僅第2層VLAN中的DHCP故障排除 — 無線
目錄
簡介
本文說明如何在SD-Access(SDA)交換矩陣中的第2層專用網路中排除無線終端的DHCP故障。
必要條件
需求
思科建議您瞭解以下主題:
- 網際網路通訊協定(IP)轉送
- Locator/ID Separation Protocol(LISP)
- 通訊協定無關多點傳送(PIM)稀疏模式
- 支援光纖的無線
硬體和軟體要求
- Catalyst 9000 系列交換器
- Catalyst中心版本2.3.7.9
- Catalyst 9800系列無線LAN控制器
- Catalyst 9100系列存取點
- Cisco IOS® XE 17.12及更高版本
限制
-
只有一個L2邊界可以同時切換唯一的VLAN/VNI,除非正確配置了強大的環路防止機制(如用於禁用鏈路的FlexLink+或EEM指令碼)。
僅第2層概述
概觀
在典型的SD-Access部署中,L2/L3邊界位於交換矩陣邊緣(FE),其中FE以SVI的形式承載客戶端網關,通常稱為「任播網關」。第3層VNI(路由)針對子網間流量建立,而第2層VNI(交換)管理子網內流量。跨所有FE的一致配置可實現無縫客戶端漫遊。轉發已最佳化:子網內(L2)流量直接橋接在FE之間,而子網間(L3)流量則在FE之間或FE與邊界節點之間路由。
對於SDA交換矩陣中需要交換矩陣外部的嚴格網路入口點的終端,SDA交換矩陣必須提供從邊緣到外部網關的L2通道。
此概念類似於傳統的乙太網園區部署,其中第2層接入網路連線到第3層路由器。VLAN內流量保留在L2網路中,而VLAN間流量由L3裝置路由,通常會返回到L2網路上的不同VLAN。
在LISP上下文中,站點控制平面主要跟蹤MAC地址及其相應的MAC到IP繫結,非常類似於傳統的ARP條目。僅L2 VNI/L2池專門用於促進基於這兩種EID型別的註冊、解析和轉發。因此,在僅使用L2的環境中,任何基於LISP的轉發僅依賴於MAC和MAC到IP資訊,它完全忽略IPv4或IPv6 EID。為了補充LISP EID,僅第2層池嚴重依賴泛洪和學習機制,與傳統交換機的行為類似。因此,L2泛洪成為此解決方案中處理廣播、未知單播和多播(BUM)流量的關鍵元件,需要使用底層多播。相反,通常的單點傳播流量使用標準LISP轉發流程轉發,主要通過對映快取轉發。
交換矩陣邊緣和「L2邊界」(L2B)都維護對映到本地VLAN的第2層VNI(此對映在SDA內對本地裝置有效,允許不同的VLAN跨節點對映到相同的L2 VNI)。 在此特定使用案例中,在這些節點的這些VLAN上未配置SVI,這意味著沒有對應的第3層VNI。
僅L2 VLAN中的DHCP行為更改
在任播網關池中,DHCP帶來了挑戰,因為每個交換矩陣邊緣都充當其直連端點的網關,所有FE上使用相同的網關IP。要正確識別DHCP中繼資料包的原始源,FE必須插入DHCP選項82及其子選項,包括LISP RLOC資訊。這是通過在交換矩陣邊緣的客戶端VLAN上執行DHCP監聽實現的。DHCP監聽在此環境中具有雙重作用:它方便了選項82的插入,而且關鍵的是,防止了DHCP廣播資料包通過橋接域(VLAN/VNI)泛洪。 即使為任播網關啟用第2層泛洪,DHCP監聽也會有效地抑制廣播資料包,使其作為廣播從交換矩陣邊緣轉發出去。
相比之下,僅第2層VLAN缺少網關,從而簡化了DHCP源識別。由於資料包不通過任何交換矩陣邊緣中繼,因此不需要複雜的源識別機制。如果L2 Only VLAN上沒有DHCP監聽,則有效地繞過DHCP資料包的泛洪控制機制。這允許通過L2泛洪將DHCP廣播轉發到其最終目的地,該目的地可以是直接連線到交換矩陣節點的DHCP伺服器,或提供DHCP中繼功能的第3層裝置。
警告:L2 Only池中的「多個IP到MAC」功能在網橋VM模式下自動啟用DHCP監聽,從而實施DHCP泛洪控制。因此,這會導致L2 VNI池無法支援其終端的DHCP。
底層多點傳送
由於DHCP嚴重依賴廣播流量,因此必須利用第2層泛洪來支援此協定。與任何其他啟用第2層泛洪的池一樣,底層網路必須配置為組播流量,尤其是使用PIM稀疏模式的Any-Source-Multicast。雖然底層組播配置是通過LAN自動化工作流程自動執行的,但如果省略此步驟,則需要額外的配置(手動或模板)。
- 在所有節點(邊界、邊緣、中間節點等)上啟用IP組播路由。
- 在每個Border和Edge節點的Loopback0介面上配置PIM稀疏模式。
- 在每個IGP(底層路由協定)介面上啟用PIM稀疏模式。
- 在所有節點(邊界、邊緣、中間節點)上配置PIM集結點(RP),建議將RP放置在邊界上。
- 驗證PIM鄰居、PIM RP和PIM隧道狀態。
透過存取通道介面的廣播
支援交換矩陣的無線在AP和FE上採用本地交換和VTEP功能。但是,IOS-XE 16.10+限制會阻止通過VXLAN向AP進行出口廣播轉發。在僅第2層網路中,這阻止了DHCP提供/ACK到達無線客戶端。「泛洪接入隧道」功能通過在交換矩陣邊緣接入隧道介面上啟用廣播轉發來解決這一問題。
拓撲
網路拓撲
在此拓撲中:
- 192.168.0.201和192.168.0.202是交換矩陣站點的並置邊界,BorderCP-1是啟用第2層傳遞功能的唯一邊界。
- 192.168.0.101和192.168.0.102是交換矩陣邊緣節點
- 172.16.1.7是具有VLAN 1021的INFRA-VN中的接入點
- 192.168.254.39是DHCP伺服器
- 192.168.254.69是無線區域網控制器
- 4822.54dc.6a15是啟用DHCP的端點
- Fusion裝置充當交換矩陣子網的DHCP中繼。
僅L2 VLAN配置
從Catalyst Center僅部署L2 VLAN
路徑:Catalyst中心/調配/交換矩陣站點/第2層虛擬網路/編輯第2層虛擬網路
使用支援矩陣的無線的L2VNI配置
僅L2 VLAN配置 — 交換矩陣邊緣
交換矩陣邊緣節點的VLAN配置為啟用CTS、禁用IGMP和IPv6 MLD以及所需的L2 LISP配置。此L2 Only池是無線池;因此,僅第2層無線池中通常存在的功能(例如RA-Guard、DHCPGuard和Flood Access Tunnel)已配置。無線池上未啟用ARP泛洪。
交換矩陣邊緣(192.168.0.101)配置
ipv6 nd raguard policy dnac-sda-permit-nd-raguardv6device-role routeripv6 dhcp guard policy dnac-sda-permit-dhcpv6device-role servervlan configuration1031ipv6 nd raguard attach-policy dnac-sda-permit-nd-raguardv6ipv6 dhcp guard attach-policy dnac-sda-permit-dhcpv6cts role-based enforcement vlan-list 1031vlan 1031name L2_Only_Wirelessip igmp snooping querier
no ip igmp snooping vlan 1031 querierno ip igmp snooping vlan 1031no ipv6 mld snooping vlan 1031router lispinstance-id 8240remote-rloc-probe on-route-changeservice etherneteid-table vlan 1031broadcast-underlay 239.0.17.1flood unknown-unicast
flood access-tunnel 232.255.255.1 vlan 1021database-mapping mac locator-set rloc_91947dad-3621-42bd-ab6b-379ecebb5a2bexit-service-ethernet
flood-access tunnel命令在其組播複製變化中配置,其中所有BUM流量使用源特定組播組(232.255.255.1)封裝到AP,使用INFRA-VN接入點VLAN作為VLAN,IGMP監聽參考該VLAN以轉發BUM流量。
僅L2 VLAN配置 — 無線LAN控制器
在WLC(無線LAN控制器)端,與光纖存取點相關聯的站點標籤必須設定為「no fabric ap-arp-caching」,才能停用代理ARP功能。此外,必須啟用「fabric ap-dhcp-broadcast」,此配置允許將DHCP廣播資料包從AP轉發到無線終端。
交換矩陣WLC(192.168.254.69)配置
wireless tag site RTP-Site-Tag-3description "Site Tag RTP-Site-Tag-3"no fabric ap-arp-cachingfabric ap-dhcp-broadcast
提示:無線組播組232.255.255.1是所有站點標籤使用的預設組。
WLC#show wireless tag site detailed RTP-Site-Tag-3Site Tag Name : RTP-Site-Tag-3Description : Site Tag RTP-Site-Tag-3----------------------------------------AP Profile : default-ap-profileLocal-site : YesImage Download Profile: defaultFabric AP DHCP Broadcast : EnabledFabric Multicast Group IPv4 Address : 232.255.255.1RTP-Site-Tag-3 Load : 0
L2轉接配置(交換矩陣邊界)
從操作角度來看,允許DHCP伺服器(或路由器/中繼)連線到任何交換矩陣節點,包括邊界和邊緣。
