DHCP between 2 vlans on the same switch

[milo456]

HELP PLEASE !
I have 2 vlans (data and voice) configured in the same switch.
All the ports belong to the Data Vlan untagged (DATA_100)
I am trying to connect an IP phone to get into the Voice Vlan (tagged 110) (VIPT_110)

When I connect the IP phone into the switch, (the laptop is connected into the IP phone port), the laptop gets an IP address from the DHCP server 10.1.1.54 from the Data VLAN but the phone gets the tag only from the voice vlan.

I installed wireshark to see if the phone was requesting an IP address in the voice vlan and it is not.

When you plug the phone for the 1st time to the switch, it requests an IP address from the DHCP server, who gives an ip address along with the tag (option 43). The phone gets and IP address from the DATA vlan (DHCP is configured with Option 43 for the Tag 110 which will lead the phone to look for the voice vlan (tagged). The phone releases the IP and keeps the tag (which is suppose to lead him to the Voice VLAN that has the same tag (110). The problem is the phone keeps the tag but it can't reach DHCP server on the voice vlan (10.10.12.2).

Wireshark showed that the phone is not getting an IP address from the voice scope (same DHCP server 10.1.1.54)

I tested routing between both vlans and it is OK, but something is not allowing the phone to get to the voice vlan. Here is my configuration:

create vlan "DATA_100"
create vlan "VIPT_110"

configure vlan "DATA_100" ipaddress 10.1.1.2 255.255.0.0
configure vlan "VIPT_110" ipaddress 10.10.12.2 255.255.254.0

enable ipforwarding vlan "DATA_100"
enable ipforwarding vlan "VIPT_110"

enable bootprelay
configure bootprelay add 10.1.1.54 (-->DHCP server)
configure bootprelay add 10.1.1.58 (-->DHCP server)
configure bootprelay dhcp-agent information option

create udp-profile D100
configure udp-profile D100 add 67 ipaddress 10.1.1.54
configure udp-profile D100 add 67 ipaddress 10.1.1.58

create udp-profile V110
configure udp-profile V110 add 67 ipaddress 10.1.1.54
configure udp-profile V110 add 67 ipaddress 10.1.1.58

configure vlan "DATA_100" udp-profile D100
configure vlan "VIPT_110" udp-profile V110
******************************************************
The switch is able to ping the DHCP server from both VLANS.


Thank you very much for any help !
Mayerlin

 

[tanderson3733]

I have this working on several Extreme installs, never having built UDP profiles and never used the command "configure bootprelay dhcp-agent information option".

Other than that, make sure your ports/vlans are set up correctly, ports where phones will be used are in the default VLAN untagged and the Voice VLAN tagged, and that your DHCP server is only in the default VLAN.

You also have 2 bootprelay server IP Addresses entered, try removing one so you can monitor what's getting IP Addresses correctly much easier.

 

[milo456]

Hello tanderson3733,

I removed the command "configure bootprelay dhcp-agent information option", the udp profiles (all) and left one bootprelay server (10.1.1.54) and still the phone does not get an IP address from DHCP.
This is my config: Do you see anything missing?..Thank you for your help !

I am using port 5 to connect the laptop and ip phone.The Voice vlan is VIPT_110 and the data Vlan is Data_100.


sh conf

#
# Summit200-24 Configuration generated Tue Jan 20 15:36:19 2009
# Software Version 7.7e.3.5 [non-ssh] by Release_Master on 01/11/08 02:53:46

