DHCP ISSUE between WLC and Nexus 7K

Rene Paul Huet
Level 1

Dear all,

I have a strange behavior between a WLC 5508 (version 7.0.116.0) and NEXUS7010.

WLC

The WLC is configured in DHCP Bridging Mode (it sends DHCP requests without change)

Nexus

The VLAN interface is configured as follows

interface Vlan501
  ip access-group acl-int-vlan501-in-1 in
  no ip redirects
  ip address 10.12.56.4/21
  ip ospf network broadcast
  ip router ospf 100 area 10.23.0.0
  hsrp 51
    preempt delay minimum 15
    priority 80
    ip 10.12.56.1
  ip dhcp relay address 10.21.16.2
  ip dhcp relay address 10.21.16.3
  no shutdown
  description - VLAN euh-wlan-bg-guest -

The "partial" ACL is as follows:

ip access-list acl-int-vlan501-in-1
  10 remark -- hsrp ----
  20 permit udp 10.12.56.0/29 224.0.0.2/32 eq 1985 log
  40 remark -- dhcp ----
  50 permit udp any eq bootpc any eq bootps log
  60 ------

The issue is :

Clients intermittently cannot obtain an IP address.

If I deactivate the ACL when the problem appears (when the client cannot obtain an IP address), the problem is resolved.

Note: Before, the WLC was connected to a Catalyst 6500 and worked properly for 2 years (with the same configuration).

I saw this note about the differences between DHCP relay on the NEXUS7000/NX-OS and IP helper on the 6500/IOS:

https://supportforums.cisco.com/docs/DOC-14753

Do you think the problem may come from the DHCP relay or the ACL on the NEXUS?

If someone has an idea, do not hesitate.

Best regards

René

3 Replies

mgalazka
Level 1

What version of code are you running on the N7K? 

At least in some 5.x versions of NX-OS, DHCP relay will not be treated specially in the control-plane policy. This means that if you have drops in the class-default class of your control-plane policy, some of those drops could be DHCP that should have been relayed. You can check this with the command:

show policy-map interface control-plane class class-default

If this is the case you can workaround it by creating a class-map in control-plane policy to match this traffic separately.

The following is a trimmed-down version from this config guide for 6.x, which supports DHCP in the control-plane policy. In 6.x they also set a CoS value -- you can reference the guide and include it if you choose to.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x_chapter_011001.html

ip access-list copp-system-p-acl-dhcp
  permit udp any neq bootps any eq bootps
  permit udp any eq bootpc any
ip access-list copp-system-p-acl-dhcp-relay-response
  permit udp any eq bootps any
  permit udp any any eq bootpc

class-map type control-plane match-any copp-system-p-class-normal-dhcp
  match redirect dhcp-snoop
  match access-group name copp-system-p-acl-dhcp
class-map type control-plane match-any copp-system-p-class-normal-dhcp-relay-response
  match access-group name copp-system-p-acl-dhcp-relay-response

policy-map type control-plane copp-system-policy
  class copp-system-p-class-normal-dhcp
    police cir 680 kbps bc 250 ms conform transmit violate drop
  class copp-system-p-class-normal-dhcp-relay-response
    police cir 900 kbps bc 500 ms conform transmit violate drop

Hope this helps,

Matt
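To make the classification Matt describes concrete, here is an added example (not part of the thread or of any Cisco configuration guide) that models the two CoPP ACLs from his post as UDP port-qualifier rules and runs the four legs of a relayed DHCP exchange through them. It assumes NX-OS first-match semantics for ACEs within an ACL and for classes within the policy-map, in the order they are written above; the port numbers and flow legs are constructed from the DHCP protocol, not taken from the thread.

```python
"""Which leg of a relayed DHCP exchange each CoPP ACE catches.

Added example, not from the thread. Models the UDP port qualifiers used in
the posted ACLs (eq / neq / any) with first-match evaluation, then shows
which class each DHCP leg would land in, and that non-DHCP traffic falls
through to class-default.
"""

BOOTPS = 67  # DHCP server / relay agent port
BOOTPC = 68  # DHCP client port


def port_matches(qualifier, port):
    """qualifier is None for 'any', or ('eq', n) / ('neq', n)."""
    if qualifier is None:
        return True
    op, value = qualifier
    if op == "eq":
        return port == value
    if op == "neq":
        return port != value
    raise ValueError(f"unsupported qualifier {op!r}")


def acl_matches(acl, sport, dport):
    """Return the 1-based index of the first permitting ACE, or None (implicit deny)."""
    for idx, (src_q, dst_q) in enumerate(acl, start=1):
        if port_matches(src_q, sport) and port_matches(dst_q, dport):
            return idx
    return None


# The two CoPP ACLs as posted (addresses are 'any', so only ports matter).
COPP_DHCP = [
    (("neq", BOOTPS), ("eq", BOOTPS)),  # permit udp any neq bootps any eq bootps
    (("eq", BOOTPC), None),             # permit udp any eq bootpc any
]
COPP_DHCP_RELAY_RESPONSE = [
    (("eq", BOOTPS), None),             # permit udp any eq bootps any
    (None, ("eq", BOOTPC)),             # permit udp any any eq bootpc
]

# Constructed (sport, dport) pairs for the legs of a relayed exchange.
DHCP_LEGS = {
    "client -> relay  (DISCOVER/REQUEST, broadcast)": (BOOTPC, BOOTPS),
    "relay  -> server (giaddr set, unicast)":         (BOOTPS, BOOTPS),
    "server -> relay  (OFFER/ACK to giaddr)":         (BOOTPS, BOOTPS),
    "relay  -> client (OFFER/ACK)":                   (BOOTPS, BOOTPC),
}


def classify_leg(sport, dport):
    """Class a packet lands in, evaluating classes in posted policy-map order."""
    if acl_matches(COPP_DHCP, sport, dport) is not None:
        return "copp-system-p-class-normal-dhcp"
    if acl_matches(COPP_DHCP_RELAY_RESPONSE, sport, dport) is not None:
        return "copp-system-p-class-normal-dhcp-relay-response"
    return "class-default"  # without the DHCP classes, every leg ends up here


def classify_all(legs=DHCP_LEGS):
    return {name: classify_leg(*ports) for name, ports in legs.items()}


if __name__ == "__main__":
    for leg, cls in classify_all().items():
        print(f"{leg:48s} -> {cls}")
```

The output makes the split visible: only the client-originated leg (68 to 67) is caught by copp-system-p-acl-dhcp, because `neq bootps` deliberately excludes the relay's own 67-to-67 forwarding, while every server- or relay-originated leg is caught by copp-system-p-acl-dhcp-relay-response. Anything not matched by either class, including all of these legs on a policy without them, is policed by class-default.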

Hi,

Thank you for the quick response,

The version on the N7K is 5.2(3a).

No drops in the control-plane policy.

Best regards

Matt,

 

We recently had a similar issue with our Nexus 7000 running 5.2(3a), the same version as the OP. Our issue was that PXE clients would only intermittently get an IP address via DHCP. I implemented a similar control-plane policy on our Nexus 7000 and that fixed the issue. Thank you for your post and for helping us fix our issue!

 

! Create ACLs to match DHCP traffic
ip access-list system-p-acl-dhcp
   permit udp any neq bootps any eq bootps
   permit udp any eq bootpc any
ip access-list system-p-acl-dhcp-relay-response
   permit udp any eq bootps any
   permit udp any any eq bootpc

! Modify existing class-map
class-map type control-plane match-any copp-system-class-redirect
   no match redirect dhcp-snoop

! Create new class-maps
class-map type control-plane match-any system-p-class-normal-dhcp
  match access-group name system-p-acl-dhcp
  match redirect dhcp-snoop
class-map type control-plane match-any system-p-class-normal-dhcp-relay-response
  match access-group name system-p-acl-dhcp-relay-response

! Add new class maps into system control plane policy
policy-map type control-plane copp-system-policy
  class system-p-class-normal-dhcp
    police cir 1 mbps bc 500 ms conform transmit violate drop
  class system-p-class-normal-dhcp-relay-response
    police cir 1 mbps bc 500 ms conform transmit violate drop

 

 

! Verify DHCP traffic is now handled by the new classes with the higher CIR

show policy-map interface control-plane class system-p-class-normal-dhcp
Control Plane

  service-policy  input: copp-system-policy

    class-map system-p-class-normal-dhcp (match-any)
      match access-group name system-p-acl-dhcp
      match redirect dhcp-snoop
      police cir 1 mbps , bc 500 ms
      module 1 :
        conformed 556491 bytes; action: transmit
        violated 0 bytes; action: drop
      module 2 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop
      module 10 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop

show policy-map interface control-plane class system-p-class-normal-dhcp-relay-response
Control Plane

  service-policy  input: copp-system-policy

    class-map system-p-class-normal-dhcp-relay-response (match-any)
      match access-group name system-p-acl-dhcp-relay-response
      police cir 1 mbps , bc 500 ms
      module 1 :
        conformed 450674 bytes; action: transmit
        violated 0 bytes; action: drop
      module 2 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop
      module 10 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop

Here's what the default class looks like. As you can see, there are many drops... Should we raise the CIR on this class to prevent other issues?

show policy-map interface control-plane class class-default
Control Plane

  service-policy  input: copp-system-policy

    class-map class-default (match-any)
      police cir 100 kbps , bc 250 ms
      module 1 :
        conformed 17379304 bytes; action: transmit
        violated 36271565 bytes; action: drop
      module 2 :
        conformed 106658 bytes; action: transmit
        violated 963 bytes; action: drop
      module 10 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop
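The check Matt recommends, and the verification shown in the reply above, both come down to reading `show policy-map interface control-plane` and spotting classes with non-zero `violated` counters. Here is an added example (not from the thread, and not a Cisco tool) that parses that output into per-class, per-module counters and reports which classes are dropping and what fraction of their traffic is lost. The embedded sample is the class-default and normal-dhcp output posted above, trimmed to two modules; the regular expressions assume the 5.2-era field layout shown there and would need adjusting for other releases.

```python
"""Parse NX-OS 'show policy-map interface control-plane' output and flag
CoPP classes that are dropping traffic (non-zero 'violated' bytes).

Added example, not from the thread. SAMPLE is the class-default and DHCP
class text posted in the thread, trimmed to two modules; the field layout
matched below is assumed from that 5.2(3a) output.
"""
import re

SAMPLE = """\
Control Plane

  service-policy  input: copp-system-policy

    class-map system-p-class-normal-dhcp (match-any)
      match access-group name system-p-acl-dhcp
      match redirect dhcp-snoop
      police cir 1 mbps , bc 500 ms
      module 1 :
        conformed 556491 bytes; action: transmit
        violated 0 bytes; action: drop

      module 2 :
        conformed 0 bytes; action: transmit
        violated 0 bytes; action: drop

    class-map class-default (match-any)
      police cir 100 kbps , bc 250 ms
      module 1 :
        conformed 17379304 bytes; action: transmit
        violated 36271565 bytes; action: drop

      module 2 :
        conformed 106658 bytes; action: transmit
        violated 963 bytes; action: drop
"""

CLASS_RE = re.compile(r"^\s*class-map\s+(\S+)\s+\(")
POLICE_RE = re.compile(r"^\s*police\s+cir\s+(\d+)\s+(\w+)\s*,\s*bc\s+(\d+)\s+(\w+)")
MODULE_RE = re.compile(r"^\s*module\s+(\d+)\s*:")
COUNTER_RE = re.compile(r"^\s*(conformed|violated)\s+(\d+)\s+bytes;\s+action:\s+(\w+)")


def parse_copp(text):
    """Return {class_name: {"cir": "<rate unit>", "modules": {mod: {"conformed": n, "violated": n}}}}."""
    classes = {}
    current = module = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = classes.setdefault(m.group(1), {"cir": None, "modules": {}})
            module = None
            continue
        if current is None:
            continue  # header lines before the first class-map
        m = POLICE_RE.match(line)
        if m:
            current["cir"] = f"{m.group(1)} {m.group(2)}"
            continue
        m = MODULE_RE.match(line)
        if m:
            module = current["modules"].setdefault(int(m.group(1)), {"conformed": 0, "violated": 0})
            continue
        m = COUNTER_RE.match(line)
        if m and module is not None:
            module[m.group(1)] = int(m.group(2))
    return classes


def dropping_classes(classes):
    """Classes with violated bytes on any module, mapped to total bytes dropped."""
    result = {}
    for name, info in classes.items():
        dropped = sum(mod["violated"] for mod in info["modules"].values())
        if dropped:
            result[name] = dropped
    return result


def drop_ratio(info):
    """Fraction of a class's bytes that were dropped across all modules (0.0 if idle)."""
    conformed = sum(m["conformed"] for m in info["modules"].values())
    violated = sum(m["violated"] for m in info["modules"].values())
    total = conformed + violated
    return violated / total if total else 0.0


if __name__ == "__main__":
    parsed = parse_copp(SAMPLE)
    for name, dropped in dropping_classes(parsed).items():
        print(f"{name}: {dropped} bytes dropped "
              f"({drop_ratio(parsed[name]):.1%}), cir {parsed[name]['cir']}")
```

On the posted numbers the only dropping class is class-default, which has discarded roughly two thirds of what it saw on module 1; the two DHCP classes show zero violations, which is the confirmation the reply was looking for. Running this against a full `show policy-map interface control-plane` (without the `class` argument) reports every class at once, so a class that is quietly dropping shows up without having to inspect each one by hand.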

 