使用Border節點連線DHCP伺服器是推薦的方法,但需要仔細設計考慮。這是因為必須在每個介面上為第2層傳遞配置邊框。這允許將交換矩陣池傳遞給交換矩陣內相同的VLAN或不同的VLAN。交換矩陣邊緣和邊界之間的VLAN ID具有這種靈活性,因為兩者都對映到相同的L2 LISP例項ID。不能使用同一個VLAN同時啟用L2切換物理埠,以防止SD-Access網路出現第2層環路。若要實現冗餘,需要使用StackWise Virtual、FlexLink+或EEM指令碼等方法。
相反,將DHCP伺服器或網關路由器連線到交換矩陣邊緣不需要額外的配置。
L2轉接配置
交換矩陣邊界/CP(192.168.0.201)配置
ipv6 nd raguard policy dnac-sda-permit-nd-raguardv6device-role routeripv6 dhcp guard policy dnac-sda-permit-dhcpv6device-role servervlan configuration 31ipv6 nd raguard attach-policy dnac-sda-permit-nd-raguardv6ipv6 dhcp guard attach-policy dnac-sda-permit-dhcpv6cts role-based enforcement vlan-list 31vlan 31name L2_Only_Wirelessip igmp snooping querier
no ip igmp snooping vlan 1031 querierno ip igmp snooping vlan 1031no ipv6 mld snooping vlan 1031router lispinstance-id 8240remote-rloc-probe on-route-changeservice etherneteid-table vlan 31broadcast-underlay 239.0.17.1flood unknown-unicast
flood access-tunnel 232.255.255.1 vlan 1021database-mapping mac locator-set rloc_91947dad-3621-42bd-ab6b-379ecebb5a2bexit-service-ethernetinterface TenGigabitEthernet1/0/44switchport mode trunk<--DHCP Relay/Server interface
無線多點傳送啟用
交換矩陣邊緣配置為通過泛洪接入隧道機制將廣播資料包轉發到接入點。這些資料包將封裝到INFRA-VN VLAN上的232.255.255.1組播組中。接入點自動加入此組播組,因為它們的站點標籤已預配置為使用它。
WLC#show ap name AP1 config general | i SiteSite Tag Name : RTP-Site-Tag-3WLC#show wireless tag site detailed RTP-Site-Tag-3Site Tag Name : RTP-Site-Tag-3Description : Site Tag RTP-Site-Tag-3----------------------------------------AP Profile : default-ap-profileLocal-site : YesImage Download Profile: defaultFabric AP DHCP Broadcast : EnabledFabric Multicast Group IPv4 Address : 232.255.255.1RTP-Site-Tag-3 Load : 0
從接入點出發,在交換矩陣無線終端關聯時,會形成VXLAN隧道(在AP端為動態,在交換矩陣邊緣端為始終開啟)。 在此通道中,CAPWAP交換矩陣組播組會使用來自AP終端的命令進行驗證。
AP1#show ip tunnel fabricFabric GWs Information:Tunnel-Id GW-IP GW-MAC Adj-Status Encap-Type Packet-In Bytes-In Packet-Out Bytes-out1 192.168.0.101 00:00:0C:9F:F2:BC Forward VXLAN 1117063026 1019814432 1116587492 980205146AP APP Fabric Information:GW_ADDR ENCAP_TYPE VNID SGT FEATURE_FLAG GW_SRC_MAC GW_DST_MACAP1#show capwap mcastIPv4 Multicast:Vlan Group IP Version Query Timer Sent QRV left Port0 232.255.255.1 2 972789.691334200 140626 2 0
從交換矩陣邊緣端,確認已為INFRA-VN AP VLAN啟用IGMP監聽,接入點已形成接入隧道介面,並且已加入組播組232.255.255.1
Edge-1#show ip igmp snooping vlan 1021 | i IGMPGlobal IGMP Snooping configuration:IGMP snooping : EnabledIGMPv3 snooping : EnabledIGMP snooping : EnabledIGMPv2 immediate leave : DisabledCGMP interoperability mode : IGMP_ONLYEdge-1#show ip igmp snooping groups vlan 1021 232.255.255.1Vlan Group Type Version Port List-----------------------------------------------------------------------1021 232.255.255.1 igmp v2 Te1/0/12 ----- Access Point PortEdge-1#show device-tracking database interface te1/0/12 | be NetworkNetwork Layer Address Link Layer Address Interface vlan prlvl age state Time leftDH4 172.16.1.7 dc8c.3756.99bc Te1/0/12 1021 0024 1s REACHABLE 251 s(76444 s)Edge-1#show access-tunnel summaryAccess Tunnels General Statistics:Number of AccessTunnel Data Tunnels = 1Name RLOC IP(Source) AP IP(Destination) VRF ID Source Port Destination Port------ --------------- ------------------ ------ ----------- ----------------Ac2 192.168.0.101 172.16.1.7 0 N/A 4789<snip>
這些驗證確認已成功啟用跨接入點、交換矩陣邊緣和無線LAN控制器的無線組播。
DHCP流量流
DHCP探索和請求 — 無線端
通訊流 — 僅限L2中的DHCP發現和請求
確定無線端點的狀態、其連線的接入點以及關聯的交換矩陣屬性。
WLC#show wireless client summary | i MAC|-|4822.54dc.6a15MAC Address AP Name Type ID State Protocol Method Role-------------------------------------------------------------------------------------------------------------------------4822.54dc.6a15 AP1 WLAN 17 Run 11n(2.4) MAB LocalWLC#show wireless client mac 4822.54dc.6a15 detail | se AP Name|Policy Profile|FabricAP Name: AP1Policy Profile : RTP_POD1_SSID_profileFabric status : EnabledRLOC : 192.168.0.101VNID : 8232SGT : 0Control plane name : default-control-plane
請務必確認在策略配置檔案中禁用了中心交換和中心dhcp功能。必須在SSID的策略配置檔案中配置「no central dhcp」和「no central switching」命令。
WLC#show wireless profile policy detailed RTP_POD1_SSID_profile | i CentralFlex Central Switching : DISABLEDFlex Central Authentication : ENABLEDFlex Central DHCP : DISABLEDVLAN based Central Switching : DISABLED
這些驗證確認終端已連線到「AP1」,後者與交換矩陣邊緣RLOC 192.168.0.101相關聯。因此,其流量通過VXLAN(VNID 8232)進行封裝,以便從接入點傳輸到交換矩陣邊緣。
DHCP探索和請求 — 光纖邊緣
使用WLC通知的MAC學習