# Configuration Mode
create vlan "DATA_100"
create vlan "VIPT_110"
# Config information for VLAN Default.
configure vlan "Default" tag 1 # VLAN-ID=0x1 Global Tag 1
configure stpd s0 add vlan "Default"
# Config information for VLAN MacVlanDiscover.
# Config information for VLAN DATA_100.
configure vlan "DATA_100" ipaddress 10.1.1.2 255.255.0.0
configure vlan "DATA_100" add port 1 untagged
configure vlan "DATA_100" add port 2 untagged
configure vlan "DATA_100" add port 3 untagged
configure vlan "DATA_100" add port 4 untagged
configure vlan "DATA_100" add port 5 untagged
configure vlan "DATA_100" add port 6 untagged
configure vlan "DATA_100" add port 7 untagged
configure vlan "DATA_100" add port 8 untagged
configure vlan "DATA_100" add port 9 untagged
configure vlan "DATA_100" add port 10 untagged
configure vlan "DATA_100" add port 11 untagged
configure vlan "DATA_100" add port 12 untagged
configure vlan "DATA_100" add port 13 untagged
configure vlan "DATA_100" add port 14 untagged
configure vlan "DATA_100" add port 15 untagged
configure vlan "DATA_100" add port 16 untagged
configure vlan "DATA_100" add port 17 untagged
configure vlan "DATA_100" add port 18 untagged
configure vlan "DATA_100" add port 19 untagged
configure vlan "DATA_100" add port 20 untagged
configure vlan "DATA_100" add port 21 untagged
configure vlan "DATA_100" add port 22 untagged
configure vlan "DATA_100" add port 23 untagged
configure vlan "DATA_100" add port 25 untagged
configure vlan "DATA_100" add port 26 untagged
# Config information for VLAN VIPT_110.
configure vlan "VIPT_110" tag 110 # VLAN-ID=0x6e Global Tag 7
configure vlan "VIPT_110" ipaddress 10.10.12.2 255.255.254.0
configure vlan "VIPT_110" add port 24 tagged
enable web
# SNMP Configuration

enable cli-prompt-number

# Ports AutoNeg Configuration

# Load Sharing Configuration

# Ports Configuration
configure port 25 preferred-medium fiber
configure port 26 preferred-medium fiber
# Spanning tree information
# MAC FDB configuration and static entries

configure ipfdb agingtime 0
# -- IP Interface[0] = "Default"

# -- IP Interface[1] = "DATA_100"
enable ipforwarding vlan "DATA_100"
disable icmp timestamp vlan "DATA_100"
disable icmp address-mask vlan "DATA_100"

# -- IP Interface[2] = "VIPT_110"
enable ipforwarding vlan "VIPT_110"
disable icmp timestamp vlan "VIPT_110"
disable icmp address-mask vlan "VIPT_110"

# Global IP settings.
disable icmp access-list
enable bootprelay
configure bootprelay add 10.1.1.54
#
# IP ARP Configuration
configure iparp max-entries 8192
# IP Route Configuration
enable igmp snooping
enable igmp snooping vlan "Default"
enable igmp snooping vlan "MacVlanDiscover"
enable igmp snooping vlan "DATA_100"
enable igmp snooping vlan "VIPT_110"
disable mvr

# RIP global parameter configuration








#
# PIM Router Configuration
#


# Static MRoute Configuration
#ELRP Configuration
# EAPS configuration
# EAPS shared port configuration
# NAT configuration
configure nat timeout 300


# SNTP client configuration
#
# Radius configuration
#

# TACACS configuration
disable tacacs
disable tacacs-authorization
disable tacacs-accounting
# Mac Vlan Configurations

# Access-mask Configuration
#
# Access-list Configuration
#
# Rate-limit Configuration

#
# System Dump Configuration
#
## SNMPV3 EngineID Configuration
#
config snmpv3 engine-id 03:00:04:96:05:35:f1
config snmpv3 engine-boots 56
## SNMPV3 USM Users Configuration
#
config snmpv3 add user "admin" authentication md5 hex 9b:d:e2:ee:56:81:f7:94:f8:d:50:f7:41:b6:2d:a1 privacy hex 9b:d:e2:ee:56:81:f7:94:f8:d:50:f7:41:b6:2d:a1
config snmpv3 add user "initial"
config snmpv3 add user "initialmd5" authentication md5 hex 50:91:7c:34:13:20:e:d9:7:fc:3:38:e1:ba:f5:b5
config snmpv3 add user "initialsha" authentication sha hex e8:82:2e:be:5c:f:5f:17:56:db:e7:b8:66:aa:bc:ee:fa:8e:75:8e
config snmpv3 add user "initialmd5Priv" authentication md5 hex 3c:58:72:f6:66:a3:8d:2d:fa:b7:7c:6e:1:10:52:86 privacy hex

