When Users on Base Stations of Different Vendors Attempt to Get Online Through an ATN Device.

Keywords: ATN, ATN 950

Summary: An ATN device functions as a DHCP relay agent, and base stations of two vendors are connected to different DHCP servers. A server or firewall discards packets sent by a base station of a specific vendor. As a result, users attached to the base station fail to get online.

[Problem Description]

Usage scenario:

- The login failure occurs only on a Layer 3 HVPN, not on a Layer 2 + Layer 3 L3VPN.

- Base stations of two or more vendors connected to the ATN device attempt to get online through different DHCP servers.

- Firewall rules are specified for private IP addresses on a wireless network management system (NMS) to drop packets with IP addresses that are not in the specified wireless network segment.

Trigger conditions:

The problem occurs if the following conditions are met:

1. An HVPN is configured on an ATN device.

2. Base stations of two or more vendors are connected to the ATN device.

3. The base stations obtain IP addresses assigned by different DHCP servers.

4. Firewall rules are specified for private IP addresses on at least one wireless NMS to drop packets with IP addresses that are not in the specified wireless network segment.

Symptom:

Users attached to a base station of a specific vendor can get online, and users attached to a base station of another vendor fail to get online.

Identification method:

1. Query the device version.

Run the display version command in the user view.

<ATN950B-02>display  version

Huawei Versatile Routing Platform Software

VRP (R) software, Version 5.120 (ATN950B V200R002C00SPC300)  //The version matches that involved in this warning file.

Copyright (C) 2011-2013 Huawei Technologies Co., Ltd.

HUAWEI ATN950B uptime is 0 day, 14 hours, 18 minutes

ATN950B version information:

 

 

2. Check that DHCP relay is configured on an L3VPN interface.

Run the display interface GigabitEthernet 0/3/1.200 command in the user view.

In the preceding command, 0 indicates the slot number, 3 indicates the subcard number, 1 indicates the interface number, and 200 indicates the sub-interface number. Set these values to match the actual deployment.

<ATN950B-02> display interface GigabitEthernet 0/3/1.200

interface GigabitEthernet0/3/1.200

vlan-type dot1q 200

ip binding vpn-instance LTE-OAM-VPN

ip address 10.109.2.194 255.255.255.252

ip relay address 10.100.64.65  //Specify a DHCP server IP address.

dhcp select relay            //Enable DHCP relay.

 

3. Check that multiple L3VPN interfaces are configured on the ATN device. In addition,

DHCP relay is enabled and different DHCP server IP addresses are specified on the interfaces.

Run the display interface GigabitEthernet 0/3/2.200 command in the user view.

In the preceding command, 0 indicates the slot number, 3 indicates the subcard number, 2 indicates the interface number, and 200 indicates the sub-interface number. Set these values to match the actual deployment.

<ATN950B-02> display interface GigabitEthernet 0/3/2.200

interface GigabitEthernet0/3/2.200

vlan-type dot1q 300

ip binding vpn-instance LTE-OAM-VPN

ip address 10.109.2.184 255.255.255.252

ip relay address 10.100.65.65  //Specify a DHCP server IP address, which is different from that displayed in the command output in step 1.

dhcp select relay            //Enable DHCP relay.

 

4. A DHCP login failure occurs.

Note that when users attached to a base station fail to get online using DHCP through an ATN device, the ATN device needs to be notified of the event from the wireless side.

[Root Cause]

No RFC defines which source IP address is added to a DHCP Request message to be forwarded by a DHCP relay agent. The ATN device automatically uses the IP address of an outbound interface as the source IP address and adds it to a DHCP Request message in a VRF or native IP scenario.

In an L3VPN scenario, an ATN device functioning as a DHCP relay agent sets the source IP address to the first valid private IP address in a VRF for all DHCP Request messages.

The base station of each vendor is connected to a specific NMS that functions as a DHCP server for the ATN device. Rules on the NMS server hardware or firewall are specified for private IP addresses to drop packets with IP addresses that are not in the specified network segment. As a result, the DHCP Request message in which the source IP address should have been set to the second valid private IP address in a VRF carries the first valid private IP address in a VRF and is therefore dropped.

[Impact and Risk]

Users on a base station attached to the ATN device fail to get online using DHCP.

[Measures and Solutions]

Recovery measures:

Run the ip relay source-ip-address 24.1.1.2 command on the faulty DHCP relay-enabled interface of the ATN device. 24.1.1.2 is the source IP address to be carried in DHCP Request messages.

Note that 24.1.1.2 is the IP address of an interface connected to a base station.

<ATN950B-02> display interface GigabitEthernet 0/3/2.200

vlan-type dot1q 300

ip binding vpn-instance LTE-OAM-VPN

ip address 24.1.1.1 255.255.255.252

statistic enable

ip relay address 10.100.65.65

dhcp select relay

ip relay source-ip-address 24.1.1.2   //Add this command.
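An added example, not Huawei's own tooling: a Python check that applies identification steps 2 and 3 to saved interface configuration and lists the relay interfaces that are candidates for this fault, meaning they belong to a VPN instance that relays to more than one DHCP server and have no ip relay source-ip-address set. The sample configuration is constructed in the layout of the output quoted on this page; the third interface and its server address 10.100.66.65 are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample; the third interface and 10.100.66.65 are hypothetical.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/3/1.200
 ip binding vpn-instance LTE-OAM-VPN
 ip relay address 10.100.64.65   //Specify a DHCP server IP address.
 dhcp select relay
interface GigabitEthernet0/3/2.200
 ip binding vpn-instance LTE-OAM-VPN
 ip relay address 10.100.65.65
 dhcp select relay
interface GigabitEthernet0/3/3.200
 ip binding vpn-instance LTE-OAM-VPN
 ip relay address 10.100.66.65
 dhcp select relay
 ip relay source-ip-address 24.1.1.2
"""

def parse_interfaces(text):
    """Return {interface: settings} from VRP-style interface stanzas."""
    # 'current' starts as a throwaway dict so lines before the first stanza are ignored.
    interfaces, current = {}, {"servers": set()}
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()  # drop the page's // annotations
        if m := re.match(r"interface (\S+)$", line):
            current = interfaces.setdefault(
                m.group(1), {"vpn": None, "servers": set(), "relay": False, "source": None})
        elif m := re.match(r"ip binding vpn-instance (\S+)$", line):
            current["vpn"] = m.group(1)
        elif m := re.match(r"ip relay address (\S+)$", line):
            current["servers"].add(m.group(1))
        elif m := re.match(r"ip relay source-ip-address (\S+)$", line):
            current["source"] = m.group(1)
        elif line == "dhcp select relay":
            current["relay"] = True
    return interfaces

def at_risk_interfaces(text):
    """Relay interfaces in a multi-server VPN instance with no explicit relay source."""
    by_vpn = defaultdict(list)
    for name, cfg in parse_interfaces(text).items():
        if cfg["relay"] and cfg["vpn"] and cfg["servers"]:
            by_vpn[cfg["vpn"]].append((name, cfg))
    flagged = []
    for members in by_vpn.values():
        if len(set().union(*(c["servers"] for _, c in members))) > 1:
            flagged += [n for n, c in members if c["source"] is None]
    return sorted(flagged)
```

The result is a candidate list: which of the flagged interfaces actually fails depends on which address the relay picks as the first valid private IP address in the VRF, so each flagged interface still needs to be checked against the NMS firewall rules.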

 

Workarounds:

Run the ip relay source-ip-address 24.1.1.2 command on the faulty DHCP relay-enabled interface of the ATN device. 24.1.1.2 is the source IP address to be carried in DHCP Request messages.

<ATN950B-02> display interface GigabitEthernet 0/3/2.200

vlan-type dot1q 300

ip binding vpn-instance LTE-OAM-VPN

ip address 24.1.1.1 255.255.255.252

statistic enable

ip relay address 10.100.65.65

dhcp select relay

ip relay source-ip-address 24.1.1.2   //Add this command.

 

Solutions:

Install one of the following patches to a specific type of ATN device running a specific version.

After the patch is installed, the ip relay source-ip-address command is automatically added.

- On ATN 910 and ATN 950 devices running versions earlier than V200R001C02SPC200, upgrade them to V200R001C02SPC200 and install the patch V200R001SPH009 or later.

- On ATN 910 and ATN 910I devices running V200R002C00, install the patch V200R002SPH005 or later.

- On ATN 950B devices running versions earlier than V200R001C02, upgrade them to V200R001C02 and install the patch V200R001SPH008 or later.

- On ATN 950B devices running V200R002C00, install the patch V200R002SPH002 or later.