在終端機自註冊過程中,WLC向交換矩陣控制平面註冊無線終端機的MAC地址。同時,控制平面會通知交換矩陣邊緣節點(接入點所連線的節點)建立一個特殊的「CP_LEARN」MAC學習條目,指向接入點的接入隧道介面。
Edge-1#show lisp sessionSessions for VRF default, total: 2, established: 2Peer State Up/Down In/Out Users192.168.0.201:4342 Up 2w2d 806/553 44192.168.0.202:4342 Up 2w2d 654/442 44Edge-1#show lisp instance-id 8232 ethernet database wlc 4822.54dc.6a15WLC clients/access-points information for LISP 0 EID-table Vlan 1031 (IID 8232)Hardware Address: 4822.54dc.6a15Type: clientSources: 2Tunnel Update: SignalledSource MS: 192.168.0.201RLOC: 192.168.0.101Up time: 1w6dMetadata length: 34Metadata (hex): 00 01 00 22 00 01 00 0C AC 10 01 07 00 00 10 0100 02 00 06 00 00 00 03 00 0C 00 00 00 00 68 996A D2Edge-1#show mac address-table address 4822.54dc.6a15Mac Address Table-------------------------------------------Vlan Mac Address Type Ports---- ----------- -------- -----1031 4822.54dc.6a15 CP_LEARN Ac2
如果終端的MAC地址通過與其連線的接入點對應的接入隧道介面正確獲取,則此階段被視為完成。
L2泛洪中的DHCP廣播橋接
禁用DHCP監聽時,不會阻止DHCP廣播;相反,它們會封裝在組播中,以便進行第2層泛洪。反之,啟用DHCP監聽可以防止這些廣播資料包泛洪。
Edge-1#show ip dhcp snoopingSwitch DHCP snooping isenabledSwitch DHCP gleaning is disabledDHCP snooping is configured on following VLANs:12-13,50,52-53,333,1021-1026DHCP snooping isoperationalon following VLANs:12-13,50,52-53,333,1021-1026<--VLAN1031 should not be listed, as DHCP snooping must be disabled in L2 Only pools.Proxy bridge is configured on following VLANs:1024Proxy bridge is operational on following VLANs:1024<snip>
由於DHCP監聽已禁用,因此DHCP發現/請求利用L2LISP0介面,通過L2泛洪橋接流量。根據Catalyst Center版本和應用的Fabric Banner,L2LISP0介面可能具有雙向配置的訪問清單;因此,請確保任何存取控制專案(ACE)都沒有明確拒絕DHCP流量(UDP連線埠67和68)。
interface L2LISP0
ip access-group SDA-FABRIC-LISP in
ip access-group SDA-FABRIC-LISP out
Edge-1#show access-list SDA-FABRIC-LISP
Extended IP access list SDA-FABRIC-LISP
10 deny ip any host 224.0.0.22
20 deny ip any host 224.0.0.13
30 deny ip any host 224.0.0.1
40 permit ip any any
利用為L2LISP例項配置的廣播底層組和交換矩陣邊緣的Loopback0 IP地址來檢驗將該資料包橋接至其他交換矩陣節點的L2泛洪(S,G)條目。請參閱mroute和mfib表以驗證引數,如傳入介面、傳出介面清單和轉發計數器。
Edge-1#show ip interface loopback 0 | i Internet
Internet address is 192.168.0.101/32
Edge-1#show running-config | se 8232
interface L2LISP0.8232
instance-id 8232
remote-rloc-probe on-route-change
service ethernet
eid-table vlan 1031
broadcast-underlay 239.0.17.1
Edge-1#show ip mroute 239.0.17.1 192.168.0.101 | be \(
(192.168.0.101, 239.0.17.1), 00:00:19/00:03:17, flags: FT
Incoming interface: Null0, RPF nbr 0.0.0.0 <-- Local S,G IIF must be Null0
Outgoing interface list:
TenGigabitEthernet1/1/2, Forward/Sparse, 00:00:19/00:03:10, flags: <-- 1st OIF = Te1/1/2 = Border2 Uplink
TenGigabitEthernet1/1/1, Forward/Sparse, 00:00:19/00:03:13, flags: <-- 2nd OIF = Te1/1/1 = Border1 Uplink
Edge-1#show ip mfib 239.0.17.1 192.168.0.101 count
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Default
13 routes, 6 (*,G)s, 3 (*,G/m)s
Group: 239.0.17.1
Source: 192.168.0.101,
SW Forwarding: 1/0/392/0, Other: 1/1/0
HW Forwarding: 7/0/231/0, Other: 0/0/0 <-- HW Forwarding counters (First counter = Pkt Count) must increase
Totals - Source count: 1, Packet count: 8
提示:提示:如果找不到(S,G)條目或傳出介面清單(OIL)不包含傳出介面(OIF),則表明底層組播配置或操作有問題。
封包擷取
在交換機上配置同時嵌入式資料包捕獲,記錄來自AP的輸入DHCP資料包和相應的輸出資料包,以進行L2泛洪。
光纖邊緣(192.168.0.101)封包擷取
monitor capture cap interface TenGigabitEthernet1/0/12 IN <-- Access Point Portmonitor capture cap interface TenGigabitEthernet1/1/1 OUT <-- Multicast Route (L2 Flooding) OIFmonitor capture cap match anymonitor capture cap buffer size 100monitor capture cap limit pps 1000monitor capture cap startmonitor capture cap stop
捕獲資料包時,必須觀察三個不同的資料包:
- DHCP發現 — VXLAN - AP到邊緣
- DHCP探索 — CAPWAP - AP到WLC
- DHCP探索 — VXLAN — 邊緣到多點傳送群組
Edge-1#show monitor capture cap buffer display-filter "bootp and dhcp.hw.mac_addr==4822.54dc.6a15"<-- 4822.54dc.6a15 is the endpoint MACStarting the packet display ........ Press Ctrl + Shift + 6 to exit129 4.865410 0.0.0.0 -> 255.255.255.255 DHCP 394 DHCP Discover - Transaction ID 0x824bdf45 <-- From AP to Edge130 4.865439 0.0.0.0 -> 255.255.255.255 DHCP 420 DHCP Discover - Transaction ID 0x824bdf45 <-- From AP to WLC131 4.865459 0.0.0.0 -> 255.255.255.255 DHCP 394 DHCP Discover - Transaction ID 0x824bdf45 <-- From Edge to L2 Flooding GroupEdge-1#show monitor capture cap buffer display-filter "bootp and dhcp.hw.mac_addr==4822.54dc.6a15 and vxlan"Starting the packet display ........ Press Ctrl + Shift + 6 to exit129 4.865410 0.0.0.0 -> 255.255.255.255 DHCP 394 DHCP Discover - Transaction ID 0x824bdf45131 4.865459 0.0.0.0 -> 255.255.255.255 DHCP 394 DHCP Discover - Transaction ID 0x824bdf45Edge-1#show monitor capture cap buffer display-filter "bootp and dhcp.hw.mac_addr==4822.54dc.6a15 and udp.port==5247"Starting the packet display ........ Press Ctrl + Shift + 6 to exit130 4.865439 0.0.0.0 -> 255.255.255.255 DHCP 420 DHCP Discover - Transaction ID 0x824bdf45Edge-1#show monitor capture cap buffer display-filter "bootp and dhcp.hw.mac_addr==4822.54dc.6a15 and vxlan"detail| i InternetInternet Protocol Version 4, Src: 172.16.1.7, Dst: 192.168.0.101 <-- From AP to EdgeInternet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255Internet Protocol Version 4, Src: 192.168.0.101, Dst: 239.0.17.1 <-- From Edge to Upstream (Layer 2 Flooding)Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
提示:在啟用交換矩陣無線上,VXLAN封裝的資料包將DHCP流量傳送到客戶端或伺服器。然而,CAPWAP資料(UDP 5247)封裝的封包僅出於追蹤目的(例如IP學習狀態或無線裝置追蹤)傳送到WLC。
DHCP發現和請求 — L2邊框
邊緣通過第2層泛洪傳送DHCP發現和請求資料包後(封裝了Broadcast-Underlay組239.0.17.1),這些資料包將由L2傳遞邊界接收,在本場景中具體是Border/CP-1。
為此,Border/CP-1必須擁有與邊緣(S,G)的組播路由,其傳出介面清單必須包括L2切換VLAN的L2LISP例項。必須注意的是,L2轉接邊界共用相同的L2LISP例項ID,即使它們為轉接使用不同的VLAN。
BorderCP-1#show vlan id 31VLAN Name Status Ports---- -------------------------------- --------- -------------------------------31 L2_Only_Wireless active L2LI0:8232, Te1/0/44BorderCP-1#show ip mroute 239.0.17.1 192.168.0.101 | be \((192.168.0.101, 239.0.17.1), 00:03:20/00:00:48, flags: MTAIncoming interface: TenGigabitEthernet1/0/42, RPF nbr 192.168.98.3 <-- IIF Te1/0/42 is the RPF interface for 192.168.0.101 (Edge RLOC)Outgoing interface list:TenGigabitEthernet1/0/26, Forward/Sparse, 00:03:20/00:03:24, flags:L2LISP0.8232, Forward/Sparse-Dense, 00:03:20/00:02:39, flags:BorderCP-1#show ip mfib 239.0.17.1 192.168.0.101 countForwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per secondOther counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)Default13 routes, 6 (*,G)s, 3 (*,G/m)sGroup: 239.0.17.1Source: 192.168.0.101,SW Forwarding: 1/0/392/0, Other: 0/0/0HW Forwarding: 3/0/317/0, Other: 0/0/0 <-- HW Forwarding counters (First counter = Pkt Count) must increaseTotals - Source count: 1, Packet count: 4
提示:如果未找到(S,G)條目,則表示底層組播配置或操作有問題。如果所需例項的L2LISP未作為OIF存在,則表明L2LISP子介面的操作UP/DOWN狀態或L2LISP介面的IGMP啟用狀態存在問題。
與交換矩陣邊緣節點類似,請確保沒有訪問控制項會拒絕L2LISP0介面上的輸入DHCP資料包。
BorderCP-1#show ip access-lists SDA-FABRIC-LISPExtended IP access list SDA-FABRIC-LISP10 deny ip any host 224.0.0.2220 deny ip any host 224.0.0.1330 deny ip any host 224.0.0.140 permit ip any any
將封包解除封裝並放置在與VNI 8240相符的VLAN上後,其廣播性質表示封包已泛洪到轉送的VLAN 141的所有跨距樹狀目錄通訊協定轉送連線埠。
BorderCP-1#show spanning-tree vlan 31 | be InterfaceInterface Role Sts Cost Prio.Nbr Type------------------- ---- --- --------- -------- --------------------------------Te1/0/44 Desg FWD 2000 128.56 P2p
Device-Tracking表確認連線到網關/DHCP中繼的介面Te1/0/44必須是STP轉發埠。
BorderCP-1#show device-tracking database address 172.16.141.254 | be NetworkNetwork Layer Address Link Layer Address Interface vlan prlvl age state Time leftARP 172.16.131.254 f87b.2003.7fd5 Te1/0/44 31 0005 34s REACHABLE 112 s try 0
封包擷取
在交換機上配置同時嵌入式資料包捕獲,以記錄來自L2泛洪(S,G傳入介面)的傳入DHCP資料包和到DHCP中繼的相應輸出資料包。捕獲資料包時,應觀察兩個不同的資料包:來自Edge-1的VXLAN封裝資料包,以及到達DHCP中繼的解封裝資料包。
光纖邊界/CP(192.168.0.201)封包擷取器
monitor capture cap interface TenGigabitEthernet1/0/42 IN<--Ingress interface for Edge's S,G Mroute (192.168.0.101, 239.0.17.1)monitor capture cap interface TenGigabitEthernet1/0/44 OUT <-- Interface that connects to the DHCP Relaymonitor capture cap match any
monitor capture cap buffer size 100monitor capture cap startmonitor capture cap stopBorderCP-1#show monitor capture cap buffer display-filter "bootp and dhcp.hw.mac_addr==4822.54dc.6a15"Starting the packet display ........ Press Ctrl + Shift + 6 to exit324 16.695022 0.0.0.0 -> 255.255.255.255 DHCP 394 DHCP Discover - Transaction ID 0x824bdf45 <-- 394 is the Lenght of the VXLAN encapsulated packet325 10.834141 0.0.0.0 -> 255.255.255.255 DHCP 420 DHCP Discover - Transaction ID 0x168bd882 <-- 420 is the Lenght of the CAPWAP encapsulated packet326 16.695053 0.0.0.0 -> 255.255.255.255 DHCP 352 DHCP Discover - Transaction ID 0x824bdf45 <-- 352 is the Lenght of the VXLAN encapsulated packetPacket 324: VXLAN EncapsulatedBorderCP-1#show monitor capture cap buffer display-filter "frame.number==324" detail | i InternetInternet Protocol Version 4, Src: 192.168.0.101, Dst: 239.0.17.1Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255Packet 326: Plain (dot1Q cannot be captured at egress due to EPC limitations)BorderCP-1#show monitor capture cap buffer display-filter "frame.number==326" detailed | i InternetInternet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