3c:58:72:f6:66:a3:8d:2d:fa:b7:7c:6e:1:10:52:86
config snmpv3 add user "initialshaPriv" authentication sha hex c0:33:9:be:bb:27:bc:c2:b9:7d:91:d4:b4:f2:8:1f:af:b4:8f:bb privacy hex

c0:33:9:be:bb:27:bc:c2:b9:7d:91:d4:b4:f2:8:1f
#
# SNMPV3 MIB Views Configuration
#
config snmpv3 add mib-view "defaultUserView" subtree 1 type Included
config snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.16 type Excluded
config snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.18 type Excluded
config snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.4 type Excluded
config snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.6 type Excluded
config snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.9 type Excluded
config snmpv3 add mib-view "defaultAdminView" subtree 1 type Included
config snmpv3 add mib-view "defaultNotifyView" subtree 1 type Included
#
# SNMPV3 VACM Access Configuration
#
config snmpv3 add access "admin" sec-model USM sec-level priv read-view "defaultAdminView" write-view "defaultAdminView" notify-view "defaultNotifyView"
config snmpv3 add access "initial" sec-model USM sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
config snmpv3 add access "initial" sec-model USM sec-level authnopriv read-view "defaultUserView" write-view "defaultUserView" notify-view

"defaultNotifyView"
config snmpv3 add access "v1v2c_ro" sec-model snmpv1 sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
config snmpv3 add access "v1v2c_ro" sec-model snmpv2c sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
config snmpv3 add access "v1v2c_rw" sec-model snmpv1 sec-level noauth read-view "defaultUserView" write-view "defaultUserView" notify-view

"defaultNotifyView"
config snmpv3 add access "v1v2c_rw" sec-model snmpv2c sec-level noauth read-view "defaultUserView" write-view "defaultUserView" notify-view

"defaultNotifyView"
config snmpv3 add access "v1v2cNotifyGroup" sec-model snmpv1 sec-level noauth notify-view "defaultNotifyView"
config snmpv3 add access "v1v2cNotifyGroup" sec-model snmpv2c sec-level noauth notify-view "defaultNotifyView"
#
# SNMPV3 USM Groups Configuration
#
config snmpv3 add group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv1
config snmpv3 add group "v1v2c_rw" user "v1v2c_rw" sec-model snmpv1
config snmpv3 add group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv2c
config snmpv3 add group "v1v2c_rw" user "v1v2c_rw" sec-model snmpv2c
config snmpv3 add group "admin" user "admin" sec-model USM
config snmpv3 add group "initial" user "initial" sec-model USM
config snmpv3 add group "initial" user "initialmd5" sec-model USM
config snmpv3 add group "initial" user "initialsha" sec-model USM
config snmpv3 add group "initial" user "initialmd5Priv" sec-model USM
config snmpv3 add group "initial" user "initialshaPriv" sec-model USM
#
# SNMPV3 Community Table Configuration
#
config snmpv3 add community encrypted "r~`|kug" name encrypted "r~`|kug" user "v1v2c_rw"
config snmpv3 add community encrypted "rykfcb" name encrypted "rykfcb" user "v1v2c_ro"
#
# SNMPV3 Target Addr Configuration
#
#
# SNMPV3 Target Params Configuration
#
#
# SNMPV3 Notify Configuration
#
config snmpv3 add notify hex 64:65:66:61:75:6c:74:4e:6f:74:69:66:79 tag hex 64:65:66:61:75:6c:74:4e:6f:74:69:66:79

#
# SNMPV3 Notify Filter Profile Configuration
#
#
# SNMPV3 Notify Filter Configuration
#


# System-wide Debug Configuration
#No System-wide debug tracing configured

#Vlan Based Debug Configuration
#
#No Vlan-based debug-tracing configured

#Port Based Debug Configuration
#
#No Port based debug-tracing configured

# IP subnet lookup configuration

# Network Login Configuration
configure netlogin mac auth-retry-count 3
configure netlogin mac reauth-period 1800

# Network Login Dot1x Guest Vlan Configuration

# Event Management System Configuration

# Event Management System Log Filter Configuration

# Event Management System Log Target Configuration
# Enhanced-dos-protect configuration
disable enhanced-dos-protect ipfdb
disable enhanced-dos-protect rate-limit
# Source IP Guard Configuration
# LLDP
configure lldp transmit-interval 30
configure lldp transmit-hold 4
configure lldp transmit-delay 2
configure lldp reinitialize-delay 2
configure lldp snmp-notification-interval 5
disable lldp ports 1
disable lldp ports 2
disable lldp ports 3
disable lldp ports 4
disable lldp ports 5
disable lldp ports 6
disable lldp ports 7
disable lldp ports 8
disable lldp ports 9
disable lldp ports 10
disable lldp ports 11
disable lldp ports 12
disable lldp ports 13
disable lldp ports 14
disable lldp ports 15
disable lldp ports 16
disable lldp ports 17
disable lldp ports 18
disable lldp ports 19
disable lldp ports 20
disable lldp ports 21
disable lldp ports 22
disable lldp ports 23
disable lldp ports 24
disable lldp ports 25
disable lldp ports 26
# MAC Lockdown with timeout Configuration
# Gratuitous ARP Configuration

