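This document describes how to troubleshoot DHCP for wireless endpoints in a Layer 2 Only network in an SD-Access (SDA) fabric.
Cisco recommends that you have knowledge of these topics:
Hardware and Software Requirements
Limitations
Only one L2 Border can hand off a unique VLAN/VNI at a time, unless a robust loop-prevention mechanism is properly configured (such as FlexLink+ or an EEM script that disables links).
In a typical SD-Access deployment, the L2/L3 boundary sits at the Fabric Edge (FE), where the FE hosts the client gateway as an SVI, commonly called the "Anycast Gateway". Layer 3 VNIs (routed) are established for inter-subnet traffic, while Layer 2 VNIs (switched) handle intra-subnet traffic. Consistent configuration across all FEs enables seamless client roaming. Forwarding is optimized: intra-subnet (L2) traffic is bridged directly between FEs, and inter-subnet (L3) traffic is routed between FEs or between an FE and a Border Node.
For endpoints in the SDA fabric that require a strict network entry point outside the fabric, the SDA fabric must provide an L2 channel from the Edge to the external gateway.
This concept is similar to a traditional Ethernet campus deployment, where a Layer 2 access network connects to a Layer 3 router. Intra-VLAN traffic stays within the L2 network, while inter-VLAN traffic is routed by the L3 device, usually returning to a different VLAN on the L2 network.
In the LISP context, the site control plane primarily tracks MAC addresses and their corresponding MAC-to-IP bindings, much like traditional ARP entries. L2 Only VNIs/L2 Only pools are designed to facilitate registration, resolution, and forwarding based exclusively on these two EID types. Therefore, in an L2 Only environment, any LISP-based forwarding relies solely on MAC and MAC-to-IP information and completely ignores IPv4 or IPv6 EIDs. To complement the LISP EIDs, L2 Only pools rely heavily on flood-and-learn mechanisms, similar to the behavior of traditional switches. As a result, L2 flooding becomes a key component for handling broadcast, unknown-unicast, and multicast (BUM) traffic in this solution, which requires underlay multicast. In contrast, normal unicast traffic is forwarded with the standard LISP forwarding process, primarily through map-caches.
Both Fabric Edges and the "L2 Border" (L2B) maintain L2 VNIs that map to local VLANs (this mapping is locally significant to each device within SDA, which allows different VLANs on different nodes to map to the same L2 VNI). In this specific use case, no SVI is configured on these VLANs on these nodes, which means there is no corresponding L3 VNI.
In Anycast Gateway pools, DHCP presents a challenge because every Fabric Edge acts as the gateway for its directly connected endpoints, with the same gateway IP on all FEs. To correctly identify the original source of a DHCP relayed packet, FEs must insert DHCP Option 82 and its sub-options, including the LISP RLOC information. This is achieved with DHCP snooping on the client VLAN at the Fabric Edge. DHCP snooping serves a dual purpose in this context: it facilitates the insertion of Option 82 and, crucially, it prevents DHCP broadcast packets from being flooded across the bridge domain (VLAN/VNI). Even when Layer 2 flooding is enabled for an Anycast Gateway, DHCP snooping effectively suppresses the broadcast packet from being forwarded out of the Fabric Edge as a broadcast.
In contrast, a Layer 2 Only VLAN has no gateway, which simplifies DHCP source identification. Because packets are not relayed through any Fabric Edge, complex source-identification mechanisms are not needed. Without DHCP snooping on the L2 Only VLAN, the flood-control mechanism for DHCP packets is effectively bypassed. This allows DHCP broadcasts to be forwarded through L2 flooding to their final destination, which can be a DHCP server directly connected to a fabric node or a Layer 3 device that provides DHCP relay functionality.
Warning: The "Multiple IP to MAC" feature in an L2 Only pool automatically enables DHCP snooping in Bridge VM mode, which enforces DHCP flood control. As a consequence, the L2 VNI pool cannot support DHCP for its endpoints.
Because DHCP relies heavily on broadcast traffic, Layer 2 flooding must be used to support this protocol. As with any other pool with L2 flooding enabled, the underlay network must be configured for multicast traffic, specifically Any-Source Multicast with PIM Sparse-Mode. Underlay multicast configuration is automated through the LAN Automation workflow; if that step was omitted, additional configuration (manual or template) is required.
Fabric-Enabled Wireless uses local switching and VTEP functionality on the AP and the FE. However, an IOS-XE 16.10+ limitation prevents egress broadcast forwarding over VXLAN to APs. In Layer 2 Only networks, this prevents DHCP Offers/ACKs from reaching wireless clients. The "Flood Access Tunnel" feature addresses this by enabling broadcast forwarding on the Fabric Edge access-tunnel interfaces.
Network Topology
In this topology:
Path: Catalyst Center / Provision / Fabric Site / Layer 2 Virtual Networks / Edit Layer 2 Virtual Networks
L2VNI Configuration with Fabric-Enabled Wireless
The Fabric Edge nodes have the VLAN configured with CTS enabled, IGMP and IPv6 MLD disabled, and the required L2 LISP configuration. This L2 Only pool is a wireless pool; therefore, the features typically found in L2 Only wireless pools, such as RA-Guard, DHCPGuard, and Flood Access Tunnel, are configured. ARP flooding is not enabled on wireless pools.
Fabric Edge (192.168.0.101) Configuration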
ipv6 nd raguard policy dnac-sda-permit-nd-raguardv6
device-role router
ipv6 dhcp guard policy dnac-sda-permit-dhcpv6
device-role server
vlan configuration 1031
ipv6 nd raguard attach-policy dnac-sda-permit-nd-raguardv6
ipv6 dhcp guard attach-policy dnac-sda-permit-dhcpv6
cts role-based enforcement vlan-list 1031
vlan 1031
name L2_Only_Wireless
ip igmp snooping querier
no ip igmp snooping vlan 1031 querier
no ip igmp snooping vlan 1031
no ipv6 mld snooping vlan 1031
router lisp
instance-id 8240
remote-rloc-probe on-route-change
service ethernet
eid-table vlan 1031
broadcast-underlay 239.0.17.1
flood unknown-unicast
flood access-tunnel 232.255.255.1 vlan 1021
database-mapping mac locator-set rloc_91947dad-3621-42bd-ab6b-379ecebb5a2b
exit-service-ethernet
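The flood access-tunnel command is configured in its multicast-replication variation, where all BUM traffic is encapsulated toward the APs with a source-specific multicast group (232.255.255.1), and the INFRA-VN access point VLAN is used as the VLAN that IGMP snooping consults to forward BUM traffic.
On the WLC (Wireless LAN Controller) side, the site tag associated with the fabric access points must be set to "no fabric ap-arp-caching" to disable the proxy-ARP function. In addition, "fabric ap-dhcp-broadcast" must be enabled; this configuration allows DHCP broadcast packets to be forwarded from the AP to the wireless endpoints.
Fabric WLC (192.168.254.69) Configuration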
wireless tag site RTP-Site-Tag-3
description "Site Tag RTP-Site-Tag-3"
no fabric ap-arp-caching
fabric ap-dhcp-broadcast
Tip: Wireless multicast group 232.255.255.1 is the default group used by all site tags.
WLC#show wireless tag site detailed RTP-Site-Tag-3
Site Tag Name : RTP-Site-Tag-3
Description : Site Tag RTP-Site-Tag-3
----------------------------------------
AP Profile : default-ap-profile
Local-site : Yes
Image Download Profile: default
Fabric AP DHCP Broadcast : Enabled
Fabric Multicast Group IPv4 Address : 232.255.255.1
RTP-Site-Tag-3 Load : 0
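From an operational perspective, the DHCP server (or router/relay) can be connected to any fabric node, including both Borders and Edges.
Using Border nodes to connect the DHCP server is the recommended approach, but it requires careful design consideration. This is because the Border must be configured for L2 handoff on a per-interface basis. This allows the fabric pool to be handed off to the same VLAN as in the fabric or to a different one. This flexibility in VLAN IDs between Fabric Edges and Borders is possible because both map to the same L2 LISP instance ID. L2 handoff physical ports must not be enabled simultaneously with the same VLAN, to prevent Layer 2 loops in the SD-Access network. For redundancy, methods such as StackWise Virtual, FlexLink+, or EEM scripts are required.
In contrast, connecting the DHCP server or gateway router to a Fabric Edge requires no additional configuration.
L2 Handoff Configuration
Fabric Border/CP (192.168.0.201) Configuration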
ipv6 nd raguard policy dnac-sda-permit-nd-raguardv6
device-role router
ipv6 dhcp guard policy dnac-sda-permit-dhcpv6
device-role server
vlan configuration 31
ipv6 nd raguard attach-policy dnac-sda-permit-nd-raguardv6
ipv6 dhcp guard attach-policy dnac-sda-permit-dhcpv6
cts role-based enforcement vlan-list 31
vlan 31
name L2_Only_Wireless
ip igmp snooping querier
no ip igmp snooping vlan 1031 querier
no ip igmp snooping vlan 1031
no ipv6 mld snooping vlan 1031
router lisp
instance-id 8240
remote-rloc-probe on-route-change
service ethernet
eid-table vlan 31
broadcast-underlay 239.0.17.1
flood unknown-unicast
flood access-tunnel 232.255.255.1 vlan 1021
database-mapping mac locator-set rloc_91947dad-3621-42bd-ab6b-379ecebb5a2b
exit-service-ethernet
interface TenGigabitEthernet1/0/44
switchport mode trunk <-- DHCP Relay/Server interface
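The Fabric Edge is configured to forward broadcast packets to the access points through the Flood Access Tunnel mechanism. These packets are encapsulated into multicast group 232.255.255.1 on the INFRA-VN VLAN. The access points join this multicast group automatically, because their site tag is preconfigured to use it.
WLC#show ap name AP1 config general | i Site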
Site Tag Name : RTP-Site-Tag-3
WLC#show wireless tag site detailed RTP-Site-Tag-3
Site Tag Name : RTP-Site-Tag-3
Description : Site Tag RTP-Site-Tag-3
----------------------------------------
AP Profile : default-ap-profile
Local-site : Yes
Image Download Profile: default
Fabric AP DHCP Broadcast : Enabled
Fabric Multicast Group IPv4 Address : 232.255.255.1
RTP-Site-Tag-3 Load : 0
From the access point, upon fabric wireless endpoint association, a VXLAN tunnel is formed (dynamic on the AP side, always-on on the Fabric Edge side). Within this tunnel, the CAPWAP fabric multicast group is verified with commands from the AP terminal.
AP1#show ip tunnel fabric
Fabric GWs Information:
Tunnel-Id GW-IP GW-MAC Adj-Status Encap-Type Packet-In Bytes-In Packet-Out Bytes-out
1 192.168.0.101 00:00:0C:9F:F2:BC Forward VXLAN 1117063026 1019814432 1116587492 980205146
AP APP Fabric Information:
GW_ADDR ENCAP_TYPE VNID SGT FEATURE_FLAG GW_SRC_MAC GW_DST_MAC
AP1#show capwap mcast
IPv4 Multicast:
Vlan Group IP Version Query Timer Sent QRV left Port
0 232.255.255.1 2 972789.691334200 140626 2 0
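From the Fabric Edge side, confirm that IGMP snooping is enabled for the INFRA-VN AP VLAN, that the access point has formed an access-tunnel interface, and that it has joined multicast group 232.255.255.1.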
Edge-1#show ip igmp snooping vlan 1021 | i IGMP
Global IGMP Snooping configuration:
IGMP snooping : Enabled
IGMPv3 snooping : Enabled
IGMP snooping : Enabled
IGMPv2 immediate leave : Disabled
CGMP interoperability mode : IGMP_ONLY
Edge-1#show ip igmp snooping groups vlan 1021 232.255.255.1
Vlan Group Type Version Port List
-----------------------------------------------------------------------
1021 232.255.255.1 igmp v2 Te1/0/12 ----- Access Point Port
Edge-1#show device-tracking database interface te1/0/12 | be Network
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
DH4 172.16.1.7 dc8c.3756.99bc Te1/0/12 1021 0024 1s REACHABLE 251 s(76444 s)
Edge-1#show access-tunnel summary
Access Tunnels General Statistics:
Number of AccessTunnel Data Tunnels = 1
Name RLOC IP(Source) AP IP(Destination) VRF ID Source Port Destination Port
------ --------------- ------------------ ------ ----------- ----------------
Ac2 192.168.0.101 172.16.1.7 0 N/A 4789
<snip>
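These verifications confirm that wireless multicast is successfully enabled across the access point, the Fabric Edge, and the Wireless LAN Controller.
Traffic Flow - DHCP Discover and Request in L2 Only
Identify the state of the wireless endpoint, the access point it is connected to, and the associated fabric attributes.
WLC#show wireless client summary | i MAC|-|4822.54dc.6a15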
MAC Address AP Name Type ID State Protocol Method Role
-------------------------------------------------------------------------------------------------------------------------
4822.54dc.6a15 AP1 WLAN 17 Run 11n(2.4) MAB Local
WLC#show wireless client mac 4822.54dc.6a15 detail | se AP Name|Policy Profile|Fabric
AP Name: AP1
Policy Profile : RTP_POD1_SSID_profile
Fabric status : Enabled
RLOC : 192.168.0.101
VNID : 8232
SGT : 0
Control plane name : default-control-plane
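It is crucial to confirm that the central switching and central DHCP features are disabled in the policy profile. The commands "no central dhcp" and "no central switching" must be configured in the policy profile for the SSID.
WLC#show wireless profile policy detailed RTP_POD1_SSID_profile | i Central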
Flex Central Switching : DISABLED
Flex Central Authentication : ENABLED
Flex Central DHCP : DISABLED
VLAN based Central Switching : DISABLED
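These verifications confirm that the endpoint is connected to "AP1", which is associated with Fabric Edge RLOC 192.168.0.101. Consequently, its traffic is encapsulated through VXLAN (VNID 8232) for transport from the access point to the Fabric Edge.
During endpoint onboarding, the WLC registers the MAC address of the wireless endpoint with the fabric control plane. At the same time, the control plane notifies the Fabric Edge node (the one the access point is connected to) to create a special "CP_LEARN" MAC learning entry that points to the access-tunnel interface of the access point.
Edge-1#show lisp session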
Sessions for VRF default, total: 2, established: 2
Peer State Up/Down In/Out Users
192.168.0.201:4342 Up 2w2d 806/553 44
192.168.0.202:4342 Up 2w2d 654/442 44
Edge-1#show lisp instance-id 8232 ethernet database wlc 4822.54dc.6a15
WLC clients/access-points information for LISP 0 EID-table Vlan 1031 (IID 8232)
Hardware Address: 4822.54dc.6a15
Type: client
Sources: 2
Tunnel Update: Signalled
Source MS: 192.168.0.201
RLOC: 192.168.0.101
Up time: 1w6d
Metadata length: 34
Metadata (hex): 00 01 00 22 00 01 00 0C AC 10 01 07 00 00 10 01
00 02 00 06 00 00 00 03 00 0C 00 00 00 00 68 99
6A D2
Edge-1#show mac address-table address 4822.54dc.6a15
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1031 4822.54dc.6a15 CP_LEARN Ac2
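This stage is considered complete if the MAC address of the endpoint is correctly learned through the access-tunnel interface that corresponds to the access point it is connected to.
When DHCP snooping is disabled, DHCP broadcasts are not blocked; instead, they are encapsulated in multicast for Layer 2 flooding. Conversely, enabling DHCP snooping prevents these broadcast packets from being flooded.
Edge-1#show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
12-13,50,52-53,333,1021-1026
DHCP snooping is operational on following VLANs:
12-13,50,52-53,333,1021-1026 <-- VLAN1031 should not be listed, as DHCP snooping must be disabled in L2 Only pools.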
Proxy bridge is configured on following VLANs:
1024
Proxy bridge is operational on following VLANs:
1024
<snip>
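The check above can be scripted when many edges have to be audited. The following is an added example, not part of the original Cisco document: it parses `show ip dhcp snooping` text and reports any L2 Only VLAN that appears in the configured or operational list. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample, modeled on the `show ip dhcp snooping` output above
# (including an inline "<--" annotation and a trailing <snip>).
SAMPLE = """\
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
12-13,50,52-53,333,1021-1026
DHCP snooping is operational on following VLANs:
12-13,50,52-53,333,1021-1026 <-- VLAN1031 should not be listed
Proxy bridge is configured on following VLANs:
1024
Proxy bridge is operational on following VLANs:
1024
<snip>
"""

SECTION = re.compile(
    r"^DHCP snooping is (configured|operational) on following VLANs:\s*(.*)$")
VLAN_LIST = re.compile(r"^(none|[\d,\-\s]+)$", re.IGNORECASE)


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '12-13,50' into {12, 13, 50}."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part or part.lower() == "none":
            continue
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_snooping(output):
    """Return {'configured': set, 'operational': set} for DHCP snooping only."""
    state = {"configured": set(), "operational": set()}
    current = None
    for raw in output.splitlines():
        line = raw.split("<--")[0].strip()   # drop inline annotations
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            current = header.group(1)
            state[current] |= expand_vlans(header.group(2))
        elif current and VLAN_LIST.match(line):
            # VLAN list printed (or wrapped) on the lines after the header
            state[current] |= expand_vlans(line)
        else:
            current = None                   # any other line ends the section
    return state


def snooping_conflicts(output, l2_only_vlans):
    """Return {vlan: [states]} for L2 Only VLANs listed under DHCP snooping.

    An empty dict means no L2 Only VLAN is subject to DHCP flood control.
    """
    state = parse_snooping(output)
    conflicts = {}
    for vlan in l2_only_vlans:
        hits = [s for s in ("configured", "operational") if vlan in state[s]]
        if hits:
            conflicts[vlan] = hits
    return conflicts


if __name__ == "__main__":
    print(snooping_conflicts(SAMPLE, [1031]))        # healthy L2 Only VLAN
    print(snooping_conflicts(SAMPLE, [1031, 1021]))  # 1021 has snooping on
```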
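Because DHCP snooping is disabled, the DHCP Discover/Request uses the L2LISP0 interface, and the traffic is bridged through L2 flooding. Depending on the Catalyst Center version and the applied Fabric Banners, the L2LISP0 interface can have access lists configured in both directions; therefore, make sure that no access control entry (ACE) explicitly denies DHCP traffic (UDP ports 67 and 68).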
interface L2LISP0
ip access-group SDA-FABRIC-LISP in
ip access-group SDA-FABRIC-LISP out
Edge-1#show access-list SDA-FABRIC-LISP
Extended IP access list SDA-FABRIC-LISP
10 deny ip any host 224.0.0.22
20 deny ip any host 224.0.0.13
30 deny ip any host 224.0.0.1
40 permit ip any any
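Use the broadcast-underlay group configured for the L2LISP instance and the Loopback0 IP address of the Fabric Edge to verify the L2 flooding (S,G) entry that bridges this packet to the other fabric nodes. Consult the mroute and mfib tables to validate parameters such as the incoming interface, the outgoing interface list, and the forwarding counters.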
Edge-1#show ip interface loopback 0 | i Internet
Internet address is 192.168.0.101/32
Edge-1#show running-config | se 8232
interface L2LISP0.8232
instance-id 8232
remote-rloc-probe on-route-change
service ethernet
eid-table vlan 1031
broadcast-underlay 239.0.17.1
Edge-1#show ip mroute 239.0.17.1 192.168.0.101 | be \(
(192.168.0.101, 239.0.17.1), 00:00:19/00:03:17, flags: FT
Incoming interface: Null0, RPF nbr 0.0.0.0 <-- Local S,G IIF must be Null0
Outgoing interface list:
TenGigabitEthernet1/1/2, Forward/Sparse, 00:00:19/00:03:10, flags: <-- 1st OIF = Te1/1/2 = Border2 Uplink
TenGigabitEthernet1/1/1, Forward/Sparse, 00:00:19/00:03:13, flags: <-- 2nd OIF = Te1/1/1 = Border1 Uplink
Edge-1#show ip mfib 239.0.17.1 192.168.0.101 count
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Default
13 routes, 6 (*,G)s, 3 (*,G/m)s
Group: 239.0.17.1
Source: 192.168.0.101,
SW Forwarding: 1/0/392/0, Other: 1/1/0
HW Forwarding: 7/0/231/0, Other: 0/0/0 <-- HW Forwarding counters (First counter = Pkt Count) must increase
Totals - Source count: 1, Packet count: 8
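Tip: If the (S,G) entry is not found, or the outgoing interface list (OIL) contains no outgoing interfaces (OIFs), this indicates a problem with the underlay multicast configuration or operation.
Configure a simultaneous embedded packet capture on the switch to record both the ingress DHCP packet from the AP and the corresponding egress packet for L2 flooding.
Fabric Edge (192.168.0.101) Packet Captures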
monitor capture cap interface TenGigabitEthernet1/0/12 IN <-- Access Point Port
monitor capture cap interface TenGigabitEthernet1/1/1 OUT <-- Multicast Route (L2 Flooding) OIF
monitor capture cap match any
monitor capture cap buffer size 100
monitor capture cap limit pps 1000
monitor capture cap start
monitor capture cap stop
Upon packet capture, three distinct packets must be observed:
Edge-1#show monitor capture cap buffer display-filter "bootp and dhcp.hw.mac_addr==4822.54dc.6a15" <-- 4822.54dc.6a15 is the endpoint MAC
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
129 4.865410 0.0.0.0 -> 255.255.255.255 DHCP 394 DHCP Discover - Transaction ID 0x824bdf45 <-- From AP to Edge
130 4.865439 0.0.0.0 -> 255.255.255.255 DHCP 420 DHCP Discover - Transaction ID 0x824bdf45 <-- From AP to WLC
131 4.865459 0.0.0.0 -> 255.255.255.255 DHCP 394 DHCP Discover - Transaction ID 0x824bdf45 <-- From Edge to L2 Flooding Group
Edge-1#show monitor capture cap buffer display-filter "bootp and dhcp.hw.mac_addr==4822.54dc.6a15 and vxlan"
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
129 4.865410 0.0.0.0 -> 255.255.255.255 DHCP 394 DHCP Discover - Transaction ID 0x824bdf45
131 4.865459 0.0.0.0 -> 255.255.255.255 DHCP 394 DHCP Discover - Transaction ID 0x824bdf45
Edge-1#show monitor capture cap buffer display-filter "bootp and dhcp.hw.mac_addr==4822.54dc.6a15 and udp.port==5247"
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
130 4.865439 0.0.0.0 -> 255.255.255.255 DHCP 420 DHCP Discover - Transaction ID 0x824bdf45
Edge-1#show monitor capture cap buffer display-filter "bootp and dhcp.hw.mac_addr==4822.54dc.6a15 and vxlan" detail | i Internet
Internet Protocol Version 4, Src: 172.16.1.7, Dst: 192.168.0.101 <-- From AP to Edge
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
Internet Protocol Version 4, Src: 192.168.0.101, Dst: 239.0.17.1 <-- From Edge to Upstream (Layer 2 Flooding)
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
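Tip: In Fabric-Enabled Wireless, VXLAN-encapsulated packets carry the DHCP traffic to the client or the server. CAPWAP DATA (UDP 5247) encapsulated packets, however, are sent to the WLC only for tracking purposes, such as the IP Learn state or wireless device-tracking.
After the Edge sends the DHCP Discover and Request packets through Layer 2 flooding (encapsulated with broadcast-underlay group 239.0.17.1), the packets are received by the L2 handoff Border, specifically Border/CP-1 in this scenario.
For this to happen, Border/CP-1 must have a multicast route with the (S,G) of the Edge, and its outgoing interface list must include the L2LISP instance of the L2 handoff VLAN. It is important to note that L2 handoff Borders share the same L2LISP instance ID, even when they use different VLANs for the handoff.
BorderCP-1#show vlan id 31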
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
31 L2_Only_Wireless active L2LI0:8232, Te1/0/44
BorderCP-1#show ip mroute 239.0.17.1 192.168.0.101 | be \(
(192.168.0.101, 239.0.17.1), 00:03:20/00:00:48, flags: MTA
Incoming interface: TenGigabitEthernet1/0/42, RPF nbr 192.168.98.3 <-- IIF Te1/0/42 is the RPF interface for 192.168.0.101 (Edge RLOC)
Outgoing interface list:
TenGigabitEthernet1/0/26, Forward/Sparse, 00:03:20/00:03:24, flags:
L2LISP0.8232, Forward/Sparse-Dense, 00:03:20/00:02:39, flags:
BorderCP-1#show ip mfib 239.0.17.1 192.168.0.101 count
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Default
13 routes, 6 (*,G)s, 3 (*,G/m)s
Group: 239.0.17.1
Source: 192.168.0.101,
SW Forwarding: 1/0/392/0, Other: 0/0/0
HW Forwarding: 3/0/317/0, Other: 0/0/0 <-- HW Forwarding counters (First counter = Pkt Count) must increase
Totals - Source count: 1, Packet count: 4
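Tip: If the (S,G) entry is not found, this indicates a problem with the underlay multicast configuration or operation. If the L2LISP for the required instance is not present as an OIF, this indicates a problem with the operational UP/DOWN state of the L2LISP sub-interface or with the IGMP enablement state of the L2LISP interface.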
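The two tips about the L2 flooding (S,G) entry (on the sending Edge and on the receiving Border) can be turned into one automated check. The following is an added example, not part of the original Cisco document: it parses `show ip mroute` text, applies the rules from both tips, and compares two `show ip mfib ... count` samples to confirm the HW Forwarding packet counter increases. Function names and the sample outputs are constructed for illustration.

```python
import re

SG = re.compile(r"^\((\d+(?:\.\d+){3}),\s*(\d+(?:\.\d+){3})\),.*flags:\s*(\S*)")
IIF = re.compile(r"^Incoming interface:\s*([^,\s]+),\s*RPF nbr\s*(\S+)")
OIF = re.compile(r"^([^,\s]+),\s*Forward/")
HW = re.compile(r"^HW Forwarding:\s*(\d+)/")

# Constructed samples, modeled on the mroute outputs shown in this document.
LOCAL_SG = """\
(192.168.0.101, 239.0.17.1), 00:00:19/00:03:17, flags: FT
Incoming interface: Null0, RPF nbr 0.0.0.0 <-- Local S,G IIF must be Null0
Outgoing interface list:
TenGigabitEthernet1/1/2, Forward/Sparse, 00:00:19/00:03:10, flags:
TenGigabitEthernet1/1/1, Forward/Sparse, 00:00:19/00:03:13, flags:
"""
REMOTE_SG_NO_L2LISP = """\
(192.168.0.101, 239.0.17.1), 00:03:20/00:00:48, flags: MTA
Incoming interface: TenGigabitEthernet1/0/42, RPF nbr 192.168.98.3
Outgoing interface list:
TenGigabitEthernet1/0/26, Forward/Sparse, 00:03:20/00:03:24, flags:
"""


def parse_sg(output):
    """Return the first (S,G) entry found in `show ip mroute` text, or None."""
    entry = None
    for raw in output.splitlines():
        line = raw.split("<--")[0].strip()      # drop inline annotations
        sg = SG.match(line)
        if sg:
            if entry:
                break                           # only the first (S,G) is used
            entry = {"source": sg.group(1), "group": sg.group(2),
                     "flags": sg.group(3), "iif": None, "oil": []}
        elif entry:
            iif, oif = IIF.match(line), OIF.match(line)
            if iif:
                entry["iif"] = iif.group(1)
            elif oif:
                entry["oil"].append(oif.group(1))
    return entry


def diagnose(output, local_rloc, l2lisp_iid):
    """Apply the tips above; return a list of findings (empty means healthy)."""
    entry = parse_sg(output)
    if entry is None:
        return ["no (S,G) entry: check underlay multicast configuration/operation"]
    findings = []
    if entry["source"] == local_rloc:
        # Locally sourced flooding: IIF is Null0 and the OIL must not be empty.
        if entry["iif"] != "Null0":
            findings.append("local (S,G) IIF is %s, expected Null0" % entry["iif"])
        if not entry["oil"]:
            findings.append("empty OIL: check underlay multicast configuration/operation")
    elif "L2LISP0.%d" % l2lisp_iid not in entry["oil"]:
        # Remote source: the L2LISP sub-interface must be an OIF to decapsulate.
        findings.append("L2LISP0.%d missing from OIL: check L2LISP sub-interface "
                        "state and IGMP enablement" % l2lisp_iid)
    return findings


def hw_packet_count(mfib_output):
    """First counter (Pkt Count) of the 'HW Forwarding' line, or None."""
    for raw in mfib_output.splitlines():
        m = HW.match(raw.strip())
        if m:
            return int(m.group(1))
    return None


def counters_increasing(before, after):
    """True when the HW packet count grew between two mfib samples."""
    a, b = hw_packet_count(before), hw_packet_count(after)
    return a is not None and b is not None and b > a


if __name__ == "__main__":
    print(diagnose(LOCAL_SG, "192.168.0.101", 8232))
    print(diagnose(REMOTE_SG_NO_L2LISP, "192.168.0.201", 8232))
```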
As on the Fabric Edge node, make sure that no access control entry denies the ingress DHCP packet on the L2LISP0 interface.
BorderCP-1#show ip access-lists SDA-FABRIC-LISP
Extended IP access list SDA-FABRIC-LISP
10 deny ip any host 224.0.0.22
20 deny ip any host 224.0.0.13
30 deny ip any host 224.0.0.1
40 permit ip any any
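After the packet is decapsulated and placed on the VLAN that matches VNI 8240, its broadcast nature dictates that it is flooded out of all Spanning Tree Protocol forwarding ports of handoff VLAN 141.
BorderCP-1#show spanning-tree vlan 31 | be Interface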
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Te1/0/44 Desg FWD 2000 128.56 P2p
The Device-Tracking table confirms that interface Te1/0/44, which connects to the gateway/DHCP relay, must be an STP forwarding port.
BorderCP-1#show device-tracking database address 172.16.141.254 | be Network
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
ARP 172.16.131.254 f87b.2003.7fd5 Te1/0/44 31 0005 34s REACHABLE 112 s try 0
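Configure a simultaneous embedded packet capture on the switch to record both the incoming DHCP packet from L2 flooding (the S,G incoming interface) and the corresponding egress packet to the DHCP relay. Upon packet capture, two distinct packets are expected: the VXLAN-encapsulated packet from Edge-1, and the decapsulated packet that goes to the DHCP relay.
Fabric Border/CP (192.168.0.201) Packet Captures
monitor capture cap interface TenGigabitEthernet1/0/42 IN <-- Ingress interface for Edge's S,G Mroute (192.168.0.101, 239.0.17.1)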
monitor capture cap interface TenGigabitEthernet1/0/44 OUT <-- Interface that connects to the DHCP Relay
monitor capture cap match any
monitor capture cap buffer size 100
monitor capture cap start
monitor capture cap stop
BorderCP-1#show monitor capture cap buffer display-filter "bootp and dhcp.hw.mac_addr==4822.54dc.6a15"
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
324 16.695022 0.0.0.0 -> 255.255.255.255 DHCP 394 DHCP Discover - Transaction ID 0x824bdf45 <-- 394 is the Length of the VXLAN encapsulated packet
325 10.834141 0.0.0.0 -> 255.255.255.255 DHCP 420 DHCP Discover - Transaction ID 0x168bd882 <-- 420 is the Length of the CAPWAP encapsulated packet
326 16.695053 0.0.0.0 -> 255.255.255.255 DHCP 352 DHCP Discover - Transaction ID 0x824bdf45 <-- 352 is the Length of the VXLAN encapsulated packet
Packet 324: VXLAN Encapsulated
BorderCP-1#show monitor capture cap buffer display-filter "frame.number==324" detail | i Internet
Internet Protocol Version 4, Src: 192.168.0.101, Dst: 239.0.17.1
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
Packet 326: Plain (dot1Q cannot be captured at egress due to EPC limitations)
BorderCP-1#show monitor capture cap buffer display-filter "frame.number==326" detailed | i Internet
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
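At this point, the Discover/Request packet has exited the SD-Access fabric, which concludes this section. Before proceeding, however, one crucial parameter, the DHCP Broadcast flag, which is determined by the endpoint itself, dictates the forwarding scenario for the subsequent Offer or ACK packets. One of the Discover packets can be examined to inspect this flag.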
BorderCP-1#show monitor capture cap buffer display-filter "bootp.type==1 and dhcp.hw.mac_addr==4822.54dc.6a15" detailed | sect Dynamic
Dynamic Host Configuration Protocol (Discover)
Message type: Boot Request (1)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x00002030
Seconds elapsed: 3
Bootp flags: 0x8000, Broadcast flag (Broadcast)
1... .... .... .... = Broadcast flag: Broadcast <-- Broadcast Flag set by the Endpoint
.000 0000 0000 0000 = Reserved flags: 0x0000
Tip: bootp.type==1 can be used to filter only for Discover and Request packets.
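When a capture is exported and analyzed offline, the same flag can be read straight from the DHCP payload. The following is an added example, not part of the original Cisco document: it parses the fixed BOOTP header and the message-type option, then maps the client's Broadcast flag to the return path this document describes (L2 flooding for broadcast Offers/ACKs, L2LISP map-cache for unicast). The function names and the packet built by `build_discover` are constructed for illustration, and the mapping assumes the relay and server honor the flag.

```python
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s")   # 44 bytes
MAGIC = b"\x63\x82\x53\x63"                    # DHCP magic cookie at offset 236
OPTIONS_OFFSET = 240
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def cisco_mac(raw):
    """Format 6 raw bytes as a Cisco-style MAC (4822.54dc.6a15)."""
    digits = raw.hex()
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_dhcp(payload):
    """Parse the UDP payload of a DHCP packet into the fields used here."""
    if len(payload) < OPTIONS_OFFSET or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload (too short or no magic cookie)")
    (op, _htype, hlen, _hops, xid, _secs, flags,
     _ci, _yi, _si, giaddr, chaddr) = BOOTP.unpack_from(payload)
    msg_type = None
    i = OPTIONS_OFFSET
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # End option
            break
        if code == 0:                   # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):       # truncated option header
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:
            msg_type = MSG_TYPES.get(value[0], str(value[0]))
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "broadcast": bool(flags & 0x8000),   # top bit of the 16-bit flags field
        "client_mac": cisco_mac(chaddr[:hlen]),
        "giaddr": ".".join(str(b) for b in giaddr),
        "msg_type": msg_type,
    }


def expected_reply_path(payload):
    """Return path for the Offer/ACK, given the flag set by the endpoint."""
    return "l2-flooding" if parse_dhcp(payload)["broadcast"] else "l2lisp-map-cache"


def build_discover(mac, xid, broadcast):
    """Build a minimal, constructed DHCP Discover payload for testing."""
    chaddr = bytes.fromhex(mac.replace(".", "")).ljust(16, b"\x00")
    zero = b"\x00" * 4
    fixed = BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000 if broadcast else 0,
                       zero, zero, zero, zero, chaddr)
    # 192 bytes of sname/file, the magic cookie, option 53 = 1, End
    return fixed + bytes(192) + MAGIC + b"\x35\x01\x01\xff"


if __name__ == "__main__":
    for flag in (True, False):
        pkt = build_discover("4822.54dc.6a15", 0x00002030, flag)
        print(parse_dhcp(pkt), expected_reply_path(pkt))
```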
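Traffic Flow - Broadcast DHCP Offer and ACK in L2 Only
Now that the DHCP Discover has exited the SD-Access fabric, the DHCP relay inserts the traditional DHCP relay options (for example, GiAddr/Gateway IP Address) and forwards the packet as a unicast transmission to the DHCP server. In this flow, the SD-Access fabric does not append any special DHCP options.
When the server receives the DHCP Discover/Request, it honors the embedded Broadcast or Unicast flag. This flag dictates whether the DHCP relay agent forwards the DHCP Offer to the downstream device (our Borders) as a broadcast or a unicast frame. For this demonstration, a broadcast scenario is assumed.
When the DHCP relay sends a DHCP Offer or ACK, the L2BN node must learn the MAC address of the gateway, add it to its MAC address table, then to the L2/MAC SISF table, and finally to the L2LISP database for VLAN 141, mapped to L2LISP instance 8232.
BorderCP-1#show mac address-table interface te1/0/44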
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
31 f87b.2003.7fd5 DYNAMIC Te1/0/44
BorderCP-1#show vlan id 31
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
31 L2_Only_Wireless active L2LI0:8232, Te1/0/44
BorderCP-1#show device-tracking database mac | i 7fd5|vlan
MAC Interface vlan prlvl state Time left Policy Input_index
f87b.2003.7fd5 Te1/0/44 31 NO TRUST MAC-REACHABLE 61 s LISP-DT-GLEAN-VLAN 64
BorderCP-1#show lisp ins 8232 dynamic-eid summary | i Name|f87b.2003.7fd5
Dyn-EID Name Dynamic-EID Interface Uptime Last Pending
Auto-L2-group-8232 f87b.2003.7fd5 N/A 6d06h never 0
BorderCP-1#show lisp instance-id 8232 ethernet database f87b.2003.7fd5
LISP ETR MAC Mapping Database for LISP 0 EID-table Vlan 31 (IID 8232), LSBs: 0x1
Entries total 1, no-route 0, inactive 0, do-not-register 0
f87b.2003.7fd5/48, dynamic-eid Auto-L2-group-8240, inherited from default locator-set rloc_0f43c5d8-f48d-48a5-a5a8-094b87f3a5f7, auto-discover-rlocs
Uptime: 6d06h, Last-change: 6d06h
Domain-ID: local
Service-Insertion: N/A
Locator Pri/Wgt Source State
192.168.0.201 10/10 cfg-intf site-self, reachable
Map-server Uptime ACK Domain-ID
192.168.0.201 6d06h Yes 0
192.168.0.202 6d06h Yes 0
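This stage is considered complete if the MAC address of the gateway is correctly learned and the ACK flag is marked as "Yes" for the fabric control planes.
Without DHCP snooping enabled, DHCP broadcasts are not blocked and are encapsulated in multicast for Layer 2 flooding. Conversely, if DHCP snooping is enabled, it prevents DHCP broadcast packets from being flooded.
BorderCP-1#show ip dhcp snooping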
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
1001
DHCP snooping is operational on following VLANs:
1001 <-- VLAN31 should not be listed, as DHCP snooping must be disabled in L2 Only pools.
Proxy bridge is configured on following VLANs:
none
Proxy bridge is operational on following VLANs:
none
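Because DHCP snooping is not enabled on the L2 Border, no DHCP snooping trust configuration is required.
At this stage, the L2LISP ACL validation has already been done on both devices.
Use the broadcast-underlay group configured for the L2LISP instance and the Loopback0 IP address of the L2 Border to verify the L2 flooding (S,G) entry that bridges this packet to the other fabric nodes. Consult the mroute and mfib tables to validate parameters such as the incoming interface, the outgoing interface list, and the forwarding counters.
BorderCP-1#show ip int loopback 0 | i Internet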
Internet address is 192.168.0.201/32
BorderCP-1#show run | se 8232
interface L2LISP0.8232
instance-id 8232
remote-rloc-probe on-route-change
service ethernet
eid-table vlan 1031
broadcast-underlay 239.0.17.1
BorderCP-1#show ip mroute 239.0.17.1 192.168.0.201 | be \(
(192.168.0.201, 239.0.17.1), 1w5d/00:02:52, flags: FTA
Incoming interface: Null0, RPF nbr 0.0.0.0 <-- Local S,G IIF must be Null0
Outgoing interface list:
TenGigabitEthernet1/0/42, Forward/Sparse, 1w3d/00:02:52, flags: <-- Edge1 Downlink
TenGigabitEthernet1/0/43, Forward/Sparse, 1w3d/00:02:52, flags: <-- Edge2 Downlink
BorderCP-1#show ip mfib 239.0.17.1 192.168.0.201 count
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Default
13 routes, 6 (*,G)s, 3 (*,G/m)s
Group: 239.0.17.1
Source: 192.168.0.201,
SW Forwarding: 1/0/392/0, Other: 1/1/0
HW Forwarding: 92071/0/102/0, Other: 0/0/0 <-- HW Forwarding counters (First counter = Pkt Count) must increase
Totals - Source count: 1, Packet count: 92071
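Tip: If the (S,G) entry is not found, or the outgoing interface list (OIL) contains no outgoing interfaces (OIFs), this indicates a problem with the underlay multicast configuration or operation.
With these validations, and in terms of packet captures (similar to the previous steps), this section concludes, because the DHCP Offer is forwarded as a broadcast to all Fabric Edges through the contents of the outgoing interface list, in this case out of interfaces TenGig1/0/42 and TenGig1/0/43.
Exactly as in the previous flow, now verify the L2 Border S,G on the Fabric Edge, where the incoming interface points toward the L2BN and the OIL contains the L2LISP instance mapped to VLAN 1031.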
Edge-1#show vlan id 1031
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1031 L2_Only_Wireless active L2LI0:8232, Te1/0/2, Te1/0/17, Te1/0/18, Te1/0/19, Te1/0/20, Ac2, Po1
Edge-1#show ip mroute 239.0.17.1 192.168.0.201 | be \(
(192.168.0.201, 239.0.17.1), 1w3d/00:01:52, flags: JT
Incoming interface: TenGigabitEthernet1/1/2, RPF nbr 192.168.98.2 <-- IIF Te1/1/2 is the RPF interface for 192.168.0.201 (L2BN RLOC)
Outgoing interface list:
L2LISP0.8232, Forward/Sparse-Dense, 1w3d/00:02:23, flags:
Edge-1#show ip mfib 239.0.17.1 192.168.0.201 count
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Default
13 routes, 6 (*,G)s, 3 (*,G/m)s
Group: 239.0.17.1
Source: 192.168.0.201,
SW Forwarding: 1/0/96/0, Other: 0/0/0
HW Forwarding: 76236/0/114/0, Other: 0/0/0 <-- HW Forwarding counters (First counter = Pkt Count) must increase
Totals - Source count: 1, Packet count: 4
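Tip: If the (S,G) entry is not found, this indicates a problem with the underlay multicast configuration or operation. If the L2LISP for the required instance is not present as an OIF, this indicates a problem with the operational UP/DOWN state of the L2LISP sub-interface or with the IGMP enablement state of the L2LISP interface.
The L2LISP ACL validation has already been done on both devices.
After the packet is decapsulated and placed on the VLAN that matches VNI 8232, its broadcast nature dictates that it is flooded out of all wired Spanning Tree Protocol forwarding ports of VLAN 1031.
Edge-1#show spanning-tree vlan 1041 | be Interface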
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Te1/0/2 Desg FWD 20000 128.2 P2p Edge
Te1/0/17 Desg FWD 2000 128.17 P2p
Te1/0/18 Back BLK 2000 128.18 P2p
Te1/0/19 Desg FWD 2000 128.19 P2p
Te1/0/20 Back BLK 2000 128.20 P2p
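However, the interface where the DHCP Offer must be broadcast is the access-tunnel interface associated with the access point. This is possible only because "flood access-tunnel" is enabled on L2LISP IID 8232; otherwise, the packet is blocked from being forwarded to the AccessTunnel interface.
Edge-1#show lisp instance-id 8232 ethernet | se Multicast Flood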
Multicast Flood Access-Tunnel: enabled
Multicast Address: 232.255.255.1
Vlan ID: 1021
Edge-1#show ip igmp snooping groups vlan 1021 232.255.255.1
Vlan Group Type Version Port List
-----------------------------------------------------------------------
1021 232.255.255.1 igmp v2 Te1/0/12 <-- AP1 Port
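With the IGMP snooping entry for the multicast flood group, the DHCP Offer and ACK are forwarded to the physical port of the AP.
The DHCP Offer and ACK process remains consistent. Without DHCP snooping enabled, no entries are created in the DHCP snooping table. Consequently, the device-tracking entry for the DHCP-enabled endpoint is generated from gleaned ARP packets. Because DHCP snooping is disabled, commands such as "show platform dhcpsnooping client stats" are expected to display no data.
Edge-1#show device-tracking database interface Ac2 | be Network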
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
ARP 172.16.131.4 4822.54dc.6a15 Ac2 1031 0005 45s REACHABLE 207 s try 0
Edge-1#show ip dhcp snooping binding vlan 1041
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0
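Traffic Flow - Unicast DHCP Offer and ACK in L2 Only
This scenario is slightly different: the endpoint sets the DHCP Broadcast flag as unset, or "0".
The DHCP relay does not send the DHCP Offer/ACK as a broadcast but as a unicast packet, with a destination MAC address derived from the client hardware address inside the DHCP payload. This significantly changes how the SD-Access fabric handles the packet: it uses the L2LISP map-cache to forward the traffic, rather than the Layer 2 flooding multicast encapsulation method.
Fabric Border/CP (192.168.0.201) Packet Capture: Ingress DHCP Offer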
BorderCP-1#show monitor capture cap buffer display-filter "bootp.type==1 and dhcp.hw.mac_addr==4822.54dc.6a15" detailed | sect Dynamic
Dynamic Host Configuration Protocol (Discover)
Message type: Boot Request (1)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x00002030
Seconds elapsed: 0
Bootp flags: 0x0000, Broadcast flag (Unicast)
0... .... .... .... = Broadcast flag: Unicast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0
Your (client) IP address: 0.0.0.0
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: 48:22:54:dc:6a:15 (48:22:54:dc:6a:15)
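In this scenario, L2 flooding is used exclusively for Discover/Request, while Offers/ACKs are forwarded through the L2LISP map-caches, which simplifies the overall operation. Following unicast forwarding principles, the L2 Border queries the control plane for the destination MAC address. Assuming that "MAC learning and WLC notification" succeeded on the Fabric Edge, the control plane has this endpoint ID (EID) registered.
BorderCP-1#show lisp instance-id 8232 ethernet server 4822.54dc.6a15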
LISP Site Registration Information
Site name: site_uci
Description: map-server configured from Catalyst Center
Allowed configured locators: any
Requested EID-prefix:
EID-prefix: 4822.54dc.6a15/48 instance-id 8232
First registered: 00:53:30
Last registered: 00:53:30
Routing table tag: 0
Origin: Dynamic, more specific of any-mac
Merge active: No
Proxy reply: Yes
Skip Publication: No
Force Withdraw: No
TTL: 1d00h
State: complete
Extranet IID: Unspecified
Registration errors:
Authentication failures: 0
Allowed locators mismatch: 0
ETR 192.168.0.101:51328, last registered 00:53:30, proxy-reply, map-notify
TTL 1d00h, no merge, hash-function sha1
state complete, no security-capability
nonce 0xBB7A4AC0-0x46676094
xTR-ID 0xDEF44F0B-0xA801409E-0x29F87978-0xB865BF0D
site-ID unspecified
Domain-ID 1712573701
Multihoming-ID unspecified
sourced by reliable transport
Locator Local State Pri/Wgt Scope
192.168.0.101 yes up 10/10 IPv4 none
ETR 192.168.254.69:58507, last registered 00:53:30, no proxy-reply, no map-notify <-- Registered by the Wireless LAN Controller
TTL 1d00h, no merge, hash-function sha2
state complete, no security-capability
nonce 0x00000000-0x00000000
xTR-ID N/A
site-ID N/A
sourced by reliable transport
Affinity-id: 0 , 0
WLC AP bit: Clear
Locator Local State Pri/Wgt Scope
192.168.0.101 yes up 0/0 IPv4 none <-- RLOC of Fabric Edge with the Access Point where the endpoint is connected
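After the Border queries the control plane (local or remote), LISP resolution establishes a map-cache entry for the MAC address of the endpoint.
BorderCP-1#show lisp instance-id 8232 ethernet map-cache 4822.54dc.6a15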
LISP MAC Mapping Cache for LISP 0 EID-table Vlan 31 (IID 8232), 1 entries
4822.54dc.6a15/48, uptime: 4d07h, expires: 16:33:09, via map-reply, complete, local-to-site
Sources: map-reply
State: complete, last modified: 4d07h, map-source: 192.168.0.206
Idle, Packets out: 46(0 bytes), counters are not accurate (~ 00:13:12 ago)
Encapsulating dynamic-EID traffic
Locator Uptime State Pri/Wgt Encap-IID
192.168.0.101 4d07h up 10/10 -
With the RLOC resolved, the DHCP Offer is encapsulated as unicast and sent directly to Edge-1 at 192.168.0.101 with VNI 8240.
BorderCP-1#show mac address-table address aaaa.dddd.bbbb
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
31 4822.54dc.6a15 CP_LEARN L2LI0
BorderCP-1#show platform software fed switch active matm macTable vlan 141 mac aaaa.dddd.bbbb
VLAN MAC Type Seq# EC_Bi Flags machandle siHandle riHandle diHandle *a_time *e_time ports Con
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
31 4822.54dc.6a15 0x1000001 0 0 64 0x718eb52c48e8 0x718eb52c8b68 0x718eb44c6c18 0x0 0 1064 RLOC 192.168.0.101 adj_id 1044 No
BorderCP-1#
show ip route 192.168.0.101
Routing entry for 192.168.0.101/32
Known via "isis", distance 115, metric 20, type level-2
Redistributing via isis, bgp 65001T
Advertised by bgp 65001 level-2 route-map FABRIC_RLOC
Last update from 192.168.98.3 on TenGigabitEthernet1/0/42, 1w3d ago
Routing Descriptor Blocks:
* 192.168.98.3, from 192.168.0.101, 1w3d ago, via TenGigabitEthernet1/0/42
Route metric is 20, traffic share count is 1
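With the same methodology as in the previous sections, capture the ingress traffic from the DHCP relay and on the RLOC egress interface to observe the VXLAN encapsulation in unicast to the Edge RLOC.
The Edge receives the unicast DHCP Offer/ACK from the Border, decapsulates the traffic, and consults its MAC address table to determine the correct egress port. Unlike broadcast Offers/ACKs, the Edge node then forwards the packet only to the specific access tunnel where the endpoint is connected, instead of flooding it to all ports.
The MAC address table identifies port AccessTunnel2 as the virtual port associated with AP1.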
Edge-1#show mac address-table address 4822.54dc.6a15
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1031 4822.54dc.6a15 CP_LEARN Ac2
Edge-1#show interfaces accessTunnel 2 description
Interface Status Protocol Description
Ac2 up up Radio MAC: dc8c.37ce.58a0, IP: 172.16.1.7
Edge-1#show device-tracking database address 172.16.1.7 | be Network
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
DH4 172.16.1.7 dc8c.3756.99bc Te1/0/12 1021 0024 6s REACHABLE 241 s try 0(86353 s)
Edge-1#show cdp neighbors tenGigabitEthernet 1/0/12 | be Device
Device ID Local Intrfce Holdtme Capability Platform Port ID
AP1 Ten 1/0/12 119 R T AIR-AP480 Gig 0
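The DHCP Offer and ACK process remains consistent. Without DHCP snooping enabled, no entries are created in the DHCP snooping table. Consequently, the device-tracking entry for the DHCP-enabled endpoint is generated from gleaned ARP packets, not from DHCP. Because DHCP snooping is disabled, commands such as "show platform dhcpsnooping client stats" also display no data.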
Edge-1#show device-tracking database interface te1/0/2 | be Network
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
ARP 172.16.141.1 aaaa.dddd.bbbb Te1/0/2 1041 0005 45s REACHABLE 207 s try 0
Edge-1#show ip dhcp snooping binding vlan 1041
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0
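It is important to note that the SD-Access fabric does not influence the use of the Unicast or Broadcast flag, because this is solely an endpoint behavior. Although this behavior can be overridden by the DHCP relay or the DHCP server itself, both mechanisms are essential for seamless DHCP operation in an L2 Only environment: Layer 2 flooding with underlay multicast for broadcast Offers/ACKs, and proper endpoint registration in the control plane for unicast Offers/ACKs.
On the WLC, the DHCP transaction is monitored through RA-Trace.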
WLC#debug wireless mac 48:22:54:DC:6A:15 to-file bootflash:client6a15
RA tracing start event,
conditioned on MAC address: 48:22:54:dc:6a:15
Trace condition will be automatically stopped in 1800 seconds.
Execute 'no debug wireless mac 48:22:54:dc:6a:15' to manually stop RA tracing on this condition.
WLC#no debug wireless mac 48:22:54:dc:6a:15
RA tracing stop event,
conditioned on MAC address: 48:22:54:dc:6a:15
WLC#more flash:client6a15 | i DHCP
2025/08/11 06:13:48.600929726 {wncd_x_R0-0}{1}: [sisf-packet] [15981]: (info): RX: DHCPv4 from interface capwap_90000006 on vlan 1 Src MAC: 4822.54dc.6a15 Dst MAC: ffff.ffff.ffff src_ip: 0.0.0.0, dst_ip: 255.255.255.255, BOOTPREQUEST, SISF_DHCPDISCOVER, giaddr: 0.0.0.0, yiaddr: 0.0.0.0, CMAC: 4822.54dc.6a15
2025/08/11 06:13:50.606037404 {wncd_x_R0-0}{1}: [sisf-packet] [15981]: (info): RX: DHCPv4 from interface capwap_90000006 on vlan 1 Src MAC: f87b.2003.7fd5 Dst MAC: 4822.54dc.6a15 src_ip: 172.16.131.254, dst_ip: 172.16.131.4, BOOTPREPLY, SISF_DHCPOFFER, giaddr: 172.16.131.254, yiaddr: 172.16.131.4, CMAC: 4822.54dc.6a15
2025/08/11 06:13:50.609855406 {wncd_x_R0-0}{1}: [sisf-packet] [15981]: (info): RX: DHCPv4 from interface capwap_90000006 on vlan 1 Src MAC: 4822.54dc.6a15 Dst MAC: ffff.ffff.ffff src_ip: 0.0.0.0, dst_ip: 255.255.255.255, BOOTPREQUEST, SISF_DHCPREQUEST, giaddr: 0.0.0.0, yiaddr: 0.0.0.0, CMAC: 4822.54dc.6a15
2025/08/11 06:13:50.613054692 {wncd_x_R0-0}{1}: [sisf-packet] [15981]: (info): RX: DHCPv4 from interface capwap_90000006 on vlan 1 Src MAC: f87b.2003.7fd5 Dst MAC: 4822.54dc.6a15 src_ip: 172.16.131.254, dst_ip: 172.16.131.4, BOOTPREPLY, SISF_DHCPACK, giaddr: 172.16.131.254, yiaddr: 172.16.131.4, CMAC: 4822.54dc.6a15
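For longer traces, the Discover/Offer/Request/ACK sequence can be extracted programmatically. The following is an added example, not part of the original Cisco document: it parses `[sisf-packet]` lines in the format shown above, reports which stages are missing for a client, and tells whether the replies were delivered as unicast or broadcast frames. The function names are constructed for illustration, and the sample lines reuse the trace format from this section.

```python
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) .*?\[sisf-packet\].*?"
    r"Src MAC: (?P<src>\S+) Dst MAC: (?P<dst>\S+) .*?"
    r"SISF_DHCP(?P<kind>[A-Z]+), giaddr: (?P<giaddr>[\d.]+), "
    r"yiaddr: (?P<yiaddr>[\d.]+), CMAC: (?P<cmac>\S+)")

EXPECTED = ["DISCOVER", "OFFER", "REQUEST", "ACK"]
PREFIX = ("{wncd_x_R0-0}{1}: [sisf-packet] [15981]: (info): RX: DHCPv4 from "
          "interface capwap_90000006 on vlan 1 ")

# Constructed sample in the RA-Trace format shown above.
SAMPLE = [
    "2025/08/11 06:13:48.600929726 " + PREFIX +
    "Src MAC: 4822.54dc.6a15 Dst MAC: ffff.ffff.ffff src_ip: 0.0.0.0, "
    "dst_ip: 255.255.255.255, BOOTPREQUEST, SISF_DHCPDISCOVER, "
    "giaddr: 0.0.0.0, yiaddr: 0.0.0.0, CMAC: 4822.54dc.6a15",
    "2025/08/11 06:13:50.606037404 " + PREFIX +
    "Src MAC: f87b.2003.7fd5 Dst MAC: 4822.54dc.6a15 src_ip: 172.16.131.254, "
    "dst_ip: 172.16.131.4, BOOTPREPLY, SISF_DHCPOFFER, "
    "giaddr: 172.16.131.254, yiaddr: 172.16.131.4, CMAC: 4822.54dc.6a15",
    "2025/08/11 06:13:50.609855406 " + PREFIX +
    "Src MAC: 4822.54dc.6a15 Dst MAC: ffff.ffff.ffff src_ip: 0.0.0.0, "
    "dst_ip: 255.255.255.255, BOOTPREQUEST, SISF_DHCPREQUEST, "
    "giaddr: 0.0.0.0, yiaddr: 0.0.0.0, CMAC: 4822.54dc.6a15",
    "2025/08/11 06:13:50.613054692 " + PREFIX +
    "Src MAC: f87b.2003.7fd5 Dst MAC: 4822.54dc.6a15 src_ip: 172.16.131.254, "
    "dst_ip: 172.16.131.4, BOOTPREPLY, SISF_DHCPACK, "
    "giaddr: 172.16.131.254, yiaddr: 172.16.131.4, CMAC: 4822.54dc.6a15",
]


def dora_status(lines, client_mac):
    """Summarize the DHCP exchange seen by the WLC for one client MAC."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("cmac").lower() == client_mac.lower():
            events.append(m.groupdict())
    seen = [e["kind"] for e in events]
    replies = [e for e in events if e["kind"] in ("OFFER", "ACK")]
    # Replies addressed to ffff.ffff.ffff were sent as broadcast frames;
    # anything else was delivered as unicast to the client MAC.
    delivery = sorted({"broadcast" if e["dst"].lower() == "ffff.ffff.ffff"
                       else "unicast" for e in replies})
    ack = next((e for e in events if e["kind"] == "ACK"), None)
    return {
        "sequence": seen,
        "missing": [k for k in EXPECTED if k not in seen],
        "reply_delivery": delivery,
        "relay": replies[0]["giaddr"] if replies else None,
        "leased_ip": ack["yiaddr"] if ack else None,
    }


if __name__ == "__main__":
    print(dora_status(SAMPLE, "4822.54dc.6a15"))
    # Requests only: the replies never reached the AP, so the return path
    # (L2 flooding or map-cache, then the access tunnel) needs checking.
    requests_only = [l for l in SAMPLE if "BOOTPREQUEST" in l]
    print(dora_status(requests_only, "4822.54dc.6a15"))
```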
At the end of the transaction, the endpoint is added to the device-tracking database on the Wireless LAN Controller.
WLC#show wireless device-tracking database mac 4822.54dc.6a15
MAC VLAN IF-HDL IP ZONE-ID/VRF-NAME
--------------------------------------------------------------------------------------------------
4822.54dc.6a15 1 0x90000006 172.16.131.4 0x00000000
fe80::b070:b7e1:cc52:69ed 0x80000001
The entire DHCP transaction is debugged on the access point.
AP1#debug client 48:22:54:DC:6A:15
AP1#term mon
AP1#
Aug 11 05:37:47 AP1 kernel: [*08/11/2025 05:37:47.3530] [1754890667:353058] [AP1] [48:22:54:dc:6a:15] < wifi0> [U:W] DHCP_DISCOVER : TransId 0x76281006
Aug 11 05:37:47 AP1 kernel: [*08/11/2025 05:37:47.3531] chatter: dhcp_req_local_sw_nonat: 1754890667.353086: 0.0.0.0.68 > 255.255.255.255.67: udp 310
Aug 11 05:37:47 AP1 kernel: [*08/11/2025 05:37:47.3533] chatter: dhcp_from_inet: 1754890667.353287600: 0.0.0.0.68 > 255.255.255.255.67: udp 310
Aug 11 05:37:47 AP1 kernel: [*08/11/2025 05:37:47.3533] chatter: dhcp_reply_nonat: 1754890667.353287600: 0.0.0.0.68 > 255.255.255.255.67: udp 310
Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3587] chatter: dhcp_from_inet: 1754890669.358709760: 172.16.131.254.67 > 172.16.131.4.68: udp 309
Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3588] chatter: dhcp_reply_nonat: 1754890669.358709760: 172.16.131.254.67 > 172.16.131.4.68: udp 309
Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3589] [1754890669:358910] [AP1] [48:22:54:dc:6a:15] [D:W] DHCP_OFFER : TransId 0x76281006 tag:534
Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3671] [1754890669:367110] [AP1] [48:22:54:dc:6a:15] < wifi0> [U:W] DHCP_REQUEST : TransId 0x76281006
Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3671] chatter: dhcp_req_local_sw_nonat: 1754890669.367134760: 0.0.0.0.68 > 255.255.255.255.67: udp 336
Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3709] [1754890669:370945] [AP1] [48:22:54:dc:6a:15] [D:W] DHCP_ACK : TransId 0x76281006 tag:536
Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3733] [1754890669:373312] [AP1] [48:22:54:dc:6a:15] < wifi0> [D:A] DHCP_OFFER : TransId 0x76281006 [Tx Success] tag:534
Aug 11 05:37:49 AP1 kernel: [*08/11/2025 05:37:49.3983] [1754890669:398318] [AP1] [48:22:54:dc:6a:15] < wifi0> [D:A] DHCP_ACK : TransId 0x76281006 [Tx Success] tag:53
* U:W = Uplink Packet from Client to Wireless Driver
* D:W = Downlink Packet from Client to Click Module
* D:A = Downlink Packet from Client sent over the air
Revision | Publish Date | Comments |
---|---|---|
1.0 | 19-Aug-2025 | Initial Release |