此時,發現/請求資料包已退出SD-Access交換矩陣,結束本節內容。但是,在繼續操作之前,一個關鍵引數(由終端本身確定的DHCP廣播標誌)將規定後續的Offer或ACK資料包的轉發方案。我們可以檢查其中一個Discover資料包來檢查此標誌。
BorderCP-1#show monitor capture cap buffer display-filter "bootp.type==1 and dhcp.hw.mac_addr==4822.54dc.6a15" detailed | sect DynamicDynamic Host Configuration Protocol (Discover)Message type: Boot Request (1)Hardware type: Ethernet (0x01)Hardware address length: 6Hops: 0Transaction ID: 0x00002030Seconds elapsed: 3Bootp flags: 0x8000, Broadcast flag (Broadcast)1... .... .... .... = Broadcast flag: Broadcast <-- Broadcast Flag set by the Endpoint.000 0000 0000 0000 = Reserved flags: 0x0000
提示:bootp.type.==只能用於過濾發現和請求資料包。
DHCP提供和ACK — 廣播 — L2邊框
通訊流 — 僅在第2層廣播DHCP提供和ACK
現在DHCP發現已退出SD-Access交換矩陣,DHCP中繼將插入傳統的DHCP中繼選項(例如GiAddr/GatewayIPAddress),並將資料包作為單播傳輸轉發到DHCP伺服器。在此流程中,SD-Access交換矩陣不附加任何特殊的DHCP選項。
在伺服器收到DHCP發現/請求後,伺服器會執行嵌入的廣播或單播標誌。此標籤指示DHCP中繼代理是否將DHCP提供作為廣播幀或單播幀轉發到下游裝置(我們的邊界)。在本演示中,假設存在廣播場景。
MAC學習和網關註冊
當DHCP中繼傳送DHCP提供或ACK時,L2BN節點必須獲取網關的MAC地址,將其新增到其MAC地址表中,然後到L2/MAC SISF表,最後到VLAN 141的L2LISP資料庫,對映到L2LISP例項8232。
BorderCP-1#show mac address-table interface te1/0/44Mac Address Table-------------------------------------------Vlan Mac Address Type Ports---- ----------- -------- -----31 f87b.2003.7fd5 DYNAMIC Te1/0/44BorderCP-1#show vlan id 31VLAN Name Status Ports---- -------------------------------- --------- -------------------------------31 L2_Only_Wireless active L2LI0:8232, Te1/0/44BorderCP-1#show device-tracking database mac | i 7fd5|vlanMAC Interface vlan prlvl state Time left Policy Input_indexf87b.2003.7fd5 Te1/0/44 31 NO TRUST MAC-REACHABLE 61 s LISP-DT-GLEAN-VLAN 64BorderCP-1#show lisp ins 8232 dynamic-eid summary | i Name|f87b.2003.7fd5Dyn-EID Name Dynamic-EID Interface Uptime Last PendingAuto-L2-group-8232 f87b.2003.7fd5 N/A 6d06h never 0BorderCP-1#show lisp instance-id 8232 ethernet databasef87b.2003.7fd5LISP ETR MAC Mapping Database for LISP 0 EID-table Vlan 31 (IID 8232), LSBs: 0x1Entries total 1, no-route 0, inactive 0, do-not-register 0f87b.2003.7fd5/48, dynamic-eid Auto-L2-group-8240, inherited from default locator-set rloc_0f43c5d8-f48d-48a5-a5a8-094b87f3a5f7, auto-discover-rlocsUptime: 6d06h, Last-change: 6d06hDomain-ID: localService-Insertion: N/ALocator Pri/Wgt Source State192.168.0.201 10/10 cfg-intf site-self, reachableMap-server Uptime ACK Domain-ID192.168.0.201 6d06h Yes 0192.168.0.202 6d06h Yes 0
如果網關的MAC地址已正確獲知,並且交換矩陣控制平面的ACK標誌已標籤為「Yes」,則此階段視為已完成。
L2泛洪中的DHCP廣播橋接
如果沒有啟用DHCP監聽,DHCP廣播不會受到阻止,而是封裝在組播中,以實現第2層泛洪。反之,如果啟用DHCP監聽,則會阻止DHCP廣播資料包泛洪。
BorderCP-1#show ip dhcp snoopingSwitch DHCP snooping is enabledSwitch DHCP gleaning is disabledDHCP snooping is configured on following VLANs:1001DHCP snooping is operational on following VLANs:1001 <-- VLAN31 should not be listed, as DHCP snooping must be disabled in L2 Only pools.Proxy bridge is configured on following VLANs:noneProxy bridge is operational on following VLANs:none
由於L2Border中未啟用DHCP監聽,因此不需要DHCP監聽信任配置。
在這個階段,兩台裝置都已完成L2LISP ACL驗證。
利用為L2LISP例項配置的廣播底層組和L2Border Loopback0 IP地址來檢驗將該資料包橋接到其他交換矩陣節點的L2泛洪(S,G)條目。請參閱mroute和mfib表以驗證引數,如傳入介面、傳出介面清單和轉發計數器。
BorderCP-1#show ip int loopback 0 | i InternetInternet address is 192.168.0.201/32BorderCP-1#show run | se 8232interface L2LISP0.8232instance-id 8232remote-rloc-probe on-route-changeservice etherneteid-table vlan 1031broadcast-underlay 239.0.17.1BorderCP-1#show ip mroute 239.0.17.1 192.168.0.201 | be \((192.168.0.201, 239.0.17.1), 1w5d/00:02:52, flags: FTAIncoming interface: Null0, RPF nbr 0.0.0.0 <-- Local S,G IIF must be Null0Outgoing interface list:TenGigabitEthernet1/0/42, Forward/Sparse, 1w3d/00:02:52, flags: <-- Edge1 Downlink
TenGigabitEthernet1/0/43, Forward/Sparse, 1w3d/00:02:52, flags: <-- Edge2 DownlinkBorderCP-1#show ip mfib 239.0.17.1 192.168.0.201 countForwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per secondOther counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)Default13 routes, 6 (*,G)s, 3 (*,G/m)sGroup: 239.0.17.1Source: 192.168.0.201,SW Forwarding: 1/0/392/0, Other: 1/1/0HW Forwarding: 92071/0/102/0, Other: 0/0/0 <-- HW Forwarding counters (First counter = Pkt Count) must increaseTotals - Source count: 1, Packet count: 92071