#
# End of configuration file for "Summit200-24".
#
* Summit200-24:18 #

 

[tanderson3733]

Only time for a quick glance, but Port 5 is not a member of the voice vlan. Only port 24 is as a 802.1q tagged port. Do this:

configure vlan "VIPT_110" add port 5 tagged

That should allow the phone to boot up into the Data vlan, get the option info to change to the voice vlan, and then start sending tagged packets in the voice VLAN. Your bootprelay and ipforwarding will route traffic and forward your DHCP request to the server.

Post back if that works or not.

 

[milo456]

Hello tanderson3733,
Neither the laptop or the phone got an ip address when changing port 5 into VIPT_110 vlan

The switch does not have a router. Extreme TAC told me to get it out of the picture because the switch was doing routing (ipforwarding). They got me more confused !

I am able to ping the voice vlan from the DHCP server (in the data vlan) without a router and don't have loopback enable anywahere. I don't understand why?

Summit200-24:1 # ping 10.1.1.54 from 10.10.12.2
Ping(ICMP) 10.10.12.2->10.1.1.54: 4 packets, 8 data bytes, interval= 1.
16 bytes from 10.1.1.54: icmp_seq=0 ttl=128 time=10 ms
16 bytes from 10.1.1.54: icmp_seq=1 ttl=128 time=0 ms
16 bytes from 10.1.1.54: icmp_seq=2 ttl=128 time=0 ms
16 bytes from 10.1.1.54: icmp_seq=3 ttl=128 time=0 ms

--- 10.1.1.54 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0/2.5/10 ms
Summit200-24:2 # sh ipc
IP Routing : Enabled
Press <SPACE> to continue or <Q> to quit:
IPmc Routing : Disabled
Use Redirects : Disabled
RIP : Disabled
DVMRP : Disabled
PIM : Disabled
OSPF : Disabled
IRDP : Disabled
BootpRelay : Enabled
Route Sharing : Disabled
Multinetting : Disabled
Std Multinetting: Disabled
NAT : Disabled
VRRP : Disabled
IP-SUBNET-Lookup : Disabled
IpOption LSRR : Enabled
IpOption SSRR : Enabled
IpOption RR : Enabled
IpOption TS : Enabled
IpOption RTRALT : Disabled
Route Add Action: Clear-All
IP Down Vlan Action: Forward
LPM-routing : Disabled [Inactive]
Press <SPACE> to continue or <Q> to quit:

ARP:
ARP Timeout : Enabled [20 minutes]
Maximum Entries : 8192 Max Pending Entries : 256
IPARP AddrChecking : Enabled
IPARP Refresh : Enabled
IRDP:
Advertisement Address: 255.255.255.255 Maximum Interval: 600
Minimum Interval: 450 Lifetime: 1800 Preference: 0
IGMP:
Query Interval: 125 sec
Max Response Time: 10 sec
Last Member Query: 1 sec
IGMP Snooping:
Router Timeout: 260 sec
Host Timeout: 260 sec
Igmp Snooping Flag: forward-all-router
Igmp Snooping Fast Leave Time: 1000 ms
Igmp Snooping Proxy : Enable
Igmp Snooping Flood-list : none
Bootp Relay :
Destination:10.1.1.54

VLAN IP Address Flags nSIA nLRMA nLeMA

Default 0.0.0.0 / 0 E-f-----sB-uRPXM------i----------- 0 0 0

DATA_100 10.1.1.2 /16 EUf-----s--uRPXM------i----------- 0 2 1

VIPT_110 10.10.12.2 /23 EUf-----s--uRPXM------i----------- 0 2 0

 

[tanderson3733]

I don't see anything in the config for VLAN tags. Post the results of these:

show iproute
show vlan DATA_100
show vlan VIPT_110

 

[milo456]

Summit200-24:4 # sh ipr

Ori Destination Gateway Mtr Flags VLAN Duration
*d 10.10.12.0/23 10.10.12.2 1 U------u--- VIPT_110 0d:23h:57m:29
s
*d 10.1.0.0/16 10.1.1.2 1 U------u--- DATA_100 0d:23h:57m:29
s
*d 127.0.0.1/8 127.0.0.1 0 U-H----um-- Default 0d:23h:57m:29
s

