06-03-2012 05:54 AM - edited 03-04-2019 04:33 PM
Hi all,
I am trying to use fe0 as outside, with DHCP from my ISP, and fe1-fe3 as inside on my Cisco 877. I have done this successfully before but now it just will not work. This has been a long weekend. Please help me.
My ISP just forced DHCP on me (from static IP) and sent me this Xavi adsl modem. I successfully get IP addresses using DHCP from it with workstations, but not with my cisco. With current setup I get DHCP errors (DHCP: QScan: Timed out Selecting state%Unknown DHCP problem.). DHCP log is attached.
Setup is attached too, but the main parts are:
-----------------------
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan2
 ip address dhcp
 ip access-group 160 in
 ip nat outside
 ip virtual-reassembly
 no autostate
!
access-list 160 permit udp any any eq bootpc
access-list 160 permit udp any any eq bootps
ip route 0.0.0.0 0.0.0.0 dhcp
----------------------------
What am I missing here?
Without 'no autostate' vlan2 would not get line UP. I take it that is normal? Setting fe3 to trunk and attaching a cable to an (empty) switch did not bring vlan2 up either. A few related views:
B10#sh ip int br
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM administratively down down
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up down
NVI0 unassigned YES unset administratively down down
Vlan1 10.10.10.1 YES NVRAM up up
Vlan2 unassigned YES DHCP up up
Vlan2 is up, line protocol is up
Hardware is EtherSVI, address is 58bc.27b3.1a51 (bia 58bc.27b3.1a51)
Internet address will be negotiated using DHCP
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 81
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 packets output, 0 bytes, 0 underruns
0 output errors, 1 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
FastEthernet0 is up, line protocol is up
Hardware is Fast Ethernet, address is 58bc.27b3.1a51 (bia 58bc.27b3.1a51)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
90 packets input, 9748 bytes, 0 no buffer
Received 8 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
/Pelle
06-03-2012 06:24 AM
/Pelle
The biggest issue is the access list that you apply inbound on VLAN 2. It permits DHCP but nothing else. So no traffic other than DHCP would get through.
I also notice that while you do have the ip nat inside and ip nat outside configured, I do not see any configuration to actually do address translation.
HTH
Rick
06-03-2012 06:59 AM
Richard,
thanks for your reply.
Yes, this is just a test setup to find out why I don't get an IP address. Once I get an IP I will 1) perform a rain dance and 2) use a real, zone based, configuration. I thought it would be easier to analyze with a short, simple configuration.
06-03-2012 07:10 AM
/Pelle
Thanks for the additional information. As a test set up this makes more sense.
I do not see anything in the config that would prevent the router learning an IP address via DHCP. If it is not working I would suspect either some issue in the connection from the router to the ISP device or some issue in the ISP device.
HTH
Rick
06-03-2012 08:11 AM
hi pelle,
since this is a test setup, could you temporarily remove ACL 160 and put back the autostate command? have you tried using a cross cable between FE0 and the ISP device?
int vl2
no ip access-group 160 in
autostate
also, remove or change the IP address on VLAN 1. i suspect the ISP device is giving out an address of 10.x.x.x subnet which could have caused an IP address conflict.
int vl1
no ip address
06-03-2012 08:53 AM
John,
thanks for your reply.
For a long time I did not have any access-lists configured. Without the autostate vlan 2 would be up but line protocol down (spent a lot of time on that).
Actually, I'm given a sharp IP address (78.x.x.x) and the dhcp server is on a 172.x.x.x net.
No, I don't have a cross-over cable here. I have, however, confirmed that the cable I do use works.
I'm setting up ACLs to just log now, and have a syslog server receiving messages. I have, however, not gotten any messages at all from my ACL's (but debug dhcp messages, 'Configured from console by ...' etc). I have set
* logging trap debugging
* 'log' on the end of my ACL's
* logging host my.internal.computer.ip
It feels like I'm moving backwards in my Cisco knowledge here, hehe.
/Pelle
06-03-2012 09:08 AM
hi pelle,
thanks for confirming back on your ACL and DHCP subnet. i would strongly urge to try using a cross cable though just to isolate a cable type issue. you're just forcing your SVI (vlan 2) to be in up/up state with the 'no autostate' command.
try using this ACL to debug DHCP:
access-list 100 permit ip host 0.0.0.0 host 255.255.255.255
debug ip packet detail 100
06-03-2012 09:30 AM
Woah,
before I answer you, John, I checked these commands:
-------------------------------------------------------
B10#sh access-lists
Standard IP access list 23
10 permit 10.10.10.0, wildcard bits 0.0.0.7 (11 matches)
Extended IP access list 160
10 permit udp any any eq bootpc log-input
20 permit udp any any eq bootps log-input
30 permit ip any any log-input
Extended IP access list 161
10 permit ip any any log-input
Extended IP access list 170
10 deny tcp any any eq 55555 log (4 matches)
20 permit ip any any (3745 matches)
Extended IP access list 171
10 deny tcp any any eq 55555 log
20 permit ip any any
B10#
B10#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, Vlan1
B10#
--------------------------------------------------------------------------
ACL 160 & 161 are for my outside vlan2. Observe that NO TRAFFIC at all has passed these rules. Hmmm. Must be hard to get DHCP to work if no traffic passes the outside interface....
'Gateway of last resort is not set.' Well, as the dhcp is not up yet perhaps that is in order. Or? In my config I have 'ip route 0.0.0.0 0.0.0.0 dhcp' set.
Now, John, setting debug ip on my rule 160 (about dhcp) actually caused a log storm for traffic between my router and my workstation (FIBipv4-packet-proc: packet routing succeeded) leading to disconnect and restart of the router.
I do know the outside network, with regards to gateway. Should I somehow set that in advance of getting an IP perhaps?
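Added example, not part of the original post: a small Python parser that reads 'sh access-lists' output like the listing above and reports every ACL whose entries have all matched zero packets, which is the observation made here about lists 160 and 161. The sample text is re-typed from the post with IOS-style indentation; the function names are illustrative.

```python
import re

# Sample re-typed from the 'sh access-lists' output quoted in the post.
SAMPLE = """\
Standard IP access list 23
    10 permit 10.10.10.0, wildcard bits 0.0.0.7 (11 matches)
Extended IP access list 160
    10 permit udp any any eq bootpc log-input
    20 permit udp any any eq bootps log-input
    30 permit ip any any log-input
Extended IP access list 161
    10 permit ip any any log-input
Extended IP access list 170
    10 deny tcp any any eq 55555 log (4 matches)
    20 permit ip any any (3745 matches)
Extended IP access list 171
    10 deny tcp any any eq 55555 log
    20 permit ip any any
"""

ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
# The trailing "(N matches)" counter is only printed once an entry has been hit.
ACE_LINE = re.compile(r"^(\d+) (permit|deny) (.+?)(?: \((\d+) match(?:es)?\))?$")

def parse_acl_counters(text):
    """Return {acl_name: [(seq, action, rule, matches), ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()          # tolerate flattened or indented output
        header = ACL_HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(2), [])
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            seq, action, rule, hits = ace.groups()
            current.append((int(seq), action, rule, int(hits or 0)))
    return acls

def silent_acls(acls):
    """Names of ACLs in which no entry has matched a single packet."""
    return sorted(n for n, aces in acls.items()
                  if aces and all(ace[3] == 0 for ace in aces))

if __name__ == "__main__":
    parsed = parse_acl_counters(SAMPLE)
    for name in silent_acls(parsed):
        print(f"ACL {name}: 0 matches on all {len(parsed[name])} entries")
```

A zero counter only shows that no packet hit the entries; 'show access-lists' does not say whether a list is applied to an interface, so confirm that with 'show ip interface Vlan2' before reading it as "no traffic arrived".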
06-03-2012 10:05 AM
you should troubleshoot more on the layer 1 issue between the 877 and the ISP device.
what ipconfig do you get when you plug a PC behind the xavi modem?
06-03-2012 10:21 AM
John,
I'm leaning towards your comment too.
Ipconfig from a Windows gives:
Anslutningsspecifika DNS-suffix . : x.net
Beskrivning . . . . . . . . . . . : Atheros AR8151 PCI-E Gigabit Ethernet Controller
Fysisk adress . . . . . . . . . . : 84-xxx-DA
DHCP aktiverat. . . . . . . . . . : Ja
Autokonfiguration aktiverat . . . : Ja
Länklokal IPv6-adress . . . . . . : fe80::xxxa%11(Standard)
IPv4-adress . . . . . . . . . . . : 78.x.x.x(Standard)
Nätmask . . . . . . . . . . . . . : 255.255.254.0
Lånet erhölls . . . . . . . . . . : den 2 juni 2012 15:46:32
Lånet upphör. . . . . . . . . . . : den 3 juni 2012 01:04:37
Standard-gateway. . . . . . . . . : 78.x.x.1
DHCP-server . . . . . . . . . . . : 172.x.x.127
IAID för DHCPv6 . . . . . . . . . : 243568489
DUID för DHCPv6-klient. . . . . . : 00-01-00-01-xxxx-33-DA
DNS-servrar . . . . . . . . . . . : 2a02:470::27
2a02:470::28
195.58.103.124
213.150.135.210
NetBIOS över TCP/IP . . . . . . . : Aktiverat
Anslutningsspecifik söklista för DNS-suffix:
y.x.net
06-03-2012 10:27 AM
John,
I actually found a crossover cable. It did not make any difference though, it seems.
:-(
I find it strange that my dhcp ACL's have not seen any traffic what-so-ever. Can I force the routing more than I do now?
06-03-2012 12:04 PM
plug back the 877 and restart the xavi modem. try to test again.
post your current router config and show vlan-switch brief output.
06-03-2012 12:39 PM
John,
I attach the config in a file, and three commands in a second file.
Vlan 2 is 'suspended'. Normal?
I think that:
* I do not get an external IP, because
* I do not get any traffic what so ever on my external interface, because
* My vlan 2 is not really up (gets marked as line UP by using no autostate, only), because
* ?
Any clues?
06-03-2012 12:57 PM
/Pelle
VLAN 2 suspended is not normal and I believe that this is part of the problem. I also believe that needing no autostate to get it up shows that there is a problem. I wonder if there is something else you need to define about VLAN 2 in the config.
HTH
Rick
06-03-2012 03:54 PM
negate the no autostate under interface vlan 2 and the static route commands.
int vlan 2
autostate
no ip route 0.0.0.0 0.0.0.0 vlan2
ip route 0.0.0.0 0.0.0.0 dhcp
restart the xavi modem and issue the 'renew dhcp vlan 2' on the 877.