提示:如果找不到(S,G)條目或傳出介面清單(OIL)不包含傳出介面(OIF),則表明底層組播配置或操作有問題。
通過這些驗證,在資料包捕獲方面(與前面步驟相似),我們總結本節內容,因為DHCP提供將以廣播形式轉發到所有交換矩陣邊緣(使用傳出介面清單內容),在本例中是傳出介面TenGig1/0/42和TenGig1/0/43。
DHCP提供和ACK — 廣播 — 邊緣
與上一流完全相同,我們現在檢查交換矩陣邊緣中的L2Border S,G,其中傳入介面指向L2BN,而OIL包含對映到VLAN 1031的L2LISP例項。
Edge-1#show vlan id 1031VLAN Name Status Ports---- -------------------------------- --------- -------------------------------1031 L2_Only_Wireless active L2LI0:8232, Te1/0/2, Te1/0/17, Te1/0/18, Te1/0/19, Te1/0/20, Ac2, Po1Edge-1#show ip mroute 239.0.17.1 192.168.0.201 | be \((192.168.0.201, 239.0.17.1), 1w3d/00:01:52, flags: JTIncoming interface: TenGigabitEthernet1/1/2, RPF nbr 192.168.98.2 <-- IIF Te1/1/2 is the RPF interface for 192.168.0.201 (L2BN RLOC)aOutgoing interface list:L2LISP0.8232, Forward/Sparse-Dense, 1w3d/00:02:23, flags:Edge-1#show ip mfib 239.0.17.1 192.168.0.201 countForwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per secondOther counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)Default13 routes, 6 (*,G)s, 3 (*,G/m)sGroup: 239.0.17.1Source: 192.168.0.201,SW Forwarding: 1/0/96/0, Other: 0/0/0HW Forwarding: 76236/0/114/0, Other: 0/0/0<-- HW Forwarding counters (First counter = Pkt Count) must increaseTotals - Source count: 1, Packet count: 4
提示:如果未找到(S,G)條目,則表示底層組播配置或操作有問題。如果所需例項的L2LISP未作為OIF存在,則表明L2LISP子介面的操作UP/DOWN狀態或L2LISP介面的IGMP啟用狀態存在問題。
兩台裝置中都已完成L2LISP ACL驗證。
將封包解除封裝並放在與VNI 8232相符的VLAN上後,其廣播性質表示其已泛洪出VLAN1031的所有有線跨距樹狀目錄通訊協定轉送連線埠。
Edge-1#show spanning-tree vlan 1041 | be InterfaceInterface Role Sts Cost Prio.Nbr Type------------------- ---- --- --------- -------- --------------------------------Te1/0/2 Desg FWD 20000 128.2 P2p EdgeTe1/0/17 Desg FWD 2000 128.17 P2pTe1/0/18 Back BLK 2000 128.18 P2pTe1/0/19 Desg FWD 2000 128.19 P2pTe1/0/20 Back BLK 2000 128.20 P2p
但是,我們希望廣播DHCP提供的介面是與接入點關聯的接入隧道介面。僅因為L2LISP IID 8232上啟用了「泛洪接入隧道」,才可能實現此功能,否則將阻止此資料包轉發到AccessTunnel介面。
Edge-1#show lisp instance-id 8232 ethernet | se Multicast FloodMulticast Flood Access-Tunnel: enabledMulticast Address: 232.255.255.1Vlan ID: 1021Edge-1#show ip igmp snooping groups vlan1021 232.255.255.1Vlan Group Type Version Port List-----------------------------------------------------------------------1021 232.255.255.1 igmp v2 Te1/0/12 <-- AP1 Port
使用組播泛洪組的IGMP監聽條目,DHCP提供和ACK將轉發到AP的物理埠。
DHCP提供和ACK過程始終保持一致。如果未啟用DHCP監聽,則不會在DHCP監聽表中建立任何條目。因此,啟用DHCP的終端的裝置跟蹤條目由收集的ARP資料包生成。由於DHCP監聽已禁用,因此「show platform dhcpsnooping client stats」等命令預計不會顯示任何資料。
Edge-1#show device-tracking database interface Ac2 | be NetworkNetwork Layer Address Link Layer Address Interface vlan prlvl age state Time leftARP 172.16.131.4 4822.54dc.6a15 Ac2 1031 0005 45s REACHABLE 207 s try 0Edge-1#show ip dhcp snooping binding vlan 1041MacAddress IpAddress Lease(sec) Type VLAN Interface------------------ --------------- ---------- ------------- ---- --------------------Total number of bindings: 0
DHCP提供和ACK — 單播 — L2邊界
通訊流 — 單播DHCP提供和ACK(僅限第2層)
在此場景略有不同,終端將DHCP廣播標誌設定為unset或「0」。
DHCP中繼不會將DHCP提供/ACK作為廣播傳送,而是作為單播資料包傳送,其目的MAC地址從DHCP負載內的客戶端硬體地址派生。這顯著地修改了SD-Access交換矩陣處理資料包的方式,它使用L2LISP對映快取來轉發流量,而不是第2層泛洪組播封裝方法。
交換矩陣邊界/CP(192.168.0.201)資料包catpure:輸入DHCP提供
BorderCP-1#show monitor capture cap buffer display-filter "bootp.type==1 and dhcp.hw.mac_addr==4822.54dc.6a15" detailed | sect DynamicDynamic Host Configuration Protocol (Discover)Message type: Boot Request (1)Hardware type: Ethernet (0x01)Hardware address length: 6Hops: 0Transaction ID: 0x00002030Seconds elapsed: 0Bootp flags: 0x0000, Broadcast flag (Unicast)0... .... .... .... = Broadcast flag: Unicast.000 0000 0000 0000 = Reserved flags: 0x0000Client IP address: 0.0.0.0Your (client) IP address: 0.0.0.0Next server IP address: 0.0.0.0Relay agent IP address: 0.0.0.0Client MAC address: 48:22:54:dc:6a:15 (48:22:54:dc:6a:15)
在此場景中,L2泛洪專門用於發現/請求,而提供/ACK則通過L2LISP對映快取轉發,從而簡化了整體操作。根據單播轉發原則,L2邊界向控制平面查詢目的MAC地址。假設在交換矩陣邊緣上成功「MAC學習和WLC通知」,則控制平面已註冊此終端ID(EID)。
