Frequent Contributor II

Why do some of my clients report 2 LAN IP addresses?

Airwave reports a number of clients with 2 IP addresses. I am trying to track down a recurring broadcast storm that clears when I momentarily disconnect the controller, and so I am trying to answer all "that's weird" questions.

 

For some of these, both addresses are pingable. For others, one address times out and the other is unreachable. End devices run the gamut: iPhone, Android, Windows 7. About 10% of clients have 2 LAN IP addresses reported by Airwave.


Accepted Solutions
Moderator

Re: Why do some of my clients report 2 LAN IP addresses?

To configure validuseracl you need to follow these steps, but it presumes you have a PEFNG license.

 

** note / disclaimer **

I have tried to follow your subnets, but you must double-check the below before just cut/pasting it into the controller CLI. Further, I strongly recommend you make a 'backup flash' just before doing this, in case you hit any issues and want to back out the changes (restore flash). You can also back up the flash from the controller WebUI: go to Maintenance -> Backup Flash -> Create Backup.


step 1> create a network destination called VALID_SUBNETS and add to it all your DHCP scopes for all VAPs. Note that in the future, if you create a new subnet, you will need to add it to this list, or the user will *not* appear in the controller despite being able to associate.

 

 

configure t
netdestination VALID_SUBNETS
  network 10.20.4.0 255.255.252.0
  network 10.114.138.0 255.255.255.0
  network 10.170.138.0 255.255.255.0
  network 10.1.1.0 255.255.252.0
!


step 2> create a network destination called PROTECTED_HOSTS and add to it all your important host IPs that reside within user subnets (i.e. default gateways, AD servers, RADIUS servers, external captive portals etc.)

 

I have scraped the below from your config; please double-check each one. These IPs can never become users in the controller (which is a good thing).

 

 

configure t
netdestination PROTECTED_HOSTS
  host 10.20.4.1
  host 10.114.138.5
  host 10.170.138.1
  host 10.1.1.61
  host 10.1.1.10
  host 10.1.1.5
  host 10.1.1.3
!

 

step 3> we are going to create two new rules in the valid user ACL, and delete one rule:

  i)   add a rule "deny anything that is using a source IP within PROTECTED_HOSTS"

  ii)  add a rule "allow anything with a source IP within VALID_SUBNETS"

  iii) delete the rule  "allow anything from anywhere" (rule 6 below)

 

the existing ACL looks like this (tidied slightly to fit on this screen)

 

# show ip access-list session validuser
validuser
---------
Priority  Source                    Destination  Service  Action
--------  ------------------------  -----------  -------  ------
1         127.0.0.0 255.0.0.0       any          any      deny
2         169.254.0.0 255.255.0.0   any          any      deny
3         224.0.0.0 240.0.0.0       any          any      deny
4         255.255.255.255           any          any      deny
5         240.0.0.0 240.0.0.0       any          any      deny
6         any                       any          any      permit

 

so we need to insert our two new rules at positions 6 and 7, and then delete the existing rule at position 6.

configure t
ip access-list session validuser
  alias PROTECTED_HOSTS any any deny position 6
  alias VALID_SUBNETS any any permit position 7
  no any any any permit
!

which we check afterwards with "show ip access-list validuser"; you should now see this (again tidied to fit, and IPv6 stuff removed)

(sg-7030) #show ip access-list validuser

ip access-list session validuser
validuser
---------
Priority  Source                    Destination  Service  Action
--------  ------------------------  -----------  -------  ------
1         127.0.0.0 255.0.0.0       any          any      deny
2         169.254.0.0 255.255.0.0   any          any      deny
3         224.0.0.0 240.0.0.0       any          any      deny
4         255.255.255.255           any          any      deny
5         240.0.0.0 240.0.0.0       any          any      deny
6         PROTECTED_HOSTS           any          any      deny
7         VALID_SUBNETS             any          any      permit
<ipv6 rules below here>

at this point you should be good to go - you should find that the junk IPs are no longer appearing in the user table and Airwave. You can check it's working using "show acl hits". In the example below you can see a couple of allows and a reject; this is from a Windows 8 client that is dual stack but also leaking the VPN IP into the controller, so usually it has 3 IPs

 

> before validuseracl

(sg-7030) #show user
fe80::a4ae:a862:2451:2211  5c:c5:d4:00:00:01  authenticated
10.11.12.13                5c:c5:d4:00:00:01  authenticated
192.168.1.3                5c:c5:d4:00:00:01  authenticated
(sg-7030) #

> added validuser acl to allow 192.168.1.0/24, disconnect -> reconnect client

(sg-7030) #show acl hit
User Role ACL Hits
------------------
<snip>

Port Based Session ACL
----------------------
Policy     Src            Dst  Service/Application  Action  New Hits  Total Hits
------     ---            ---  -------------------  ------  --------  ----------
validuser  VALID_SUBNETS  any  any                  permit  0         1
validuser  fe80::/64      any  any-v6               permit  1         1
validuser  any            any  0                    deny    2         2

> can see two hits on deny, and an allow on VALID_SUBNETS - now the user table shows:

(sg-7030) #show user
fe80::a4ae:a862:2451:2211  5c:c5:d4:00:00:01  authenticated
192.168.1.3                5c:c5:d4:00:00:01  authenticated
(sg-7030) #

and if all is well, "write memory" at the end.

 

regards

-jeff

 

* edited a few times for clarity/typos etc. *
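Added example, not part of Jeff's post or of any Aruba tooling: a small model of the validuser ACL built in steps 1-3, so the effect of the rule order can be checked before the change is pasted into a controller. ArubaOS evaluates a session ACL top-down with first match winning, and a source that matches no rule is not admitted to the user table, which is exactly why the two new rules are inserted with "position" and the catch-all permit is removed. The netdestinations are the ones from the post; the candidate IPs in main() are constructed for this example. One thing the model surfaces that is worth a second look in the scraped list: 10.1.1.0 is not on a /22 boundary, so the Python ipaddress module normalizes "10.1.1.0 255.255.252.0" to 10.1.0.0/22 (the code passes strict=False to allow it); check whether /22 or /24 was intended before pasting.

```python
"""Added example (not from the thread): model of the validuser ACL above.

Rules 1-5 are the default bogon denies shown in the post; 6 and 7 are the
two rules added.  evaluate() walks the list the way the controller does
(first match wins, no match -> not admitted).
"""
import ipaddress

# ArubaOS writes "network <addr> <mask>"; ipaddress accepts the same form.
# strict=False because 10.1.1.0 is not on a /22 boundary and is normalized
# to 10.1.0.0/22 - double-check that entry against the real scope.
VALID_SUBNETS = [
    ipaddress.ip_network("10.20.4.0/255.255.252.0", strict=False),
    ipaddress.ip_network("10.114.138.0/255.255.255.0", strict=False),
    ipaddress.ip_network("10.170.138.0/255.255.255.0", strict=False),
    ipaddress.ip_network("10.1.1.0/255.255.252.0", strict=False),
]
PROTECTED_HOSTS = [
    ipaddress.ip_address(h)
    for h in ("10.20.4.1", "10.114.138.5", "10.170.138.1",
              "10.1.1.61", "10.1.1.10", "10.1.1.5", "10.1.1.3")
]


def _in_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda ip: ip in net


# (rule name, matcher on the source address, action), in priority order.
VALIDUSER_ACL = [
    ("1 loopback",        _in_net("127.0.0.0/8"),             "deny"),
    ("2 link-local",      _in_net("169.254.0.0/16"),          "deny"),
    ("3 multicast",       _in_net("224.0.0.0/4"),             "deny"),
    ("4 broadcast",       _in_net("255.255.255.255/32"),      "deny"),
    ("5 class-e",         _in_net("240.0.0.0/4"),             "deny"),
    ("6 PROTECTED_HOSTS", lambda ip: ip in PROTECTED_HOSTS,   "deny"),
    ("7 VALID_SUBNETS",   lambda ip: any(ip in n for n in VALID_SUBNETS), "permit"),
]

# Rules 6 and 7 swapped: the mistake the "position" keywords avoid.
# With this order a gateway address would become a "user".
MISORDERED_ACL = VALIDUSER_ACL[:5] + [VALIDUSER_ACL[6], VALIDUSER_ACL[5]]


def evaluate(ip_str, acl=VALIDUSER_ACL):
    """Return (action, rule) for a candidate user source IP.

    IPv4 only: the controller keeps separate v6 rules in the same ACL.
    """
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 4:
        return ("skip", "ipv6")
    for name, matches, action in acl:
        if matches(ip):
            return (action, name)
    return ("deny", "implicit")


def render_config():
    """The controller CLI corresponding to the model above (steps 1-3)."""
    lines = ["configure t", "netdestination VALID_SUBNETS"]
    lines += [f"  network {n.network_address} {n.netmask}" for n in VALID_SUBNETS]
    lines += ["!", "netdestination PROTECTED_HOSTS"]
    lines += [f"  host {h}" for h in PROTECTED_HOSTS]
    lines += ["!", "ip access-list session validuser",
              "  alias PROTECTED_HOSTS any any deny position 6",
              "  alias VALID_SUBNETS any any permit position 7",
              "  no any any any permit", "!"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed candidates: a gateway, a real client, a VM host-only
    # address, a VPN address and a link-local address.
    for cand in ("10.20.4.1", "10.20.5.77", "192.168.56.1",
                 "10.11.12.13", "169.254.10.10"):
        print(f"{cand:16} {evaluate(cand)}  misordered: {evaluate(cand, MISORDERED_ACL)}")
    print(render_config())
```

Run it as-is to see that the gateway 10.20.4.1 is denied by rule 6 in the intended order but permitted by rule 7 in the misordered one, and that the leaked 10.11.12.13 and 192.168.56.1 never match anything and so never reach the user table.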

 

 

 

 


All-Decade MVP 2020

Re: Why do some of my clients report 2 LAN IP addresses?

broadcast-filter-arp is the "Convert broadcast ARP" option. It is on by default now, which it did not use to be, and the warning fires whether or not it is already on.

 

BTW, if it were not for Win7 hosts also showing duplicate IPs I would write that off as DHCP clients misbehaving. This happens a lot on Android and sometimes on Apple stuff. You either have to pin those guys with a DHCP reservation or run bleeding-edge DHCP servers to keep it from happening.

 



All Replies
Moderator

Re: Why do some of my clients report 2 LAN IP addresses?

Hi Kevets

2 IPs from your user subnets, or 1 IP from the user VLAN scopes and 1 UFO from 'somewhere'? Both are common, but the reasons are different; let me know which and I can make some suggestions.

regards

-jeff

Frequent Contributor II

Re: Why do some of my clients report 2 LAN IP addresses?

I have all four of these scenarios:

- 2 IPs on my default VLAN 1's DHCP address scope

- 1 on the internal scope and 1 on the guest scope

- guest IP + something off net like 192.168 or even a routable IP

- internal IP + something off net like 192.168 or even a routable IP

 

But it's really the first one that is concerning me.

 

Thanks!

 

Moderator

Re: Why do some of my clients report 2 LAN IP addresses?

 

- 2 IPs on my default VLAN 1's DHCP address scope

>> this is potentially trickier - possible causes include 2 controllers serving APs at the same location with VLAN pooling but different VLANs configured. It could also be due to the use of even VLAN pooling without preserve VLAN. May I suggest getting syslog set up, even if temporarily, and sending the output of "logging level debugging user" to the syslog; this may aid in backtracing the cause of this if none of the above jump out as possible causes. I may also be missing something obvious; maybe others will chime in here too.

 

- 1 on the internal scope and 1 on the guest scope

>> I am assuming the internal scope means something you expect for clients doing PEAP or something like this, and guest means guest. This could be due to clients having both configured / having connected to both at some point. Potentially you could try something like adding a space on the end of the guest ESSID, which might stop people moving between the two for a while. I suppose you could also check in Airwave to see if these are legit connections to guest, or this could also be due to the same as below for the 'off-net' case, depending on the subnet of your guest network.

 

- guest IP + something off net like 192.168 or even a routable IP

- internal IP + something off net like 192.168 or even a routable IP

>> in these two cases it's likely leakage from the client's 3G/4G IP, virtual machines, VPNs etc. The typical case is you see random IPs like 192.168.56.x, which usually come from VMware on machines.

 

To deal with this you should configure a validuseracl allowing the DHCP subnets and specifically denying protected hosts (i.e. default gateways within the VLAN, RADIUS if it's on any user subnet etc).

 

If you're not familiar with validuseracl, let me know, I will post here about it.

 

regards

-jeff
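Added example, not part of Jeff's reply: a short triage script that sorts "show user" output (the layout used elsewhere in this thread) into the four double-IP patterns Kevets listed, so the case that matters (two addresses from the same scope) is separated from the internal+guest and off-net leakage cases before anyone starts reading syslog. The scope boundaries and the sample output are assumptions constructed for this example; substitute your own DHCP scopes.

```python
"""Added example (not from the thread): triage of double-IP user entries.

Groups IPv4 user-table lines by MAC and labels every MAC that holds more
than one address by which scopes the addresses fall in.
"""
import ipaddress
from collections import defaultdict

# Assumed scopes for this example, not taken from the thread.
SCOPES = {
    "internal": ipaddress.ip_network("10.1.1.0/24"),
    "guest": ipaddress.ip_network("10.20.4.0/22"),
}

# Constructed sample in the "show user" layout used in the thread.
SAMPLE_SHOW_USER = """\
10.1.1.120    5c:c5:d4:00:00:01  authenticated
10.1.1.121    5c:c5:d4:00:00:01  authenticated
10.1.1.50     5c:c5:d4:00:00:02  authenticated
10.20.4.77    5c:c5:d4:00:00:02  authenticated
10.20.4.90    5c:c5:d4:00:00:03  authenticated
192.168.56.1  5c:c5:d4:00:00:03  authenticated
10.1.1.60     5c:c5:d4:00:00:04  authenticated
fe80::1       5c:c5:d4:00:00:04  authenticated
10.1.1.61     5c:c5:d4:00:00:05  authenticated
"""


def scope_of(ip):
    """Name of the DHCP scope an address belongs to, or "off-net"."""
    for name, net in SCOPES.items():
        if ip in net:
            return name
    return "off-net"


def parse_show_user(text):
    """Group IPv4 user-table entries by MAC; v6 and junk lines are skipped."""
    by_mac = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if ip.version == 4:
            by_mac[parts[1].lower()].append(ip)
    return by_mac


def triage(text):
    """Return {mac: pattern} for every MAC with more than one IPv4 address."""
    findings = {}
    for mac, ips in parse_show_user(text).items():
        if len(ips) < 2:
            continue
        scopes = sorted({scope_of(ip) for ip in ips})
        if scopes == ["off-net"]:
            label = "off-net only"
        elif len(scopes) == 1:
            # Two leases from one scope: the case to chase on the DHCP/VLAN
            # side rather than write off as client-side leakage.
            label = f"same-scope duplicate ({scopes[0]})"
        else:
            label = "+".join(scopes)
        findings[mac] = label
    return findings


def summary(text):
    """Counts for the "about 10% of clients" style question."""
    by_mac = parse_show_user(text)
    flagged = triage(text)
    return {
        "clients": len(by_mac),
        "double_ip": len(flagged),
        "same_scope": sum(v.startswith("same-scope") for v in flagged.values()),
    }


if __name__ == "__main__":
    for mac, label in triage(SAMPLE_SHOW_USER).items():
        print(mac, label)
    print(summary(SAMPLE_SHOW_USER))
```

Paste real "show user" output in place of the sample; IPv6 link-local entries are ignored on purpose so dual-stack clients are not counted as double-IP.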

 

 

 

 

Frequent Contributor II

Re: Why do some of my clients report 2 LAN IP addresses?

wow, many thanks!

 

I just have the 1 controller. I am syslogging the controller currently (and wow, does it spew the info!). I'll see about adding the debugging user.

 

I am out of my depth quickly with Aruba, so it might take a while to figure out VLAN preserve. I am attaching my 7210's config file.

 

My guest SSID comes over a tunneled VLAN and they get their addresses from the 7210. My Private SSID is VLAN 1 and it gets addresses from my DHCP server.

 

I am having some strange network problems, and if I pull the Aruba controller interface for a few seconds, it clears my problems (which are manifest as a broadcast storm and spanning tree flapping). I generally only have that problem once or twice in the opening hours of the business, and once I clear it with the controller cable pull, it's good until the next day. I've been chasing any number of possibilities, so now am wondering if I have a wired+wireless PC that is somehow causing a loop on power-up

 

Moderator

Re: Why do some of my clients report 2 LAN IP addresses?


@Kevets wrote:

wow, many thanks!

 

I just have the 1 controller. I am syslogging the controller currently (and wow, does it spew the info!). I'll see about adding the debugging user.

 

I am out of my depth quickly with Aruba, so it might take a while to figure out VLAN preserve. I am attaching my 7210's config file.

[-jeff] Ignore the bit about preserve VLAN (you only have one). Based on your config, it seems maybe nothing as complicated as I was thinking. Is there any possibility of another DHCP server on VLAN 1?

 

My guest SSID comes over a tunneled VLAN and they get their addresses from the 7210. My Private SSID is VLAN 1 and it gets addresses from my DHCP server.

 

I am having some strange network problems, and if I pull the Aruba controller interface for a few seconds, it clears my problems (which are manifest as a broadcast storm and spanning tree flapping). I generally only have that problem once or twice in the opening hours of the business, and once I clear it with the controller cable pull, it's good until the next day. I've been chasing any number of possibilities, so now am wondering if I have a wired+wireless PC that is somehow causing a loop on power-up

[-jeff] I see you have bcmc-opt turned on in the VLANs; please also go to each virtual-ap profile and enable "Broadcast Filter All". This may help with any problem caused by a bridged client. It is also good practice, as it keeps various L2 junk off the WLAN (like BPDUs etc.)

 


 

Frequent Contributor II

Re: Why do some of my clients report 2 LAN IP addresses?

thanks so much Jeff. Any details you can post on validuser acl would be appreciated. Maybe something I could cut and paste into a cli config? The controller screens are too many!

 

I only have a Windows Server domain controller providing DHCP leases on VLAN 1.

Frequent Contributor II

Re: Why do some of my clients report 2 LAN IP addresses?

I'm probably looking in the wrong place, but I don't see "Broadcast Filter All".

 

In VAP, I see 3 related options:

Dynamic/Multicast Optimization (currently off)

Drop Broadcast and unknown multicast (currently off)

Convert broadcast ARP request to unicast (currently on)

Frequent Contributor II

Re: Why do some of my clients report 2 LAN IP addresses?

Should my "Forward Mode" in VAPs that use VLAN 1 be set to tunnel? That's how they are currently.

Moderator

Re: Why do some of my clients report 2 LAN IP addresses?

In VAP, I see 3 related options:

Dynamic/Multicast Optimization (currently off)

Drop Broadcast and unknown multicast (currently off)

Convert broadcast ARP request to unicast (currently on)


It is the middle one (sorry, in the CLI it's called broadcast-filter all). "Drop broadcast and unknown multicast" - enable it.