Origin(OR): (b) BlackHole, (bo) BOOTP, (ct) CBT, (d) Direct, (df) DownIF
(dv) DVMRP, (h) Hardcoded, (i) ICMP, (mo) MOSPF, (o) OSPF
(o1) OSPFExt1, (o2) OSPFExt2, (oa) OSPFIntra, (oe) OSPFAsExt
(or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM, (r) RIP, (ra) RtAdvrt
(s) Static, (*) Preferred route

Flags: (B) BlackHole, (D) Dynamic, (G) Gateway, (H) Host Route
(L) Direct LDP LSP, (l) Indirect LDP LSP, (m) Multicast
(P) LPM-routing, (R) Modified, (S) Static, (T) Direct RSVP-TE LSP
(t) Indirect RSVP-TE LSP, (u) Unicast, (U) Up

Mask distribution:
1 routes at length 8 1 routes at length 16
1 routes at length 23

Route origin distribution:
Summit200-24:6 #
3 routes from Direct

Total number of routes = 3.

Summit200-24:5 # sh vlan DATA_100
VLAN Interface[5-202] with name "DATA_100" created by user
Tagging: Untagged (Internal tag 4090)
Priority: 802.1P Priority 7
IP: 10.1.1.2/255.255.0.0
STPD: None
Protocol: Match all unfiltered protocols.
Loopback: Disable
RateShape: Disable
QosProfile:QP1
Ports: 24. (Number of active ports=1)
Flags: (*) Active, (!) Disabled
(B) BcastDisabled, (R) RateLimited, (L) Loopback
(g) Load Share Group
Untag: 1 2 *3 4 6 7 8 9 10 11
12 13 14 15 16 17 18 19 20 21
22 23 25 26


Summit200-24:6 # sh vlan VIPT_110
VLAN Interface[6-203] with name "VIPT_110" created by user
Tagging: 802.1Q Tag 110
Priority: 802.1P Priority 7
IP: 10.10.12.2/255.255.254.0
STPD: None
Protocol: Match all unfiltered protocols.
Loopback: Disable
RateShape: Disable
QosProfile:QP1
Ports: 2. (Number of active ports=1)
Flags: (*) Active, (!) Disabled
(B) BcastDisabled, (R) RateLimited, (L) Loopback
(g) Load Share Group
Tagged: *5 24

The dhcp server is connected to DATA_100 and the phone to port 5 on VIPT_110 vlan

I'm copying the output of sh ipfdb in case you need to see it:
Summit200-24:3 # sh IPfdb
Dest IP Addr TblIdx MacIdx Flag Flow MAC Address VLAN Port
--------------- ------ ------ ---- ---- ----------------- ---- ----
10.1.1.2 19F2.0 02E0.0 0000 00:04:96:05:35:F1 4090 CPU
10.10.12.2 1BC7.0 0D74.0 0000 00:04:96:05:35:F1 0110 CPU
10.1.1.54 1EF3.0 06A6.0 0000 00:1A:A0:62:F7:4D 4090 3

 

[tanderson3733]

Summit200-24:5 # sh vlan DATA_100

Untag: 1 2 *3 4 6 7 ......

port 5 still needs to be a member of this vlan untagged.

Summit200-24:6 # sh vlan VIPT_110

Tagging: 802.1Q Tag 110

This should be the VLAN ID your phone is given in DHCP options. You also want to make sure that the phone knows to auto-select between 802.1Q VLAN tagging or not.

 

[milo456]

How do I make port 5 belong to two vlans (tagged and untagged)?


Are you saying that DHCP server should give "802.1Q Tag 110" as tag rather than 110 in the option 43?

 

[tanderson3733]

How do I make port 5 belong to two vlans (tagged and untagged)?

config vlan DATA_100 add port 5
config vlan VIPT_110 add port 5 tagged

Are you saying that DHCP server should give "802.1Q Tag 110" as tag rather than 110 in the option 43?

I don't know what type of information your phones receive from DHCP...for Avaya phones we use a string in option 176 or 242 "L2QVLAN=110". What's important is that your phones know that the vlan ID is 110.

 

[milo456]

Thank you very much TANDERSON3733. I always thought that I could not make a untagged port tagged.
Thank you very much again.