topic Re: ASA 5505 - DHCP pool per VLAN in Network Security

ASA 5505 - DHCP pool per VLAN

Isynth — Fri, 21 Feb 2020 14:49:27 GMT

Hallo,

I am struggling with a setup and I would be glad if I find help here.

The ASA is not capable of creating sub interfaces.

Still I would like to use different dhcp pools for different VLANS over trunks.

Please have a look at my config. So far no ip adresses are assigned to the clients.

Behind Ethernet 0/1 a managed cisco switch sg300 is connected.

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk
!

vlan interfaces

interface Vlan1
 nameif managed
 security-level 100
 ip address 192.168.0.193 255.255.255.224
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan10
 nameif work
 security-level 100
 ip address 192.168.0.14 255.255.255.240
!
interface Vlan20
 nameif home
 security-level 80
 ip address 192.168.0.30 255.255.255.240
!
interface Vlan30
 nameif restricted
 security-level 50
 ip address 192.168.0.44 255.255.255.240
!
interface Vlan40
 nameif inside
 security-level 20
 ip address 192.168.0.254 255.255.255.224

dhcp pools

dhcpd dns 8.8.8.8
dhcpd auto_config outside
dhcpd option 3 ip 192.168.0.254
!
dhcpd address 192.168.0.1-192.168.0.13 work
dhcpd enable work
!
dhcpd address 192.168.0.17-192.168.0.29 home
dhcpd enable home
!
dhcpd address 192.168.0.33-192.168.0.43 restricted
dhcpd enable restricted

Thank you in advance for your time

Re: ASA 5505 - DHCP pool per VLAN

Julio Carvajal — Thu, 23 Nov 2017 15:33:22 GMT

Hello,

Can you share the output of

show dhcpd statistics

We might need to run debugs and captures later but after checking the config, everything seems good.

PD: You did not share the switch config, I hope that one is correct 🙂

Re: ASA 5505 - DHCP pool per VLAN

Isynth — Thu, 23 Nov 2017 22:04:00 GMT

Hallo Julio,

thank you for your participation in this.

If I connect a client directly to the ASA and add the ASA port to a VLAN the client receives the right ip configuration. If I connect the client to the switch the ASAs count on the dhcpd statistics doesnt change.

(config)# show dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Address pools        3
Automatic bindings   0
Expired bindings     1
Malformed messages   0

Message              Received
BOOTREQUEST          0
DHCPDISCOVER         1
DHCPREQUEST          2
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

Message              Sent
BOOTREPLY            0
DHCPOFFER            1
DHCPACK              2
DHCPNAK              0

To be honest I did not configure much on the switch.

on all ports I ran switchport mode access and switchport access VLAN 10

this is my trunk

#show interfaces switchport ge 9
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi9
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE 😞 1

Port is member in:

Vlan               Name               Egress rule     Added by
---- -------------------------------- ----------- ----------------
 1                  1                  Untagged          V


Forbidden VLANS:
Vlan               Name
---- --------------------------------


Classification rules:

Mac based VLANs:
  Group ID   Vlan ID
------------ -------

does the management interface play any part in this?

interface vlan 1
 ip address 192.168.0.251 255.255.255.0
 no ip address dhcp

Re: ASA 5505 - DHCP pool per VLAN

Julio Carvajal — Thu, 23 Nov 2017 22:43:47 GMT

The switch SVI should be in VLAN 10 according to the IP address assignment in your network.

So port 9 on the switch connects to the asa trunk interface.

Can you share the output of show int trunk on the switch?

Re: ASA 5505 - DHCP pool per VLAN

Isynth — Fri, 24 Nov 2017 08:19:08 GMT

I added the SVI to Vlan10. But on my other switch I want to use 3 vlans. Which adress should I use for the SVI since all VLans belong to different sub nets?

I noticed that I can not ping the ASA from the home switch, the ASA doesn't even show a icmp debug message.

The show int trunk command is not recognized by the switch.

Here is the whole config. For some reason the last two interfaces G9 and G10 are not displayed when i run show run. I changed the trunk to GE 8

Home
v1.4.2.4 / R800_NIK_1_4_194_194
CLI v1.0
set system mode switch

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 10
exit

hostname Home
management access-list onlyssh
permit vlan1
permit service ssh
deny
exit
management access-class onlyssh
username cisco password encrypted 00 privilege 15
ip ssh server
no ip http server
no ip http secure-server
!
interface vlan 10
 ip address 192.168.0.13 255.255.255.240
 no ip address dhcp
!
interface gigabitethernet1
 switchport mode access
 switchport access vlan 10
!
:
:
!
interface gigabitethernet7
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet8
 switchport trunk native vlan 10

I changed the trunk to GE 8

Home#show int switchport GE 8
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi8
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE 😞 10

Port is member in:

Vlan               Name               Egress rule     Added by
---- -------------------------------- ----------- ----------------
 10                 10                 Untagged          S


Forbidden VLANS:
Vlan               Name
---- --------------------------------


Classification rules:

Mac based VLANs:
  Group ID   Vlan ID
------------ -------

Re: ASA 5505 - DHCP pool per VLAN

Isynth — Fri, 24 Nov 2017 10:34:01 GMT

It looks like the switch does not communicate with the asa at all as soon as it is connected via a trunk port.

If I connect the switch via an access port everything works fine even dhcp. But since I want to use more VLANS in the future it isn't an option to connect the switch to an access port assigned to one VLAN.

Re: ASA 5505 - DHCP pool per VLAN

Isynth — Fri, 24 Nov 2017 11:28:53 GMT

After changing the native VLan on the trunk port to 99 and allowing it it works. Got the info from this article http://blog.braini.ac/?p=26.

But still I would like to know how the SVI needs to be defined as soon as I have more than one VLAN and different address ranges on the switch.

Thank you So far for your help on this.

Br,

Gerald