DHCP for PPP Link (revisited)
October 21, 2008 at 11:08 pm | In IP Services | 1 Comment
Another caveat found today, related to the topic posted previously: http://enotepad.wordpress.com/2008/09/25/dhcp-for-ppp-link/
I found it while doing the WB Vol1 IP Services, Task 13.7 DHCP Proxy.
The Caveat:
When we specify the DHCP server address, make sure that it is the source address of the returning “IP address offer” packet from the DHCP server. This is especially relevant when the DHCP server has more than one path to the client.
If we specify one IP address, e.g. 155.1.67.6, while the return path from the DHCP server exits another interface with the IP address 155.1.146.6, then the client will reject the offer with “server not in approved list”.
R3#
ip dhcp-server 155.1.67.6
*Mar 1 22:37:10.151: DHCP Offer Message Offered Address: 155.1.23.2
*Mar 1 22:37:10.151: DHCP: Lease Seconds: 86400 Renewal secs: 43200 Rebind secs: 75600
*Mar 1 22:37:10.151: DHCP: Server ID Option: 155.1.146.6
*Mar 1 22:37:10.151: DHCP: offer received from 155.1.146.6
*Mar 1 22:37:10.151: DHCP: offer: server 155.1.146.6 not in approved list
R3#
ip dhcp-server 155.1.67.6
ip dhcp-server 155.1.146.6
*Mar 1 22:40:48.675: DHCP Offer Message Offered Address: 155.1.23.2
*Mar 1 22:40:48.675: DHCP: Lease Seconds: 86400 Renewal secs: 43200 Rebind secs: 75600
*Mar 1 22:40:48.675: DHCP: Server ID Option: 155.1.146.6
*Mar 1 22:40:48.675: DHCP: offer received from 155.1.146.6
*Mar 1 22:40:48.675: DHCP: offer received in bad state: Requesting punt
*Mar 1 22:40:48.863: DHCP: XID MATCH in dhcpc_for_us()
*Mar 1 22:40:48.863: DHCP: Received a BOOTREP pkt
*Mar 1 22:40:48.863: DHCP: Scan: Message type: DHCP Ack
*Mar 1 22:40:48.863: DHCP: Scan: Server ID Option: 155.1.146.6 = 9B019206
*Mar 1 22:40:48.863: DHCP: Scan: Lease Time: 86400
*Mar 1 22:40:48.863: DHCP: Scan: Renewal time: 43200
*Mar 1 22:40:48.867: DHCP: Scan: Rebind time: 75600
*Mar 1 22:40:48.867: DHCP: Scan: Subnet Address Option: 255.255.255.0
*Mar 1 22:40:48.867: DHCP: rcvd pkt source: 155.1.146.6, destination: 155.1.23.3
*Mar 1 22:40:48.867: UDP sport: 43, dport: 43, length: 308
*Mar 1 22:40:48.867: DHCP op: 2, htype: 1, hlen: 6, hops: 0
*Mar 1 22:40:48.867: DHCP server identifier: 155.1.146.6
*Mar 1 22:40:48.867: xid: 1DC0, secs: 0, flags: 0
*Mar 1 22:40:48.867: client: 0.0.0.0, your: 155.1.23.2
*Mar 1 22:40:48.867: srvr: 0.0.0.0, gw: 155.1.23.3
*Mar 1 22:40:48.867: options block length: 60
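The mismatch described above can be checked offline. This is an added example, not code from the original post or from IOS: a Python audit that compares the `ip dhcp-server` lines with the offer sources in the debug output. The sample config and debug lines are taken from the first attempt shown above; the function names are hypothetical.

```python
import ipaddress
import re

# Config and debug lines taken from the first attempt shown above.
SAMPLE_CONFIG = "ip dhcp-server 155.1.67.6"
SAMPLE_DEBUG = """\
*Mar 1 22:37:10.151: DHCP Offer Message Offered Address: 155.1.23.2
*Mar 1 22:37:10.151: DHCP: Server ID Option: 155.1.146.6
*Mar 1 22:37:10.151: DHCP: offer received from 155.1.146.6
*Mar 1 22:37:10.151: DHCP: offer: server 155.1.146.6 not in approved list
"""

CONFIG_RE = re.compile(r"^\s*ip dhcp-server\s+(\S+)\s*$", re.M)
OFFER_RE = re.compile(r"DHCP: offer received from (\S+)")
REJECT_RE = re.compile(r"DHCP: offer: server (\S+) not in approved list")


def _addrs(regex, text):
    """Parse every address the regex captures; raises ValueError on junk."""
    return {ipaddress.ip_address(a) for a in regex.findall(text)}


def audit_offers(config_text, debug_text):
    """Return [(offer_source, verdict)] in log order.

    'approved'   - source matches an `ip dhcp-server` line
    'rejected'   - not configured, and the client logged the rejection
    'unapproved' - not configured, but no rejection line was captured
    """
    approved = _addrs(CONFIG_RE, config_text)
    rejected = _addrs(REJECT_RE, debug_text)
    results = []
    for raw in OFFER_RE.findall(debug_text):
        src = ipaddress.ip_address(raw)
        if src in approved:
            verdict = "approved"
        elif src in rejected:
            verdict = "rejected"
        else:
            verdict = "unapproved"
        results.append((str(src), verdict))
    return results


def missing_servers(config_text, debug_text):
    """Offer sources that have no matching `ip dhcp-server` line."""
    audit = audit_offers(config_text, debug_text)
    return sorted({src for src, verdict in audit if verdict != "approved"})
```

Before adding a reported address to the configuration, confirm that it belongs to one of the DHCP server's own interfaces, since the approved list is also what makes the client drop offers from servers it was not told to use.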
Why can’t I ping btw different IP subnets on same VLAN!
October 21, 2008 at 6:19 pm | In IP Services, Routing | Leave a Comment
I came across an interesting question, where we have two routers on the same VLAN that are configured with IP addresses belonging to different subnets (e.g. 101.1.1.1/24 on one router and 102.1.1.1/24 on another router). No matter whether we configure static routes, proxy-arp or local proxy-arp, the two routers still cannot ping each other!
Here is the reason behind it.
By default, when routing is enabled, routers will not respond to ARP requests from stations whose source IP addresses are not on the IP subnet of the interface that receives the request, regardless of whether proxy ARP or local proxy ARP is enabled.
When R1 tries to ARP for R2's IP address, R2 sees that the ARP comes from 101.1.1.1 on the interface that has the IP address 102.1.1.1/24, and ignores it.
R2#
*Mar 1 06:39:11.166: IP ARP req filtered src 101.1.1.1 0000.1111.1111, dst 101.1.1.2 0000.0000.0000 wrong cable, interface FastEthernet0/0
To disable this sanity check, you will have to use any of the following solutions:
1. Static ARP
R2#
arp 101.1.1.1 0000.1111.1111 arpa
2. Local Area Mobility (LAM)
R2#
interface FastEthernet0/0
mac-address 0000.2222.2222
ip address 102.1.1.1 255.255.255.0
ip mobile arp
The debug output shows that R2 no longer complains about ARP from the wrong subnet!
R2#
*Mar 1 06:43:15.334: IP ARP: rcvd req src 101.1.1.1 0000.1111.1111, dst 102.1.1.1 FastEthernet0/0
*Mar 1 06:43:15.334: IP ARP: sent rep src 102.1.1.1 0000.2222.2222, dst 101.1.1.1 0000.1111.1111 FastEthernet0/0
3. Disable routing on both routers.
4. Configure secondary IP address.
Local proxy ARP and proxy ARP are not required here.
- Local proxy ARP is used so that a router can work as a proxy for two hosts on the same subnet which normally cannot communicate directly (e.g. on a Private VLAN or on protected ports).
- Proxy ARP (on by default) is used so that the router responds to any ARP for subnets outside the LAN subnet (e.g. when you have a default static route on R1 pointing to e0/0 instead of R2's LAN IP, you will need proxy ARP enabled on R2).
As said above, neither of these options works in this case, because we have different IP subnets on the two routers, and by default the routers just ignore ARP requests from each other.