08-11-2017 07:37 AM
Hi Folks,
After deploying ISE behind an F5 LB for a while, we noticed the endpoint ownership keeps changing. So we took a look at the LB iRule configuration on F5 for RADIUS and DHCP.
We found the DHCP iRule from the Cisco How-To document does not seem to work, even though we followed the guide to configure F5. Every time, DHCP profiling traffic sent from the routers is still "round-robin" sent to both PSNs in the group. Also we don't see it create persistence records in the F5 persistence table, which causes our endpoint ownership to keep flapping.
Has anyone here seen something similar? Does anyone have a working iRule for DHCP profiling to share?
Thank you.
08-11-2017 11:18 AM
NVM, I found the problem.
We were using CLIENT_DATA for DHCP profiling. After I changed it to CLIENT_ACCEPTED, everything works.
Also found out some DHCP requests from old phones don't have Option 61...
08-14-2017 01:06 PM
Here is an updated iRule (F5-iRule-dhcp_mac_sticky(June 2016).txt) which has not yet been added to the guide...
# iRule dhcp_mac_sticky rev 0.5 (2016/05/23)
#
# Written By: Shun Takahashi
# Updated By: Jay Cedrone (2014)
# Updated By: Craig Hyps (2015)
# Updated By: Brad Parker (2016)
#
# Original By: Jun Chen (j.chen at f5.com)
# Original At: https://devcentral.f5.com/community/group/aft/25727/asg/50
#
# RFC 2131 defines the DHCP packet structure. This iRule scans the
# UDP payload and stores a persistence record in the session table
# keyed on the client MAC carried in the Option 61 client identifier.
#
# Requirement: the rule requires a virtual server listening on the DHCP
# traffic in the middle, either in-line or out of band.
#
# 1) In-line to DHCP traffic
#
#    profile udp udp_dhcp {
#        allow-no-payload disabled
#        app-service none
#        datagram-load-balancing disabled
#        idle-timeout immediate
#        ip-tos-to-client 0
#        link-qos-to-client 0
#        proxy-mss disabled
#    }
#
#    ltm virtual vs_dhcp {
#        destination 0.0.0.0:bootps
#        ip-protocol udp
#        mask any
#        profiles {
#            udp_dhcp { }
#        }
#        rules {
#            dhcp_mac_sticky
#        }
#        source 0.0.0.0/0
#        translate-address disabled
#        vlans {
#            local
#        }
#        vlans-enabled
#    }
#
# 2) Receiving a mirrored DHCP stream
#
# References: RFC 2132 DHCP Options and BOOTP Vendor Extensions
#             RFC 1533 DHCP Options and BOOTP Vendor Extensions (Obsoleted)
#             RFC 4702 The Dynamic Host Configuration Protocol (DHCP) Client
#                      Fully Qualified Domain Name (FQDN) Option
#
timing off

when RULE_INIT {
    # Rule name and version shown in the log
    set static::RULE_NAME "DHCP MAC Sticky v0.5"
    set static::RULE_ID "dhcp_mac_sticky"
    # 0: no debug logging, 1: debug logging
    set static::debug 0
    # Persistence record timeout (seconds)
    set static::persist_ttl 7200
}

when CLIENT_ACCEPTED priority 100 {
    # Using High-Speed Logging in this rule
    set log_prefix "\[$static::RULE_ID\]([IP::client_addr])"
    set log_prefix_d "$log_prefix\(debug\)"
    if {$static::debug}{log local0.debug "$log_prefix_d ***** iRule: $static::RULE_NAME executed *****"}

    if { [UDP::payload length] < 200 } {
        log local0.info "$log_prefix Ignored due to length\(less than 200 octet\)"
        drop
        return
    } else {
        # BOOTP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs,
        # broadcast flag, ciaddr, yiaddr, siaddr, giaddr and the first
        # six octets of chaddr (28 octets scanned in total)
        binary scan [UDP::payload] ccccH8SB1xa4a4a4a4H2H2H2H2H2H2 \
            msg_type hw_type hw_len hops transaction_id seconds \
            bootp_flags client_ip_hex your_ip_hex server_ip_hex \
            relay_ip_hex m(a) m(b) m(c) m(d) m(e) m(f)

        # Put client address into variables for the session key
        set your_ip [IP::addr $your_ip_hex mask 255.255.255.255]
        set client_mac "$m(a):$m(b):$m(c):$m(d):$m(e):$m(f)"

        # Remaining fixed fields, read for debugging only: skip the 28-octet
        # header above, then chaddr (16), sname (64), file (128) and the
        # 4-octet magic cookie that sits at offset 236
        binary scan [UDP::payload] x28H32H128H256H8 \
            chaddr_hex server_host_name boot_file magic_cookie
        if {$static::debug}{log local0.debug "$log_prefix_d BOOTP: $your_ip $client_mac"}

        # DHCP options start at offset 240 as a type/length/value list
        binary scan [UDP::payload] x240H* dhcp_option_payload
        set option_hex 0
        # length of the option hex string (two characters per octet)
        set options_length [expr {([UDP::payload length] - 240) * 2}]
        set i 0
        while {$i < $options_length} {
            # extract the option code and convert it to decimal
            # for human readability
            binary scan $dhcp_option_payload x${i}a2 option_hex
            set option [expr 0x$option_hex]
            incr i 2
            # option 0 (pad) is a single octet with no length field and
            # option 255 (end) terminates the list; neither carries a length
            if { $option == 0 } { continue }
            if { $option == 255 } { break }
            # extract the length field and convert it from hex string to decimal
            binary scan $dhcp_option_payload x${i}a2 length_hex
            set length [expr 0x$length_hex]
            incr i 2
            # extract the value field in hexadecimal format and advance past it
            binary scan $dhcp_option_payload x${i}a[expr {$length * 2}] value_hex
            incr i [expr {$length * 2}]
            switch $option {
                61 {
                    # Client Identifier
                    # This option is used by DHCP clients to specify their unique
                    # identifier. DHCP servers use this value to index their database of
                    # address bindings. This value is expected to be unique for all
                    # clients in an administrative domain.
                    #
                    # first octet is the hardware type, the rest is the identifier
                    binary scan $value_hex a2a* ht id
                    switch $ht {
                        01 {
                            # Ethernet: identifier is the 6-octet MAC address
                            binary scan $id a2a2a2a2a2a2 m(a) m(b) m(c) m(d) m(e) m(f)
                            # Normalize MAC address to upper case
                            set value [string toupper "$m(a)-$m(b)-$m(c)-$m(d)-$m(e)-$m(f)"]
                        }
                        default {
                            # any other identifier type: use the raw hex string as the key
                            set value "$id"
                        }
                    }
                    persist uie $value $static::persist_ttl
                    # if {$static::debug}{log local0.debug "$log_prefix_d ***** iRule: $static::RULE_NAME completed ***** OPTION61=$value TARGET=[persist lookup uie $value]"}
                    if {$static::debug}{log local0.debug "$log_prefix_d ***** iRule: $static::RULE_NAME completed ***** OPTION61=$value TARGET=[persist lookup uie "$value any virtual"]"}
                }
            }
        }
    }
}
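The option walk the iRule performs, as an added Python example (not part of this thread or of the iRule above), so the persistence key can be checked offline against captured datagrams. It follows RFC 2131 offsets (chaddr at 28, magic cookie at 236, options at 240), honours the pad (0) and end (255) options that carry no length field, and derives the same key the iRule passes to `persist uie`: upper-case dash-separated MAC when the Option 61 hardware type is 01, the raw hex identifier otherwise. One design choice goes beyond the iRule and is an assumption of this example: when Option 61 is absent (the old phones mentioned above), it falls back to chaddr, whereas the iRule issues no `persist` call in that case, so such datagrams are load balanced normally. The sample datagrams, MAC addresses and hostnames are constructed.

```python
"""Constructed DHCP option parser mirroring the persistence-key logic of the
dhcp_mac_sticky iRule. Added example, not code from the thread."""
import struct

# RFC 2131 layout: 236-byte fixed header, 4-byte magic cookie, options at 240
# (the iRule's "x240"); chaddr starts at offset 28, hlen is the third octet.
CHADDR_OFFSET = 28
COOKIE_OFFSET = 236
OPTIONS_OFFSET = 240
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MIN_LEN = 200  # the iRule drops anything shorter than 200 octets


def parse_options(payload: bytes) -> dict:
    """Walk the TLV option list. Pad (0) has no length field and end (255)
    terminates the list; both must be handled before a length byte is read."""
    options = {}
    i = OPTIONS_OFFSET
    while i < len(payload):
        code = payload[i]
        i += 1
        if code == 0:
            continue
        if code == 255:
            break
        if i >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i]
        i += 1
        value = payload[i:i + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value  # a repeated code overwrites, as the iRule's switch would
        i += length
    return options


def mac_str(raw: bytes) -> str:
    """Upper-case, dash-separated form, matching the iRule's 'string toupper'."""
    return "-".join(f"{b:02X}" for b in raw)


def persistence_key(payload: bytes):
    """Return the value the iRule would pass to 'persist uie', or None when the
    datagram would be dropped or carries no DHCP options. The chaddr fallback
    is an assumption of this example; the iRule only persists on Option 61."""
    if len(payload) < MIN_LEN:
        return None
    if payload[COOKIE_OFFSET:OPTIONS_OFFSET] != MAGIC_COOKIE:
        return None
    hlen = min(payload[2], 16)
    chaddr = payload[CHADDR_OFFSET:CHADDR_OFFSET + hlen]
    client_id = parse_options(payload).get(61)
    if client_id is None:
        return mac_str(chaddr)
    htype, ident = client_id[0], client_id[1:]
    if htype == 1 and len(ident) == 6:  # Ethernet: the iRule's "01" branch
        return mac_str(ident)
    return ident.hex()  # other identifier types: raw hex, the iRule's default branch


def build_discover(chaddr: bytes, options: bytes) -> bytes:
    """Constructed DHCPDISCOVER: BOOTREQUEST, htype 1, hlen 6, xid 0x12345678."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, 0x12345678, 0, 0x8000,
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return header + MAGIC_COOKIE + options


# Constructed sample datagrams (MACs and hostnames are made up)
MAC_A = bytes.fromhex("001122aabbcc")
MAC_B = bytes.fromhex("0a0b0c0d0e0f")
# Laptop: message type (53), client identifier (61, htype 1 + MAC), hostname (12), end, pad
PKT_WITH_OPT61 = build_discover(
    MAC_A,
    b"\x35\x01\x01" + b"\x3d\x07\x01" + MAC_A + b"\x0c\x05hostA" + b"\xff" + b"\x00" * 20,
)
# Old phone: vendor class (60) but no Option 61
PKT_NO_OPT61 = build_discover(
    MAC_B,
    b"\x35\x01\x01" + b"\x3c\x05phone" + b"\xff" + b"\x00" * 20,
)
# Non-Ethernet identifier type (htype 0, opaque bytes)
PKT_OPAQUE_ID = build_discover(MAC_B, b"\x3d\x04\x00abc" + b"\xff")

if __name__ == "__main__":
    for name, pkt in [("with Option 61", PKT_WITH_OPT61),
                      ("no Option 61", PKT_NO_OPT61),
                      ("opaque client id", PKT_OPAQUE_ID),
                      ("runt datagram", b"\x01" * 100)]:
        print(f"{name:18s} -> {persistence_key(pkt)}")
```

Running it prints one key per sample; the two MAC-derived keys are the strings you would expect to find in the F5 persistence table (`show ltm persistence persist-records`), and a `None` for the runt datagram corresponds to the iRule's `drop`. To see which endpoints would never get a record with the unmodified iRule, replace the chaddr fallback with `return None`.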
08-17-2017 07:03 AM
This is perfect, thank you very much.