
Need to reboot laptop twice on port security clear for new DHCP


Pipeops (MIS), Apr 28, 2008
We have a Cisco 2611XM router connected to an HP ProCurve 2524 switch.
We have port security enabled on the switch and we use the following commands to clear the MAC address on any port:

Procurve2524# conf t
Procurve2524(config)# no port-security X
Procurve2524(config)# port-security X learn-mode static action send-disable
Procurve2524(config)# interface X
Procurve2524(eth-X)# enable

When a new user's MAC address is registered on the network, the PC is given a "local" Microsoft IP address of "169.XX.XX.XX" with a "limited or no connectivity" icon in the system tray. The user has to reboot the laptop/PC two times in order to receive the proper DHCP lease. Reconnecting the cord does not work, nor does rebooting the machine once or "repairing" the connection.

This looks like a Cisco 2611XM router DHCP issue. How do I bypass the users needing to restart two times without an actual Windows DHCP server, and just use the router to give out DHCP leases?

Thanks in advance

 
I know you are setting port security on the switch but are you using "static" DHCP on the router? (not sure if that is possible on a Cisco router or not)

If you plug a computer into a port that doesn't have port security enabled, does the system have the same issue or behave normally? If there is no issue, then it points to the port security configuration.

I've faced a similar problem using DHCP on the Cisco router, but the problem was that spanning tree portfast wasn't enabled on the switch. The problem was that the 30 seconds or so the switch uses to negotiate the connection prevents the workstation from finding the DHCP server.
Although it would get an address after the connection establishes and after you do a repair. Enabling portfast fixed it.

I understand it is not the same problem, but I would look at the switch before looking at the router as the source of the problem. Reading your problem leads me to believe that, in your case, the switch is preventing the DHCP lease from occurring. As you probably know, the 169.x.x.x address you are getting is the default address DHCP clients "assign themselves" if they can't find a DHCP server.

If a workstation has its MAC address updated on the switch and it got its address and is sending/receiving traffic, what happens when you unplug it and plug it back into the switch? Does it get its address correctly, or does it require a couple of reboots? If it does get the address correctly, then that points back to the port security configuration.

Sorry I didn't have the answer, but I hope that helps.
 
I have to agree. The first thing that popped into my head was spanning-tree portfast on the ports.
 
Is there a way to clear the MAC address on int fa0/x instead of removing port security and then re-adding it? I do that daily, but then again I'm using a Cisco switch.
 
Well, unfortunately this is not a Cisco switch but an HP switch plugged into a Cisco router. w4nn4b1337 - to answer your question, it still requires exactly two reboots to acquire the IP address even though the MAC is on the switch.
 
I was hoping the HP switch has a similar portfast feature, since HP seems to have used a bit of IOS-type features in their switch OS.

Your problem "feels" like it is at the switch. As if the switch is taking too long to register the MAC address of the connected system. That would cause the DHCP request from the client to time out before the DHCP server is available.

A troubleshooting idea: maybe unplug the LAN cable, configure a static IP stack on the client and ping the gateway with the -t option. Then, while watching the pings go out, plug the LAN cable back in and see how long it takes for ping replies to come back.

If you get responses immediately, then I would look more at the switch configuration, as the client would be immediately sending the request for an address as soon as it is plugged in. If pings come back immediately, then the problem isn't with traffic being blocked. Is there a "hold-down" timer feature on port security for the HP switch which forces the switch to hold traffic for an amount of time before traffic passes?

If the ping responses are delayed, then that could indicate a hold-down timer or something along those lines not allowing traffic while the port security feature figures things out. That would of course stop the client's DHCP request from reaching the server, but eventually allow it.

 
STP on a Cisco takes 50 seconds to forward packets from a new up status. By then, DHCP would time out...
Not sure if it is the same on the ProCurves or not...

Burt
 
The ProCurves support MST as the spanning-tree protocol. They have a feature similar to portfast that puts the ports almost directly into forwarding state. Enter the command spanning-tree admin-edge-port under all of your interfaces that end stations are attached to. You should have this enabled on all access ports due to how TCN BPDUs are generated when a port moves from forwarding to blocking or from blocking to forwarding. Simply shutting down a workstation can have adverse effects on your switches if the port is not an edge port.

 
Thanks for all your help, but unfortunately this problem is with the router. I have tested all different scenarios and found that the problem here is when a laptop is sitting on one subnet and then plugged into a different subnet (the one that the Cisco router is on), the user has to reboot the machine to acquire a DHCP lease. I bypassed the HP switch with a crossover cable and the same issue is happening with a laptop just plugged into the router. Note: this does not happen with a Linux operating system laptop. Does anyone know what may be the issue now?

Thanks,
-I
 
Right up until the Linux operating system, I was starting to think helper addresses, but I'm not so sure after that little curve.
 

!
no ip dhcp use vrf connected
ip dhcp excluded-address XXXXXXXXXX
ip dhcp excluded-address XXXXXXXXXX
!
ip dhcp pool locallan
network XXXXXXXXXX
default-router XXXXXXXXXX
domain-name XXXXXXXXXX
dns-server XXXXXXXXXX
lease 7
!
ip domain lookup source-interface Loopback0
ip domain name XXXXXXXXXX
ip name-server XXXXXXXXXX
ip name-server XXXXXXXXXX
ip name-server XXXXXXXXXX
ip inspect name inspect_outbound ftp
ip inspect name inspect_outbound tcp
ip inspect name inspect_outbound udp
ip inspect name inspect_outbound dns
ip inspect name inspect_outbound ntp
ip inspect name inspect_outbound echo
ip inspect name inspect_outbound http
ip inspect name inspect_outbound https
ip inspect name inspect_outbound ssh
ip inspect name inspect_outbound icmp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor responder
!
username XXXXXXXXXX
username XXXXXXXXXX
username XXXXXXXXXX
username XXXXXXXXXX
username XXXXXXXXXX
username XXXXXXXXXX
username XXXXXXXXXX
!
ip tftp source-interface Loopback0
!
class-map match-any video
match protocol rtp video
class-map match-any audio
match protocol rtp audio
!
policy-map mpls-qos
class audio
set ip precedence 3
class video
set ip precedence 3
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!crypto isakmp key <removed> address XXXXXXXXXX
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
!
crypto map ipsecvpn 1 ipsec-isakmp
description IPSec VPN to XXXXXXXXXX
set peer XXXXXXXXXX
set transform-set 3des-sha
match address XXXXXXXXXX
!
interface Loopback0
ip address XXXXXXXXXX
ip broadcast-address XXXXXXXXXX
!
interface FastEthernet0/0
description Internal Network
ip address XXXXXXXXXX
ip broadcast-address XXXXXXXXXX
no ip redirects
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
interface Serial0/0
description XXXXXXXXXX
ip address XXXXXXXXXX
ip broadcast-address XXXXXXXXXX
ip access-group XXXXXXXXXX
encapsulation ppp
auto discovery qos
service-policy output XXXXXXXXXX
!
interface FastEthernet0/1
description XXXXXXXXXX
ip address XXXXXXXXXX
ip access-group XXXXXXXXXX
ip access-group XXXXXXXXXX
ip nat outside
ip inspect inspect_outbound out
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map ipsecvpn
!
router bgp XXXXXXXXXX
no synchronization
bgp log-neighbor-changes
network XXXXXXXXXX mask XXXXXXXXXX
network XXXXXXXXXX mask XXXXXXXXXX
neighbor level3 peer-group
neighbor level3 remote-as 1
neighbor level3 timers 30 90
neighbor XXXXXXXXXX
no auto-summary
!
ip forward-protocol nd
ip route XXXXXXXXXX
!
no ip http server
no ip http secure-server
ip nat pool outbound_nat_pool XXXXXXXXXX netmask XXXXXXXXXX
ip nat inside XXXXXXXXXX

 
The only thing I see that stands out is the speed and duplex settings (hard-coded on fa0/0). Are they hard-coded on the PC NIC as well, or is it set to auto? If it is hard-coded on the switch as well, then that is a common denominator...

Burt
 
This ended up being the ip broadcast-address XXXXXXXXXX line for FastEthernet0/0. Take it out of the router and the problem is solved!

Thanks everyone for their help
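The thread ends with the fix (remove `ip broadcast-address` from FastEthernet0/0) but not with the mechanism, and the only clue is that Linux clients were unaffected. A plausible explanation, stated here as an assumption and not something the thread establishes, is the destination of the server's reply: a client that has no address yet sets the BOOTP broadcast flag in its DHCPDISCOVER, and RFC 2131 (section 4.1) requires the server to send the DHCPOFFER to the limited broadcast 255.255.255.255, not to the interface's directed broadcast address. The Python below is an added example, not code from the thread or the router configuration above: it builds a DISCOVER the way an address-less client does, parses DHCP messages (fixed BOOTP header plus options), and checks the IP destination a server actually used against what the RFC requires. The MAC, transaction ID, addresses and the seven-day lease are constructed sample values, not captured traffic.

```python
"""Build/parse DHCP messages and check where RFC 2131 says an OFFER must go.

Added example with constructed data; nothing here was captured from the
router in the thread.  Offsets follow the BOOTP fixed header (RFC 951/2131):
op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
chaddr(16), sname(64), file(128), then the 0x63825363 magic cookie and options.
"""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
FLAG_BROADCAST = 0x8000            # bit 0 of the flags field
MAGIC_COOKIE = b"\x63\x82\x53\x63"
LIMITED_BROADCAST = "255.255.255.255"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_discover(mac: bytes, xid: int, broadcast: bool = True) -> bytes:
    """DHCPDISCOVER from a client with no address (ciaddr 0, broadcast flag set)."""
    flags = FLAG_BROADCAST if broadcast else 0
    header = struct.pack(HEADER_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, flags,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    # option 53 = message type DISCOVER; option 55 = parameter request list
    options = MAGIC_COOKIE + bytes([53, 1, 1]) + bytes([55, 3, 1, 3, 6]) + b"\xff"
    return header + options


def build_offer(req: dict, yiaddr: str, router: str, lease: int) -> bytes:
    """Constructed DHCPOFFER answering `req` (same xid, flags and chaddr)."""
    chaddr = bytes.fromhex(req["chaddr"].replace(":", "")).ljust(16, b"\0")
    header = struct.pack(HEADER_FMT, BOOTREPLY, 1, 6, 0, req["xid"], 0, req["flags"],
                         b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    options = (MAGIC_COOKIE + bytes([53, 1, 2])
               + bytes([3, 4]) + socket.inet_aton(router)          # default-router
               + bytes([51, 4]) + struct.pack("!I", lease) + b"\xff")  # lease seconds
    return header + options


def parse(msg: bytes) -> dict:
    """Decode the fixed header and TLV options; rejects anything without the cookie."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack(HEADER_FMT, msg[:236])
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 255:          # 255 = end option
        if msg[i] == 0:                            # 0 = pad
            i += 1
            continue
        if i + 1 >= len(msg):
            break                                  # truncated option: stop parsing
        length = msg[i + 1]
        opts[msg[i]] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid, "flags": flags,
        "broadcast": bool(flags & FLAG_BROADCAST),
        "ciaddr": socket.inet_ntoa(ciaddr), "yiaddr": socket.inet_ntoa(yiaddr),
        "giaddr": socket.inet_ntoa(giaddr), "chaddr": chaddr[:hlen].hex(":"),
        "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "?"),
        "router": socket.inet_ntoa(opts[3]) if 3 in opts else None,
        "lease": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
    }


def expected_reply_destination(req: dict, yiaddr: str) -> str:
    """RFC 2131 section 4.1: where the server must send DHCPOFFER/DHCPACK."""
    if req["giaddr"] != "0.0.0.0":
        return req["giaddr"]          # came through a relay agent
    if req["ciaddr"] != "0.0.0.0":
        return req["ciaddr"]          # client can already receive unicast
    if req["broadcast"]:
        return LIMITED_BROADCAST      # client has no address yet
    return yiaddr                     # unicast to the offered address / chaddr


def check_offer(req: dict, offer: dict, ip_dst: str):
    """Compare the IP destination a server actually used with the RFC requirement."""
    if offer["op"] != BOOTREPLY or offer["type"] != "OFFER" or offer["xid"] != req["xid"]:
        return False, "not the OFFER for this DISCOVER"
    want = expected_reply_destination(req, offer["yiaddr"])
    if ip_dst == want:
        return True, f"OFFER sent to {ip_dst} as RFC 2131 requires"
    return False, (f"OFFER sent to {ip_dst}, RFC 2131 requires {want}; a client that "
                   "set the broadcast flag has no address yet and may discard it")


if __name__ == "__main__":
    req = parse(build_discover(b"\x00\x11\x22\x33\x44\x55", 0x2611))
    offer = parse(build_offer(req, "192.168.1.50", "192.168.1.1", 7 * 86400))
    print(req["type"], "broadcast flag:", req["broadcast"])
    print(offer["type"], offer["yiaddr"], "router", offer["router"], "lease", offer["lease"])
    print(check_offer(req, offer, LIMITED_BROADCAST))    # compliant reply
    print(check_offer(req, offer, "192.168.1.255"))      # directed broadcast
```

To use it on real traffic, feed `parse()` the UDP payloads of a capture taken on the client port and pass the IP-layer destination of the server's reply as `ip_dst`; a result like the second `check_offer` line, a directed broadcast in place of 255.255.255.255, is the symptom to correlate with an `ip broadcast-address` setting on the serving interface, which the thread found was the culprit.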
 