frayedends
Beginner

1111 Won't pull DHCP for WAN from Comcast - Migration from 891

Well, I'm stumped for the moment. I'm migrating my office from an 891 that just can't keep up with the speeds anymore to a new 1111-8P, and I can't get it to receive a DHCP address from Comcast via the same little Arris SB8200 I was using before.

I'm almost duplicating the config from the old to the new, although there are a few differences. First, I was using reflexive access lists to do some firewalling on the 891. That worked well, but the 1111 supports zone-based, which I intend to use but have not yet configured.

The config is attached, and I can do things internally, but there's no DHCP address assignment like I had working on the 891. I do plan on using the 2nd Gig WAN interface to connect to the 2nd port on the SB8200 later, but I need to get this working first.

I have tried the "renew dhcp gigabitethernet0/0/0" command to try to refresh it, but nothing happens.

Yes, the SB8200 is in bridge mode; the 891 gets a DHCP address just fine.

Any hints or direct help would be greatly appreciated at this point!!

Accepted Solution
Georg Pauwen
VIP Expert

Hello,

chances are that the Arris/Comcast has stored the MAC address of your old 891 and tied that to their DHCP. Check the 'Addresses' in the Web GUI SB8200 Web Manager Screen Options (Table 4, page 18 of the attached manual):

https://www.midco.com/contentassets/a8faa9563b6b49e5b244ef7418c1b314/arris-sb8200-user-guide.pdf

In any case, make the configuration changes/additions marked in bold (shown here with -->):

Gateway#sh run
Building configuration...

Current configuration : 7141 bytes
!
! Last configuration change at 20:19:14 GMT Tue Sep 7 2021
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname Gateway
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone GMT -6 0
!
ip name-server 8.8.8.8 8.8.4.4
no ip domain lookup
ip domain name local
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
no device-tracking logging theft
!
license feature hseck9
license udi pid C1111-8P sn [xxx]
license boot level securityk9
license smart reservation
memory free low-watermark processor 71820
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username [xxx] privilege 15 secret 9 [xxx]
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
no lldp tlv-select management-address
no lldp tlv-select port-description
no lldp tlv-select system-capabilities
no lldp tlv-select system-description
no lldp tlv-select system-name
no lldp tlv-select port-vlan
no lldp tlv-select mac-phy-cfg
no lldp tlv-select power-management
no lldp tlv-select 4-wire-power-management
!
interface GigabitEthernet0/0/0
description WAN to Comcast
ip address dhcp
ip nat outside
--> no ip access-group 197 in
--> no ip access-group 197 out
negotiation auto
no ip virtual-reassembly
!
interface GigabitEthernet0/0/1
ip address dhcp
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
spanning-tree portfast
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
description Internal VLAN
ip address 10.10.10.1 255.255.255.0
ip nat inside
--> no ip access-group 197 in
--> no ip access-group 197 out
!
no ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
--> ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
--> access-list 1 permit 10.10.10.0 0.0.0.255
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
end

22 REPLIES 22
frayedends
Beginner

Greatly appreciate the help with that!! I am wondering if you can elaborate on why using that "permit ip any any" ACL doesn't work in that situation?

Hello,

with NAT, an 'ip any any' access list does not work; as far as I recall, it is because with that access list there is no source, so NAT does not support it.

Hello,
Using 'any any' in a NAT ACL can produce non-deterministic results regarding your routing and NAT.

It can NAT packets you don't wish to NAT, so best practice is to specify the network you wish to translate, leaving "other" packets to egress the WAN interface untranslated.



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

Thanks for the clarification! Now I need to read 234,523 pages on zone-based policies to understand how to do the firewall.

Hello,

instead of reading all these pages, you can leave it to us! I'll put together a basic, standard Zone Based Firewall for your configuration and send it over...

That'd be great! I do still want to understand the how and why, but I'd be gracious for any help!

3 zones: internet (WAN), intranet (internal 10.10.10.0 255.255.255.0), and a single server in a DMZ. The DMZ server is RDP access from in or out (there is a static route for it on 3389).

Hello,

here is the Zone Based Firewall configuration (ZBF-related lines marked in bold):

Gateway#sh run
Building configuration...

Current configuration : 7141 bytes
!
! Last configuration change at 20:19:14 GMT Tue Sep 7 2021
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname Gateway
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone GMT -6 0
!
ip name-server 8.8.8.8 8.8.4.4
no ip domain lookup
ip domain name local
!
login on-success log
!
subscriber templating
!
zone security INSIDE
zone security OUTSIDE
!
multilink bundle-name authenticated
no device-tracking logging theft
!
license feature hseck9
license udi pid C1111-8P sn [xxx]
license boot level securityk9
license smart reservation
memory free low-watermark processor 71820
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username [xxx] privilege 15 secret 9 [xxx]
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
no lldp tlv-select management-address
no lldp tlv-select port-description
no lldp tlv-select system-capabilities
no lldp tlv-select system-description
no lldp tlv-select system-name
no lldp tlv-select port-vlan
no lldp tlv-select mac-phy-cfg
no lldp tlv-select power-management
no lldp tlv-select 4-wire-power-management
!
interface GigabitEthernet0/0/0
description WAN to Comcast
ip address dhcp
ip nat outside
zone-member security OUTSIDE
negotiation auto
no ip virtual-reassembly
!
interface GigabitEthernet0/0/1
ip address dhcp
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
spanning-tree portfast
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
description Internal VLAN
ip address 10.10.10.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
no ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
access-list 1 permit 10.10.10.0 0.0.0.255
!
ip access-list extended 111
10 permit udp any any eq 67
!
ip access-list extended 112
10 permit udp any any eq 68
!
ip access-list extended OUTSIDE-TO-INSIDE-ACL
permit icmp any 10.10.10.0 0.0.0.255
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CM
match protocol https
match protocol dns
match protocol udp
match protocol tcp
match protocol pop3
match protocol smtp
match protocol icmp
!
class-map type inspect match-all OUTSIDE-TO-INSIDE-CM
match access-group name OUTSIDE-TO-INSIDE-ACL
!
class-map type inspect match-any SELF-TO-OUTSIDE-CM
match access-group 111
!
class-map type inspect match-any OUTSIDE-TO-SELF-CM
match access-group 112
!
policy-map type inspect INSIDE-TO-OUTSIDE-PM
class type inspect INSIDE-TO-OUTSIDE-CM
inspect
class class-default
drop log
!
policy-map type inspect OUTSIDE-TO-INSIDE-PM
class type inspect OUTSIDE-TO-INSIDE-CM
pass
class class-default
drop log
!
policy-map type inspect OUTSIDE-TO-SELF-PM
class type inspect OUTSIDE-TO-SELF-CM
pass
class class-default
drop
!
policy-map type inspect SELF-TO-OUTSIDE-PM
class type inspect SELF-TO-OUTSIDE-CM
pass
class class-default
drop
!
zone-pair security IN-TO-OUT-ZP source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-PM
zone-pair security OUT-TO-IN-ZP source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-PM
zone-pair security OUTSIDE-TO-SELF-ZP source OUTSIDE destination self
service-policy type inspect OUTSIDE-TO-SELF-PM
zone-pair security SELF-TO-OUTSIDE-ZP source self destination OUTSIDE
service-policy type inspect SELF-TO-OUTSIDE-PM
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
end

Thanks for all of that! I had done a little work on it, but was starting to run into some issues. I did notice one thing in yours, this section here:

class-map type inspect match-all INSIDE-TO-OUTSIDE-CM
match protocol https
match protocol dns
match protocol udp
match protocol tcp
match protocol pop3
match protocol smtp
match protocol icmp
!

I believe that should be "match-any"? As match-all it doesn't work and blocks everything. If that's not correct, please advise, as I missed something else!

Making that change enabled it to work, and I went on to add in the DHCP addresses and the other VLAN for the DMZ server, and I used your examples to configure the ZBF for that as well. As of now, I believe everything is working. Can you look over the final config and see if you see any issues or potential problems? Attached with the crypto stuff cut out.

The DMZ server needs to be accessed via RDP on 3389 from inside or outside the network. It also needs to be able to send email only (no receive) and get Windows updates via HTTPS, and should not respond to ICMP. There are no other connections to/from that server.

Hello,

you are absolutely right about the match any.

I'll check the config and get back with you...
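Two points raised in this thread, the NAT source list (why "permit ip any any" translates more than intended, as Paul explains above) and the match-all versus match-any class-map that blocked everything, both come down to how IOS evaluates wildcard ACLs and class-map criteria. The following Python model is an added example written for this edit; it is not code from the thread or from Cisco. It simplifies 'match protocol' to a plain layer-4 protocol check (real ZBF uses NBAR/port inspection), treats each zone-pair policy as one class plus a class-default drop, and uses constructed sample packets with addresses from documentation ranges rather than anything in the thread.

```python
"""Model of how IOS wildcard ACLs feed NAT source lists and ZBF class-maps.

Added example, not code from the thread or from Cisco. The packet model and the
'match protocol' check are simplified assumptions; sample addresses are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # 'tcp', 'udp' or 'icmp'
    dport: int = 0        # destination port, 0 for icmp


@dataclass(frozen=True)
class Ace:
    """One access-list entry. The defaults give 'permit ip any any'."""
    action: str
    proto: str = "ip"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None   # 'eq <port>' on the destination


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard masks: a 0 bit must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (n & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


# --- ACLs from the thread ---------------------------------------------------
ACL_1 = [Ace("permit", src="10.10.10.0", src_wc="0.0.0.255")]          # access-list 1
ACL_PERMIT_ANY = [Ace("permit")]                                        # permit ip any any
ACL_111 = [Ace("permit", proto="udp", dport=67)]                        # router (DHCP client) -> server
ACL_112 = [Ace("permit", proto="udp", dport=68)]                        # DHCP server -> router
OUTSIDE_TO_INSIDE_ACL = [Ace("permit", proto="icmp", dst="10.10.10.0", dst_wc="0.0.0.255")]


def nat_translates(nat_list: List[Ace], pkt: Packet) -> bool:
    """'ip nat inside source list <acl> ... overload': only sources the list permits are translated."""
    return acl_permits(nat_list, pkt)


# --- ZBF class-maps ---------------------------------------------------------
Criterion = Callable[[Packet], bool]


def match_protocol(name: str) -> Criterion:
    # Simplification: real 'match protocol' is NBAR/port based; here it is the L4 protocol name.
    return lambda p: p.proto == name


def match_access_group(acl: List[Ace]) -> Criterion:
    return lambda p: acl_permits(acl, p)


def class_map_matches(mode: str, criteria: List[Criterion], pkt: Packet) -> bool:
    """match-all requires every match line to be true for the same packet; match-any needs one."""
    results = [c(pkt) for c in criteria]
    return all(results) if mode == "match-all" else any(results)


def zone_pair_action(mode: str, criteria: List[Criterion], pkt: Packet,
                     class_action: str = "inspect") -> str:
    """The matching class gets class_action; everything else falls to 'class class-default' (drop)."""
    return class_action if class_map_matches(mode, criteria, pkt) else "drop"


INSIDE_TO_OUTSIDE_CM = [match_protocol("tcp"), match_protocol("udp"), match_protocol("icmp")]

# Constructed sample packets (documentation-range addresses, not from the thread).
SAMPLE_WEB = Packet("10.10.10.25", "203.0.113.10", "tcp", 443)       # VLAN1 host browsing out
SAMPLE_OTHER = Packet("192.168.2.10", "203.0.113.10", "tcp", 443)    # a source not covered by list 1
SAMPLE_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 67)    # router's own DHCP discover
SAMPLE_OFFER = Packet("198.51.100.1", "255.255.255.255", "udp", 68)  # ISP's DHCP offer back
SAMPLE_PING_IN = Packet("203.0.113.10", "10.10.10.25", "icmp")       # inbound ICMP to VLAN1

if __name__ == "__main__":
    print("match-all:", zone_pair_action("match-all", INSIDE_TO_OUTSIDE_CM, SAMPLE_WEB))   # drop
    print("match-any:", zone_pair_action("match-any", INSIDE_TO_OUTSIDE_CM, SAMPLE_WEB))   # inspect
    print("list 1 translates 192.168.2.10:", nat_translates(ACL_1, SAMPLE_OTHER))          # False
    print("permit any translates it:", nat_translates(ACL_PERMIT_ANY, SAMPLE_OTHER))       # True
```

Run as a script, the match-all class drops even ordinary HTTPS, because one packet cannot be TCP, UDP and ICMP at the same time, while match-any inspects it. The same ACL evaluator shows list 1 leaving a 192.168.2.0/24 source untranslated where "permit ip any any" would translate it, and ACLs 111 and 112 admitting only the router's own DHCP discover and the ISP's offer through the self zone. On the router itself, `show policy-map type inspect zone-pair sessions` and `show ip nat translations` are the commands to compare these expectations against.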

Hello,

the config looks perfect!

Georg, having a little problem with this though. All our internal clients on VLAN1 were getting DHCP addresses via the Comcast WAN, and not from the router. If I get rid of the two ACLs and maps you had in yours to allow those requests in and out (self-out, out-self), then the WAN can't get its address. So I made a few changes, and it seems to work from the client side. They are getting internal addresses now, and so is the WAN if I reload.

Also, VLAN2 wasn't able to access any internet, so I added in DNS and HTTPS so its Windows Update can work. That seems fine now too.

Can you take a double-check to see that I didn't miss anything? There's a situation every so often where the console locks up. Such as: sh dhcp lease *, it goes black and I can't input or break. Log entries are still listing on the console page, but no more input. Haven't figured out why this is happening yet.

Hello,

the config looks fine. When you say the console locks up, from where are you accessing the console?

Via the console cable to USB. Works fine, except on a few commands on which it locks up.

Actually, the config isn't working 100%; I've still got some devices getting IP addresses from outside.