12-06-2012 09:30 AM
I am having some issues with getting DHCP Relay to function properly over our SG300-20 switch.
Our current layout is as follows. Hanging off the SG300-20 are a pair of clustered Checkpoint gateways with VLAN'ed interfaces in both of our 2 VLANs, a 3COM 4200G in VLAN 1 which has the DHCP server (and all the other servers) connected to it, and a pair of HP Procurve 2520s stacked in VLAN 2 to provide PoE for our phones/connectivity for our PCs.
The problem is I cannot get the DHCP Relay to function from VLAN 1 to VLAN 2. If I assign an address in VLAN 2 manually to a device connected to the Procurves, everything works fine. I am able to reach both VLAN 1 and VLAN 2, but DHCP acquisition fails even if the device is connected directly to a port assigned to VLAN 2 on the SG300. The SG300 is currently running at Layer 3 as well.
Here is a copy of the running config:
--------------------------------------------------------------------------------------------------------------
switch4db24f#show running-config
vlan database
vlan 2
exit
interface range gi8,gi16
switchport default-vlan tagged
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 1
ip address 10.0.20.126 255.255.255.0
exit
interface vlan 2
ip address 10.0.21.4 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 10.0.20.1
ip route 10.0.21.0 255.255.255.0 10.0.21.1
ip dhcp relay address 10.0.20.19
ip dhcp relay enable
ip dhcp information option
interface vlan 2
ip dhcp relay enable
exit
interface gi16
ip dhcp relay enable
exit
interface vlan 1
no ip address dhcp
exit
ip helper-address all 10.0.20.19 37 42 49 53 137 138
bonjour interface range vlan 1
hostname switch4db24f
enable password level 15 encrypted
username cisco password encrypted privilege 15
no snmp-server server
macro auto processing type switch disabled
interface gigabitethernet1
switchport trunk allowed vlan add 2
exit
interface gigabitethernet2
switchport trunk allowed vlan add 2
exit
interface gigabitethernet8
switchport trunk native vlan 2
exit
interface gigabitethernet16
switchport trunk native vlan 2
exit
interface vlan 2
name HeadOffice
exit
---------------------------------------------------------------------------------------------------------------------------
Any assistance would be greatly appreciated
Thanks
12-06-2012 09:45 AM
Hi Jesse, the switch config looks right. You may want to check the relay options on the DHCP server.
-Tom
Please rate helpful posts
12-06-2012 12:48 PM
The DHCP server on VLAN 1 is a Win2K8 server.
I've run a Wireshark capture on both the DHCP server and the client, and here's what I've found.
On the Client:
0.0.0.0 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x831de675
0.0.0.0 10.0.21.2 CPHA 70 CPHAv2220: FWHA_IFCONF_REQ - Interface configuration request
0.0.0.0 10.0.21.0 CPHA 83 CPHAv2220: FWHA_MY_STATE - Report source machine's state
0.0.0.0 10.0.21.0 CPHA 70 CPHAv2220: FWHA_IF_PROBE_REQ - Interface active check request
On Server:
10.0.21.4 10.0.20.19 DHCP 362 DHCP Discover - Transaction ID 0x831de675
10.0.20.19 10.0.21.4 DHCP 359 DHCP Offer - Transaction ID 0x831de675
So the DHCP request is getting relayed to the DHCP server on VLAN 1 correctly, and the Offer is being sent back, but the client is never receiving the Offer to send the DHCPREQUEST,
and I have verified that 10.0.20.19 (DHCP server) can ping 10.0.21.4 (VLAN 2 interface/DHCP relay agent).
12-11-2012 11:49 AM
After mirroring VLAN 1 and VLAN 2 on a port on the SG300 and doing a packet capture, I have found something interesting.
After getting the DHCPDISCOVER
0.0.0.0 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x6d5d63dd
I am getting 2 DHCPOFFER packets back
10.0.20.19 10.0.21.4 DHCP 359 DHCP Offer - Transaction ID 0x6d5d63dd
10.0.21.1 10.0.21.4 DHCP 359 DHCP Offer - Transaction ID 0x6d5d63dd
Here are the settings for the DHCP server
Scope: 10.0.21.0
Address Pool: 10.0.21.1-10.0.21.255
Reservations: 10.0.21.1-10.0.21.10 (used for VLAN'ed IPs of switches/firewalls etc.)
Scope Options:
Router: 10.0.21.1
DNS: 10.0.20.19
So it appears that the DHCPOFFER packet is getting sent by both the DHCP server (10.0.20.19) and the firewall (10.0.21.1), but it is never arriving back at the client. DHCP is off on the firewall, as well as DHCP Relay.
Any thoughts? I am pulling my hair out trying to sort this one out.
12-13-2012 05:25 PM
My lab configuration is pretty similar: 2 VLANs on one 300 Series switch, DHCP on VLAN 1.
At first, the PC in VLAN 2 could not get an IP from DHCP. I captured the packets and saw that it's exactly like you said: the DHCP REQUEST was relayed successfully. But after that I found out that the DHCP server had no default gateway; I set it to be the IP of interface VLAN 1 and it works.
05-08-2013 03:40 PM
Experiencing the same thing on firmware revision 1.3.0.59 with an SG300-52 as well. Anyone got any ideas?
05-08-2013 07:12 PM
I have had some fun learning about DHCP, and some of it might help here. DHCP relay eats the broadcast from the client and spits out a unicast on the interface(s) that is/are on the segment/VLAN for the configured DHCP server(s). I think the reverse is true for the responses.
In my firewall (not CP, but iptables on Linux, which may have different ways of doing the same thing), I created a rule allowing clients going to the DHCP servers on port 67 and a rule allowing the DHCP servers going to the clients on port 68. I might not need that, though.
I also have a Linux box acting as an internet gateway that has DHCP on the ISP interface. The rule I have for that is: from the router to the ISP networks, allow bootps (UDP port 67) outbound. The inbound reply on port 68 I found to be allowed under the "stateful" matching of matched "connections". I add quoting there because UDP is connectionless, but a stateful firewall will track the outbound "connection" on port 67 and expect/allow a response on port 68. Note that DHCP client and DHCP relay are different beasts and need different access when being firewalled.
Are you sure your firewall is allowing the packets to flow? I would verify with a tcpdump on each interface. Since the DHCP server is on a different subnet than the client, is a default route being given to the client, so that the DHCPACK can be returned to the server?
Some logs from my network:
Today 19:19:10 LOCAL1 INFO server dhcpd: Syslog DHCPREQUEST for 10.1.140.168 from xx:xx:xx:xx:xx:xx via 192.168.3.254: wrong network.
Today 19:19:10 LOCAL1 INFO server dhcpd: Syslog DHCPNAK on 10.1.140.168 to xx:xx:xx:xx:xx:xx via 192.168.3.254
Today 19:19:10 LOCAL1 INFO vpn dhcpd: Syslog DHCPREQUEST for 10.1.140.168 from xx:xx:xx:xx:xx:xx via 192.168.3.254: wrong network.
Today 19:19:10 LOCAL1 INFO vpn dhcpd: Syslog DHCPNAK on 10.1.140.168 to xx:xx:xx:xx:xx:xx via 192.168.3.254
Today 19:19:11 LOCAL1 DEBUG server dhcpd: Syslog DHCPDISCOVER from xx:xx:xx:xx:xx:xx via 192.168.3.254: load balance to peer dhcp-failover
Today 19:19:11 LOCAL1 INFO vpn dhcpd: Syslog DHCPDISCOVER from xx:xx:xx:xx:xx:xx via 192.168.3.254
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog DHCPOFFER on 192.168.3.158 to xx:xx:xx:xx:xx:xx (HOSTNAME) via 192.168.3.254
Today 19:19:12 LOCAL1 DEBUG server dhcpd: Syslog DHCPREQUEST for 192.168.3.158 (192.168.50.1) from xx:xx:xx:xx:xx:xx via 192.168.3.254: lease owned by peer
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog Wrote 0 class decls to leases file.
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog Wrote 0 deleted host decls to leases file.
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog Wrote 0 new dynamic host decls to leases file.
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog Wrote 374 leases to leases file.
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog DHCPREQUEST for 192.168.3.158 (192.168.50.1) from xx:xx:xx:xx:xx:xx (HOSTNAME) via 192.168.3.254
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog DHCPACK on 192.168.3.158 to xx:xx:xx:xx:xx:xx (HOSTNAME) via 192.168.3.254
Today 19:19:12 LOCAL1 INFO vpn dhcpd: Syslog Added reverse map from 158.3.168.192.in-addr.arpa. to HOSTNAME.sub.domain.tld
Today 19:19:14 LOCAL1 INFO server dhcpd: Syslog Wrote 0 class decls to leases file.
Today 19:19:14 LOCAL1 INFO server dhcpd: Syslog Wrote 0 deleted host decls to leases file.
Today 19:19:14 LOCAL1 INFO server dhcpd: Syslog Wrote 0 new dynamic host decls to leases file.
Today 19:19:14 LOCAL1 INFO server dhcpd: Syslog Wrote 374 leases to leases file.
Today 19:21:54 LOCAL1 INFO vpn dhcpd: Syslog DHCPREQUEST for 192.168.3.158 from xx:xx:xx:xx:xx:xx (HOSTNAME) via 192.168.3.254
Today 19:21:54 LOCAL1 INFO vpn dhcpd: Syslog DHCPACK on 192.168.3.158 to xx:xx:xx:xx:xx:xx (HOSTNAME) via 192.168.3.254
Today 19:21:54 LOCAL1 INFO server dhcpd: Syslog DHCPREQUEST for 192.168.3.158 from xx:xx:xx:xx:xx:xx via 192.168.3.254
Today 19:21:54 LOCAL1 INFO server dhcpd: Syslog DHCPACK on 192.168.3.158 to xx:xx:xx:xx:xx:xx (HOSTNAME) via 192.168.3.254
Today 19:21:54 LOCAL1 ERR vpn dhcpd: Syslog bind update on 192.168.3.158 from dhcp-failover rejected: incoming update is less critical than outgoing update
Today 19:21:54 LOCAL1 INFO server dhcpd: Syslog Added reverse map from 158.3.168.192.in-addr.arpa. to HOSTNAME.sub.domain.tld
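The relay behaviour described in the post above (client broadcast in, unicast to the server out, server reply addressed to the relay rather than to the client, relay delivering the reply on the client segment) is modelled below as an added example. This is not code from the thread, from Cisco or from the ISC dhcpd whose logs appear above; it is a self-contained Python model of the relevant RFC 2131 / RFC 1542 rules plus Option 82 (RFC 3046), which the OP's `ip dhcp information option` line turns on. The addresses follow the thread (relay agent = the SG300's VLAN 2 interface 10.0.21.4, server 10.0.20.19 on VLAN 1, scope 10.0.21.0/24 with router 10.0.21.1 and DNS 10.0.20.19, transaction ID 0x831de675 from the capture); the client MAC, the offered address 10.0.21.50 and the circuit-id string are constructed for the example.

```python
"""Model of a DHCP relay exchange (RFC 2131, RFC 1542, Option 82 per RFC 3046).
Added example; not code from the thread, Cisco or ISC dhcpd. Addresses follow
the thread: relay SVI 10.0.21.4 (VLAN 2), server 10.0.20.19 (VLAN 1), scope
10.0.21.0/24. Client MAC, offered address and circuit-id are constructed."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_AGENT_INFO, OPT_END = 3, 6, 53, 54, 82, 255
BROADCAST_FLAG = 0x8000
MAX_HOPS = 16                     # RFC 1542 4.1.1: drop requests whose hops exceed 16

RELAY_IP, SERVER_IP = "10.0.21.4", "10.0.20.19"
SCOPE = ipaddress.ip_network("10.0.21.0/24")
SCOPE_ROUTER, SCOPE_DNS = "10.0.21.1", "10.0.20.19"
CLIENT_MAC = bytes.fromhex("0011223344aa")   # constructed
OFFERED_IP = "10.0.21.50"                     # constructed, inside the thread's pool

HDR = "!BBBBIHH4s4s4s4s16s64s128s"            # fixed 236-byte BOOTP header
HDR_LEN = struct.calcsize(HDR)


def ip4(addr):
    return ipaddress.IPv4Address(addr).packed


def build(op, xid, chaddr, options, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
          giaddr="0.0.0.0", hops=0, flags=0):
    """Serialise a DHCP message; `options` is a list of (code, value_bytes)."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, flags, ip4(ciaddr), ip4(yiaddr),
                      ip4("0.0.0.0"), ip4(giaddr), chaddr.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(pkt):
    """Decode the header fields and the option TLVs that follow the magic cookie."""
    f = struct.unpack(HDR, pkt[:HDR_LEN])
    if pkt[HDR_LEN:HDR_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
           "ciaddr": str(ipaddress.IPv4Address(f[7])), "yiaddr": str(ipaddress.IPv4Address(f[8])),
           "giaddr": str(ipaddress.IPv4Address(f[10])), "chaddr": f[11][:6], "options": []}
    i = HDR_LEN + 4
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                        # pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        msg["options"].append((code, pkt[i + 2:i + 2 + ln]))
        i += 2 + ln
    return msg


def opt(msg, code):
    return next((v for c, v in msg["options"] if c == code), None)


def relay_request(pkt, circuit_id=b"gi16"):
    """Relay, client side: the VLAN 2 broadcast becomes a unicast to the server.
    Returns (dst_ip, dst_port, packet) or None when the request must be dropped."""
    m = parse(pkt)
    if m["op"] != BOOTREQUEST or m["hops"] > MAX_HOPS:
        return None
    giaddr = RELAY_IP if m["giaddr"] == "0.0.0.0" else m["giaddr"]   # only the first relay sets giaddr
    opts = [o for o in m["options"] if o[0] != OPT_AGENT_INFO]
    opts.append((OPT_AGENT_INFO, bytes([1, len(circuit_id)]) + circuit_id))  # Option 82, sub-option 1
    fwd = build(BOOTREQUEST, m["xid"], m["chaddr"], opts, ciaddr=m["ciaddr"],
                giaddr=giaddr, hops=m["hops"] + 1, flags=m["flags"])
    return SERVER_IP, 67, fwd


def server_handle(pkt):
    """Server: the scope is chosen by giaddr, and the OFFER is unicast to giaddr:67."""
    m = parse(pkt)
    if m["op"] != BOOTREQUEST or opt(m, OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return None
    if ipaddress.ip_address(m["giaddr"]) not in SCOPE:
        return None                            # no scope for the relay address: DISCOVER ignored
    opts = [(OPT_MSG_TYPE, bytes([DHCPOFFER])), (OPT_SERVER_ID, ip4(SERVER_IP)),
            (OPT_ROUTER, ip4(SCOPE_ROUTER)), (OPT_DNS, ip4(SCOPE_DNS))]
    if opt(m, OPT_AGENT_INFO) is not None:
        opts.append((OPT_AGENT_INFO, opt(m, OPT_AGENT_INFO)))   # RFC 3046: echo Option 82 unchanged
    offer = build(BOOTREPLY, m["xid"], m["chaddr"], opts, yiaddr=OFFERED_IP,
                  giaddr=m["giaddr"], hops=m["hops"], flags=m["flags"])
    return m["giaddr"], 67, offer              # RFC 2131 4.1: giaddr != 0 -> reply to the relay


def relay_reply(pkt):
    """Relay, server side: deliver a BOOTREPLY whose giaddr is ours to the client on 68."""
    m = parse(pkt)
    if m["op"] != BOOTREPLY or m["giaddr"] != RELAY_IP:
        return None                            # RFC 1542 4.1.2: replies for another relay are dropped
    opts = [o for o in m["options"] if o[0] != OPT_AGENT_INFO]   # strip Option 82 before the client sees it
    out = build(BOOTREPLY, m["xid"], m["chaddr"], opts, yiaddr=m["yiaddr"],
                giaddr=m["giaddr"], hops=m["hops"], flags=m["flags"])
    if m["flags"] & BROADCAST_FLAG:
        return "255.255.255.255", 68, out      # client asked for broadcast delivery
    return m["yiaddr"], 68, out                # else unicast to yiaddr with chaddr as the L2 destination


def trace_exchange(client_flags=BROADCAST_FLAG):
    """DISCOVER -> relay -> server -> relay -> client; returns each leg decoded."""
    xid = 0x831DE675                           # transaction ID from the thread's capture
    discover = build(BOOTREQUEST, xid, CLIENT_MAC, [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))],
                     flags=client_flags)
    legs = {}
    dst, port, pkt = relay_request(discover)
    legs["to_server"] = (dst, port, parse(pkt))
    dst, port, pkt = server_handle(pkt)
    legs["to_relay"] = (dst, port, parse(pkt))
    dst, port, pkt = relay_reply(pkt)
    legs["to_client"] = (dst, port, parse(pkt))
    return legs


if __name__ == "__main__":
    for leg, (dst, port, m) in trace_exchange().items():
        print(f"{leg:10s} -> {dst}:{port}  op={m['op']} xid={m['xid']:#x} giaddr={m['giaddr']} "
              f"yiaddr={m['yiaddr']} hops={m['hops']} opt82={'yes' if opt(m, 82) else 'no'}")
```

Running it prints the three legs. The points worth comparing against the captures in this thread: the server's OFFER is addressed to giaddr (10.0.21.4) on port 67, never to the client, so a capture on the client segment stays empty until the relay re-emits the reply; the relay re-emits only a BOOTREPLY whose giaddr equals its own interface address, and drops any other; and Option 82 is echoed by the server and stripped by the relay, so its absence on the client side is normal rather than a sign of loss.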