ISR 4331 DHCP doesn't work on VLANs

Jarvis1
Level 1

Hello,

I have a Cisco router with a pretty complicated configuration that was done by a different company. I'm not as familiar with Cisco setups and I'm having issues getting DHCP set up. DHCP was configured and working on their primary LAN and VLAN10. I am trying to get it working on all their other VLANs to no avail. I removed most of the configuration for privacy's sake, including all VLANs other than the GUEST one. A few of them also fall inside the GUEST zone, so the configuration for that should apply to them also. If any other configuration info is needed please let me know. I can't tell if it's an inbound ACL on the interface causing the problem or something with the policy based routing. Any help would be greatly appreciated.


ip dhcp excluded-address 192.168.43.1 192.168.43.20
ip dhcp excluded-address 172.17.0.1 172.17.10.255
ip dhcp excluded-address 172.17.12.0 172.17.255.255
ip dhcp excluded-address 192.168.43.245 192.168.43.254
ip dhcp excluded-address 172.28.4.0 172.28.5.100
ip dhcp excluded-address 172.28.6.0 172.28.7.255
!
ip dhcp pool VOICE
 network 192.168.43.0 255.255.255.0
 default-router 192.168.43.254
 dns-server 172.17.10.3 172.17.10.5
 option 242 ascii MCIPADD=***,MCPORT=1719,TFTPSRVR=***,HTTPSRVR=***,L2QVLAN=10,TLSSRVR=***
!
ip dhcp pool DATA
 network 172.17.0.0 255.255.0.0
 default-router 172.17.0.1
 dns-server 172.17.10.3 172.17.10.5
 option 242 ascii MCIPADD=***,MCPORT=1719,TFTPSRVR=***,HTTPSRVR=***,L2QVLAN=10,TLSSRVR=***
!
ip dhcp pool GUEST
 network 172.28.4.0 255.255.252.0
 default-router 172.28.4.1
 dns-server 8.8.8.8 4.2.2.2
!
class-map type inspect match-any ALLOW_DHCP_CLASS
 match access-group name ALLOW_DHCP_ACL
class-map type inspect match-any FULL_ACCESS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect LAN_TO_SELF
 class class-default
  pass
policy-map type inspect WIRELESS_TO_INTERNET
 class type inspect FULL_ACCESS
  inspect
 class class-default
  drop log
policy-map type inspect SELF_TO_ANY
 class class-default
  pass
policy-map type inspect INTERNET_TO_LAN
 class type inspect SERVERS
  inspect
 class class-default
  drop log
policy-map type inspect LAN_TO_INTERNET
 class type inspect FULL_ACCESS
  inspect
 class class-default
  drop log
policy-map type inspect INTERNET_TO_SELF
 class type inspect ANTISPOOF
  drop log
 class type inspect MANAGEMENT
  pass
 class type inspect VPN
  pass
 class class-default
  drop log
policy-map type inspect GUEST_TO_SELF_POLICY
 class type inspect ALLOW_DHCP_CLASS
  pass
 class class-default
  drop log
!
zone security LAN
zone security GUEST
zone security INTERNET
!
zone-pair security GUEST_TO_INTERNET source GUEST destination INTERNET
 service-policy type inspect WIRELESS_TO_INTERNET
zone-pair security GUEST_TO_SELF source GUEST destination self
 service-policy type inspect GUEST_TO_SELF_POLICY
zone-pair security INTERNET_TO_LAN source INTERNET destination LAN
 service-policy type inspect INTERNET_TO_LAN
zone-pair security INTERNET_TO_SELF source INTERNET destination self
 service-policy type inspect INTERNET_TO_SELF
zone-pair security LAN_TO_INTERNET source LAN destination INTERNET
 service-policy type inspect LAN_TO_INTERNET
zone-pair security LAN_TO_SELF source LAN destination self
 service-policy type inspect LAN_TO_SELF
zone-pair security SELF_TO_GUEST source self destination GUEST
 service-policy type inspect SELF_TO_ANY
zone-pair security SELF_TO_INTERNET source self destination INTERNET
 service-policy type inspect SELF_TO_ANY
zone-pair security SELF_TO_LAN source self destination LAN
 service-policy type inspect SELF_TO_ANY
!
interface GigabitEthernet0/0/0
 description LAN
 ip address 172.17.0.1 255.255.0.0
 ip nat inside
 ip access-group 105 in
 zone-member security LAN
 negotiation auto
!
interface GigabitEthernet0/0/0.1
 description GUEST
 encapsulation dot1Q 2
 ip address 172.28.4.1 255.255.252.0
 ip nat inside
 ip access-group 106 in
 zone-member security GUEST
 ip policy route-map PUBLIC2
 no cdp enable
!
interface GigabitEthernet0/0/0.10
 description VOICE
 encapsulation dot1Q 10
 ip address 192.168.43.254 255.255.255.0
 ip nat inside
 zone-member security LAN
 no cdp enable
!
ip access-list extended ALLOW_DHCP_ACL
 permit udp any any eq bootpc
 permit udp any any eq bootps
ip access-list extended 106
 permit tcp any any eq www
 permit tcp any any eq pop3
 permit tcp any any eq 143
 permit tcp any any eq smtp
 permit tcp any any eq 587
 permit tcp any any eq 465
 permit tcp any any eq 443
 permit tcp any any range 5190 5193
 permit tcp any any eq 1701
 permit udp any any range 5190 5193
 permit udp any any eq 1701
 permit tcp any any eq domain
 permit udp any any eq domain
 permit udp any any eq bootps
 permit udp any any eq bootpc
 deny   ip any any
ip access-list extended 189
 permit ip 172.28.4.0 0.0.3.255 any
!
route-map PUBLIC2 permit 5
 match ip address ALLOW_DHCP_ACL
!
route-map PUBLIC2 permit 10
 match ip address 189
 set ip next-hop ***WAN IP***

4 Replies

Richard Burts
Hall of Fame

The configuration of the route map for PBR and the ACL on the interface look reasonable. If you connect a device in the GUEST vlan and manually configure an IP address, mask, and gateway, is that device able to ping the vlan interface address?

 

The GUEST subinterface is configured for dot1q tagging. Can you confirm that the GUEST vlan on the connected switch is vlan 2? And can you confirm that vlan 2 is carried on that trunk to that interface?

HTH

Rick

balaji.bandi
Hall of Fame

Where is your client connected? Do you have a switch where the client device is connected and not getting an IP address? What port is it connected to? Can you post the switch configuration? What do you see on the ISR with "show logging"?

 

Another quick note we need: has this never worked, or did it break?

 

If you like, here are good threads to help you:

 

https://community.cisco.com/t5/security-documents/ios-zone-based-firewall-step-by-step-basic-configuration/ta-p/3142774

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/116117-configure-dhcp-zbf-00.html

BB


Hello,

 

I have tested your configuration, the ZBF, ACL, and PBR all do not cause a problem.

 

Turn on dhcp debugging:

 

debug ip dhcp server events

debug ip dhcp server packet

 

and post the results when one of your clients tries to get an address through DHCP.

Jarvis1
Level 1

Thanks for all the help and suggestions. Using the debug logs I was able to determine the cause was related to the inbound ACL on the guest interface. It varied slightly from what I posted due to a typo. The other VLANs worked as expected by just creating the security zone pairs, since they don't have ACLs on the interfaces.
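The root cause the poster found (an inbound interface ACL that does not permit DHCP) is easy to miss by eye, so here is an added example, not from the thread or from Cisco, that parses an IOS-style configuration and flags any interface whose inbound ACL fails to permit both bootps (UDP 67) and bootpc (UDP 68) before its explicit deny-all. The sample config, the second subinterface GigabitEthernet0/0/0.3 and ACL 107 are constructed for the example.

```python
# Constructed sample modelled on the thread's GUEST subinterface: ACL 106 as posted,
# ACL 107 a hypothetical variant that omits bootps (the poster's real ACL had a typo).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0.1
 ip address 172.28.4.1 255.255.252.0
 ip access-group 106 in
!
interface GigabitEthernet0/0/0.3
 ip address 172.28.8.1 255.255.252.0
 ip access-group 107 in
!
ip access-list extended 106
 permit udp any any eq domain
 permit udp any any eq bootps
 permit udp any any eq bootpc
 deny   ip any any
ip access-list extended 107
 permit udp any any eq bootpc
 deny   ip any any
"""

def parse_blocks(config):
    """Map each top-level line (interface, ACL header) to its indented child lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.split())
        elif line and line != "!":
            current = line.strip()
            blocks[current] = []
    return blocks

def acl_permits_dhcp(entries):
    """True if UDP to both bootps (67) and bootpc (68) is permitted before deny-all."""
    ports = set()
    for p in entries:
        if p[:4] == ["deny", "ip", "any", "any"]:
            break
        if p[:2] == ["permit", "udp"] and len(p) >= 6 and p[-2] == "eq":
            ports.add(p[-1])
    return bool(ports & {"bootps", "67"}) and bool(ports & {"bootpc", "68"})

def check_inbound_acls(config):
    """Return {interface: acl} for interfaces whose inbound ACL would block DHCP."""
    blocks, bad = parse_blocks(config), {}
    for name, kids in blocks.items():
        for acl in (k[2] for k in kids if k[:2] == ["ip", "access-group"] and k[-1] == "in"):
            if not acl_permits_dhcp(blocks.get("ip access-list extended " + acl, [])):
                bad[name.split()[1]] = acl
    return bad
```

Running `check_inbound_acls(SAMPLE_CONFIG)` reports only the constructed GigabitEthernet0/0/0.3 with ACL 107; the check ignores extended-ACL features it does not model (object groups, ranges, per-line remarks), so treat it as a first-pass lint rather than a full ACL evaluator.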
