04-28-2014 05:41 AM - edited 03-04-2019 10:51 PM
We have a 2900 router that acts as DHCP server and can not ping a new workstation that is not DHCP. I can ping the new workstation from the 10.45.4.1 interface, but not from any other. I can ping existing workstations from all interfaces. Is it some access list that is only allowing for DHCP addresses to be pingable? There is some legacy stuff in the router (BGP) that isn't being used. Here is the config:
Building configuration...
Current configuration : 22818 bytes
!
! Last configuration change at 15:58:47 EDT Fri Apr 25 2014 by
! NVRAM config last updated at 11:09:52 EDT Sat Apr 5 2014 by
version 15.1
service timestamps debug datetime localtime
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
!
logging buffered informational
no logging console
!
no aaa new-model
ida-client server url https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl
!
clock timezone EDT -4 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.45.4.1 10.45.4.9
ip dhcp excluded-address 10.45.8.1 10.45.8.9
ip dhcp excluded-address 10.45.30.1 10.45.30.9
ip dhcp excluded-address 10.45.31.1 10.45.31.9
ip dhcp excluded-address 10.45.32.1 10.45.32.9
ip dhcp excluded-address 10.45.33.1 10.45.33.9
ip dhcp excluded-address 10.45.34.1 10.45.34.9
ip dhcp excluded-address 10.45.35.1 10.45.35.9
ip dhcp excluded-address 10.45.80.1 10.45.80.9
!
ip dhcp pool DataVLAN
network 10.45.4.0 255.255.255.0
default-router 10.45.4.1
dns-server 10.44.80.249 10.44.80.252
option 156 ascii ftpservers=10.44.8.2,country=1,language=1,layer2tagging= 1,vlanid=25
!
ip dhcp pool VoiceVLAN
network 10.45.8.0 255.255.255.0
default-router 10.45.8.1
dns-server 10.44.80.249 10.44.80.241
option 156 ascii ftpservers=10.44.8.2,country=1,language=1,layer2tagging= 1,vlanid=25
!
ip dhcp pool Access-Points
network 10.45.30.0 255.255.255.0
default-router 10.45.30.1
dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool Guest-Wireless
network 10.45.31.0 255.255.255.0
default-router 10.45.31.1
dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool Staff-Wireless
network 10.45.32.0 255.255.255.0
default-router 10.45.32.1
dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool Voice-Wireless
network 10.45.33.0 255.255.255.0
default-router 10.45.33.1
dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool Mobile-Wireless
network 10.45.34.0 255.255.255.0
default-router 10.45.34.1
dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool WAAS
network 10.45.35.0 255.255.255.0
default-router 10.45.35.1
dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool New Server
network 10.45.80.0 255.255.255.0
default-router 10.45.80.1
dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool voicevlan
dns-server 10.44.80.249 10.44.80.252
!
!
ip flow-cache timeout active 1
ip domain lookup source-interface GigabitEthernet0/1.21
ip name-server 10.44.80.249
ip name-server 10.44.80.241
ip ips config location flash:ips retries 1
ip ips name IPS_1 list IPS_ACL
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
ip ips auto-update
occur-at weekly 0-6 50 0-23
url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
!
password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint
enrollment selfsigned
subject-name
revocation-check none
rsakeypair
!
crypto pki trustpoint root
enrollment terminal
revocation-check none
!
crypto pki trustpoint rootVeriSub
enrollment terminal
revocation-check none
!
!
crypto pki certificate chain
certificate self-signed 01
quit
crypto pki certificate chain root
certificate ca 01A
quit
crypto pki certificate chain rootVeriSub
certificate ca 07271446
quit
license udi pid CISCO2911/K9 sn FTX1604F049
!
!
archive
log config
hidekeys
path
write-memory
username Orlansinfrastructure password 0
username rancid privilege 15 secret 5
username orlans2 privilege 15 secret 5
!
redundancy
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
quit
!
!
!
!
no ip ftp passive
ip tftp source-interface GigabitEthernet0/1.21
ip ssh version 2
!
class-map match-any COS2-Video
match ip dscp af41
match protocol telnet
match access-group name COS2-Video
class-map match-any bad-traffic
match protocol bittorrent
match protocol edonkey
match protocol gnutella
match protocol fasttrack
match protocol kazaa2
match protocol winmx
match protocol directconnect
match protocol gopher
class-map match-any voice-out
match ip dscp ef
match access-group name VOIP_TRAFFIC
class-map match-any sig-out
match ip dscp cs3
class-map match-any AutoQoS-VoIP-Remark
match ip dscp ef
match ip dscp cs3
match ip dscp af31
class-map match-any sig-in
match ip dscp cs3 af31
match ip precedence 3
match ip precedence 4
class-map match-any voice-in
match ip dscp cs5 ef
match ip precedence 5
match protocol skinny
match protocol sip
match access-group name VOIP_TRAFFIC
class-map match-any AutoQoS-VoIP-Control-UnTrust
match access-group name AutoQoS-VoIP-Control
class-map match-any COS5
match ip dscp af11
match access-group name COS5
class-map match-any COS4
match ip dscp default
match access-group name COS4
class-map match-any COS3
match ip dscp af21
match access-group name COS3
class-map match-any COS2
match ip dscp cs3 af31
match protocol telnet
match access-group name COS2
class-map match-any AutoQoS-VoIP-RTP-UnTrust
match protocol rtp audio
match access-group name AutoQoS-VoIP-RTCP
!
!
policy-map AutoQoS-Policy-UnTrust
class AutoQoS-VoIP-RTP-UnTrust
priority percent 70
set dscp ef
class AutoQoS-VoIP-Control-UnTrust
bandwidth percent 5
set dscp af31
class AutoQoS-VoIP-Remark
set dscp default
class class-default
fair-queue
policy-map QOS-MPLS-ISI
class voice-out
set ip dscp ef
priority percent 40
class sig-in
bandwidth remaining percent 5
class COS2-Video
set ip dscp af41
bandwidth remaining percent 30
class COS2
set ip dscp af31
bandwidth remaining percent 30
class COS3
set ip dscp af21
bandwidth remaining percent 15
class COS4
set ip dscp default
bandwidth remaining percent 4
class COS5
set ip dscp af11
class bad-traffic
drop
policy-map VOICE-INBOUND
class voice-in
set ip dscp ef
class sig-in
set ip dscp cs3
policy-map VOICE-OUTBOUND
class voice-out
priority percent 55
class sig-out
bandwidth percent 5
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set esp-aes esp-sha-hmac
crypto ipsec transform-set esp-3des esp-sha-hmac
!
crypto ipsec profile
set transform-set
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel
set peer
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ****connection to
ip address 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.20
description
encapsulation dot1Q 20
ip address 10.45.0.1 255.255.255.0
!
interface GigabitEthernet0/1.21
description ***USER VLAN ****
encapsulation dot1Q 21
ip address 10.45.4.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.25
encapsulation dot1Q 25
ip address 10.45.8.1 255.255.255.0
ip flow ingress
ip flow egress
!
!
interface GigabitEthernet0/2
description EPL$ES_LAN$
ip address 172.17.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
!
router eigrp 100
network 10.45.0.0 0.0.0.255
network 10.45.4.0 0.0.0.255
network 10.45.8.0 0.0.0.255
network 10.45.30.0 0.0.0.255
network 10.45.31.0 0.0.0.255
network 10.45.32.0 0.0.0.255
network 10.45.33.0 0.0.0.255
network 10.45.34.0 0.0.0.255
network 10.45.35.0 0.0.0.255
network 10.45.80.0 0.0.0.255
network 172.16.38.0 0.0.0.255
distance eigrp 201 201
passive-interface default
no passive-interface Tunnel2
!
!
router eigrp 101
network 10.45.0.0 0.0.0.255
network 10.45.4.0 0.0.0.255
network 10.45.8.0 0.0.0.255
network 10.45.30.0 0.0.0.255
network 10.45.31.0 0.0.0.255
network 10.45.32.0 0.0.0.255
network 10.45.33.0 0.0.0.255
network 10.45.34.0 0.0.0.255
network 10.45.35.0 0.0.0.255
network 10.45.80.0 0.0.0.255
network 172.16.39.0 0.0.0.255
distance eigrp 200 200
passive-interface default
no passive-interface Tunnel1
!
router bgp 65011
bgp router-id 66.251.39.122
bgp log-neighbor-changes
network 10.45.0.0 mask 255.255.255.0
network 10.45.4.0 mask 255.255.255.0
network 10.45.8.0 mask 255.255.255.0
network 10.45.30.0 mask 255.255.255.0
network 10.45.31.0 mask 255.255.255.0
network 10.45.32.0 mask 255.255.255.0
network 10.45.33.0 mask 255.255.255.0
neighbor remote-as 15270
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip flow-export source GigabitEthernet0/1.20
ip flow-export version 5
ip flow-export destination 10.44.80.251 9996
!
ip nat inside source route-map NATLIST interface GigabitEthernet0/0 overload
ip nat inside source static 10.44.80.250
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.44.0.0 255.255.255.0 172.17.1.1
ip route 10.44.4.0 255.255.255.0 172.17.1.1
ip route 10.44.8.0 255.255.255.0 172.17.1.1
ip route 10.44.31.0 255.255.255.0 172.17.1.1
ip route 10.44.32.0 255.255.255.0 172.17.1.1
ip route 10.44.80.0 255.255.255.0 172.17.1.1
ip route 10.44.100.0 255.255.255.0 172.17.1.1
ip route 192.168.1.0 255.255.255.0 172.17.1.1
!
ip access-list standard SNMP_ACCESS
permit 10.44.80.251
deny any
!
ip access-list extended AutoQoS-VoIP-Control
permit tcp any any eq 1720
permit tcp any any range 11000 11999
permit udp any any eq 2427
permit tcp any any eq 2428
permit tcp any any range 2000 2002
permit udp any any eq 1719
permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
permit udp any any range 16384 32767
ip access-list extended COS2-Video
permit ip any host 10.44.80.235
permit ip any host 10.44.80.236
ip access-list extended COS3
remark COS3 - DSCP AF21
permit tcp any any eq 389
permit tcp any any eq 8471
ip access-list extended COS4
remark COS4 - DSCP 0
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 143
permit tcp any any eq 2525
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 139
permit tcp any any eq 445
permit tcp any any eq 137
permit tcp any any eq 8473
permit tcp any any eq ftp
permit tcp any any eq ftp-data
ip access-list extended COS5
remark DEFAULT TRAFFIC
permit ip any any
ip access-list extended INTERNET_FILTER
permit tcp 10.0.0.0 0.0.0.255 any
permit udp 10.0.0.0 0.0.0.255 any
permit tcp 172.16.0.0 0.0.255.255 any
permit udp 172.16.0.0 0.0.255.255 any
permit tcp 192.168.0.0 0.0.255.255 any
permit udp 192.168.0.0 0.0.255.255 any
permit tcp any any established
permit tcp any any eq smtp
deny ip any any
ip access-list extended IPS_ACL
remark ACL Traffic to be scanned
permit ip any any
ip access-list extended NAT_ACL
remark CCP_ACL Category=18
remark IPSec Rule
deny ip 10.45.4.0 0.0.0.255 10.44.0.0 0.0.255.255
permit ip 10.45.4.0 0.0.0.255 any
permit ip 10.45.31.0 0.0.0.255 any
permit ip 10.45.32.0 0.0.0.255 any
permit ip 10.45.34.0 0.0.0.255 any
permit ip 10.45.80.0 0.0.0.255 any
permit ip 10.45.0.0 0.0.0.255 any
permit ip 10.44.4.0 0.0.0.255 any
permit ip 10.44.80.0 0.0.0.255 any
permit ip 172.17.1.0 0.0.0.255 any
permit ip any any
!
logging 10.44.80.251
access-list 5 permit 10.44.8.235
access-list 5 permit 10.45.4.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.45.0.0 0.0.255.255 10.44.0.0 0.0.255.255
access-list 144 permit ip host 10.45.4.60 host 10.44.80.235
access-list 144 permit ip host 10.44.80.235 host 10.45.4.60
!
!
!
!
route-map NATLIST permit 10
match ip address NAT_ACL
!
!
!
control-plane
!
!
banner exec ^CC
!
!
scheduler allocate 20000 1000
ntp server 10.44.0.1
end
04-28-2014 05:50 AM
The IP of the workstation in question is 10.45.4.9. If I traceroute from something connected to G0/2, it gets to G0/2 and dies.
04-29-2014 01:20 PM
Have you set a default gateway on your client? And have you set the right VLAN on the switchport where the workstation is connected?
05-01-2014 08:07 AM
Yes. The default gateway is set to G0/1.21 and the vlan is correct. I can ping the workstation from the switch it is plugged into and from the G0/1 interface on the router.
05-01-2014 08:46 AM
05-01-2014 08:51 AM
Did not try different switchport. Manually assigned an ip of 10.45.4.60 and it works fine. Why won't it work with 10.45.4.9? The device can not be set to DHCP.
05-01-2014 11:16 AM
access-list 144 allows 10.45.4.60, but the access-list is not connected to any interface on this router.
Can you try another IP address, one not listed in any access-list? You can try taking an existing DHCP workstation and setting it to a manual IP address, so you can decide whether the new workstation or the router is the problem.
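The check discussed in the reply above (whether a defined ACL is actually bound to anything) can be automated. This is an added example, not code from the thread: `audit_acls` is a hypothetical helper, and `SAMPLE` is a subset of lines taken from the posted configuration with the ACL bodies omitted.

```python
import re

# Subset of the configuration posted above, trimmed for the demo.
SAMPLE = """\
ip ips name IPS_1 list IPS_ACL
class-map match-any COS3
 match access-group name COS3
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
ip access-list extended COS3
ip access-list extended INTERNET_FILTER
ip access-list extended IPS_ACL
ip access-list extended NAT_ACL
access-list 100 permit ip 10.45.0.0 0.0.255.255 10.44.0.0 0.0.255.255
access-list 144 permit ip host 10.45.4.60 host 10.44.80.235
route-map NATLIST permit 10
 match ip address NAT_ACL
"""

DEFINE = re.compile(r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )")
# IOS commands that reference an ACL by name or number. Only
# "ip access-group" makes an ACL filter packets on an interface.
REFS = [
    ("interface filter", re.compile(r"^ip access-group (\S+) (?:in|out)")),
    ("class-map", re.compile(r"^match access-group (?:name )?(\S+)")),
    ("route-map", re.compile(r"^match ip address (\S+)")),
    ("crypto map", re.compile(r"^match address (\S+)")),
    ("ips", re.compile(r"^ip ips name \S+ list (\S+)")),
]

def audit_acls(config):
    """Return {acl: sorted usage kinds}; an empty list means unreferenced."""
    usage = {}
    lines = [ln.strip() for ln in config.splitlines()]
    for ln in lines:  # pass 1: collect every defined ACL
        m = DEFINE.match(ln)
        if m:
            usage.setdefault(m.group(1) or m.group(2), set())
    for ln in lines:  # pass 2: record where each ACL is referenced
        for kind, rx in REFS:
            m = rx.match(ln)
            if m and m.group(1) in usage:
                usage[m.group(1)].add(kind)
    return {name: sorted(kinds) for name, kinds in usage.items()}

if __name__ == "__main__":
    for name, kinds in audit_acls(SAMPLE).items():
        print(f"{name:16} {', '.join(kinds) or 'NOT REFERENCED'}")
```

An ACL with no "interface filter" entry is used only for classification, NAT, IPS or crypto matching, and an ACL with an empty list is defined but unused.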