Aerohive APs renewing DHCP leases on multiple VLANs

  • Question
  • Updated 2 years ago
I have several AP121 and AP141 units that get a DHCP lease for the MGT0 interface from various Windows servers.

At our branch sites where there's only 2 VLANs (1 for phones, 1 for everything else) the APs will request an IP for their MGT0 interface on the MGT/native VLAN which works fine, but they also request a lease on the phone VLAN, which they are not configured to be aware of (though the ports are tagged for it).

I can't find mention of these leases on the APs anywhere, but they continue to be renewed on the servers.

The DHCP scope for the native VLAN has a few DHCP options configured to redirect VoIP devices over to the phone VLAN (e.g. option 191), but I wouldn't think that would come into play here.

Any suggestions would be appreciated. Thanks!

Wayne Arnold


Posted 2 years ago


Carsten Buchenau, Champ

Interesting...

On your DHCP server, find one of those leases and note down the client's MAC address. It should be very similar to the Eth0 MAC address of one of your APs - Locate that AP, connect to its CLI, and run the command "show interface". This way you should be able to identify the AP's interface name, corresponding to that MAC address.

Then run the following command:

     show interface <iface> dhcp client

And do the same for the Mgt0 interface and compare, especially the options...

Hopefully this will give you a better idea of what is going on.

Andrew Garcia, Official Rep

If you are running older code and have bonjour gateway enabled, what you describe was a normal function of the Bonjour Gateway implementation. It would get an IP address on all MGT sub-interfaces. However, we changed the behavior sometime in the last couple years, so newer code revisions should not do this.

What HiveOS version are you using? 


Update: OK, my understanding of how the updated Bonjour Gateway works was a little off. First off, we changed the behavior in HiveOS 6.2r1, making the service stateless. However, Bonjour Gateway still obtains an IP address on VLANs enumerated in a Bonjour Gateway policy. You can see the results on an AP running 6.2r1 or higher by running the CLI:

     show interface mgt0 dhcp keepalive available

Older versions of HiveOS would show you IP addresses for BGD sub-interfaces with the command "show l3 interface".

So the relevant question is: are you running Bonjour Gateway?

Sorry about the mistake.

Wayne Arnold

Carsten: the MAC address matches that of the MGT0 interface, but doesn't have any reference of this VLAN's lease when running that command.

Andrew: Yes, we are running bonjour gateway. 

The bonjour gateway is only configured between the default VLAN 1, and VLAN 6 which is used at our head end site. Each rule has the "Realm" defined to that site as well. However: in initially setting it up, I did mistakenly leave it as "any-any" for the From and To VLAN groups.

After removing a lease and performing a complete configuration update, an AP1130 running 6.6r1 (at another site which does not have VLAN 6) still requested a lease on the other phone VLAN, even with the updated configuration.

This appears to be the behavior on every AP, unless it is configured with a static IP on the MGT0 interface.

Thanks,
Wayne

Carsten Buchenau, Champ

Hmm... does this only happen with Access Points? Or other devices as well?

Sounds to me like your DHCP server is causing this... especially as the same MAC address is registered for both VLANs.

So when you run "show interface Mgt0 dhcp client", do you see only the correct IP address assigned? What about the options, do you see the content of Option 191?

The next thing I would try is to run Wireshark and catch all DHCP traffic between the AP and the server, to see what is requested / broadcast and assigned, when and from where...

Wayne Arnold

Hi Carsten,

The only devices that I've seen do this are the APs.

When I run the dhcp client command, yes it only shows the correct IP address. No, the option 191 is not enumerated in the list.

I did the packet capture. I filtered it by the AP's MAC address (in this case an AP121 on the latest code) and after doing the following:

  • A full configuration update and reboot
  • Clearing the DHCP server's lease on the phone VLAN

...here is what I saw:

  • Full 4-step DHCP process completed for the correct IP on VLAN 1.
  • 541 seconds later, the AP sends out another DHCP Discover message.
  • The default gateway for the phone VLAN saw this and responds with an offer of the phone VLAN IP for the AP. (The DG of the phone VLAN has an ip-helper to redirect DHCP requests to the DHCP server, which is the same server connected locally on VLAN 1.)
  • There is no request from the AP for the DG's offer.
  • The AP then sends out 4,092 other DHCP Discover messages which never get returned.

Based off of the number, looks like it's scanning and sending out DHCP discover messages on all of the VLANs?

Thanks,
Wayne
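The pattern in the capture described above can be checked mechanically once DHCP messages are reduced to (time, VLAN, client MAC, message type) records. The following is an added example, not part of the original post or any Aerohive tooling; the MAC address, the phone VLAN ID of 20, the record format and the 16-VLAN threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample modelled on the capture described in the post:
# (seconds, vlan, client_mac, dhcp_type). MAC and phone VLAN ID are made up.
AP = "00:00:5e:00:53:01"
PHONE_VLAN = 20

def build_sample():
    ev = [(0, 1, AP, "DISCOVER"), (0, 1, AP, "OFFER"),
          (0, 1, AP, "REQUEST"), (0, 1, AP, "ACK")]
    ev += [(541, PHONE_VLAN, AP, "DISCOVER"), (541, PHONE_VLAN, AP, "OFFER")]
    # Discovers on every other VLAN in the 1-4094 scan range, none answered.
    ev += [(542, v, AP, "DISCOVER") for v in range(2, 4095) if v != PHONE_VLAN]
    return ev

def classify(events):
    """Per client MAC, sort VLANs into bound / offered-only / unanswered."""
    seen = defaultdict(lambda: defaultdict(set))  # mac -> vlan -> message types
    for _t, vlan, mac, kind in events:
        seen[mac][vlan].add(kind)
    report = {}
    for mac, vlans in seen.items():
        r = {"bound": [], "offered_only": [], "unanswered": []}
        for vlan, kinds in sorted(vlans.items()):
            if "ACK" in kinds:
                r["bound"].append(vlan)         # full exchange completed
            elif "OFFER" in kinds:
                r["offered_only"].append(vlan)  # server answered, client never requested
            elif "DISCOVER" in kinds:
                r["unanswered"].append(vlan)    # no DHCP service reachable on this VLAN
        report[mac] = r
    return report

def vlan_sweepers(events, min_vlans=16):
    """MACs that sent DISCOVER on at least min_vlans distinct VLANs (assumed threshold)."""
    vlans = defaultdict(set)
    for _t, vlan, mac, kind in events:
        if kind == "DISCOVER":
            vlans[mac].add(vlan)
    return {m: len(v) for m, v in vlans.items() if len(v) >= min_vlans}

if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample)[AP]["offered_only"], vlan_sweepers(sample))
```

The "offered_only" list is the one to compare against unexpected leases on the DHCP server, since those are the VLANs where a scope actually answered the sweep.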

Andrew Garcia, Official Rep

Will you please run the following CLI on an affected CLI and share the results?

     show bonjour-gateway status

     show bonjour-gateway vlan

Also, please post a screen cap of the top of your bonjour policy, like this:




Wayne Arnold

Andrew, 

For the CLI commands it only shows 1 locally attached VLAN.

It's set to scan 1-4094 as per the screenshot above. I'll adjust this to only scan the necessary VLANs.

I suspect fixing the list of scanned VLANs will fix my issue with leases on the VoIP VLANs. However, regarding getting leases on scanned VLANs, is this expected behavior in general? I do not see the AP getting a lease if its MGT0 interface is assigned via static IP, only if it is set for DHCP.

Thanks!
Wayne

Andrew Garcia, Official Rep

Yes, it is expected behavior on the APs acting as BDDs (bonjour designated devices). When you tell the AP to scan all VLANs for services, the AP learns the available VLANs through DHCP. Tighten up the range of scanned VLANs, and this will minimize the amount of discovery the BDDs need to do.

I can't say I have played with bonjour gateway on APs with statically assigned IP (I typically use DHCP reservations instead), so I cannot speak to expected behavior in that scenario.

Wayne Arnold

Andrew,

That's fine with me. Thanks so much for your help.

Wayne