1111 Won't pull DHCP for WAN from Comcast - Migration from 891

Well I'm stumped for the moment.   I'm migrating my office from an 891 that just can't keep up with the speeds anymore to a new 1111-8P, and I can't get it to receive a DHCP address from Comcast via the same little Arris SB8200 I was using before.  


I'm almost duplicating the config from the old to the new, although there are a few differences.   First, I was using reflexive access lists to do some firewalling on the 891.  That worked well, but the 1111 supports zone based, which I intend to use, but have not yet configured.


The config is attached, and I can do things internally, but there's no DHCP address assignment like I had working on the 891.   I do plan on using the 2nd Gig WAN interface to connect to the 2nd port on the SB8200 later, but I need to get this working first.


I have tried the "renew dhcp gigabitethernet0/0/0" command to try to refresh it, but nothing happens.   


Yes, the SB8200 is in bridge mode, the 891 gets a DHCP address just fine.

Any hints or direct help would be greatly appreciated at this point!!

I'll check the config again...will get back with you...

Georg, don't worry too much about that one - I discovered why some of the devices were getting IP addresses assigned from some other DHCP server, and the story is really out there!!


I'm in a 115 year old renovated building, which has both cable and Cat5 wired to each unit.  They include a base internet offering over the Cat5 as a part of the lease.   Since their base isn't fast enough for Zoom, let alone anything else, I've opted for a business class Xfinity service that comes in through the cable port.  I had them disconnect the Cat5 in the hall closet so I wouldn't get that service.   Inside my unit's switchbox panel, there's a switch and it's connected to all the RJ-45 ports in the office, and one of those connections is to the closet down 1 floor and in the hallway - which was disconnected in the hallway closet.


Until it wasn't.


Yes, someone reconnected it, probably thinking it had gotten unplugged by mistake.   I couldn't tell you when it happened, but building maintenance says there are service techs in there every other week.


After unplugging that cable from BOTH ends now and labeling it as "do not connect", it seems my pared back config is working.   WAN is getting a DHCP address through the cable modem (although they're giving me a /22 block for some reason), and all my computers, printers, phones, etc. are all getting proper internal IPs now.


DMZ can talk to INSIDE and OUTSIDE, and vice versa.   I think it's all working, but I did remove the OUT-TO-SELF and SELF-TO-OUT zone pairs, CMs and PMs.   I'm not sure I need it.


So disregard the last config and if you would take a peek at this one, I think it's correct and secure.   Then I have to figure out why it can't call home for licensing.   That's a whole different thing.  At least I have 356 more days to get that working.
Config looks good. With regard to the call home, can you send an inventory message?


Gateway#call-home send alert-group inventory profile CiscoTAC-1

There's no indication it works at all.  Same with doing "license smart trust idtoken".   Even forced does nothing.  Tried smart and call-home transport.   



Odd. I am not sure how the C1111 handles the revocation check, but check item 4 in the link to the PDF attached. Is that how you installed the security certificate?

Yep, checked that.  I didn't have the email in there, I thought it would show up on my account once I used the token, but it doesn't.  Adding my email in there does get the reply, but it's temporary because apparently you can't use Call-Home without a service contract now???   Well, I don't have a contract so I'll have to use another method then.   

You would probably need to allow access to the router itself (self-policy) from inside your LAN, especially DHCP.
Lastly, I suggest excluding the static NAT host from your NAT ACL.



Kind regards

Paul, can you elaborate on this?   


Understand your correction on the access list 1 and taking out the relevant NAT entry.   Clients are getting DHCP and DNS from the router, that seems to work.  SSH I do have to add into the config eventually.


Question about the CM where you have h323 in there...  What's that for in the self_cm?   I wonder if the lack of that, or something else, is causing an issue with a few people's cell phones here dropping calls when they're on the Wi-Fi network.   Not sure what protocol is used for that.


Also, new issue...   I can't ping out of the router anymore, and the licensing check now fails with a 'can't resolve address' error.    Did we block something somewhere that we shouldn't have?
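Paul's "self-policy" point earlier in the thread and the last post's symptoms (router can't ping out, licensing can't resolve a hostname) are both about zone-based firewall policy for the router's own self zone: once a zone pair that references self exists, only what the policy matches gets through in that direction. The following is an added illustration, not the poster's attached config or Paul's; it assumes an IOS-XE router with zones already named INSIDE and OUTSIDE, and the ACL, class-map, policy-map and zone-pair names are made up for the example.

```cisco
! Added example, not from the thread's config. Assumes zones INSIDE and OUTSIDE
! exist and the WAN interface is a DHCP client. The self zone is built in; in
! any direction that has a zone pair, traffic not matched by the policy is dropped,
! so DHCP, DNS and HTTPS for the router itself have to be listed explicitly.

! LAN -> router: DHCP requests (broadcast from 0.0.0.0), DNS, SSH, ping
ip access-list extended ACL-IN-TO-SELF
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq 22
 permit icmp any any echo
class-map type inspect match-any CM-IN-TO-SELF
 match access-group name ACL-IN-TO-SELF
policy-map type inspect PM-IN-TO-SELF
 class type inspect CM-IN-TO-SELF
  inspect
 class class-default
  drop log
zone-pair security IN-TO-SELF source INSIDE destination self
 service-policy type inspect PM-IN-TO-SELF

! router -> Internet: DNS, HTTPS (Smart Licensing / call-home), ping, WAN DHCP client
ip access-list extended ACL-SELF-TO-OUT
 permit udp any any eq domain
 permit tcp any any eq 443
 permit icmp any any
 permit udp any eq bootpc any eq bootps
class-map type inspect match-any CM-SELF-TO-OUT
 match access-group name ACL-SELF-TO-OUT
policy-map type inspect PM-SELF-TO-OUT
 class type inspect CM-SELF-TO-OUT
  inspect
 class class-default
  drop log
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect PM-SELF-TO-OUT

! Internet -> router: only DHCP offers/acks for the WAN client; everything else dropped
ip access-list extended ACL-OUT-TO-SELF
 permit udp any eq bootps any eq bootpc
class-map type inspect match-any CM-OUT-TO-SELF
 match access-group name ACL-OUT-TO-SELF
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-OUT-TO-SELF
  pass
 class class-default
  drop log
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
```

The `drop log` default classes make blocked self-zone traffic visible in the log, which is the quickest way to see whether a failed ping or DNS lookup from the router was eaten by a zone pair. Paul's NAT suggestion is separate from this: a `deny ip host <static-NAT-host> any` line (placeholder address) at the top of the dynamic NAT ACL keeps that host out of the overload pool.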