BorderCP-1#show lisp instance-id 8232 ethernet server 4822.54dc.6a15LISP Site Registration InformationSite name: site_uciDescription: map-server configured from Catalyst CenterAllowed configured locators: anyRequested EID-prefix:EID-prefix: 4822.54dc.6a15/48 instance-id 8232First registered: 00:53:30Last registered: 00:53:30Routing table tag: 0Origin: Dynamic, more specific of any-macMerge active: NoProxy reply: YesSkip Publication: NoForce Withdraw: NoTTL: 1d00hState: completeExtranet IID: UnspecifiedRegistration errors:Authentication failures: 0Allowed locators mismatch: 0ETR 192.168.0.101:51328, last registered 00:53:30, proxy-reply, map-notifyTTL 1d00h, no merge, hash-function sha1state complete, no security-capabilitynonce 0xBB7A4AC0-0x46676094xTR-ID 0xDEF44F0B-0xA801409E-0x29F87978-0xB865BF0Dsite-ID unspecifiedDomain-ID 1712573701Multihoming-ID unspecifiedsourced by reliable transportLocator Local State Pri/Wgt Scope192.168.0.101 yes up 10/10 IPv4 noneETR 192.168.254.69:58507, last registered 00:53:30, no proxy-reply, no map-notify <-- Registered by the Wireless LAN ControllerTTL 1d00h, no merge, hash-function sha2state complete, no security-capabilitynonce 0x00000000-0x00000000xTR-ID N/Asite-ID N/Asourced by reliable transportAffinity-id: 0 , 0WLC AP bit: ClearLocator Local State Pri/Wgt Scope192.168.0.101 yes up 0/0 IPv4 none <-- RLOC of Fabric Edge with the Access Point where the endpoint is connected
在邊界向控制平面(本地或遠端)查詢後,LISP解析為終端的MAC地址建立對映快取條目。
BorderCP-1#show lisp instance-id 8232 ethernet map-cache 4822.54dc.6a15LISP MAC Mapping Cache for LISP 0 EID-table Vlan 31 (IID 8232), 1 entries4822.54dc.6a15/48, uptime: 4d07h, expires: 16:33:09, via map-reply, complete, local-to-siteSources: map-replyState: complete, last modified: 4d07h, map-source: 192.168.0.206Idle, Packets out: 46(0 bytes), counters are not accurate (~ 00:13:12 ago)Encapsulating dynamic-EID trafficLocator Uptime State Pri/Wgt Encap-IID192.168.0.101 4d07h up 10/10 -
解決RLOC後,DHCP提供以單播方式封裝,並使用VNI 8240直接傳送到Edge-1(192.168.0.101)。
BorderCP-1#show mac address-table address aaaa.dddd.bbbbMac Address Table-------------------------------------------Vlan Mac Address Type Ports---- ----------- -------- -----31 4822.54dc.6a15 CP_LEARN L2LI0BorderCP-1#show platform software fed switch active matm macTable vlan 141 mac aaaa.dddd.bbbbVLAN MAC Type Seq# EC_Bi Flags machandle siHandle riHandle diHandle *a_time *e_time ports Con
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------31 4822.54dc.6a15 0x1000001 0 0 64 0x718eb52c48e8 0x718eb52c8b68 0x718eb44c6c18 0x0 0 1064 RLOC 192.168.0.101 adj_id 1044 NoBorderCP-1#show ip route 192.168.0.101Routing entry for 192.168.0.101/32Known via "isis", distance 115, metric 20, type level-2Redistributing via isis, bgp 65001TAdvertised by bgp 65001 level-2 route-map FABRIC_RLOCLast update from 192.168.98.3 on TenGigabitEthernet1/0/42, 1w3d agoRouting Descriptor Blocks:* 192.168.98.3, from 192.168.0.101, 1w3d ago, via TenGigabitEthernet1/0/42Route metric is 20, traffic share count is 1
使用與前面部分相同的方法,捕獲從DHCP中繼和RLOC輸出介面的輸入流量,以觀察單播到邊緣RLOC的VXLAN封裝。
DHCP提供和ACK — 單播 — 邊緣
邊緣從邊界接收單播DHCP提供/ACK,解封裝流量並查詢其MAC地址表以確定正確的出口埠。與廣播Offer/ACK不同,邊緣節點隨後將僅將資料包轉發到終端所連線的特定接入隧道,而不是將其泛洪到所有埠。
MAC地址表將埠AccessTunnel2標識為與AP1關聯的虛擬埠。
Edge-1#show mac address-table address 4822.54dc.6a15Mac Address Table-------------------------------------------Vlan Mac Address Type Ports---- ----------- -------- -----1031 4822.54dc.6a15 CP_LEARN Ac2Edge-1#show interfaces accessTunnel 2 descriptionInterface Status Protocol DescriptionAc2 up up Radio MAC: dc8c.37ce.58a0, IP: 172.16.1.7Edge-1#show device-tracking database address 172.16.1.7 | be NetworkNetwork Layer Address Link Layer Address Interface vlan prlvl age state Time leftDH4 172.16.1.7 dc8c.3756.99bc Te1/0/12 1021 0024 6s REACHABLE 241 s try 0(86353 s)Edge-1#show cdp neighbors tenGigabitEthernet 1/0/12 | be DeviceDevice ID Local Intrfce Holdtme Capability Platform Port IDAP1 Ten 1/0/12 119 R T AIR-AP480 Gig 0
DHCP提供和ACK過程始終保持一致。如果未啟用DHCP監聽,則不會在DHCP監聽表中建立任何條目。因此,啟用DHCP的終端的裝置跟蹤條目由收集的ARP資料包生成,而不是DHCP。由於DHCP監聽已禁用,因此「show platform dhcpsnooping client stats」等命令也會不顯示任何資料。
Edge-1#show device-tracking database interface te1/0/2 | be NetworkNetwork Layer Address Link Layer Address Interface vlan prlvl age state Time leftARP 172.16.141.1 aaaa.dddd.bbbb Te1/0/2 1041 0005 45s REACHABLE 207 s try 0Edge-1#show ip dhcp snooping binding vlan 1041MacAddress IpAddress Lease(sec) Type VLAN Interface------------------ --------------- ---------- ------------- ---- --------------------Total number of bindings: 0
