Summary: An ATN device functions as a DHCP relay agent, and base stations of two vendors
are connected to different DHCP servers. A DHCP server or a firewall in front of it discards
the DHCP Request messages relayed for base stations of one specific vendor. As a result, users
attached to that base station fail to get online.
[Problem Description]
Usage scenario:
The login failure occurs only in a Layer 3 HVPN scenario, not in a Layer 2 + Layer 3 L3VPN scenario.
Base stations of two or more vendors connected to the ATN device attempt to get online
through different DHCP servers.
Firewall rules are specified for private IP addresses on a wireless network management
system (NMS) to drop packets with IP addresses that are not in the specified wireless
network segment.
Trigger conditions:
The problem occurs if the following conditions are met:
An HVPN is configured on an ATN device.
Base stations of two or more vendors are connected to the ATN device.
The base stations obtain IP addresses assigned by different DHCP servers.
Firewall rules are specified for private IP addresses on at least one wireless NMS to
drop packets with IP addresses that are not in the specified wireless network segment.
Symptom:
Users attached to a base station of a specific vendor can get online, and users attached
to a base station of another vendor fail to get online.
Identification method:
Query the device version.
Run the display version command in the user view.
Check that DHCP relay is configured on an L3VPN interface.
Run the display interface GigabitEthernet 0/3/1.200 command in the user view.
In the preceding command, 0 indicates the slot number, 3 indicates the subcard number,
1 indicates the interface number, and 200 indicates the sub-interface number. Specify these
figures based on real-world situations.
Check that multiple L3VPN interfaces are configured on the ATN device. In addition,
DHCP relay is enabled and different DHCP server IP addresses are specified on the
interfaces.
Run the display interface GigabitEthernet 0/3/2.200 command in the user view.
In the preceding command, 0 indicates the slot number, 3 indicates the subcard
number, 2 indicates the interface number, and 200 indicates the sub-interface
number. Specify these figures based on real-world situations.
A DHCP login failure occurs.
Note that the ATN device does not detect this failure by itself. When users attached to a
base station fail to get online through DHCP via the ATN device, the event has to be reported
to the ATN side from the wireless side (the base station or the wireless NMS).
[Root Cause]
No RFC specifies which source IP address a DHCP relay agent must use when it forwards a
DHCP Request message. In a VRF or native IP scenario, the ATN device automatically uses
the IP address of the outbound interface as the source IP address of the forwarded DHCP
Request message.
In an L3VPN scenario, however, an ATN device functioning as a DHCP relay agent sets the
source IP address of all forwarded DHCP Request messages to the first valid private IP
address in the VRF, regardless of the interface on which the Request was received. The
base station of each vendor is connected to its own NMS, which functions as the DHCP
server for that base station. On the NMS server or on a firewall in front of it, rules for
private IP addresses drop packets whose IP addresses are not in the wireless network
segment expected for that vendor. As a result, a DHCP Request message that should have
carried the second valid private IP address in the VRF (the address of the interface facing
the second vendor's base station) instead carries the first valid private IP address in the
VRF, falls outside the permitted segment, and is dropped.
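The following Python model, added here as an illustration and not part of the original bulletin, reproduces the failure described above and the effect of pinning the relay source address per interface. The topology, addresses, interface names and the per-server firewall segments are constructed sample data; the behaviour modelled is the one the bulletin describes (first valid private address in the VRF used for every relayed Request), and the fix is generalised to every relay-enabled interface rather than only the one that happens to fail.

```python
import ipaddress

# Constructed topology (example data, not from the original bulletin):
# two base-station-facing sub-interfaces in one VRF on the ATN device,
# each relaying DHCP to a different vendor NMS that acts as DHCP server.
VRF_INTERFACES = [
    {"name": "GigabitEthernet0/3/1.200", "ip": "10.1.1.1/24", "dhcp_server": "192.0.2.10"},
    {"name": "GigabitEthernet0/3/2.200", "ip": "10.2.2.1/24", "dhcp_server": "198.51.100.10"},
]

# Constructed server-side firewall policy: each NMS only accepts relayed
# DHCP whose source address lies in the wireless segment it expects.
SERVER_ALLOWED_SEGMENT = {
    "192.0.2.10": ipaddress.ip_network("10.1.1.0/24"),
    "198.51.100.10": ipaddress.ip_network("10.2.2.0/24"),
}


def first_valid_private_ip(vrf_ifaces):
    """Relay source selection described in the bulletin for the L3VPN case:
    the first private address found in the VRF, independent of ingress interface."""
    for iface in vrf_ifaces:
        addr = ipaddress.ip_interface(iface["ip"]).ip
        if addr.is_private:
            return addr
    raise ValueError("no private address in VRF")


def relay_source(vrf_ifaces, ingress, override):
    """Source address stamped on the forwarded Request.

    `override` maps interface name -> address configured with
    ip relay source-ip-address; an interface without an entry falls back
    to the default (first valid private address in the VRF)."""
    if ingress["name"] in override:
        return ipaddress.ip_address(override[ingress["name"]])
    return first_valid_private_ip(vrf_ifaces)


def server_accepts(server_ip, src_ip):
    """Model of the NMS firewall rule: drop anything outside the expected segment."""
    return src_ip in SERVER_ALLOWED_SEGMENT[server_ip]


def simulate(vrf_ifaces, override):
    """Return {interface name: (verdict, source address used)} for one Request
    relayed from each base-station-facing interface."""
    results = {}
    for iface in vrf_ifaces:
        src = relay_source(vrf_ifaces, iface, override)
        verdict = "accepted" if server_accepts(iface["dhcp_server"], src) else "dropped"
        results[iface["name"]] = (verdict, str(src))
    return results


def default_behaviour():
    """No ip relay source-ip-address configured anywhere."""
    return simulate(VRF_INTERFACES, {})


def with_fix():
    """ip relay source-ip-address <own address> on every relay-enabled interface,
    which is the general form of the bulletin's recovery measure."""
    override = {iface["name"]: str(ipaddress.ip_interface(iface["ip"]).ip)
                for iface in VRF_INTERFACES}
    return simulate(VRF_INTERFACES, override)


if __name__ == "__main__":
    for label, res in (("default", default_behaviour()), ("fixed", with_fix())):
        print(label)
        for name, (verdict, src) in res.items():
            print(f"  {name}: source {src} -> {verdict}")
```

In the default run the second interface's Request leaves with 10.1.1.1 as its source, which the second vendor's NMS firewall (expecting 10.2.2.0/24) drops; the first vendor's base station keeps working, which matches the one-vendor-only symptom. Configuring the source address per interface makes each relayed Request carry an address inside the segment its own DHCP server permits.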
[Impact and Risk]
Users on a base station attached to the ATN device fail to get online using DHCP.
[Measures and Solutions]
Recovery measures:
Run the ip relay source-ip-address 24.1.1.2 command on the DHCP relay-enabled
interface of the ATN device whose relayed Requests are being dropped. 24.1.1.2 is the
source IP address to be carried in DHCP Request messages forwarded from that interface.
Note that 24.1.1.2 must be the IP address of the interface connected to the affected base
station, that is, an address inside the wireless network segment that the corresponding
NMS firewall permits.
Workarounds:
Run the ip relay source-ip-address 24.1.1.2 command on the DHCP relay-enabled
interface of the ATN device whose relayed Requests are being dropped. 24.1.1.2 is the
source IP address to be carried in DHCP Request messages forwarded from that interface.
Solutions:
Install the patch that matches the ATN model and software version in use, as listed
below. After the patch is installed, the ip relay source-ip-address command is added
automatically.
On ATN 910 and ATN 950 devices running versions earlier than V200R001C02SPC200,
upgrade them to V200R001C02SPC200 and install the patch V200R001SPH009 or later.
On ATN 910 and ATN 910I devices running V200R002C00, install the patch
V200R002SPH005 or later.
On ATN 950B devices running versions earlier than V200R001C02, upgrade
them to V200R001C02 and install the patch V200R001SPH008 or later.
On ATN 950B devices running V200R002C00, install the patch V200R002SPH002
or later.