Contributor II
Posts: 61
Registered: ‎02-20-2012

VLAN Mobility option picks up wrong DHCP scope

Hello,

 

I experienced a problem: when I specified VLAN mobility, the client picks the wrong DHCP scope.

Controller Aruba 3400  OS 5.0.4.6

 

Configuration

 

VLAN200 is configured in the 3400 controller only. VLAN200 does not have Interface.

VLAN200 has DHCP server enabled.

VirtualAP V200 has Tunnel mode, WEP authentication and belongs to VLAN200. VLAN Mobility is enabled.

In the 3400 controller, Inter-VLAN routing is enabled, so that VLAN200 can route to VLAN1.

VLAN1 is configured in the 3400 controller and has Interface 1/0. This Interface 1/0 is connected to the core switch.

 

In the Core switch, VLAN1 and VLAN250 are defined. VLAN1 and VLAN250 are routable in L3. (L3 switch)

There are DHCP scopes for VLAN1 and VLAN250.

 

Remote AP is connected under VLAN250.

 

The problem is: when I connect to Virtual AP V200, the IP should be supplied by the Aruba 3400 DHCP server, but sometimes the IP is supplied from VLAN1.

 

When I disabled VLAN Mobility option, this behavior does not occur again.

 

 

Thinking of how VLAN Mobility works, the Aruba 3400 asks around other switches if the MAC address is already in the mac-address-table, and if it is, the Aruba 3400 tries to find which VLAN it used to belong to. Actually, this PC used to belong to VLAN1 a week ago, and the IP address which was wrongly assigned seems to be the same IP address as when the PC was in VLAN1.

 

In the past, I experienced a scanner which never belonged to VLAN1 picking up a VLAN1 DHCP scope IP address.

 

Reading the concept how VLAN Mobility works, my understanding is - VLAN Mobility should work if all AP connects to the same controller? In this case, two APs are connected under same VLAN250, and Tunnel mode VirtualAP V200 let the device being connected to VLAN200 within the controller. I believed that everything works fine within VLAN200 in the same Aruba 3400 controller, since it is Tunnel Mode! (Not a bridge Mode)

 

Remote AP1 - VLAN250 - Core Switch - VLAN1 - [Aruba 3400 VLAN1 - VLAN200]

Remote AP2 - VLAN250 - Core Switch - VLAN1 - [Aruba 3400 VLAN1 - VLAN200]

 

Does someone know why this behavior happens? I guess - as long as wrong mac-address-table exists in core switch, this behavior can happen. Therefore to make VLAN Mobility work ( to pick up right DHCP scope), we should shorten mac-address-table lifetime?

Or is there any misconfiguration that VLAN Mobility should not work?

Contributor II
Posts: 61
Registered: ‎02-20-2012

Re: VLAN Mobility option picks up wrong DHCP scope

I captured a Wireshark trace on the PC and found that the DHCP server which is commonly used for all VLANs sent a DHCP Offer to this PC. As a matter of fact, this PC used to join VLAN1, therefore the DHCP server remembers the MAC address and IP address which was assigned last time.

 

I assume - if we set VLAN Mobility on, Aruba controller tries to forward DHCP Request packet from controller-inside VLANs through VLAN1 which is connected to the other VLANs. Does anyone know if this behavior is working as expected?

Contributor II
Posts: 61
Registered: ‎02-20-2012

Re: VLAN Mobility option picks up wrong DHCP scope

Sorry for self replies ..

 

I set Debugging log level for DHCP and compared two cases.

 

If VLAN Mobility is enabled, DHCP Discover from a client (MAC XX:XX:XX:75:92:84) is shown from Datapath vlan1. But actually a client (MAC XX:XX:XX:75:92:84) tries to authenticate through inside-controller VLAN200.

 

May 16 16:52:45 dhcpdwrap[1435]: <202541> <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x1089 vlan 1 egress 0x1 src mac XX:XX:XX:75:92:84
May 16 16:52:45 dhcpdwrap[1435]: <202534> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER XX:XX:XX:75:92:84
May 16 16:52:45 dhcpdwrap[1435]: <202523> <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=300, from_port=68, op=1, giaddr=0.0.0.0
May 16 16:52:45 dhcpdwrap[1435]: <202532> <DBUG> |dhcpdwrap| |dhcp| got 0 relay servers
May 16 16:52:45 dhcpdwrap[1435]: <202541> <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x1040 vlan 1 egress 0x1 src mac XX:XX:XX:4e:1b:bc
May 16 16:52:45 dhcpdwrap[1435]: <202546> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: OFFER XX:XX:XX:75:92:84 clientIP=172.200.1.74
May 16 16:52:45 dhcpdwrap[1435]: <202541> <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x1089 vlan 1 egress 0x1 src mac XX:XX:XX:75:92:84
May 16 16:52:45 dhcpdwrap[1435]: <202536> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST XX:XX:XX:75:92:84 reqIP=172.200.1.74
May 16 16:52:45 dhcpdwrap[1435]: <202523> <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=327, from_port=68, op=1, giaddr=0.0.0.0
May 16 16:52:45 dhcpdwrap[1435]: <202532> <DBUG> |dhcpdwrap| |dhcp| got 0 relay servers
May 16 16:52:45 dhcpdwrap[1435]: <202541> <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x1040 vlan 1 egress 0x1 src mac XX:XX:XX:4e:1b:bc
May 16 16:52:45 dhcpdwrap[1435]: <202544> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: ACK XX:XX:XX:75:92:84 clientIP=172.200.1.74

 

If the VLAN Mobility is disabled, DHCP Discover from a client (MAC XX:XX:XX:75:92:84) is shown from Datapath vlan200 which is correct.

May 16 16:59:59 dhcpdwrap[1435]: <202541> <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x1089 vlan 200 egress 0xbb src mac XX:XX:XX:75:92:84
May 16 16:59:59 dhcpdwrap[1435]: <202534> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan200: DISCOVER XX:XX:XX:75:92:84
May 16 16:59:59 dhcpdwrap[1435]: <202523> <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=300, from_port=68, op=1, giaddr=0.0.0.0
May 16 16:59:59 dhcpdwrap[1435]: <202532> <DBUG> |dhcpdwrap| |dhcp| got 0 relay servers
May 16 17:00:00 dhcpdwrap[1435]: <202541> <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x0 vlan 200 egress 0x1089 src mac XX:XX:XX:6d:a6:98
May 16 17:00:00 dhcpdwrap[1435]: <202546> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan200: OFFER XX:XX:XX:75:92:84 clientIP=172.200.187.254
May 16 17:00:00 dhcpdwrap[1435]: <202541> <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x1089 vlan 200 egress 0xbb src mac XX:XX:XX:75:92:84
May 16 17:00:00 dhcpdwrap[1435]: <202536> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan200: REQUEST XX:XX:XX:75:92:84 reqIP=172.200.187.254
May 16 17:00:00 dhcpdwrap[1435]: <202523> <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=327, from_port=68, op=1, giaddr=0.0.0.0
May 16 17:00:00 dhcpdwrap[1435]: <202532> <DBUG> |dhcpdwrap| |dhcp| got 0 relay servers
May 16 17:00:00 dhcpdwrap[1435]: <202541> <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x0 vlan 200 egress 0x1089 src mac XX:XX:XX:6d:a6:98
May 16 17:00:00 dhcpdwrap[1435]: <202544> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan200: ACK XX:XX:XX:75:92:84 clientIP=172.200.187.254

 

Therefore, I think this behavior is caused by VLAN Mobility setting.

 

What I need to implement is L2 roaming. I do not need "VLAN Mobility" since VLAN is always same - VLAN200.

But if I choose VLAN Mobility, this behavior occurs.

To fix this behavior, purging the DHCP cache may work.

Is there any setting not to forward DHCP Discover from VLAN1 to outside, or not to forward controller-inside VLAN200 to VLAN1?

My understanding is that VLAN-VLAN routing works only for layer3 (IP level) and should not relay any broadcast-type packets unless DHCP Relay is specified...
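
The comparison done by eye in the two debug captures above can be automated. This is an added example, not code from the poster or from Aruba: it parses `Datapath vlanN:` summary lines in the format quoted in the post and reports leases ACKed on a VLAN other than the one the client is meant to use. The `EXPECTED` mapping, the sample MAC and the sample IPs are constructed assumptions.

```python
import re
from collections import defaultdict

# Summary lines of the dhcpdwrap debug format quoted in the post, e.g.
# "... |dhcp| Datapath vlan1: ACK <mac> clientIP=<ip>"
LINE_RE = re.compile(
    r"Datapath vlan(?P<vlan>\d+): (?P<msg>DISCOVER|OFFER|REQUEST|ACK) "
    r"(?P<mac>(?:[0-9A-Za-z]{2}:){5}[0-9A-Za-z]{2})"
    r"(?: (?:clientIP|reqIP)=(?P<ip>[0-9.]+))?"
)

def parse(lines):
    """Yield (vlan, message type, mac, ip-or-None) for each DHCP summary line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield int(m["vlan"]), m["msg"], m["mac"].lower(), m["ip"]

def audit(lines, expected_vlan):
    """Return (leases ACKed on an unexpected VLAN, MACs seen on more than one VLAN)."""
    wrong, vlans_by_mac = [], defaultdict(set)
    for vlan, msg, mac, ip in parse(lines):
        vlans_by_mac[mac].add(vlan)
        want = expected_vlan.get(mac)
        if msg == "ACK" and want is not None and vlan != want:
            wrong.append({"mac": mac, "vlan": vlan, "expected": want, "ip": ip})
    moved = {mac: sorted(v) for mac, v in vlans_by_mac.items() if len(v) > 1}
    return wrong, moved

# Constructed sample lines in the same format (MAC and IPs are documentation values).
PREFIX = "May 16 16:52:45 dhcpdwrap[1435]: <202534> <DBUG> |dhcpdwrap| |dhcp| "
SAMPLE = [
    PREFIX + "Datapath vlan1: DISCOVER 00:00:5E:00:53:84",
    PREFIX + "got 0 relay servers",
    PREFIX + "Datapath vlan1: OFFER 00:00:5E:00:53:84 clientIP=192.0.2.74",
    PREFIX + "Datapath vlan1: REQUEST 00:00:5E:00:53:84 reqIP=192.0.2.74",
    PREFIX + "Datapath vlan1: ACK 00:00:5E:00:53:84 clientIP=192.0.2.74",
    PREFIX + "Datapath vlan200: DISCOVER 00:00:5E:00:53:84",
    PREFIX + "Datapath vlan200: ACK 00:00:5E:00:53:84 clientIP=198.51.100.254",
]
# Assumption: the operator supplies the VLAN each client is meant to land in.
EXPECTED = {"00:00:5e:00:53:84": 200}

if __name__ == "__main__":
    wrong, moved = audit(SAMPLE, EXPECTED)
    for w in wrong:
        print("lease on unexpected VLAN:", w)
    print("clients seen on several VLANs:", moved)
```
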

Guru Elite
Posts: 21,260
Registered: ‎03-29-2007

Re: VLAN Mobility option picks up wrong DHCP scope

VLAN mobility is not relevant to your situation or in a single-controller environment.  It seems that your problem is that you have VLAN 200 bridged and both the internal DHCP server on the controller and the external DHCP server answer the client.  You need to turn one off.

 

Clients receive ip addresses from the VLAN in the virtual AP.  If you put more than one VLAN in the virtual AP, clients will be load-balanced into both VLANs.

 

What are you trying to do?

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 61
Registered: ‎02-20-2012

Re: VLAN Mobility option picks up wrong DHCP scope

Hi cjoseph,

 

What I am trying to do is - expect L2 roaming when the device moves from one AP to another.

In the virtual AP configuration, just checking IP mobility makes L3 roaming, and checking VLAN mobility makes L2 roaming.

 

I defined Tunnel mode WEP-authentication for handy scanner. VLAN200 is defined for this. Internal DHCP is defined for VLAN200 in Aruba3400 controller.

VLAN200 does not have interface in Aruba 3400.

Aruba 3400 has VLAN1, and this VLAN1 interface connects to DHCP server  and core switch (L3 switch, Cisco)

Core switch has VLAN1 and VLAN250 defined. All APs are connected under VLAN250.

 

I expect the handy scanner to work with L2 roaming when moving from one AP to another. In this case, VLAN200 is always used for roaming and roaming should take place within the controller. Therefore, VLAN mobility, such as moving the scanner device from VLAN200 to VLAN1, is not necessary here (I just want to implement L2 roaming ;)

Contributor II
Posts: 61
Registered: ‎02-20-2012

Re: VLAN Mobility option picks up wrong DHCP scope

Hi cjoseph,

 

One more thing. AP-105 is working as a RAP(Remote Access Point), not a Campus AP.

Contributor II
Posts: 61
Registered: ‎02-20-2012

Re: VLAN Mobility option picks up wrong DHCP scope

I am thinking if we can create a policy to block DHCP request (UDP 68) from VLAN200 towards VLAN1, we can stop this behavior.

Guru Elite
Posts: 21,260
Registered: ‎03-29-2007

Re: VLAN Mobility option picks up wrong DHCP scope

By default, devices should be able to roam from one AP to another when the Virtual AP mode is tunneled.  You should not have to do anything special for this to happen.

 

The controller just has to have an interface in VLAN 200.  You do not need two DHCP servers...?



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 61
Registered: ‎02-20-2012

Re: VLAN Mobility option picks up wrong DHCP scope

Hi cjoseph,

 

I thought that there are choices - L3 roaming by choosing IP mobility, and L2 roaming by choosing VLAN mobility.

By default, if we choose IP mobility only, the roaming mode is L3 mobility I think.

To make L2 mobility happen, I have to choose VLAN mobility option - that is what I thought.

 

Today I will face 3200 with 5.0.4.6 and see if the VLAN mobility option simply relays the broadcast domain from the origin VLAN to another .... I thought Aruba's design of VLAN mobility is not just simple ..

Guru Elite
Posts: 21,260
Registered: ‎03-29-2007

Re: VLAN Mobility option picks up wrong DHCP scope

Here is what you do:

 

1.  Configure a controller with a Vlan for your users

2.  Assign that VLAN to  a port on the controller

3.  Configure a WLAN with the WLAN/LAN Wizard to put users on that VLAN

4.  Users on that WLAN can roam seamlessly to every access point that you deploy in that AP group.

5.  No need to change any mobility settings

 

 

The mobility settings on the controller are for multiple controller deployments.  They do not come into play here...



Colin Joseph
Aruba Customer Engineering