必須注意的是,SD-Access交換矩陣不影響單播或廣播標誌的使用,因為這只是端點行為。雖然此功能可能被DHCP中繼或DHCP伺服器本身所覆蓋,但兩種機制對於在L2 Only環境中無縫DHCP操作都至關重要:使用廣播提供/ACK的底層組播進行第2層泛洪,並在控制平面中為單播提供/ACK進行正確的端點註冊。
DHCP交易 — 無線驗證
在WLC上,DHCP交易是透過RA-Trace進行監控。
WLC#debug wireless mac 48:22:54:DC:6A:15 to-file bootflash:client6a15RA tracing start event,conditioned on MAC address: 48:22:54:dc:6a:15Trace condition will be automatically stopped in 1800 seconds.Execute 'no debug wireless mac 48:22:54:dc:6a:15' to manually stop RA tracing on this condition.WLC#no debug wireless mac 48:22:54:dc:6a:15
RA tracing stop event,
conditioned on MAC address: 48:22:54:dc:6a:15WLC#more flash:client6a15 | i DHCP2025/08/11 06:13:48.600929726 {wncd_x_R0-0}{1}: [sisf-packet] [15981]: (info): RX: DHCPv4 from interface capwap_90000006 on vlan 1 Src MAC: 4822.54dc.6a15 Dst MAC: ffff.ffff.ffff src_ip: 0.0.0.0, dst_ip: 255.255.255.255, BOOTPREQUEST, SISF_DHCPDISCOVER, giaddr: 0.0.0.0, yiaddr: 0.0.0.0, CMAC: 4822.54dc.6a152025/08/11 06:13:50.606037404 {wncd_x_R0-0}{1}: [sisf-packet] [15981]: (info): RX: DHCPv4 from interface capwap_90000006 on vlan 1 Src MAC: f87b.2003.7fd5 Dst MAC: 4822.54dc.6a15 src_ip: 172.16.131.254, dst_ip: 172.16.131.4, BOOTPREPLY, SISF_DHCPOFFER, giaddr: 172.16.131.254, yiaddr: 172.16.131.4, CMAC: 4822.54dc.6a152025/08/11 06:13:50.609855406 {wncd_x_R0-0}{1}: [sisf-packet] [15981]: (info): RX: DHCPv4 from interface capwap_90000006 on vlan 1 Src MAC: 4822.54dc.6a15 Dst MAC: ffff.ffff.ffff src_ip: 0.0.0.0, dst_ip: 255.255.255.255, BOOTPREQUEST, SISF_DHCPREQUEST, giaddr: 0.0.0.0, yiaddr: 0.0.0.0, CMAC: 4822.54dc.6a152025/08/11 06:13:50.613054692 {wncd_x_R0-0}{1}: [sisf-packet] [15981]: (info): RX: DHCPv4 from interface capwap_90000006 on vlan 1 Src MAC: f87b.2003.7fd5 Dst MAC: 4822.54dc.6a15 src_ip: 172.16.131.254, dst_ip: 172.16.131.4, BOOTPREPLY, SISF_DHCPACK, giaddr: 172.16.131.254, yiaddr: 172.16.131.4, CMAC: 4822.54dc.6a15
在事務結束時,終端會新增到無線LAN控制器上的裝置跟蹤資料庫。
WLC#show wireless device-tracking database mac 4822.54dc.6a15MAC VLAN IF-HDL IP ZONE-ID/VRF-NAME--------------------------------------------------------------------------------------------------4822.54dc.6a15 1 0x90000006 172.16.131.4 0x00000000fe80::b070:b7e1:cc52:69ed 0x80000001
整個DHCP事務在接入點上調試。
AP1#debug client 48:22:54:DC:6A:15AP1#term monAP1#
Aug 11 05:37:47 AP1 kernel: [*08/11/2025 05:37:47.3530] [1754890667:353058] [AP1] [48:22:54:dc:6a:15] < wifi0> [U:W] DHCP_DISCOVER : TransId 0x76281006Aug 11 05:37:47 AP1 kernel: [*08/11/2025 05:37:47.3531] chatter: dhcp_req_local_sw_nonat: 1754890667.353086: 0.0.0.0.68 > 255.255.255.255.67: udp 310Aug 11 05:37:47 AP1 kernel: [*08/11/2025 05:37:47.3533] chatter: dhcp_from_inet: 1754890667.353287600: 0.0.0.0.68 > 255.255.255.255.67: udp 310Aug 11 05:37:47 AP1 kernel: [*08/11/2025 05:37:47.3533] chatter: dhcp_reply_nonat: 1754890667.353287600: 0.0.0.0.68 > 255.255.255.255.67: udp 310Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3587] chatter: dhcp_from_inet: 1754890669.358709760: 172.16.131.254.67 > 172.16.131.4.68: udp 309Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3588] chatter: dhcp_reply_nonat: 1754890669.358709760: 172.16.131.254.67 > 172.16.131.4.68: udp 309Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3589] [1754890669:358910] [AP1] [48:22:54:dc:6a:15][D:W] DHCP_OFFER : TransId 0x76281006 tag:534 Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3671] [1754890669:367110] [AP1] [48:22:54:dc:6a:15] < wifi0> [U:W] DHCP_REQUEST : TransId 0x76281006Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3671] chatter: dhcp_req_local_sw_nonat: 1754890669.367134760: 0.0.0.0.68 > 255.255.255.255.67: udp 336Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3709] [1754890669:370945] [AP1] [48:22:54:dc:6a:15][D:W] DHCP_ACK : TransId 0x76281006 tag:536 Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3733] [1754890669:373312] [AP1] [48:22:54:dc:6a:15] < wifi0> [D:A] DHCP_OFFER : TransId 0x76281006 [Tx Success] tag:534Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3983] [1754890669:398318] [AP1] [48:22:54:dc:6a:15] < wifi0> [D:A] DHCP_ACK : TransId 0x76281006 [Tx Success] tag:53* U:W = Uplink Packet from Client to Wireless Driver
* D:W = Downlink Packet from Client to Click Module
* D:A = Downlink Packet from Client sent over the air
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
1.0 |
19-Aug-2025
|
初始版本 |
意見