Case Study: STAs Fail to Access the Internet Because There Are Other DHCP Servers on the Network and the STAs Obtain IP Addresses on Other Network Segments
Symptom
As shown in the following figure, the S12700 functions as the service VLAN gateway, and the direct forwarding mode is used for wireless services. When a STA connects to an AP, there is a possibility that the STA obtains an IP address on another network segment and therefore fails to access the Internet.
Relevant Alarms and Logs
None
Cause Analysis
The wireless service VLAN of the STA shares a Layer 2 broadcast domain with another VLAN on which a second DHCP server is reachable. The DHCP Discover broadcast by the STA therefore reaches both servers, and if the STA accepts the Offer from the other server it is assigned an address and default gateway on a network segment other than the one the S12700 serves as gateway for, so it cannot access the Internet.
Procedure
- Use the station-trace function on the AC to check the DHCP packet exchange process of the STA.
[AC-diagnose] station-trace sta-mac sta-mac
The command output shows a complete DHCP exchange. Afterwards the STA sends an ARP Request for its gateway and receives an ARP Reply; record the gateway MAC address y-y-y obtained from this reply, because the following steps check whether it belongs to the S12700.
- Enable the trace function on the S12700 to check how the STA obtains an IP address.
[S12700] trace enable
[S12700] station-trace sta-mac sta-mac
The command output shows that after receiving the DHCP Discover message from the STA, the S12700 sends back a DHCP Offer message, but no DHCP Request message selecting that Offer follows. That is, the STA accepted an Offer from a different DHCP server.
- Check the MAC address of the STA gateway on the S12700.
[S12700] display arp all | include sta-gateway-mac
[S12700] display mac-address | include sta-gateway-mac
The ARP table contains no entry for y-y-y, so it is not an interface address of the S12700, while the MAC address table shows y-y-y learned on a downlink physical port of the S12700.
Therefore, it can be confirmed that a bogus DHCP server on the downlink side of the S12700 causes the STA to obtain an IP address on another network segment.
- On the Layer 2 switching network, search for MAC address entries and confirm that y-y-y is from a downlink interface on Switch2.
Use the LLDP neighbor table on Switch2 to check whether a further network device is connected downstream of that interface. If the LLDP neighbor table of Switch2 shows no downstream network device on the interface (that is, the bogus DHCP server is attached to it directly or through a device that does not run LLDP), perform either of the following operations:
- If Switch2 supports DHCP snooping, you can use this function to block DHCP Offer and ACK messages from untrusted interfaces.
The configuration is as follows:
[Switch2] dhcp enable
[Switch2] dhcp snooping enable
[Switch2] vlan x
[Switch2-vlanx] dhcp snooping enable
[Switch2-vlanx] dhcp snooping trusted interface gigabitethernet 0/0/x //Configure the interface connecting Switch2 to the S12700 (the path to the legitimate DHCP server) as trusted. All other interfaces in VLAN x remain untrusted, so DHCP Offer and ACK messages arriving on them are dropped.
or, with dhcp enable and dhcp snooping enable still configured globally, enable DHCP snooping only on the interface from which sta-gateway-mac was learned:
[Switch2] interface gigabitethernet 0/0/y //Interface on which sta-gateway-mac (y-y-y) was learned
[Switch2-GigabitEthernet0/0/y] dhcp snooping enable
[Switch2-GigabitEthernet0/0/y] undo dhcp snooping trusted //After DHCP snooping is enabled on an interface, the interface is untrusted by default; this command only makes that state explicit.
- Shut down the Switch2 interface on which y-y-y was learned.
[Switch2] interface gigabitethernet 0/0/1
[Switch2-GigabitEthernet0/0/1] shutdown
After the fault is rectified (the bogus DHCP server has been removed from that interface), run the undo shutdown command to bring the interface up again.
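The DHCP exchange that the procedure above examines with station-trace, as an added example in Python that is not part of the original case study. It parses a constructed exchange (an Offer from the S12700, assumed here to be 10.1.1.1 serving 10.1.1.0/24; an Offer from a bogus server assumed at 192.168.1.1; and the STA's Request), flags Offers whose server identifier is not authorized or whose offered address or router option lies outside the service VLAN subnet, and reports which server the STA's Request (option 54) actually selected, which is the observation "Offer sent, no Request for it received" made on the S12700. The addresses, the STA MAC 00:11:22:33:44:55 and all packet bytes are constructed assumptions.

```python
"""Audit a STA's DHCP exchange for Offers from a bogus server (added example)."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header
OFFER, REQUEST = 2, 3                        # DHCP message types (option 53)


def _ip(s):
    return ipaddress.ip_address(s).packed


def build_dhcp(op, msg_type, server_ip, yiaddr="0.0.0.0", extra_opts=()):
    """Build a minimal DHCP message. Constructed test input, not a capture."""
    chaddr = bytes.fromhex("001122334455").ljust(16, b"\0")   # assumed STA MAC
    siaddr = _ip(server_ip) if op == 2 else b"\0" * 4          # only set in replies
    hdr = struct.pack(BOOTP_FMT, op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, _ip(yiaddr), siaddr, b"\0" * 4,
                      chaddr, b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type]) + bytes([54, 4]) + _ip(server_ip)  # type, server id
    for code, value in extra_opts:
        opts += bytes([code, len(value)]) + value
    return hdr + MAGIC_COOKIE + opts + b"\xff"


def build_offer(server_ip, yiaddr, router, mask="255.255.255.0"):
    """DHCPOFFER carrying subnet mask (1), router (3) and lease time (51)."""
    return build_dhcp(2, OFFER, server_ip, yiaddr,
                      [(1, _ip(mask)), (3, _ip(router)), (51, struct.pack("!I", 86400))])


def build_request(server_ip, requested_ip):
    """DHCPREQUEST selecting server_ip (option 54) for requested_ip (option 50)."""
    return build_dhcp(1, REQUEST, server_ip, extra_opts=[(50, _ip(requested_ip))])


def parse_dhcp(pkt):
    """Parse the BOOTP header and the option TLVs of one DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    msg = {"op": f[0], "xid": f[4],
           "yiaddr": str(ipaddress.ip_address(f[8])),
           "chaddr": f[11][:f[2]].hex(":"), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 255:        # 255 = end option
        if pkt[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = msg["options"].get(53, b"\0")[0]
    sid = msg["options"].get(54)
    msg["server"] = str(ipaddress.ip_address(sid)) if sid else None
    return msg


def audit_exchange(packets, service_subnet, authorized_servers):
    """Return the bogus Offers seen and the server the STA's Request selected."""
    subnet = ipaddress.ip_network(service_subnet)
    rogue, selected = [], None
    for pkt in packets:
        m = parse_dhcp(pkt)
        if m["type"] == OFFER:
            reasons = []
            if m["server"] not in authorized_servers:
                reasons.append("unauthorized server identifier %s" % m["server"])
            if ipaddress.ip_address(m["yiaddr"]) not in subnet:
                reasons.append("offered %s outside %s" % (m["yiaddr"], subnet))
            router = m["options"].get(3)
            if router and ipaddress.ip_address(router) not in subnet:
                reasons.append("router option points off the service subnet")
            if reasons:
                rogue.append({"server": m["server"], "yiaddr": m["yiaddr"], "reasons": reasons})
        elif m["type"] == REQUEST and m["server"]:
            selected = m["server"]   # option 54 names the Offer the STA accepted
    return {"rogue_offers": rogue, "selected_server": selected,
            "legit_server_selected": selected in authorized_servers}


# Constructed exchange matching the case study: the S12700 (assumed 10.1.1.1) offers
# 10.1.1.100, a bogus server (assumed 192.168.1.1) offers 192.168.1.50, and the STA
# requests the bogus one, so the S12700 never sees a Request for its own Offer.
SAMPLE_EXCHANGE = [
    build_offer("10.1.1.1", "10.1.1.100", "10.1.1.1"),
    build_offer("192.168.1.1", "192.168.1.50", "192.168.1.1"),
    build_request("192.168.1.1", "192.168.1.50"),
]

if __name__ == "__main__":
    result = audit_exchange(SAMPLE_EXCHANGE, "10.1.1.0/24", {"10.1.1.1"})
    for o in result["rogue_offers"]:
        print("BOGUS OFFER from %s -> %s: %s" % (o["server"], o["yiaddr"], "; ".join(o["reasons"])))
    print("STA selected server", result["selected_server"],
          "(legitimate)" if result["legit_server_selected"] else "(not the S12700: matches the symptom)")
```

Fed with the DHCP packets from a port mirror or a station-trace capture on the service VLAN, the same audit yields the server identifier of the bogus server, which is the address whose MAC you then look up in the MAC address tables of the S12700 and Switch2 to find the offending interface.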