
error mac found on multiple vlans

Srinivas N

We have a setup (core switch 4500x, distribution and access switches). Normally we create VLANs on the core switch and the same are passed through to the access switches as per our requirement.

When we assign a particular VLAN to a particular access switch port, we are unable to get a DHCP IP (we have a DHCP server), and if we run traceroute for a particular MAC, it shows the error below:

 

Switch# traceroute mac 0000.0201.0601 0000.0201.0201
Error:Mac found on multiple vlans.
Layer2 trace aborted.

 

Can anyone please help me with this?

Thanks & Regards, Srinivas. N.

Hello

Where does the DHCP server reside? If it's off the core network, then you most probably require a DHCP relay address to be added to the SVIs of the VLANs, pointing towards that DHCP server.

Example:
int vlan xx
ip helper-address (dhcpserver)


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul,

 

Greetings, 

Besides your suggestions, I would like to point others to one of the most common issues that hinders getting IP addresses from DHCP servers, whether they are the network devices themselves or separate servers: if the network engineer has configured an access list on the SVI of the VLAN where the clients that cannot get IP addresses exist, they mistakenly think that issuing #permit ip any any at the end of the access list will pass the DHCP messages!

In such a case, they will need to add this command at the end of the access list sequence: #permit udp any host 255.255.255.255 eq bootps

Otherwise, it will never work!

 

Also, keep in mind that if the network device itself is the DHCP server, NEVER issue the #ip helper-address x.x.x.x command, as it will create a loop, and you will get this log:

%IP-3-LOOPPAK: Looping packet detected and dropped

 

I hope my post will be helpful or even add value to anyone's knowledge and experience!

 

Thanks in advance,

Andrew Khalil

Hello Andrew 

Thank you for your feedback - it is most welcome.
Regarding your statement pertaining to the DHCP server service running on the core switch, which is correct, that is why, if you noticed, I queried this in my post: "Where does the dhcp reside, if its off the core network"

As for any access list being applied to any L3 interface, the assumption here would be that there isn't any, as the OP didn't mention it; however, it is a good call to state this to the OP.



Kind Regards
Paul

Hello Paul,

Thanks for the kind reply. I noticed that you mentioned that; I just wanted to make it as crystal clear as I can so that all can get the idea!

Please don't forget to rate my posts if you find them helpful.

Thanks in advance!

Andrew Khalil

Hello,

 

What happens if you first bounce (shut/no shut) the port? How are these ports configured?

Also post the output of show mac-address-table aging-time

Andrew Khalil

Dear Srinivas,

Greetings,

As I understood, you have two inquiries:

1- The first one is why clients cannot get a dynamic IP address from the DHCP server.

Solution:

A- If the DHCP server is not the network device (in your case the core switch), you need to configure DHCP relay on the interface VLAN (SVI) that you would like to get IP addresses.

for example:

#int vlan 10

#ip helper-address x.x.x.x

where x.x.x.x is the DHCP server IP address.

B- If the DHCP server is the core switch itself, DON'T configure the DHCP relay, as it will cause a loop.

C- In both cases (A or B), if you have applied an access list to the interface VLAN (SVI), you should allow the DHCP traffic by issuing the following command at the end of your access list:

#permit udp any host 255.255.255.255 eq bootps

 

2- You are wondering why you got an error when you issued the traceroute command. Simply, this error occurs when the source and destination switches belong to multiple VLANs!

Solution:

You need to check that the MAC address that you are tracerouting belongs to the same VLAN!

 

I hope my reply is helpful enough; please let me know of any updates! I will be happy to help.

Also, don't forget to rate my post if you find it helpful!

Thanks in advance,

 

Andrew Khalil

Hi Andrew,

 

Thanks a lot for the support. Please find the details below and do the needful.

1- We have a DHCP server, and we have already configured the DHCP scope and server, and the IP helper-address in that VLAN.

2- Permit IP any any is already there at the end of the ACL.

3- #permit udp any host 255.255.255.255 eq bootps (we never gave this command for any VLANs, but all are working fine. For testing, I enabled this command as the last line, but no luck.)

I also want to let you know that we have multiple VLANs and all are working fine; only a couple of VLANs have this issue. If I assign another VLAN to the same port, then it is fine (getting an IP).

 

Below is the ACL configured for that particular VLAN:

    10 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    11 permit ip x.x.x.x 0.0.0.127 x.x.x.x 0.0.0.127
    20 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    30 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    40 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    50 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    60 permit ip x.x.x.x 0.0.0.127 x.x.x.x 0.0.0.127
    80 permit ip x.x.x.x 0.0.0.127 x.x.x.x 0.0.0.63
    90 permit ip x.x.x.x 0.0.0.127 x.x.x.x 0.0.0.63
    100 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    110 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    120 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    130 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    140 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    150 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    160 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    170 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    180 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    190 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    200 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    210 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    220 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    230 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    231 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    240 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    250 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    260 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    270 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    280 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    290 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    300 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    310 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    320 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    330 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    340 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    350 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    360 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    370 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    380 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    381 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    390 permit ip host x.x.x.x host x.x.x.x
    400 permit ip host x.x.x.x host x.x.x.x
    410 permit ip host x.x.x.x host x.x.x.x
    411 permit ip host x.x.x.x host x.x.x.x
    420 permit ip host x.x.x.x host x.x.x.x
    430 permit ip host x.x.x.x host x.x.x.x
    431 permit ip host x.x.x.x host x.x.x.x
    440 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    450 deny ip x.x.x.x 0.0.0.127 x.x.x.x.0.0 0.0.127.255
    460 permit ip any any

 

 

 

Thanks & Regards, Srinivas. N.

Hello Srinivas N,

It's a pleasure to support you,

As I was expecting, you have an ACL applied; that's why your switch is not passing the DHCP messages to the clients, so they cannot get an IP address. To fix this, you need to modify your ACL by adding a last line with sequence number 470, as follows:

    10 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    11 permit ip x.x.x.x 0.0.0.127 x.x.x.x 0.0.0.127
    20 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    30 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    40 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    50 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    60 permit ip x.x.x.x 0.0.0.127 x.x.x.x 0.0.0.127
    80 permit ip x.x.x.x 0.0.0.127 x.x.x.x 0.0.0.63
    90 permit ip x.x.x.x 0.0.0.127 x.x.x.x 0.0.0.63
    100 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    110 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    120 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    130 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    140 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    150 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    160 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    170 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    180 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    190 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    200 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    210 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    220 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    230 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    231 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    240 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    250 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    260 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    270 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    280 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    290 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    300 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    310 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    320 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    330 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    340 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    350 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    360 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    370 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    380 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    381 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    390 permit ip host x.x.x.x host x.x.x.x
    400 permit ip host x.x.x.x host x.x.x.x
    410 permit ip host x.x.x.x host x.x.x.x
    411 permit ip host x.x.x.x host x.x.x.x
    420 permit ip host x.x.x.x host x.x.x.x
    430 permit ip host x.x.x.x host x.x.x.x
    431 permit ip host x.x.x.x host x.x.x.x
    440 permit ip x.x.x.x 0.0.0.127 host x.x.x.x
    450 deny ip x.x.x.x 0.0.0.127 x.x.x.x.0.0 0.0.127.255
    460 permit ip any any

    470 permit udp any host 255.255.255.255 eq bootps

 

Such a command will allow the DHCP messages to pass through your SVI!

Please don't forget to rate it as helpful, and if it solved the issue you can mark it as a solution! It would be very nice of you!

 

Bst Rgds,

Andrew Khalil
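
An added example, not part of the thread and not Cisco code: a small model of first-match evaluation for an extended ACL shaped like the one posted above, run against a client DHCPDISCOVER as an inbound ACL on the SVI would see it. The addresses, the `first_match` and `without` helpers and the packet dictionary are constructed for illustration, and only `eq` destination-port matching is modelled.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def spec(tok):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (ip(tok[1]), 0), tok[2:]
    return (ip(tok[0]), ip(tok[1])), tok[2:]

def parse_ace(line):
    t = line.split()
    src, rest = spec(t[3:])
    dst, rest = spec(rest)
    port = None
    if rest[:1] == ["eq"]:  # only 'eq <dst-port>' is modelled here
        port = {"bootps": 67, "bootpc": 68}.get(rest[1]) or int(rest[1])
    return int(t[0]), t[1], t[2], src, dst, port

def covers(addr, base_wild):
    base, wild = base_wild
    care = ~wild & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (ip(addr) & care) == (base & care)

def first_match(acl, pkt):
    """Return (sequence, action) of the first ACE that matches pkt."""
    for line in acl.strip().splitlines():
        seq, action, proto, src, dst, port = parse_ace(line)
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (covers(pkt["src"], src) and covers(pkt["dst"], dst)):
            continue
        if port is not None and port != pkt["dport"]:
            continue
        return seq, action
    return None, "deny"  # implicit deny closes every ACL

# Constructed ACL and packet (illustrative addresses, not from the thread).
ACL = """\
10 permit ip 192.0.2.0 0.0.0.127 host 198.51.100.10
60 permit ip 192.0.2.0 0.0.0.127 198.51.100.128 0.0.0.63
450 deny ip 192.0.2.0 0.0.0.127 10.20.0.0 0.0.127.255
460 permit ip any any
470 permit udp any host 255.255.255.255 eq bootps
"""
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67}

def without(acl, seq):
    """Return the ACL text with one sequence number removed."""
    return "\n".join(l for l in acl.splitlines() if not l.startswith(f"{seq} "))

if __name__ == "__main__":
    print(first_match(ACL, DISCOVER))
    print(first_match(without(ACL, 460), DISCOVER))
    print(first_match(without(without(ACL, 460), 470), DISCOVER))
```

The sequence number returned is the entry at which a given packet stops; on the switch, compare it with the per-entry match counters in `show access-lists`.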

Hello again Srinivas N,

Sorry, I didn't concentrate while reading your reply, so I missed the part where you said that you had already tried adding #permit udp any host 255.255.255.255 eq bootps, but it wasn't helpful.

I have also noticed that DHCP is working for different VLANs, but for a couple of VLANs it's not working.

So, I recommend disabling the applied ACL on one of the NOT working VLANs, just so that we can be sure that the problem is not caused by the ACL!

You don't need to delete that ACL; you can just negate that command: #no ip access-group xx [in|out].

Then go to any host connected to that VLAN and, through the cmd, we need to send a DHCP discover,

so you can type: ipconfig /release, then ipconfig /renew.

If you get an IP address, it means that the problem was due to the access list; if not, we have to search in another direction, but at least by troubleshooting this way we will be sure that it's not the ACL!

I will wait for your reply, so that we can go forward!

Bst Rgds,

Andrew Khalil

 

Hi Andrew

Thanks for the quick reply. I tried with the ACL line below, but no luck.

470 permit udp any host 255.255.255.255 eq bootps

I will try removing the ACL group and get back to you.

 

Thanks & Regards, Srinivas. N.

Dear Srinivas N,

Greetings, 

I hope it will work after disabling the ACL,

but if not, we should check your entire configuration, as a lot of scenarios can cause such a problem.

Waiting to hear from you!

Bst Rgds,

Andrew Khalil 

Hi Andrew and all,

 

Today I assigned the same VLAN (the one with the issue) to a couple of access switch ports. It seems DHCP is working fine without any changes. I don't know what the issue was or how it got resolved without any modifications.

I suspect that, since we kept changing the VLANs on that range of ports, it might have been stored in the CAM table or in the DHCP server, but I cleared the MAC address table for that particular VLAN at that time itself.

Anyway, thanks all.

 

 

 

 

Thanks & Regards, Srinivas. N.

Hello,

 

just to be sure, check if you have 'spanning-tree portfast' configured on the access ports in question.

 

I don't know if anyone has asked this, but does the Vlan that the access port is assigned to exist on the access switch, and is it properly trunked all the way to the DHCP server ?
