Contributor

configure dhcp relay / ip helper address need help

I have a Cisco ASA5516-X and a core switch SW3850, and all the DHCP pools are placed on the switch, one for each VLAN.

Now I need to configure an IP helper address (DHCP relay agent) and remove the local DHCP services so I can get the IP parameters from the main data center.

From the ASA I can't configure the DHCP relay agent; I don't know why.

I'll attach the switch configuration and the diagram. Is there any option to place the helper address on the switch?

The gateways are on the firewall, but I can't configure a helper address?

SW3850#SHOW RUN
Building configuration...

Current configuration : 23864 bytes
!
! Last configuration change at 01:40:40 UTC Wed Jul 22 2020 by MOCAS01S
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname SW3850
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 32768 informational
logging rate-limit 10
logging console warnings
enable secret 
!

no aaa new-model
switch 1 provision ws-c3850-48p
ip routing
!
ip domain-name -------
ip device tracking
i
!
ip dhcp pool Wifi-guest
network 10.233.175.0 255.255.255.0
default-router 10.233.175.1
domain-name xxxxxx
dns-server 10.38.4.171 8.8.8.8
!
ip dhcp pool Wifi-Office
network 10.233.178.0 255.255.255.0
default-router 10.233.178.1
domain-name xxxxx
dns-server 10.38.4.171 8.8.8.8
!
ip dhcp pool FACE-client
network 10.233.168.0 255.255.255.0
default-router 10.233.168.1
domain-name GDS.LOCAL
dns-server 10.38.4.171 8.8.8.8
!
!
qos wireless-default-untrust
!
crypto pki trustpoint TP-self-signed-3157014277
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3157014277
revocation-check none
rsakeypair TP-self-signed-3157014277
!
!
crypto pki certificate chain TP-self-signed-3157014277
certificate self-signed 01
quit
!
!
!
!
!
diagnostic bootup level minimal
identity policy webauth-global-inactive
inactivity-timer 3600
!
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 4096
!
redundancy
mode sso
!
!
ip ssh time-out 90
ip ssh version 2
ip scp server enable
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
interface Port-channel1
description FTD PO1
switchport trunk native vlan 250
switchport mode trunk
switchport nonegotiate
logging event trunk-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast trunk
!
interface Port-channel2
description FTD PO2
switchport trunk native vlan 250
switchport mode trunk
switchport nonegotiate
logging event trunk-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast trunk
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
description connected_WLC
switchport mode trunk
!
interface GigabitEthernet1/0/2
description connected_AP_Campina
switchport trunk native vlan 250
switchport mode trunk
!
interface GigabitEthernet1/0/3
description to_Firepower_LAN_Filaire
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/4
description to_Clients-Wifi_firepower
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/5
description to_guest_firepower
switchport access vlan 912
switchport mode access
!
interface GigabitEthernet1/0/6
description mgmt_Firepower
switchport access vlan 250
switchport mode access
!
interface GigabitEthernet1/0/7
description mgmt_WLC
switchport access vlan 250
switchport mode access
!
interface GigabitEthernet1/0/8
description mgmt
switchport access vlan 250
switchport mode access
!
interface GigabitEthernet1/0/9
description PRINTER
switchport access vlan 9
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 9
switchport mode access
!
interface GigabitEthernet1/0/11
description Access-Printer-SP-4510
switchport access vlan 9
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/14
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/15
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/16
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/17
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/18
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/19
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/20
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/21
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/22
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/23
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/24
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/25
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/26
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/27
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/28
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/29
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/30
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/31
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/32
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/33
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/34
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/35
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/36
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/37
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/38
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/39
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/40
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
switchport access vlan 2
switchport mode access
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/48
description Access_to_server_HP
switchport access vlan 2
switchport mode access
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
description FACE-client
ip address 10.233.168.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan9
description PRINTER
ip address 10.233.171.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan12
description BADGE
ip address 10.233.172.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan20
description Wifi-Office
ip address 10.233.178.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan50
description SERVER
ip address 10.233.170.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan60
ip address 10.233.190.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan200
description VOICE
ip address 10.233.169.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan201
description wan
ip address 10.233.180.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan230
description CCTV
ip address 10.233.173.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan250
description mgmt
ip address 10.233.191.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan912
description WIFI_GUEST
ip address 10.233.175.254 255.255.255.0
no ip redirects
no ip unreachables
!
no ip http server
ip http secure-server
!
!
logging trap notifications
logging source-interface Vlan250
logging 10.189.8.10

amr alrazzaz
24 REPLIES 24
VIP Mentor

Re: configure dhcp relay / ip helper address need help

Hello,

 

The IP helper goes on the first layer 3 device in the path towards the DHCP server. In your case, that appears to be the 3850. Put the helper address on the Vlan interfaces, e.g.:

 

interface Vlan60
ip address 10.233.190.254 255.255.255.0

--> ip helper-address x.x.x.x
no ip redirects
no ip unreachables

Contributor

Re: configure dhcp relay / ip helper address need help

Is it fine to put the IP helper address on the VLAN interface when the VLAN interface is not the default gateway of the interface?

For example, as below:

 

 ip dhcp pool Wifi-Office
network 10.233.178.0 255.255.255.0
default-router 10.233.178.1  ---------- this is the default gateway (this IP is configured on the ASA interface port, and the same for LAN, mgmt and Wi-Fi office/guest)
domain-name xxxxx
dns-server 10.38.4.171 8.8.8.8

 

interface Vlan20
description Wifi-Office
ip address 10.233.178.254 255.255.255.0   ----- this ip is not the default gateway
no ip redirects
no ip unreachables

 

So if I configured the IP helper address under these VLAN interfaces, which take a different IP for managing the device, it will work?

amr alrazzaz
VIP Mentor

Re: configure dhcp relay / ip helper address need help

Hello,

 

I don't think this is going to work. Why would you want to use a different default router than the Vlan interface itself ?

Contributor

Re: configure dhcp relay / ip helper address need help

If you look at the design you will see that it's connected to the firewall, and this is for the management IPs to connect to the switch; also, each VLAN is connected to its own gateway interface on the ASA. Please check the diagram.

 

 

The DHCP pools were created on the switch, but now I need to remove the local DHCP pool and configure the IP helper address, and on the ASA I can't find how to configure it (I can't find the DHCP relay agent). I also can't configure it from the CLI because I can't log in to enable and config mode.

 

I'm using the ASA below:

 

> show version
-------------------[ CampinaFTD ]-------------------
Model : Cisco ASA5516-X Threat Defense (75) Version 6.2.3.3 (Build 76)
UUID : 992fa59e-0135-11e8-a180-9f33b9f2f505
Rules update version : 2019-02-07-001-vrt
VDB version : 308
----------------------------------------------------

 

amr alrazzaz
VIP Mentor

Re: configure dhcp relay / ip helper address need help

Hello,

 

ip dhcp pool Wifi-Office
network 10.233.178.0 255.255.255.0
default-router 10.233.178.1 ---------- this is the default gateway (this IP is configured on the ASA interface port, and the same for LAN, mgmt and Wi-Fi office/guest)
domain-name xxxxx
dns-server 10.38.4.171 8.8.8.8

 

interface Vlan20
description Wifi-Office
ip address 10.233.178.254 255.255.255.0 ----- this ip is not the default gateway
no ip redirects
no ip unreachables

 

So 10.233.178.1 is configured on the ASA and not the switch ? The default gateway for your clients needs to be on the first layer 3 device (the switch in this case) your clients are connected to.

Contributor

Re: configure dhcp relay / ip helper address need help

Check the below on the switch (current state):

----------------------------------

interface Vlan20
description Wifi-Office
ip address 10.233.178.254 255.255.255.0 
no ip redirects
no ip unreachables

 

ip dhcp pool Wifi-Office
network 10.233.178.0 255.255.255.0

default-router 10.233.178.1
domain-name xxxxx
dns-server 10.38.4.171 8.8.8.8

 

And this is on the ASA (current state):

---------------------------------

interface GigabitEthernet1/5
nameif it-client-ap
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.233.178.1 255.255.255.0

 

 

So in that case, what should I do?

And if I can't configure the DHCP agent on the ASA, is there any way to do it on the core switch?

 

So 10.233.178.1 is configured on the ASA and not the switch ? The default gateway for your clients needs to be on the first layer 3 device (the switch in this case) your clients are connected to. (How do I do that?)

 

amr alrazzaz
Hall of Fame Guru

Re: configure dhcp relay / ip helper address need help

This is one of the few times that I do not agree with @Georg Pauwen. There is no requirement that the default gateway (or default-router in the DHCP pool) be the switch. It should work just fine for the DHCP to be on the switch and for the default gateway to be on the ASA.

 

[edit] Additional thought: It is very frequently done to have the default gateway be the first L3 device (in this case the switch). And there might be a suggestion that having the default gateway on the switch is more efficient (the switch is closer than the ASA). But it is not a requirement.

HTH

Rick
VIP Mentor

Re: configure dhcp relay / ip helper address need help

Hello,

 

the problem is that this breaks the inter-Vlan routing. None of the other Vlans will be able to reach the Vlan whose clients have the ASA as the default gateway, and vice versa. Unless this is what you want of course...

VIP Mentor

Re: configure dhcp relay / ip helper address need help

Hello

@Georg Pauwen 

If you think about it, the switch is basically just a host device that is running a DHCP service for a subnet it has an IP address on. It doesn't need to do any inter-VLAN routing (just like any other PC or server).

Any clients that receive a DHCP allocation from this scope with a default gateway of the ASA will ARP the ASA's L3 interface for reachability off their own subnet.



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
VIP Mentor

Re: configure dhcp relay / ip helper address need help

I tested this in a lab. The 3850 is configured as layer 3 (ip routing enabled), so it takes care of the inter-Vlan routing. The DHCP clients will get the IP address of the ASA as their default gateway, but cannot be reached from any other Vlan (and vice versa) anymore in that setup. What did you configure to get this to work ?

VIP Mentor

Re: configure dhcp relay / ip helper address need help

Hello

@Georg Pauwen 
Why does the 3850 require IP routing enabled when the ASA is performing it?



kind regards
Paul

VIP Mentor

Re: configure dhcp relay / ip helper address need help

It is not my setup, OP has posted the configs. I tested his setup in a lab and it doesn't work.

Contributor

Re: configure dhcp relay / ip helper address need help

I have changed the IP addresses between the below and then removed the local DHCP server from the switch, adding the IP helper address, but it didn't get the IPs from the main data center. Is there any netting I should do, or any other configuration?

... Actually, I didn't add the DHCP relay agent on the ASA because my GUI is local and the DHCP agent does not exist, so that's why I'm trying to find a way to have the gateways on the switch so I can add the helper address on it.

on ASA:

interface GigabitEthernet1/5
nameif it-client-ap
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
NO ip address 10.233.178.1 255.255.255.0
ip address 10.245.233.254 255.255.255.0

-----------------

ON SWITCH 

NO ip dhcp pool Wifi-Office

network 10.245.178.0 255.255.255.0
default-router 10.245.178.1
domain-name GDS.LOCAL
dns-server 8.8.8.8 8.8.4.4

 

interface Vlan20
no ip address 10.233.178.254 255.255.255.0
ip address 10.233.178.1 255.255.255.0
ip helper-address 10.31.0.221
ip helper-address 10.50.161.183

But I don't know if there is anything more to do to make it happen. I didn't receive anything from the main data center, even though I can ping the ASA (10.233.178.254) interface from the switch, but not from the host, after switching the IPs.

amr alrazzaz
VIP Mentor

Re: configure dhcp relay / ip helper address need help

Hello


Now you have changed the addressing-
Do you have a route to 10.50.161.183?
Is that dhcp scope active on that host?
Is the fw allowing udp through?




kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
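
An added example, not written by any poster in this thread and not Cisco tooling: a Python audit of a saved running configuration that reports, per VLAN interface, whether clients are served by a local pool, by a helper address, or by both, which relay address (giaddr) and subnet the remote DHCP server has to know about, and which local pools hand out a gateway that is not the switch. The sample configuration is constructed from addresses that appear in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the flattened style of the configuration in the thread.
# Vlan20 already carries helper addresses while its local pool is still defined.
SAMPLE_CONFIG = """\
ip dhcp pool Wifi-Office
network 10.233.178.0 255.255.255.0
default-router 10.233.178.1
!
ip dhcp pool FACE-client
network 10.233.168.0 255.255.255.0
default-router 10.233.168.1
!
interface Vlan2
ip address 10.233.168.254 255.255.255.0
!
interface Vlan20
ip address 10.233.178.1 255.255.255.0
ip helper-address 10.31.0.221
ip helper-address 10.50.161.183
!
interface Vlan60
ip address 10.233.190.254 255.255.255.0
"""


def parse_config(text):
    """Return (pools, svis) from IOS-style text, indented or flattened."""
    pools, svis, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        pool = re.fullmatch(r"ip dhcp pool (\S+)", line)
        svi = re.fullmatch(r"interface (Vlan\d+)", line, re.IGNORECASE)
        words = line.split()
        if pool:
            cur = pools.setdefault(pool.group(1), {"network": None, "router": None})
        elif svi:
            cur = svis.setdefault(svi.group(1), {"address": None, "helpers": []})
        elif line.startswith(("!", "interface ")):
            cur = None  # section end, or a physical port that is not audited
        elif cur is None:
            continue
        elif words[0] == "network" and "network" in cur and len(words) >= 3:
            cur["network"] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif words[0] == "default-router" and "router" in cur and len(words) >= 2:
            cur["router"] = ipaddress.ip_address(words[1])
        elif words[:2] == ["ip", "address"] and "address" in cur and len(words) >= 4:
            cur["address"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[:2] == ["ip", "helper-address"] and "helpers" in cur and len(words) == 3:
            cur["helpers"].append(ipaddress.ip_address(words[2]))  # plain form only
    return pools, svis


def audit(text):
    """Report, per addressed SVI, where its clients' DHCP answers come from."""
    pools, svis = parse_config(text)
    report = {}
    for name, svi in svis.items():
        if svi["address"] is None:
            continue
        net, ip = svi["address"].network, svi["address"].ip
        local = [p for p, v in pools.items() if v["network"] == net]
        relayed = bool(svi["helpers"])
        if local and relayed:
            source = "local-pool+relay"  # pool not yet removed after adding helpers
        else:
            source = "relay" if relayed else "local-pool" if local else "none"
        report[name] = {
            "source": source,
            "helpers": [str(h) for h in svi["helpers"]],
            # The relay writes the receiving interface address into giaddr, so the
            # remote server needs a scope for this subnet and a route back to it.
            "giaddr": str(ip) if relayed else None,
            "scope_needed": str(net) if relayed else None,
            # Pools that hand out a gateway other than this SVI (the ASA in the thread).
            "gateway_off_switch": [p for p in local if pools[p]["router"] != ip],
        }
    return report


if __name__ == "__main__":
    for vlan, row in audit(SAMPLE_CONFIG).items():
        print(vlan, row)
```

The giaddr and scope_needed values are what to check against the data center DHCP server and the firewall rules when relayed clients get no lease.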