 346, vlan 350, egress vlan 350, ingress aruba000:

 

2. However, the OFFER from the uplink switch is sent over vlan 1.

 

Received packet from bond0 (timestamp (2016-4-13 16:04:13:360343))
[asap_firewall_forward(5055):firewall entry] len 342, vlan 0, egress CP, ingress bond0:
  #mac: etype 0800 smac 00:0b:86:95:b9:77 dmac f0:1f:af:64:d6:c3
  #ip: sip 10.17.171.176, dip 10.17.171.183, proto 17, dscp 4, fragment ok, last fragment, fragment offset 0
  #udp: sport 67 dport 68 len 308
   #dhcp: message-type: reply
             hardware type: 1, len: 6, hops: 0
             txn id: 0x69466a51, seconds elapsed: 2816
             your ip: 10.17.171.183
             next server ip: 10.17.171.176
             client mac: f0:1f:af:64:d6:c3
             magic cookie: 0x63825363
     #dhcp-option: netmask: 255.255.255.224
     #dhcp-option: router: 10.17.171.161
     #dhcp-option: dns-server: 4.2.2.2
     #dhcp-option: dns-name: tac.com
     #dhcp-option: message-type: offer
     #dhcp-option: dhcp-server: 10.17.171.176
[asap_firewall_forward(5229):vlan decision] len 342, vlan 1, egress CP, ingress bond0:
[asap_firewall_check_dhcp_packet(2428):dhcp packet to client] len 342, vlan 1, egress CP, ingress bond0:
[asap_firewall_forward(5632):looking up bridge entry] len 342, vlan 1, egress CP, ingress bond0:
[asap_firewall_forward(5943):bridge section] len 342, vlan 1, egress CP, ingress bond0:

 

3. The wired-port profile mapped to the E0 port has its native VLAN set to 350.

However, a wired-port profile only takes effect on a downlink port. Enabling enet0 bridging on the mesh point turns its E0 port into a downlink port, which then starts using this wired profile.

Hence, the native VLAN for the mesh point changes to VLAN 350.

4. The native VLAN on the E0 port of the mesh portal is still VLAN 1 (the default).

 

This causes the DHCP OFFER to be sent over VLAN 1.
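
The by-eye comparison above (DISCOVER classified on one VLAN, OFFER on another, same transaction ID) can be scripted when the dump is long. This is an added example, not Aruba tooling or part of the original article; it assumes the dump layout shown above, and the function names and trimmed sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the dump format shown above (not a full capture).
SAMPLE = """\
Received packet from bond0 (timestamp (2016-5-13 16:04:07:246802))
[asap_firewall_forward(5055):firewall entry] len 342, vlan 0, egress CP, ingress bond0:
             txn id: 0x69466a51, seconds elapsed: 768
      #dhcp-option: message-type: discover
[asap_firewall_forward(5229):vlan decision] len 342, vlan 350, egress CP, ingress bond0:
Received packet from aruba000 (timestamp (2016-5-13 16:04:07:366126))
             txn id: 0x69466a51, seconds elapsed: 768
     #dhcp-option: message-type: offer
[asap_firewall_forward(5229):vlan decision] len 342, vlan 1, egress CP, ingress aruba000:
"""

TXN = re.compile(r"txn id: (0x[0-9a-fA-F]+)")
MSG = re.compile(r"#dhcp-option: message-type: (\w+)")   # the DHCP option, not the BOOTP op
VLAN = re.compile(r":vlan decision\] len \d+, vlan (\d+),")

def parse_dump(text):
    """Yield (txn_id, message_type, decided_vlan) for each 'Received packet' block."""
    for block in re.split(r"(?m)^Received packet from ", text)[1:]:
        txn, msg, vlan = TXN.search(block), MSG.search(block), VLAN.search(block)
        if txn and msg and vlan:  # skip blocks that are not fully decoded DHCP
            yield txn.group(1), msg.group(1), int(vlan.group(1))

def vlan_mismatches(text):
    """Return transactions whose server replies were classified on a different
    VLAN than the client's DISCOVER/REQUEST, keyed by transaction ID."""
    seen = defaultdict(dict)
    for txn, msg, vlan in parse_dump(text):
        side = "client" if msg in ("discover", "request") else "server"
        seen[txn].setdefault(side, set()).add(vlan)
    return {t: v for t, v in seen.items()
            if "client" in v and "server" in v and v["client"] != v["server"]}

if __name__ == "__main__":
    for txn, v in vlan_mismatches(SAMPLE).items():
        print(f"txn {txn}: client on vlan {sorted(v['client'])}, "
              f"reply on vlan {sorted(v['server'])}")
```

Run it against the dump from each AP separately; a transaction reported here is one where the reply will not be bridged back to the client's VLAN.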



Solution

1. We need to configure Enet-vlan on the mesh portal.

This will be pushed to the mesh point as well.

 

The Enet-vlan setting informs the AP of the native VLAN of the upstream switch it is connected to. By default, the AP assumes it to be VLAN 1. This ensures that the AP does not send out tagged frames for clients connected on the VLAN that is the same as the native VLAN of the switch.

 

2. After configuring Enet-vlan, we can see that the native VLAN of the mesh portal changes to 350 as well.

 

3. We will check the DHCP packet dump again.

 

Mesh Point :

Received packet from aruba000 (timestamp (2016-5-13 16:07:37:490309))
[asap_firewall_forward(5055):firewall entry] len 342, vlan 0, egress CP, ingress aruba000:
  #mac: etype 0800 smac f0:1f:af:64:d6:c3 dmac ff:ff:ff:ff:ff:ff
  #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 0, fragment ok, last fragment, fragment offset 0
  #udp: sport 68 dport 67 len 308
  #dhcp: message-type: request
             hardware type: 1, len: 6, hops: 0
             txn id: 0xb249e8c7, seconds elapsed: 768
             client mac: f0:1f:af:64:d6:c3
             magic cookie: 0x63825363
   #dhcp-option: message-type: discover
[asap_firewall_forward(5229):vlan decision] len 342, vlan 350, egress CP, ingress aruba000:
[asap_firewall_check_dhcp_packet(2388):dhcp packet from client] len 342, vlan 350, egress CP, ingress aruba000:
 

Received packet from aruba000 (timestamp (2016-5-13 16:07:38:365811))
[asap_firewall_forward(5055):firewall entry] len 342, vlan 0, egress CP, ingress aruba000:
  #mac: etype 0800 smac 00:0b:86:95:b9:77 dmac f0:1f:af:64:d6:c3
  #ip: sip 10.17.171.176, dip 10.17.171.183, proto 17, dscp 4, fragment ok, last fragment, fragment offset 0
  #udp: sport 67 dport 68 len 308
  #dhcp: message-type: reply
             hardware type: 1, len: 6, hops: 0
             txn id: 0xb249e8c7, seconds elapsed: 768
             your ip: 10.17.171.183
             next server ip: 10.17.171.176
             client mac: f0:1f:af:64:d6:c3
             magic cookie: 0x63825363
    #dhcp-option: netmask: 255.255.255.224
    #dhcp-option: router: 10.17.171.161
    #dhcp-option: dns-server: 4.2.2.2
    #dhcp-option: dns-name: tac.com
    #dhcp-option: message-type: offer
    #dhcp-option: dhcp-server: 10.17.171.176
[asap_firewall_forward(5229):vlan decision] len 342, vlan 350, egress CP, ingress aruba000:
[asap_firewall_check_dhcp_packet(2428):dhcp packet to client] len 342, vlan 350, egress CP, ingress aruba000:
 

Mesh Portal :

 

Received packet from aruba000 (timestamp (2016-4-13 16:07:35:911962))
[asap_firewall_forward(5055):firewall entry] len 342, vlan 0, egress CP, ingress aruba000:
  #mac: etype 0800 smac f0:1f:af:64:d6:c3 dmac ff:ff:ff:ff:ff:ff
  #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 0, fragment ok, last fragment, fragment offset 0
  #udp: sport 68 dport 67 len 308
  #dhcp: message-type: request
             hardware type: 1, len: 6, hops: 0
             txn id: 0xb249e8c7, seconds elapsed: 768
             client mac: f0:1f:af:64:d6:c3
             magic cookie: 0x63825363
  #dhcp-option: message-type: discover
[asap_firewall_forward(5229):vlan decision] len 342, vlan 350, egress CP, ingress aruba000:
[asap_firewall_forward(5632):looking up bridge entry] len 342, vlan 350, egress CP, ingress aruba000:

Received packet from bond0 (timestamp (2016-4-13 16:07:36:788040))
[asap_firewall_forward(5055):firewall entry] len 342, vlan 0, egress CP, ingress bond0:
  #mac: etype 0800 smac 00:0b:86:95:b9:77 dmac f0:1f:af:64:d6:c3
  #ip: sip 10.17.171.176, dip 10.17.171.183, proto 17, dscp 4, fragment ok, last fragment, fragment offset 0
  #udp: sport 67 dport 68 len 308
  #dhcp: message-type: reply
             hardware type: 1, len: 6, hops: 0
             txn id: 0xb249e8c7, seconds elapsed: 768
             your ip: 10.17.171.183
             next server ip: 10.17.171.176
             client mac: f0:1f:af:64:d6:c3
             magic cookie: 0x63825363
   #dhcp-option: netmask: 255.255.255.224
   #dhcp-option: router: 10.17.171.161
   #dhcp-option: dns-server: 4.2.2.2
   #dhcp-option: dns-name: tac.com
   #dhcp-option: message-type: offer
   #dhcp-option: dhcp-server: 10.17.171.176
[asap_firewall_forward(5229):vlan decision] len 342, vlan 350, egress CP, ingress bond0:
[asap_firewall_check_dhcp_packet(2428):dhcp packet to client] len 342, vlan 350, egress CP, ingress bond0:
 

18:64:72:c1:d3:fa# show clients wired

Wired Client List
-----------------
Name             IP Address     MAC Address        OS  Network  Access Point       Role  Speed (mbps)
----             ----------     -----------        --  -------  ------------       ----  ------------
SATTY-BLR-02-PC  10.17.171.183  f0:1f:af:64:d6:c3      eth0     18:64:72:c9:c4:9c  Mesh  -
Info timestamp      :1048

 

 

 

 

 

Version History: revision 2 of 2, last updated 05-18-2016 01:23 PM