Tuesday, March 1, 2011

Server 2003 DHCP VLANS and Cisco Aironet Problem

Background:
I was adding a Cisco Aironet 1310 to a location that had multiple VLANs, all serviced by a Cisco router, an HP ProCurve switch and Windows Server 2003 DHCP.

I configured the Aironet with two SSIDs on different VLANs. The employee VLAN was the "native" VLAN in Aironet speak; the guest VLAN was the secondary VLAN.

First Problem:
When connecting to the guest VLAN, we were getting IP addresses from the first VLAN. It seemed the DHCP server was not able to distinguish between requests from the different VLANs.

Because DHCP is broadcast based, the router naturally segments our broadcast domains as it should, so the broadcasts don't reach the other networks. This is typically worked around by adding "ip helper-address x.x.x.x" on the sub-interfaces that are not on the same network as the DHCP server. This essentially turns the router into a DHCP relay agent. I have implemented this a hundred times and was stumped as to why this wasn't working.

Looking at the packet captures, I noticed that each DHCPDISCOVER packet the client sent was showing up twice, and the two copies were slightly different. One had the source address of the router's sub-interface and the destination of the DHCP server; the other was a true broadcast packet to the whole subnet. The problem was that the plain broadcast packet was the one the server was responding to, so the client got an IP from the employee VLAN every single time, regardless of the VLAN it was on.

First Solution:
The culprit was a monitor port set up on the HP ProCurve switch that was mirroring all the traffic on the port the router was plugged into and replicating it to the port the DHCP server was plugged into. That's why I was seeing both packets in the capture. As soon as I turned this off, I no longer got the wrong IP on the guest network.... I was getting NO IPs.... the plot thickens....

Second Problem:
While troubleshooting the first issue I set up a DHCP server on the router itself, trying to isolate the issue. I ended up removing the DHCP configuration, but by mistake I typed the command "no service dhcp". This was the problem: "service dhcp" also controls the DHCP relay agent functionality on the router. You can read about this command here: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_dhc3.html#wp1030434

Second Solution:
Typing "service dhcp" immediately fixed the issue. I knew the router was the problem because the DHCPDISCOVER packets were hitting the server but the server was ignoring them: the router wasn't rewriting the source IP to that of its sub-interface, so the DHCP server couldn't tell which scope to assign an address from.
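To make both failures concrete, here is an added example (my own code, not from the post or from Cisco/Microsoft) that builds constructed DHCPDISCOVER packets, picks a scope the way a DHCP server does from the relay agent's giaddr field, and flags the tell-tale of the mirror port: the same transaction ID arriving both relayed and as a raw broadcast. The scope addresses and sub-interface IPs are assumed values.

```python
import ipaddress
import struct

# Constructed stand-ins for the Server 2003 scopes and router sub-interfaces
# in the post (assumed addresses, not the author's).
SCOPES = {
    ipaddress.ip_network("10.10.1.0/24"): "Employee VLAN (native)",
    ipaddress.ip_network("10.10.2.0/24"): "Guest VLAN",
}
SERVER_SUBNET = ipaddress.ip_network("10.10.1.0/24")   # DHCP server's own subnet

HDR = "!BBBBIHH4s4s4s4s"      # RFC 2131 fixed header: op..giaddr, 28 bytes
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header

def build_discover(giaddr: str, xid: int, mac: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Constructed DHCPDISCOVER: giaddr is 0.0.0.0 for a raw client broadcast,
    or the relaying sub-interface address once ip helper-address does its job."""
    g = ipaddress.ip_address(giaddr)
    hops = 0 if int(g) == 0 else 1          # a relay increments hops as it forwards
    hdr = struct.pack(HDR, 1, 1, 6, hops, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, g.packed)
    # chaddr (16) + sname (64) + file (128) + cookie + option 53 = DISCOVER + end
    return hdr + mac.ljust(16, b"\0") + b"\0" * 192 + MAGIC + b"\x35\x01\x01\xff"

def parse_discover(pkt: bytes) -> dict:
    """Pull the fields a DHCP server needs in order to pick a scope."""
    op, _, hlen, hops, xid, _, _, _, _, _, giaddr = struct.unpack(HDR, pkt[:28])
    if op != 1 or pkt[236:240] != MAGIC:
        raise ValueError("not a BOOTREQUEST with DHCP magic cookie")
    return {"xid": xid, "hops": hops, "giaddr": ipaddress.ip_address(giaddr),
            "chaddr": pkt[28:28 + hlen].hex(":")}

def select_scope(msg: dict):
    """Scope selection as a DHCP server does it: giaddr decides, not the client's
    VLAN. A giaddr of 0.0.0.0 means 'this broadcast arrived on my own subnet',
    which is exactly why the mirrored copy handed out employee-VLAN addresses."""
    g = msg["giaddr"]
    if int(g) == 0:
        return SCOPES[SERVER_SUBNET]
    for net, name in SCOPES.items():
        if g in net:
            return name
    return None   # no scope covers giaddr: the server silently drops the request

def mirrored_xids(pkts: list) -> set:
    """Detection for the first problem: one xid seen both relayed (giaddr set) and
    as a raw broadcast (giaddr 0) means something is duplicating client traffic."""
    seen = {}
    for p in pkts:
        m = parse_discover(p)
        seen.setdefault(m["xid"], set()).add(int(m["giaddr"]) != 0)
    return {xid for xid, forms in seen.items() if forms == {True, False}}
```

Feed real captures into mirrored_xids by extracting the UDP payloads; a non-empty result points at a mirror/monitor port or a second path between the client VLAN and the server before you start suspecting the relay configuration.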
