01-23-2013 07:32 AM - edited 03-07-2019 11:16 AM
Dear all,
I have a strange behavior between a WLC 5508 (version 7.0.116.0) and NEXUS7010.
WLC
The WLC is configured in DHCP Bridging Mode (it sends DHCP requests without change)
Nexus
The VLAN interface is configured as follows
interface Vlan501
  ip access-group acl-int-vlan501-in-1 in
  no ip redirects
  ip address 10.12.56.4/21
  ip ospf network broadcast
  ip router ospf 100 area 10.23.0.0
  hsrp 51
    preempt delay minimum 15
    priority 80
    ip 10.12.56.1
  ip dhcp relay address 10.21.16.2
  ip dhcp relay address 10.21.16.3
  no shutdown
  description - VLAN euh-wlan-bg-guest -
The "partial" ACL is as follows :
ip access-list acl-int-vlan501-in-1
  10 remark -- hsrp ----
  20 permit udp 10.12.56.0/29 224.0.0.2/32 eq 1985 log
  40 remark -- dhcp ----
  50 permit udp any eq bootpc any eq bootps log
  60 ------
The issue is:
Clients intermittently cannot obtain an IP address.
If I deactivate the ACL when the problem appears (when the client cannot obtain an IP@), the problem is resolved.
Note: Before, the WLC was connected to a Catalyst 6500 and worked properly for 2 years (with the same configuration).
I saw this note about differences between DHCP relay on the NEXUS7000/NXOS and IP helper on the 6500/IOS:
https://supportforums.cisco.com/docs/DOC-14753
Do you think the problem may come from the DHCP relay or the ACL on the NEXUS?
If someone has an idea, do not hesitate.
Best regards
René
01-23-2013 08:06 AM
What version of code are you running on the N7K?
At least in some 5.x versions of NX-OS, DHCP relay will not be treated specially in control-plane. This means that if you have drops in your class-default class in your control-plane policy, some of those drops could be DHCP that should have been relayed. You can check this with the command:
show policy-map interface control-plane class class-default
If this is the case, you can work around it by creating a class-map in control-plane policy to match this traffic separately.
The following is a trimmed down version from this config guide on 6.x which supports DHCP in control-plane. In 6.x they also set COS value -- you can reference the guide and include if you choose to.
ip access-list copp-system-p-acl-dhcp
  permit udp any neq bootps any eq bootps
  permit udp any eq bootpc any
ip access-list copp-system-p-acl-dhcp-relay-response
  permit udp any eq bootps any
  permit udp any any eq bootpc
class-map type control-plane match-any copp-system-p-class-normal-dhcp
  match redirect dhcp-snoop
  match access-group name copp-system-p-acl-dhcp
class-map type control-plane match-any copp-system-p-class-normal-dhcp-relay-response
  match access-group name copp-system-p-acl-dhcp-relay-response
policy-map type control-plane copp-system-policy
  class copp-system-p-class-normal-dhcp
    police cir 680 kbps bc 250 ms conform transmit violate drop
  class copp-system-p-class-normal-dhcp-relay-response
    police cir 900 kbps bc 500 ms conform transmit violate drop
Hope this helps,
Matt
01-23-2013 11:40 PM
Hi,
Thank you for the quick response,
Version In N7K is 5.2(3a)
No DROP in control-plane
Best regards
07-31-2015 09:04 AM
Matt,
We recently had a similar issue with our Nexus 7000 running 5.2(3a), the same version as the OP. Our issue was that PXE clients would intermittently get an IP address via DHCP. I implemented a similar control-plane policy on our Nexus 7000 and that fixed the issue. Thank you for your post and helping us fix our issue!
! Create ACLs to match DHCP traffic
ip access-list system-p-acl-dhcp
  permit udp any neq bootps any eq bootps
  permit udp any eq bootpc any
ip access-list system-p-acl-dhcp-relay-response
  permit udp any eq bootps any
  permit udp any any eq bootpc
! Modify existing class-map
class-map type control-plane match-any copp-system-class-redirect
  no match redirect dhcp-snoop
! Create new class-maps
class-map type control-plane match-any system-p-class-normal-dhcp
  match access-group name system-p-acl-dhcp
  match redirect dhcp-snoop
class-map type control-plane match-any system-p-class-normal-dhcp-relay-response
  match access-group name system-p-acl-dhcp-relay-response
! Add new class maps into system control plane policy
policy-map type control-plane copp-system-policy
  class system-p-class-normal-dhcp
    police cir 1 mbps bc 500 ms conform transmit violate drop
  class system-p-class-normal-dhcp-relay-response
    police cir 1 mbps bc 500 ms conform transmit violate drop
! Verify DHCP traffic is now handled by the new classes with the higher CIR
show policy-map interface control-plane class system-p-class-normal-dhcp
Control Plane
  service-policy input: copp-system-policy
    class-map system-p-class-normal-dhcp (match-any)
      match access-group name system-p-acl-dhcp
      match redirect dhcp-snoop
      police cir 1 mbps , bc 500 ms
      module 1 :
        conformed 556491 bytes; action: transmit
        violated 0 bytes; action: drop
      module 2 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop
      module 10 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop
show policy-map interface control-plane class system-p-class-normal-dhcp-relay-response
Control Plane
  service-policy input: copp-system-policy
    class-map system-p-class-normal-dhcp-relay-response (match-any)
      match access-group name system-p-acl-dhcp-relay-response
      police cir 1 mbps , bc 500 ms
      module 1 :
        conformed 450674 bytes; action: transmit
        violated 0 bytes; action: drop
      module 2 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop
      module 10 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop
Here’s what the default class looks like. As you can see, there are many drops… Should we raise the CIR on this class to prevent other issues?
show policy-map interface control-plane class class-default
Control Plane
  service-policy input: copp-system-policy
    class-map class-default (match-any)
      police cir 100 kbps , bc 250 ms
      module 1 :
        conformed 17379304 bytes; action: transmit
        violated 36271565 bytes; action: drop
      module 2 :
        conformed 106658 bytes; action: transmit
        violated 963 bytes; action: drop
      module 10 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop
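The per-module counters quoted in this thread can be checked mechanically. The Python below is an added example, not code from any poster or from Cisco: it parses "show policy-map interface control-plane" output and reports, for each class and module with policer drops, the violated bytes and their share of offered traffic. The names parse_copp and drop_report are illustrative, and the sample input is the class-default output quoted above.

```python
import re

# Sample input: the class-default counters as quoted in the post above.
SAMPLE = """\
class-map class-default (match-any)
police cir 100 kbps , bc 250 ms
module 1 :
conformed 17379304 bytes; action: transmit
violated 36271565 bytes; action: drop
module 2 :
conformed 106658 bytes; action: transmit
violated 963 bytes; action: drop
module 10 :
conformed 0 bytes; action: transmit
violated 0 bytes; action: drop
"""

CLASS_RE = re.compile(r"^class-map\s+(\S+)")
MODULE_RE = re.compile(r"^module\s+(\d+)\s*:")
COUNTER_RE = re.compile(r"^(conformed|violated)\s+(\d+)\s+bytes")


def parse_copp(text):
    """Return {class_name: {module: {'conformed': n, 'violated': n}}}."""
    stats, cls, mod = {}, None, None
    for line in map(str.strip, text.splitlines()):  # tolerate CLI indentation
        if m := CLASS_RE.match(line):
            cls, mod = m.group(1), None
        elif m := MODULE_RE.match(line):
            mod = int(m.group(1))
        elif (m := COUNTER_RE.match(line)) and cls and mod is not None:
            counters = stats.setdefault(cls, {}).setdefault(mod, {})
            counters[m.group(1)] = int(m.group(2))
    return stats


def drop_report(stats):
    """Return (class, module, violated_bytes, drop_ratio) per module with drops."""
    rows = []
    for cls, mods in stats.items():
        for mod, c in sorted(mods.items()):
            dropped, passed = c.get("violated", 0), c.get("conformed", 0)
            if dropped:
                rows.append((cls, mod, dropped, dropped / (dropped + passed)))
    return rows


if __name__ == "__main__":
    print(drop_report(parse_copp(SAMPLE)))
```

The counters are cumulative, so comparing two captures taken some minutes apart shows whether a class is still dropping or the drops are historical.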