10-02-2020 01:30 PM
Hello,
I have a Cisco router with a pretty complicated configuration that was done by a different company. I'm not as familiar with Cisco setups and I'm having issues getting DHCP set up. DHCP was configured and working on their primary LAN and VLAN10. I am trying to get it working on all their other VLANs to no avail. I removed most of the configuration for privacy's sake, including all VLANs other than the GUEST one. A few of them also fall inside the GUEST zone, so the configuration for that should apply to them also. If any other configuration info is needed please let me know. I can't tell if it's an inbound ACL on the interface causing the problem or something with the policy-based routing. Any help would be greatly appreciated.
ip dhcp excluded-address 192.168.43.1 192.168.43.20
ip dhcp excluded-address 172.17.0.1 172.17.10.255
ip dhcp excluded-address 172.17.12.0 172.17.255.255
ip dhcp excluded-address 192.168.43.245 192.168.43.254
ip dhcp excluded-address 172.28.4.0 172.28.5.100
ip dhcp excluded-address 172.28.6.0 172.28.7.255
!
ip dhcp pool VOICE
 network 192.168.43.0 255.255.255.0
 default-router 192.168.43.254
 dns-server 172.17.10.3 172.17.10.5
 option 242 ascii MCIPADD=***,MCPORT=1719,TFTPSRVR=***,HTTPSRVR=***,L2QVLAN=10,TLSSRVR=***
!
ip dhcp pool DATA
 network 172.17.0.0 255.255.0.0
 default-router 172.17.0.1
 dns-server 172.17.10.3 172.17.10.5
 option 242 ascii MCIPADD=***,MCPORT=1719,TFTPSRVR=***,HTTPSRVR=***,L2QVLAN=10,TLSSRVR=***
!
ip dhcp pool GUEST
 network 172.28.4.0 255.255.252.0
 default-router 172.28.4.1
 dns-server 8.8.8.8 4.2.2.2
!
class-map type inspect match-any ALLOW_DHCP_CLASS
 match access-group name ALLOW_DHCP_ACL
class-map type inspect match-any FULL_ACCESS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect LAN_TO_SELF
 class class-default
  pass
policy-map type inspect WIRELESS_TO_INTERNET
 class type inspect FULL_ACCESS
  inspect
 class class-default
  drop log
policy-map type inspect SELF_TO_ANY
 class class-default
  pass
policy-map type inspect INTERNET_TO_LAN
 class type inspect SERVERS
  inspect
 class class-default
  drop log
policy-map type inspect LAN_TO_INTERNET
 class type inspect FULL_ACCESS
  inspect
 class class-default
  drop log
policy-map type inspect INTERNET_TO_SELF
 class type inspect ANTISPOOF
  drop log
 class type inspect MANAGEMENT
  pass
 class type inspect VPN
  pass
 class class-default
  drop log
policy-map type inspect GUEST_TO_SELF_POLICY
 class type inspect ALLOW_DHCP_CLASS
  pass
 class class-default
  drop log
!
zone security LAN
zone security GUEST
zone security INTERNET
!
zone-pair security GUEST_TO_INTERNET source GUEST destination INTERNET
 service-policy type inspect WIRELESS_TO_INTERNET
zone-pair security GUEST_TO_SELF source GUEST destination self
 service-policy type inspect GUEST_TO_SELF_POLICY
zone-pair security INTERNET_TO_LAN source INTERNET destination LAN
 service-policy type inspect INTERNET_TO_LAN
zone-pair security INTERNET_TO_SELF source INTERNET destination self
 service-policy type inspect INTERNET_TO_SELF
zone-pair security LAN_TO_INTERNET source LAN destination INTERNET
 service-policy type inspect LAN_TO_INTERNET
zone-pair security LAN_TO_SELF source LAN destination self
 service-policy type inspect LAN_TO_SELF
zone-pair security SELF_TO_GUEST source self destination GUEST
 service-policy type inspect SELF_TO_ANY
zone-pair security SELF_TO_INTERNET source self destination INTERNET
 service-policy type inspect SELF_TO_ANY
zone-pair security SELF_TO_LAN source self destination LAN
 service-policy type inspect SELF_TO_ANY
!
interface GigabitEthernet0/0/0
 description LAN
 ip address 172.17.0.1 255.255.0.0
 ip nat inside
 ip access-group 105 in
 zone-member security LAN
 negotiation auto
!
interface GigabitEthernet0/0/0.1
 description GUEST
 encapsulation dot1Q 2
 ip address 172.28.4.1 255.255.252.0
 ip nat inside
 ip access-group 106 in
 zone-member security GUEST
 ip policy route-map PUBLIC2
 no cdp enable
!
interface GigabitEthernet0/0/0.10
 description VOICE
 encapsulation dot1Q 10
 ip address 192.168.43.254 255.255.255.0
 ip nat inside
 zone-member security LAN
 no cdp enable
!
ip access-list extended ALLOW_DHCP_ACL
 permit udp any any eq bootpc
 permit udp any any eq bootps
ip access-list extended 106
 permit tcp any any eq www
 permit tcp any any eq pop3
 permit tcp any any eq 143
 permit tcp any any eq smtp
 permit tcp any any eq 587
 permit tcp any any eq 465
 permit tcp any any eq 443
 permit tcp any any range 5190 5193
 permit tcp any any eq 1701
 permit udp any any range 5190 5193
 permit udp any any eq 1701
 permit tcp any any eq domain
 permit udp any any eq domain
 permit udp any any eq bootps
 permit udp any any eq bootpc
 deny ip any any
ip access-list extended 189
 permit ip 172.28.4.0 0.0.3.255 any
!
route-map PUBLIC2 permit 5
 match ip address ALLOW_DHCP_ACL
!
route-map PUBLIC2 permit 10
 match ip address 189
 set ip next-hop ***WAN IP***
10-03-2020 03:13 AM
Hello,
I have tested your configuration; the ZBF, ACL, and PBR do not cause a problem.
Turn on DHCP debugging:
debug ip dhcp server events
debug ip dhcp server packet
and post the results when one of your clients tries to get an address through DHCP.
10-02-2020 01:52 PM
The configuration of the route map for PBR and the ACL on the interface look reasonable. If you connect a device in the GUEST vlan and manually configure an IP address, mask, and gateway is that device able to ping the vlan interface address?
The GUEST subinterface is configured for dot1q tagging. Can you confirm that the GUEST vlan on the connected switch is vlan 2? And can you confirm that vlan 2 is carried on that trunk to that interface?
10-02-2020 01:56 PM
Where is your client connected? Do you have a switch where the client device is connected that is not getting an IP address? What port are they connected to? Can you post the switch configuration? What do you see on the ISR with "show logging"?
Another quick note we need: has this never worked, or did it break?
If you like, here is a good thread to help you:
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/116117-configure-dhcp-zbf-00.html
10-05-2020 09:45 AM
Thanks for all the help and suggestions. Using the debug logs I was able to determine the cause was related to the inbound ACL on the guest interface. It varied slightly from what I posted due to a typo. The other VLANs worked as expected by just creating the security zone pairs, since they don't have ACLs on the interfaces.
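The resolution above comes down to one line in an inbound interface ACL, which is evaluated before the zone-based firewall or the DHCP server ever sees the packet. The script below is an added example for this thread, not code from the original poster or from Cisco: it parses the subset of IOS extended-ACL syntax used in the posted config (any / host / address-plus-wildcard, eq and range port operators, named ports) and evaluates the two DHCP client flows an inbound ACL on the GUEST subinterface sees (the broadcast DISCOVER from 0.0.0.0:68 to 255.255.255.255:67, and a unicast renewal to the 172.28.4.1 gateway) against ACL 106 exactly as posted. A second copy of the ACL, labelled as a hypothetical since the thread never says what the real typo was, swaps udp for tcp on the bootps/bootpc lines to show how a one-word slip turns both flows into a deny at the final "deny ip any any". The 172.28.4.50 client address and the PORT_NAMES table are assumptions made for the example.

```python
"""Offline check: does an inbound interface ACL let DHCP client traffic through?

Added example for this thread (not the OP's or Cisco's code). Parses the
subset of IOS extended-ACL syntax the posted config uses and evaluates the
two DHCP client flows against it: first match wins, implicit deny at the end.
"""
import ipaddress

# IOS port keywords seen in the posted ACLs (assumption: only these are needed).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80,
              "pop3": 110, "smtp": 25}

# Sample input: ACL 106 exactly as the OP posted it (header line omitted).
ACL_106_AS_POSTED = """\
permit tcp any any eq www
permit tcp any any eq pop3
permit tcp any any eq 143
permit tcp any any eq smtp
permit tcp any any eq 587
permit tcp any any eq 465
permit tcp any any eq 443
permit tcp any any range 5190 5193
permit tcp any any eq 1701
permit udp any any range 5190 5193
permit udp any any eq 1701
permit tcp any any eq domain
permit udp any any eq domain
permit udp any any eq bootps
permit udp any any eq bootpc
deny ip any any
"""

# Hypothetical variant of the typo the OP mentions (the thread does not say
# what the real one was): the DHCP lines say tcp instead of udp.
ACL_106_TYPO = (ACL_106_AS_POSTED
                .replace("permit udp any any eq bootps", "permit tcp any any eq bootps")
                .replace("permit udp any any eq bootpc", "permit tcp any any eq bootpc"))


def _port(tok):
    """Resolve an IOS port keyword or a numeric port."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((base, wildcard), next_i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq N' | 'range A B'; return ((lo, hi) | None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return None, i


def parse_acl(text):
    """Parse permit/deny lines into dicts; header, remark and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append({"action": action, "proto": proto, "src": src,
                        "sport": sport, "dst": dst, "dport": dport})
    return entries


def _addr_match(spec, ip):
    """Wildcard-mask comparison: a 0 bit in the wildcard means that bit must match."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def evaluate(entries, proto, src_ip, sport, dst_ip, dport):
    """First matching entry decides; returns (action, 1-based line) or ('deny', None)."""
    for n, e in enumerate(entries, 1):
        if e["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(e["src"], src_ip) and _addr_match(e["dst"], dst_ip)):
            continue
        if e["sport"] and not e["sport"][0] <= sport <= e["sport"][1]:
            continue
        if e["dport"] and not e["dport"][0] <= dport <= e["dport"][1]:
            continue
        return e["action"], n
    return "deny", None  # implicit deny at the end of every IOS ACL


# Constructed DHCP client flows as an inbound ACL on the GUEST subinterface sees them:
# the initial DISCOVER/REQUEST (no address yet, broadcast) and a unicast renewal.
DHCP_FLOWS = {
    "discover": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "renew": ("udp", "172.28.4.50", 68, "172.28.4.1", 67),
}


def dhcp_verdicts(acl_text):
    """Map each DHCP client flow to the ACL's verdict for it."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, *flow)[0] for name, flow in DHCP_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_106_AS_POSTED), ("typo variant", ACL_106_TYPO)):
        print(label, dhcp_verdicts(acl))
```

Run as-is it reports both DHCP flows permitted for the ACL as posted (line 14 matches the DISCOVER) and both denied for the typo variant (the packet falls through to line 16). Pasting the ACL from `show running-config` rather than from memory is the point of the check: the thread shows that the posted text and the running text differed, and the running one is the only one that matters. The same wildcard parser also handles the PBR match list (ACL 189, 172.28.4.0 0.0.3.255), so it can be reused to confirm which GUEST hosts the route-map will redirect.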