[All About Switches] A DHCP Client Cannot Obtain an IP Address

Latest reply: Oct 26, 2016 11:34:44


About This Chapter
This chapter describes how to troubleshoot the faults that cause a DHCP client to be unable to obtain an IP address from a DHCP server. It also provides some typical troubleshooting cases and FAQs related to obtaining an IP address.
1.1  How DHCP Works
1.2  Common Commands
1.3  Troubleshooting Procedure
1.4  Typical Troubleshooting Cases
1.5  FAQs
1.1 How DHCP Works

Before figuring out why a DHCP client cannot obtain an IP address from a DHCP server, you must know how the DHCP client uses DHCP to obtain an IP address. Figure 1-1 shows DHCP message exchanges. The DHCP snooping device and DHCP relay agent may not be present, depending on how the live network forms. If they are not present, focus only on how the DHCP client and DHCP server exchange DHCP messages. The following description assumes that both a DHCP snooping device and a DHCP relay agent are deployed.
Figure 1-1 DHCP message exchange
http://forum.huawei.com/huaweiconnect/data/attachment/forum/201610/25/20161025160351583001.png
 
DHCP Message Exchange
1.         Upon access to a network the first time, a DHCP client broadcasts a Discover message to discover available DHCP servers. The source and destination IP addresses of the Discover message are all 0s and all 1s, respectively.
2.         Upon receipt of the DHCP Discover message, the DHCP snooping device forwards or discards the message. This depends on whether there is a trusted interface. If there is a trusted interface, the DHCP snooping device forwards the message to the DHCP relay agent (assume that this is the actual situation). If there are no trusted interfaces, the DHCP snooping device discards the message.
3.         Upon receipt of the DHCP Discover message, the DHCP relay agent unicasts it to a specified DHCP server according to the configuration on the relay agent.
4.         Based on the network segment where the source IP address of the Discover message resides, the DHCP server selects an IP address to be assigned to the DHCP client, encapsulates the IP address into an Offer message, and sends the Offer message to the DHCP relay agent.
5.         The DHCP relay agent forwards the unicast DHCP Offer message to the DHCP snooping device.
6.         The DHCP snooping device forwards the DHCP Offer message to the DHCP client.
7.         Upon receipt of the DHCP Offer message, the DHCP client broadcasts a DHCP Request message to inform possible DHCP servers that it has obtained an IP address. The DHCP Request message contains the selected DHCP server information and assigned IP address.
8.         Steps 8 through 12 are similar to steps 2 through 6. For details, see Figure 1-1.
DHCP Roles
• DHCP Client
A DHCP client uses DHCP to obtain its IP address and other parameters from a DHCP server. DHCP clients can be IP phones, PCs, mobile devices, or other networked devices.
• (Optional) DHCP Snooping Device
A DHCP snooping device can be configured with a trusted interface to ensure that a DHCP client obtains an IP address from a specified DHCP server. To prevent DHCP attacks, a DHCP snooping device can also be configured to record the mapping between the IP and MAC addresses of DHCP clients.
• (Optional) DHCP Relay Agent
A DHCP relay agent forwards the DHCP Discover message from a DHCP client to a DHCP server when the client and server reside on different network segments.
• DHCP Server
A DHCP server assigns IP addresses and other network parameters to DHCP clients.
1.2 Common Commands

DHCP faults are located based on statistics about DHCP message exchanges. The following commands are commonly used for DHCP fault locating.
Table 1-1 Common commands for locating DHCP protocol stack faults
| Command | Function |
|---|---|
| display dhcp packet enqueue statistics | A diagnostic command used to check the rate at which a device receives DHCP messages |
| display dhcp packet process statistics | A diagnostic command used to check the rate at which a device processes DHCP messages |
| debugging dhcp stack all | A debugging command used to enable the debugging on the DHCP protocol stack that sends and receives DHCP messages |

Table 1-2 Common commands for locating DHCP server faults
| Command | Function |
|---|---|
| display ip pool | A display command that shows the IP address pool information of a DHCP server |
| display dhcp server statistics | A display command that shows statistics about DHCP messages that a DHCP server sends and receives |
| debugging dhcp server all | A debugging command used to enable the debugging of DHCP server modules |
| debugging am all | A debugging command used to enable the debugging of the IP address pool management module |

Table 1-3 Common commands for locating DHCP relay agent faults
| Command | Function |
|---|---|
| display dhcp relay statistics | A display command that shows statistics about DHCP messages that a DHCP relay agent sends and receives |
| display dhcp relay | A display command that shows the DHCP server configurations on an interface of a DHCP relay agent |
| display dhcp server group | A display command that shows the DHCP server group configurations on a DHCP relay agent |
| debugging dhcp relay all | A debugging command used to enable the debugging of DHCP relay agent modules |

Table 1-4 Common commands for locating DHCP snooping device faults
| Command | Function |
|---|---|
| display dhcp snooping | A display command that shows the DHCP snooping configurations on an interface or in a VLAN |
| display dhcp snooping user-bind | A display command that shows the dynamic binding table on a DHCP snooping device |
| reset dhcp snooping user-bind | A reset command that deletes the dynamic binding table information from a DHCP snooping device |
| display dhcp snooping statistics | A display command that shows statistics about DHCP messages that a DHCP snooping device sends and receives |
| reset dhcp snooping statistics | A reset command that deletes statistics about DHCP messages that a DHCP snooping device sends and receives |
| debugging dhcp snooping all | A debugging command used to enable the debugging of DHCP snooping modules |

Table 1-5 Common commands for locating DHCP client faults
| Command | Function |
|---|---|
| display dhcp client | A display command that shows DHCP or BOOTP client information on an interface |
| display dhcp client statistics | A display command that shows DHCP message statistics on a DHCP or BOOTP client |
| debugging dhcp client all | A debugging command used to enable the debugging of DHCP client modules |

1.3 Troubleshooting Procedure

A DHCP client obtains an IP address from a DHCP server by exchanging DHCP messages with the server. Any device or link failure on the route from the client to the server may prevent the client from obtaining an IP address.
You can troubleshoot this failure in the following ways:
1.3.1 Checking Whether a Reachable Route Exists Between the DHCP Client and DHCP Server

Troubleshooting Roadmap
1.         Configure a static IP address for the DHCP client and use this IP address to ping the IP address of the DHCP server.
−           If the ping succeeds, the client is reachable to the server. In this situation, check whether DHCP configurations are correct.
−           If the ping fails, the client is unreachable to the DHCP server. Go to steps 2 and 3 for further troubleshooting.
2.         Determine the location where the ping fails from network segment to segment. This confines the ping failure to a specific network segment.
3.         Determine the reason why the ping fails from the collected traffic statistics or obtained packet headers.
For details about how to troubleshoot the ping failure, see "Ping and Tracert" in Maintenance Guide - Maintenance Topics.
Troubleshooting Example
In Figure 1-2, a DHCP client (PC1, MAC address: 5489-982D-78DB) resides on the same network segment as the DHCP server (SwitchA). SwitchA connects to SwitchB through VLANIF 100 that has the IP address 192.168.10.1. GE 0/0/2 on SwitchB is not configured to allow VLAN 100 to pass. The DHCP client cannot obtain an IP address from the DHCP server.
Figure 1-2 DHCP client and server residing on the same network segment
http://forum.huawei.com/huaweiconnect/data/attachment/forum/201610/25/20161025160352950002.png
 
1.         Configure IP address 192.168.10.10 for the DHCP client and use this IP address to ping the IP address of the DHCP server. The ping fails, indicating that the Layer 2 network has a problem.
PC>ping 192.168.10.1
 
Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
 
--- 192.168.10.1 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

2.         Run the display arp command on the DHCP server to check its ARP table. The command output shows that the ARP table does not contain the DHCP client's ARP entry, indicating that the request of the DHCP client and ping packet do not arrive at the DHCP server.
<SwitchA> display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE      
                                          VLAN 
------------------------------------------------------------------------------
192.168.10.1    4c1f-cc60-702b            I -  Vlanif100
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:0     Interface:1

3.         Run the display mac-address command on SwitchB to check SwitchB's MAC address table. The command output shows that SwitchB learns the DHCP client's MAC address but does not learn the DHCP server's MAC address. This indicates that the ping failure occurs on the route between SwitchB and the DHCP server.
<SwitchB> display mac-address
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID  
               VSI/SI                                              MAC-Tunnel  
-------------------------------------------------------------------------------
5489-982d-78db 100         -      -      Eth0/0/1        dynamic   0/-         
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1

4.         Check SwitchA's and SwitchB's interface information. The command output shows that SwitchB's uplink interface GE 0/0/2 is not configured to allow VLAN 100 to pass.
[SwitchA-GigabitEthernet0/0/1]display this 
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 100
#
return
[SwitchA-GigabitEthernet0/0/1]

[SwitchB-GigabitEthernet0/0/2]display this 
#
interface GigabitEthernet0/0/2
#
return
[SwitchB-GigabitEthernet0/0/2]

5.         Configure GE 0/0/2 to allow VLAN 100 to pass. The DHCP client then successfully pings the DHCP server.
[SwitchB-GigabitEthernet0/0/2]display this 
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
[SwitchB-GigabitEthernet0/0/2]

1.3.2 Checking Whether DHCP Configurations Are Correct

Checking the DHCP Server Configurations
Possible Faults
1.         Incomplete DHCP configurations
2.         No available IP addresses in the address pool
Troubleshooting Procedure
1.         For incomplete DHCP configurations:
Run the display current-configuration command to check whether the DHCP server functions are completely configured.
a.         Check whether the dhcp enable command is run to enable DHCP globally.
<HUAWEI> display current-configuration
#
dhcp enable
#

b.         Check whether a global address pool is configured in global address pool mode. If a DHCP relay agent is deployed, configure on the DHCP server an address pool on the same network segment as the one where the DHCP client resides.
<HUAWEI> display current-configuration
#
ip pool 1 
 gateway-list 192.168.10.1 
 network 192.168.10.0 mask 255.255.255.0 
#

c.         Check whether the dhcp select global or dhcp select interface command is run to enable the DHCP server function on the DHCP server interface that connects to the DHCP client. Note that the dhcp select global command applies to the global address pool mode, while the dhcp select interface command applies to the interface address pool mode.
<HUAWEI> display current-configuration
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 dhcp select global
#


2.         For no available IP addresses in the address pool:
Run the display ip pool command to check whether there are available IP addresses (indicated by the Idle field) in the DHCP server's address pool.
<HUAWEI> display ip pool interface Vlanif100                                
  Pool-name        : Vlanif100                                                   
  Pool-No          : 0                                                          
...
 -------------------------------------------------------------------------------
  Network section                                                                
         Start           End       Total    Used Idle(Expired) Conflict Disabled
 -------------------------------------------------------------------------------
     192.168.4.1   192.168.4.254     254       0        254(0)       0     0    
 -------------------------------------------------------------------------------

Check whether the value of Idle in the command output is 0:
−           If the value is not 0, the DHCP server has available IP addresses.
In this situation, check the DHCP relay agent configurations or check the DHCP snooping device configurations.
−           If the value is 0, the DHCP server does not have available IP addresses.
Use either of the solutions described in Table 1-6 to resolve this problem.
http://forum.huawei.com/huaweiconnect/data/attachment/forum/201610/25/20161025160353608003.jpg
Ensure that the following solutions do not affect network planning.
Table 1-6 Solutions to unavailable DHCP server IP address
Solution: Add IP addresses.
− Reduce the IP address mask.
− Assign DHCP clients to more VLANs to add interface address pools.
− Add DHCP servers.
Solution: Reduce IP address leases.
− Interface address pool: Run the dhcp server lease lease command in the interface view.
− Global address pool: Run the lease lease command in the global address pool view.

Checking the DHCP Relay Agent Configurations
Possible Faults
1.         DHCP disabled
2.         DHCP relay function disabled
3.         DHCP server IP address not specified or incorrect
Troubleshooting Procedure
Run the display current-configuration command in any view of the DHCP relay agent to check its configurations.
1.         Check whether the dhcp enable command is run to enable DHCP globally.
<HUAWEI> display current-configuration
#
dhcp enable
#

2.         Check whether the dhcp select relay command is run to enable the DHCP relay agent function.
<HUAWEI> display current-configuration
#
interface Vlanif100
 ip address 192.168.10.1 255.255.255.0
 dhcp select relay   
 dhcp relay server-ip 192.168.20.2
#

3.         Check whether the dhcp relay server-ip command is run to specify the DHCP server IP address on the DHCP relay agent.
Checking the DHCP Snooping Device Configurations
Possible Faults
• The DHCP snooping function is enabled, but no trusted interface is configured.
• The number of access users on an interface or in a VLAN reaches the maximum.
Troubleshooting Procedure
1.         Run the display dhcp snooping configuration command on the DHCP snooping device to check whether an interface is configured as a trusted interface using the dhcp snooping trusted command.
<HUAWEI> display dhcp snooping configuration
#
dhcp snooping enable   //Enable DHCP Snooping globally.
#
vlan 100
 dhcp snooping enable   //Enable DHCP Snooping for a VLAN.
#
interface GigabitEthernet0/0/3
 dhcp snooping trusted   //Configure the interface as a trusted interface.
#

By default, all interfaces are untrusted interfaces. A DHCP snooping device forwards DHCP requests and receives DHCP responses only through trusted interfaces. If no trusted interfaces are configured, the DHCP snooping device discards all received DHCP messages.
2.         Run the display dhcp snooping command on the DHCP snooping device to check whether the maximum number of access users is configured on an interface or in a VLAN. If the maximum number does not meet the requirement, run the dhcp snooping max-user-number command to adjust it.
<HUAWEI> display dhcp snooping
 DHCP snooping running information for VLAN 100 :
 DHCP snooping                            : Enable   
 Dhcp user max number                     : 1024     (default)  //Maximum number of DHCP users allowed in this VLAN
 Current dhcp user number                 : 3                   //Current number of access DHCP users in this VLAN
 Check dhcp-giaddr                        : Disable  (default)
 Check dhcp-chaddr                        : Disable  (default)
 Check dhcp-request                       : Disable  (default)
 Check dhcp-rate                          : Disable  (default)


1.3.3 Checking Where DHCP Message Exchanges Are Interrupted

Troubleshooting Procedure
Even if the DHCP client is reachable to the DHCP server in the ping test and the DHCP configurations are correct, DHCP message exchanges may also be interrupted. This is because DHCP messages are very special and different from ICMP packets used in ping tests.
Figure 1-3 DHCP message exchange
http://forum.huawei.com/huaweiconnect/data/attachment/forum/201610/25/20161025160351583001.png
 
In Figure 1-3, the failure of the DHCP client to obtain an IP address may occur on the four DHCP devices or three network segments. To determine the specific location, use any of the following methods:
1.         Run the following commands to check the number of DHCP messages sent and received by a specific DHCP device:
−           Run the display dhcp server statistics command on a DHCP server.
−           Run the display dhcp relay statistics command on a DHCP relay agent.
−           Run the display dhcp snooping statistics command on a DHCP snooping device.
2.         Mirroring
For detailed mirroring configuration, see "Mirroring Configuration" in Configuration Guide - Network Management and Monitoring in the S series switch product documentation.
3.         Packet header obtaining
Use a packet header obtaining software to obtain packet headers on the DHCP devices to see where DHCP messages are interrupted.
Solution
Table 1-7 Device Failure
| Device Type | Solution |
|---|---|
| Client | Restart the DHCP client. Disable and then re-activate the NIC. |
| DHCP service devices | If the problem is caused by high CPU usage, see maintenance topics about high CPU usage. Run the debugging dhcp { snooping \| relay \| server \| stack } error command in the user view to enable error debugging of the DHCP modules. Then, determine the reasons for errors based on the command output. Contact technical support personnel. |

1.4 Typical Troubleshooting Cases

1.4.1 A DHCP Server Cannot Receive a DHCP Request Message from a DHCP Client

Network Topology
In Figure 1-4, the PC (DHCP client) and DHCP server reside in different network segments. A DHCP snooping device is deployed between the DHCP relay agent and DHCP server.
Figure 1-4 Networking diagram
http://forum.huawei.com/huaweiconnect/data/attachment/forum/201610/25/20161025160354415004.png
 
Root Cause
The DHCP snooping device unexpectedly discards the DHCP Request message. This happens specifically:
1.         Because the DHCP client and server reside in different network segments, the DHCP relay agent fills its IP address in the GIADDR field of the Request message from the DHCP client.
2.         The dhcp snooping check dhcp-giaddr enable command is run on the DHCP snooping device to enable it to check whether the GIADDR field is 0 in the DHCP Request message.
3.         The DHCP snooping device finds that the GIADDR field is not 0 and therefore discards the DHCP Request message.
Solution
• If you do not want to change the network topology, run the undo dhcp snooping check dhcp-giaddr enable command on the DHCP snooping device to disable it from checking the GIADDR field in the DHCP Request message.
• If you want to change the network topology, remove the DHCP snooping device between the DHCP relay agent and DHCP server. Then, deploy the DHCP snooping function on a Layer 2 access device or the first DHCP relay agent.
Conclusion and Suggestion
To ensure that a DHCP snooping device can obtain parameters such as user MAC address information for generating a DHCP snooping binding table, deploy the DHCP snooping function on a Layer 2 access device or on the first DHCP relay agent between the DHCP client and server.
1.4.2 A Traffic Policy Discards DHCP Client Messages, Preventing the DHCP Client from Obtaining an IP Address

Network Topology
In Figure 1-5, SwitchA functions as a DHCP server and resides in the same network segment as the PC. The PC cannot obtain an IP address from the DHCP server.
Figure 1-5 Networking diagram
http://forum.huawei.com/huaweiconnect/data/attachment/forum/201610/25/20161025160355319005.png
 
Troubleshooting Procedure
1.         Run the display mac-address command on SwitchA. The command output shows that SwitchA learned the PC's MAC address, indicating that the Layer 2 network is functioning properly.
2.         Run the display ip pool command on SwitchA. The command output shows that SwitchA's address pool contains idle IP addresses, indicating that the DHCP server configurations are correct.
3.         Run the display current-configuration command on SwitchA to check its configurations. The command output shows that a traffic policy is configured on SwitchA. This policy permits only messages that contain specified IP addresses and denies messages from the PC.
[SwitchA] display current-configuration
...
#
acl number 3002
 rule 5 permit ip destination 192.168.30.1 0
 rule 10 permit ip destination 192.168.30.2 0
 rule 15 permit ip destination 192.168.30.3 0
 rule 20 permit ip destination 192.168.30.4 0
 rule 50 deny ip
#
traffic classifier c2 operator and
 if-match acl 3002
#
traffic behavior b2
 permit
#
traffic policy p2 match-order config
 classifier c2 behavior b2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
 traffic-policy p2 inbound   //The traffic policy is applied to the interface. This traffic policy discards all DHCP messages except those with specified IP addresses.
#
...

Root Cause
The DHCP Discover message from the PC is broadcast and hits rule 50 of ACL 3002 when arriving at the DHCP server. As a result, the message is discarded, and the PC cannot obtain an IP address.
Solution
Add a rule in ACL 3002 to allow the DHCP server to permit the DHCP messages from the PC.
rule 25 permit ip source 0.0.0.0 0
1.4.3 Some Users Cannot Obtain IP Addresses When Many DHCP Messages Are Sent to the CPU

Network Topology
In Figure 1-6, many DHCP clients connect to a DHCP server over an access device that has DHCP enabled.
Figure 1-6 Networking diagram
http://forum.huawei.com/huaweiconnect/data/attachment/forum/201610/25/20161025160356290006.png
 
Fault Symptom
These clients attempt to go online concurrently, but some of them cannot obtain an IP address.
Root Cause
DHCP devices send received DHCP messages to their CPUs for processing. If a large number of DHCP users go online concurrently or the Layer 2 network has a loop or is under DHCP attacks, these devices will receive a large number of DHCP messages within a short time. If the receiving rate exceeds the configured CPCAR value, the excess DHCP messages are discarded. As a result, some users cannot obtain IP addresses.
Solution
• Prevent many users from going online concurrently, or disable DHCP on the Layer 2 access device (not DHCP snooping device).
• Eliminate the possible loops from the Layer 2 network.
• Enable attack source tracing on the access device and configure a blacklist. If a user sends many suspicious DHCP messages, the attack source tracing function will detect the user's MAC address. Then, the blacklist filters out this MAC address.
Conclusion and Suggestion
• Do not run the dhcp enable command on a device that is not running any DHCP services.
• If an aggregation or core switch functions as a DHCP snooping device or relay agent, enable attack source tracing on the switch. If the switch detects DHCP attacks, it can quickly locate the attack source and take proper actions.
1.4.4 Port Security Configured on an Access Switch Prevents New Users from Obtaining IP Addresses

Problem Description
To prevent unauthorized MAC addresses from attacking a network, port security is configured on the Layer 2 access switch of the network, and the port-security max-mac-num max-number command is run to allow the access interface to learn a maximum of 30 MAC addresses. After the access switch is running for a while, new access users cannot obtain IP addresses or visit the gateway. Their services are interrupted.
Troubleshooting Procedure
1.         Run the display mac-address command to check the MAC address entries learned by the access switch. The command output shows that the switch has learned 30 sticky MAC addresses but does not learn the MAC address of its attached PC.
<HUAWEI> display mac-address
------------------------------------------------------------------------------- 
MAC Address          VLAN/VSI                    Learned-From          Type
 ------------------------------------------------------------------------------- 
0000-0000-0001          100/-                    GE0/0/1             sticky
...
0000-0000-0030          100/-                    GE0/0/1             sticky
------------------------------------------------------------------------------- 
 Total items displayed = 30

2.         Run the display this command on GE0/0/1. The command output shows that the interface has port security configured and can learn a maximum of 30 MAC addresses. This is the same as the number of the MAC addresses that the switch has learned in Step 1.
<HUAWEI-GigabitEthernet0/0/1> display this
#
interface GigabitEthernet0/0/1
 port-security enable
 port-security max-mac-num 30
#

3.         Delete port security from the interface. The PC can then obtain an IP address.
Root Cause
New access users cannot obtain IP addresses because of sticky MAC addresses. This happens specifically because:
1.         The interface converts its learned MAC addresses into sticky MAC addresses.
2.         Sticky MAC addresses cannot be aged or lost after the switch saves its configurations and restarts.
3.         The number of sticky MAC addresses reaches the threshold configured using the port-security max-mac-num max-number command. As a result, the switch stops learning new MAC addresses, and the new access users cannot obtain IP addresses.
Solution
Run the port-security max-mac-num command to set the threshold to the maximum value that the interface supports.
Conclusion and Suggestion
Port security filters DHCP messages. Configure port security according to the specific requirements, for example:
• If an interface is required to permit the MAC address of the first login user and deny the MAC addresses of the subsequent login users, run the port-security mac-address sticky command to configure the interface to learn only one sticky MAC address.
• If an interface is required to permit only 10 users, run the port-security enable command to enable port security and run the port-security max-mac-num command to configure the maximum number of MAC addresses that the interface can learn to 10.
• If an interface is required to permit a specific MAC address and 10 other dynamic MAC addresses, manually configure the specific MAC address, enable port security, and allow the interface to learn a maximum of 10 dynamic MAC addresses. This static MAC address does not occupy the specification resource of the dynamic MAC addresses.
1.4.5 A DHCP Client Cannot Obtain an IP Address from a DHCP Server That Has Idle IP Addresses

Problem Description
In Figure 1-7, there are six PCs on the network. The former five can obtain an IP address, but PC6 cannot. There are idle IP addresses in the DHCP server's global IP address pool.
Network Topology
Figure 1-7 Networking diagram
http://forum.huawei.com/huaweiconnect/data/attachment/forum/201610/25/20161025160357579007.png
 
Troubleshooting Procedure
1.         Check the network segment where PC6 resides. PC6 connects to the DHCP server through GE 0/0/1, which corresponds to VLANIF 100.
[SwitchB] interface GigabitEthernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] display this
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
[SwitchB-GigabitEthernet0/0/1] quit

[SwitchB] interface Vlanif 100
[SwitchB-Vlanif100] display this
#
interface Vlanif100
 ip address 192.168.10.241 255.255.255.248   //The gateway IP address is 192.168.10.241/29.
 dhcp select global
#

2.         The command output in Step 1 shows that PC6 is in the network segment of 192.168.10.240/29. Since the subnet mask is 29, the number of available IP addresses in this network segment is 5 (2^3 - 3 = 5; the reason for subtracting 3 is that the network address, broadcast address, and network gateway address are unavailable). Therefore, the former five PCs can obtain an IP address but PC6 cannot.
3.         Run the display ip pool command on the DHCP server to check its IP address pool information. The command output shows that the server has idle IP addresses. However, because the gateway IP address (GE 0/0/1's IP address) of PC6 has a small subnet mask, PC6 cannot obtain an IP address.
[SwitchB] display ip pool
  -----------------------------------------------------------------------
  Pool-name      : shuai
  Pool-No        : 0
  Position       : Local           Status           : Unlocked
  Gateway-0      : 192.168.10.241
  Mask           : 255.255.255.240   //The network segment of the DHCP server's address pool is 192.168.10.240/28.
  VPN instance   : --
 
 
  IP address Statistic
    Total       :13    
    Used        :5          Idle        :8     
    Expired     :0          Conflict    :0          Disable   :0

4.         Configure the IP address of GE 0/0/1 as 192.168.10.241/28. PC6 can then obtain an IP address from the DHCP server.
Root Cause
PC6 resides in the network segment of 192.168.10.240/29, which provides only five available IP addresses according to the subnet mask. As a result, PC6 cannot obtain an IP address.
Solution
Configure the subnet mask of VLANIF 100's IP address as 28. This is the same as the subnet mask of the global address pool of the DHCP server.
1.5 FAQs

1.5.1 Why DHCP Clients Cannot Obtain IP Addresses After DHCP Snooping Is Configured?

No Trusted Interface Is Configured
After DHCP snooping is enabled, all interfaces on the DHCP snooping device are untrusted by default. To enable a DHCP server to accept DHCP Discover messages from DHCP clients, run the dhcp snooping trusted command on the DHCP snooping device to configure the interface that connects to the DHCP server as a trusted interface. These clients can then obtain IP addresses from the DHCP server.
Incorrect Trusted Interface Configuration
The configured trusted interface is not the one that connects to the DHCP server.
1.5.2 Can the VLANIF Interface for a Super VLAN Have the DHCP Server Function Enabled?

Yes. The VLANIF interface for a super VLAN can have the DHCP server function enabled in V100R006 and later versions.
1.5.3 Can Non-DHCP Service Devices Have DHCP Enabled?

No. The reason is as follows:
1.         Non-DHCP service devices that have DHCP enabled send their received DHCP messages to their CPUs for processing.
2.         If many users go online concurrently or because of other reasons, such as a network loop, the network will be overwhelmed with DHCP messages. Those DHCP messages exceeding the CPCAR capability of the device are discarded. As a result, some or many DHCP clients cannot obtain IP addresses.
1.5.4 Can NAT Be Configured on a DHCP Relay Agent and a DHCP Server?

No.
1.5.5 Can a DHCP Snooping Device Be Deployed in the Uplink of a DHCP Relay Agent?

Yes, but you must run the undo dhcp snooping check dhcp-giaddr enable command to disable the DHCP snooping device from checking whether the GIADDR field in DHCP messages is 0. If the DHCP snooping device is enabled to check the GIADDR field, it discards any received DHCP messages whose GIADDR field is not 0. This is what happens when the DHCP snooping device is deployed in the uplink of the DHCP relay agent, because the relay agent fills the GIADDR field with the user gateway address. Configuring DHCP snooping on a Layer 2 access device is recommended.
This post was last edited by dota at 2016-10-29 15:11.
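The GIADDR check from section 1.4.1 and FAQ 1.5.5, worked through on the message bytes. This is an added example, not part of the original post or of Huawei's software: it parses a DHCP payload and applies the rule the page describes (discard when GIADDR is not 0). The function names, the transaction ID and the relay address 192.168.10.1 are assumptions; the packets are constructed, not captured.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options (RFC 2131)
FIXED_LEN = 236                      # BOOTP fixed header that precedes the cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_client_message(msg_type, chaddr, giaddr="0.0.0.0", hops=0):
    """Build a minimal BOOTREQUEST payload. Constructed sample data, not a capture."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, hops,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x1234ABCD, 0, 0x8000,         # xid (constructed), secs, broadcast flag
        bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,
        bytes.fromhex(chaddr.replace("-", "")).ljust(16, b"\x00"),
        bytes(64), bytes(128),         # sname, file
    )
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Extract the fields a snooping device inspects from a UDP 67/68 payload."""
    if len(payload) < FIXED_LEN + 4 or payload[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or magic cookie missing)")
    op, _htype, hlen, hops = struct.unpack_from("!BBBB", payload, 0)
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    msg_type = None
    i = FIXED_LEN + 4
    while i < len(payload):            # options are code/length/value triples
        code = payload[i]
        if code == 255:                # End option
            break
        if code == 0:                  # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        if code == 53 and length == 1:  # DHCP Message Type
            msg_type = payload[i + 2]
        i += 2 + length
    return {
        "op": op,
        "hops": hops,
        "giaddr": ipaddress.IPv4Address(payload[24:28]),
        "chaddr": payload[28:28 + hlen].hex("-", 2),
        "type": MSG_TYPES.get(msg_type, f"type-{msg_type}"),
    }


def giaddr_check(payload, check_enabled):
    """Return (verdict, reason) following the page's description of the check:
    when it is enabled, a message whose GIADDR is not 0 is discarded."""
    msg = parse_dhcp(payload)
    if check_enabled and int(msg["giaddr"]) != 0:
        return "discard", f"{msg['type']} from {msg['chaddr']} has giaddr {msg['giaddr']}"
    return "forward", f"{msg['type']} from {msg['chaddr']} passes (giaddr {msg['giaddr']})"


# Constructed samples: the same Request as sent by the client and as re-sent by
# the relay agent, which fills in its own address (192.168.10.1 is assumed here).
DIRECT = build_client_message(3, "5489-982d-78db")
RELAYED = build_client_message(3, "5489-982d-78db", giaddr="192.168.10.1", hops=1)

if __name__ == "__main__":
    for name, pkt in (("direct", DIRECT), ("relayed", RELAYED)):
        for enabled in (True, False):
            print(name, "check enabled" if enabled else "check disabled",
                  *giaddr_check(pkt, enabled))
```

On an access-facing snooping device, where clients send GIADDR 0, the check leaves normal traffic alone; upstream of a relay agent it drops every relayed message, which is the fault in section 1.4.1.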
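The ACL behaviour from section 1.4.2, as an added example that is not part of the original post: it evaluates ACL 3002 against a DHCP Discover before and after rule 25 is added. It assumes rules are checked in ascending rule-ID order with the first match deciding, and it parses only the rule forms shown on the page; the function names and the renewal packet's addresses (192.168.10.10 to 192.168.10.1) are constructed for illustration.

```python
import ipaddress
import re

# ACL 3002 as shown in section 1.4.2, and the rule the solution adds.
ACL_3002 = """\
rule 5 permit ip destination 192.168.30.1 0
rule 10 permit ip destination 192.168.30.2 0
rule 15 permit ip destination 192.168.30.3 0
rule 20 permit ip destination 192.168.30.4 0
rule 50 deny ip
"""
FIX_RULE = "rule 25 permit ip source 0.0.0.0 0"

RULE_RE = re.compile(
    r"^rule (?P<id>\d+) (?P<action>permit|deny) ip"
    r"(?: source (?P<src>\S+) (?P<src_wc>\S+))?"
    r"(?: destination (?P<dst>\S+) (?P<dst_wc>\S+))?$"
)


def _wildcard(text):
    """A wildcard is dotted, or a bare 0 meaning 'match this exact address'."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_acl(text):
    """Parse the subset of rule syntax used on the page into sorted rule dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        match = {}
        for field in ("src", "dst"):
            if m[field] is not None:
                match[field] = (int(ipaddress.IPv4Address(m[field])),
                                _wildcard(m[field + "_wc"]))
        rules.append({"id": int(m["id"]), "action": m["action"], "match": match})
    # Assumption: rules are evaluated in ascending rule-ID order.
    return sorted(rules, key=lambda r: r["id"])


def evaluate(rules, src, dst):
    """Return (rule_id, action) of the first rule the packet matches."""
    pkt = {"src": int(ipaddress.IPv4Address(src)),
           "dst": int(ipaddress.IPv4Address(dst))}
    for rule in rules:
        # Wildcard bits set to 1 are ignored; all remaining bits must be equal.
        if all(((pkt[f] ^ addr) & ~wc & 0xFFFFFFFF) == 0
               for f, (addr, wc) in rule["match"].items()):
            return rule["id"], rule["action"]
    return None, "no-match"


if __name__ == "__main__":
    before = parse_acl(ACL_3002)
    after = parse_acl(ACL_3002 + FIX_RULE)
    # DHCP Discover: source all 0s, destination all 1s (section 1.1, step 1).
    print("Discover, original ACL:", evaluate(before, "0.0.0.0", "255.255.255.255"))
    print("Discover, with rule 25:", evaluate(after, "0.0.0.0", "255.255.255.255"))
    # Constructed case: a unicast packet from a client that already has an address.
    print("Unicast from 192.168.10.10:", evaluate(after, "192.168.10.10", "192.168.10.1"))
```

Rule 25 matches on source 0.0.0.0 only, so in this model a unicast packet from an already-addressed client still falls through to rule 50.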
Created Oct 26, 2016 11:34:44

thank you