Issues with SG300-20 and DHCP Relay

j.bartholomew
Level 1

I am having some issues with getting DHCP Relay to function properly over our SG300-20 switch.

Our current layout is as follows. Hanging off the SG300-20 are a pair of clustered Checkpoint Gateways with VLAN'ed interfaces in both of our 2 VLANs, a 3COM 4200G in VLAN 1 which has the DHCP server (and all the other servers) connected to it, and a pair of HP Procurve 2520's stacked in VLAN 2 to provide PoE for our phones/connectivity for our PCs.

The problem is I cannot get the DHCP Relay to function from VLAN 1 to VLAN 2. If I assign an address in VLAN 2 manually to a device connected to the Procurves, everything works fine. I am able to reach both VLAN 1 and VLAN 2, but DHCP acquisition fails even if the device is connected directly to a port assigned to VLAN 2 on the SG300. The SG300 is currently running at Layer 3 as well.

Here is a copy of the running config:

--------------------------------------------------------------------------------------------------------------

switch4db24f#show running-config
vlan database
vlan 2
exit
interface range  gi8,gi16
switchport default-vlan tagged
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 1
ip address 10.0.20.126 255.255.255.0
exit
interface vlan 2
ip address 10.0.21.4 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 10.0.20.1
ip route 10.0.21.0 255.255.255.0 10.0.21.1
ip dhcp relay address 10.0.20.19
ip dhcp relay enable
ip dhcp information option
interface vlan 2
ip dhcp relay enable
exit
interface  gi16
ip dhcp relay enable
exit
interface vlan 1
no ip address dhcp
exit
ip helper-address all 10.0.20.19 37 42 49 53 137 138
bonjour interface range vlan 1
hostname switch4db24f
enable password level 15 encrypted
username cisco password encrypted privilege 15
no snmp-server server
macro auto processing type switch disabled
interface gigabitethernet1
switchport trunk allowed vlan add 2
exit
interface gigabitethernet2
switchport trunk allowed vlan add 2
exit
interface gigabitethernet8
switchport trunk native vlan 2
exit
interface gigabitethernet16
switchport trunk native vlan 2
exit
interface vlan 2
name HeadOffice
exit

--------------------------------------------------------------------------------------------------------------

Any assistance would be greatly appreciated.

Thanks

6 Replies

Tom Watts
VIP Alumni

Hi Jesse, the switch config looks right. You may want to check the relay options on the DHCP server.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

The DHCP server on VLAN 1 is a Win2K8 server.

I've run a Wireshark capture on both the DHCP server and the client, and here's what I've found.

On the Client:

0.0.0.0    255.255.255.255    DHCP    342    DHCP Discover - Transaction ID 0x831de675
0.0.0.0    10.0.21.2    CPHA    70    CPHAv2220: FWHA_IFCONF_REQ - Interface configuration request
0.0.0.0    10.0.21.0    CPHA    83    CPHAv2220: FWHA_MY_STATE - Report source machine's state
0.0.0.0    10.0.21.0    CPHA    70    CPHAv2220: FWHA_IF_PROBE_REQ - Interface active check request

On the Server:

10.0.21.4    10.0.20.19    DHCP    362    DHCP Discover - Transaction ID 0x831de675
10.0.20.19    10.0.21.4    DHCP    359    DHCP Offer    - Transaction ID 0x831de675

So the DHCP request is getting relayed to the DHCP server on VLAN 1 correctly, and the Offer is being sent back, but the client never receives the Offer, so it never sends the DHCPREQUEST. I have also verified that 10.0.20.19 (DHCP server) can ping 10.0.21.4 (VLAN 2 interface/DHCP relay agent).

After mirroring VLAN 1 and VLAN 2 on a port on the SG300 and doing a packet capture, I have found something interesting.

After getting the DHCPDISCOVER

0.0.0.0    255.255.255.255    DHCP    342    DHCP Discover - Transaction ID 0x6d5d63dd

I am getting 2 DHCPOFFER packets back:

10.0.20.19    10.0.21.4    DHCP    359    DHCP Offer    - Transaction ID 0x6d5d63dd
10.0.21.1    10.0.21.4    DHCP    359    DHCP Offer    - Transaction ID 0x6d5d63dd

Here are the settings for the DHCP server:

Scope: 10.0.21.0
Address Pool: 10.0.21.1-10.0.21.255
Reservations: 10.0.21.1-10.0.21.10 (used for VLAN'ed IPs of switches/firewalls etc.)
Scope Options:
     Router: 10.0.21.1
     DNS: 10.0.20.19

So it appears that the DHCPOFFER packet is getting sent by both the DHCP server (10.0.20.19) and the firewall (10.0.21.1), but it is never arriving back at the client. DHCP is off on the firewall, as well as DHCP Relay.

Any thoughts? I am pulling my hair out trying to sort this one out.
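An added example, not from this thread, that automates the check the mirrored-port capture above calls for: given Wireshark summary lines in the same format as the ones quoted, it groups DHCP Offers by transaction ID and reports any transaction that received offers from more than one source, or from a source not on the list of DHCP servers you expect. The sample lines are constructed to mirror the thread's capture; the known-server list is an assumption you would replace with your own.

```python
import re
from collections import defaultdict

# Constructed sample in the same summary format as the thread's capture:
# src, dst, protocol, length, info.
SAMPLE_CAPTURE = """\
0.0.0.0    255.255.255.255    DHCP    342    DHCP Discover - Transaction ID 0x6d5d63dd
10.0.21.4    10.0.20.19    DHCP    362    DHCP Discover - Transaction ID 0x6d5d63dd
10.0.20.19    10.0.21.4    DHCP    359    DHCP Offer    - Transaction ID 0x6d5d63dd
10.0.21.1    10.0.21.4    DHCP    359    DHCP Offer    - Transaction ID 0x6d5d63dd
0.0.0.0    10.0.21.2    CPHA    70    CPHAv2220: FWHA_IFCONF_REQ - Interface configuration request
"""

# Matches only DHCP lines; other protocols (CPHA here) fail at the "DHCP" column.
LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+DHCP\s+\d+\s+DHCP (?P<msg>\w+)\s+-\s+"
    r"Transaction ID (?P<xid>0x[0-9a-f]+)",
    re.IGNORECASE,
)


def parse_dhcp_lines(text):
    """Return (xid, message type, src, dst) for every DHCP summary line."""
    parsed = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            parsed.append((m["xid"].lower(), m["msg"].lower(), m["src"], m["dst"]))
    return parsed


def find_unexpected_offers(text, known_servers):
    """Map each suspicious xid to its offer sources and the unknown ones.

    A transaction is reported when it received Offers from more than one
    source address, or from any address not in known_servers (the assumed
    list of legitimate DHCP servers). A clean capture yields {}.
    """
    offers = defaultdict(set)
    for xid, msg, src, _dst in parse_dhcp_lines(text):
        if msg == "offer":
            offers[xid].add(src)
    report = {}
    for xid, sources in offers.items():
        unknown = sorted(sources - set(known_servers))
        if unknown or len(sources) > 1:
            report[xid] = {"sources": sorted(sources), "unknown": unknown}
    return report


if __name__ == "__main__":
    for xid, info in find_unexpected_offers(SAMPLE_CAPTURE, {"10.0.20.19"}).items():
        print(f"{xid}: offers from {info['sources']}, unexpected {info['unknown']}")
```

Run against the thread's capture it flags the second Offer from 10.0.21.1, which is exactly the device the poster believed had DHCP disabled.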

My lab configuration is pretty similar, 2 VLANs on one 300 Series switch. DHCP on VLAN1.

At first, the PC in VLAN 2 could not get an IP from DHCP. I captured the packets and saw that it was exactly as you said: the DHCP REQUEST was relayed successfully. But after that I found out that the DHCP server had no default gateway. I set it to the IP of interface VLAN 1 and it works.

consilience
Level 1

Experiencing the same thing on firmware revision 1.3.0.59 w/ SG300-52 as well. Anyone got any ideas?

Brendan Kearney
Level 1

I have had some fun learning about DHCP, and some of it might help here. DHCP relay eats the broadcast from the client and spits out a unicast on the interface(s) that is/are on the segment/VLAN for the configured DHCP server(s). I think the reverse is true for the responses.

In my firewall (not CP, but iptables on Linux, which may have different ways of doing the same thing), I created a rule allowing clients going to the DHCP servers on port 67 and a rule allowing the DHCP servers going to the clients on port 68. I might not need that, though.

I also have a Linux box acting as an internet gateway, which has DHCP on the ISP interface. The rule I have for that is from the router to the ISP networks, allow bootps (UDP port 67) outbound. The inbound reply on port 68 I found to be allowed under the "stateful" matching of matched "connections". I add quoting there because UDP is connectionless, but a stateful firewall will track the outbound "connection" on port 67 and expect/allow a response on port 68. Note that DHCP client and DHCP relay are different beasts and need different access when being firewalled.

Are you sure your firewall is allowing the packets to flow? I would verify with a tcpdump on each interface. Since the DHCP server is on a different subnet than the client, is a default route being given to the client, so that the DHCPACK can be returned to the server?

Some logs from my network:

Today 19:19:10 LOCAL1 INFO server dhcpd: Syslog DHCPREQUEST for 10.1.140.168 from xx:xx:xx:xx:xx:xx via 192.168.3.254: wrong network.
Today 19:19:10 LOCAL1 INFO server dhcpd: Syslog DHCPNAK on 10.1.140.168 to xx:xx:xx:xx:xx:xx via 192.168.3.254
Today 19:19:10 LOCAL1 INFO vpn dhcpd: Syslog DHCPREQUEST for 10.1.140.168 from xx:xx:xx:xx:xx:xx via 192.168.3.254: wrong network.
Today 19:19:10 LOCAL1 INFO vpn dhcpd: Syslog DHCPNAK on 10.1.140.168 to xx:xx:xx:xx:xx:xx via 192.168.3.254
Today 19:19:11 LOCAL1 DEBUG server dhcpd: Syslog DHCPDISCOVER from xx:xx:xx:xx:xx:xx via 192.168.3.254: load balance to peer dhcp-failover
Today 19:19:11 LOCAL1 INFO vpn dhcpd: Syslog DHCPDISCOVER from xx:xx:xx:xx:xx:xx via 192.168.3.254
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog DHCPOFFER on 192.168.3.158 to xx:xx:xx:xx:xx:xx (HOSTNAME) via 192.168.3.254
Today 19:19:12 LOCAL1 DEBUG server dhcpd: Syslog DHCPREQUEST for 192.168.3.158 (192.168.50.1) from xx:xx:xx:xx:xx:xx via 192.168.3.254: lease owned by peer
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog Wrote 0 class decls to leases file.
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog Wrote 0 deleted host decls to leases file.
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog Wrote 0 new dynamic host decls to leases file.
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog Wrote 374 leases to leases file.
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog DHCPREQUEST for 192.168.3.158 (192.168.50.1) from xx:xx:xx:xx:xx:xx (HOSTNAME) via 192.168.3.254
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog DHCPACK on 192.168.3.158 to xx:xx:xx:xx:xx:xx (HOSTNAME) via 192.168.3.254
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog Added reverse map from 158.3.168.192.in-addr.arpa. to HOSTNAME.sub.domain.tld
Today 19:19:14 LOCAL1 INFO server dhcpd: Syslog Wrote 0 class decls to leases file.
Today 19:19:14 LOCAL1 INFO server dhcpd: Syslog Wrote 0 deleted host decls to leases file.
Today 19:19:14 LOCAL1 INFO server dhcpd: Syslog Wrote 0 new dynamic host decls to leases file.
Today 19:19:14 LOCAL1 INFO server dhcpd: Syslog Wrote 374 leases to leases file.
Today 19:21:54 LOCAL1 INFO vpn dhcpd: Syslog DHCPREQUEST for 192.168.3.158 from xx:xx:xx:xx:xx:xx (HOSTNAME) via 192.168.3.254
Today 19:21:54 LOCAL1 INFO vpn dhcpd: Syslog DHCPACK on 192.168.3.158 to xx:xx:xx:xx:xx:xx (HOSTNAME) via 192.168.3.254
Today 19:21:54 LOCAL1 INFO server dhcpd: Syslog DHCPREQUEST for 192.168.3.158 from xx:xx:xx:xx:xx:xx via 192.168.3.254
Today 19:21:54 LOCAL1 INFO server dhcpd: Syslog DHCPACK on 192.168.3.158 to xx:xx:xx:xx:xx:xx (HOSTNAME) via 192.168.3.254
Today 19:21:54 LOCAL1 ERR vpn dhcpd: Syslog bind update on 192.168.3.158 from dhcp-failover rejected: incoming update is less critical than outgoing update
Today 19:21:54 LOCAL1 INFO server dhcpd: Syslog Added reverse map from 158.3.168.192.in-addr.arpa. to HOSTNAME.sub.domain.tld