
Boot from Network not working, with Cisco DHCP on L3 Switch 4510

makrab
Level 1

Hello all,

I have a problem booting from my LAN. I have a core switch connected to 2960 switches with VLAN 19 192.168.19.1/24, VLAN 16 192.168.16.1/24 and VLAN 17 192.168.17.1/24. I have a DHCP server on the L3 switch.

And a boot server (WDS) on VLAN 19 with IP 192.168.19.200.

When I boot clients on VLAN 16, a message saying TFTP appears.

When booting from the same switch as the WDS server, the boot is successful; when the client is on a different switch or a different VLAN, the error occurs.

I added an IP helper address on all VLAN interfaces on the L3 core switch. I ask whether the IP helper address must be applied to all 2960 switches?

And to boot from a different VLAN, what kind of traffic must be forwarded to all VLANs, and on which interfaces?

Thank you for helping me 

7 Replies

Hello,

I think 'ip helper' only forwards UDP ports 67 and 69, while WDS also requires UDP port 4011. Try and configure 'ip forward-protocol udp 4011' globally on the L3 core switch.

Thank you very much, gpauwen.

I will do it now and tell you if that works.

Hello gpauwen, I solved it. I used ip helper-address on all VLAN interfaces, pointing to the WDS server, and ip forward-protocol udp 4011,69.

Note: you must use ip helper-address in the home VLAN also.

That made it work on the same VLAN, but not on a different VLAN, with an error that said: "Can not find boot file, exit boot". When I saw this error I thought of the DHCP options: DHCP option 60 results in an error, port 4011 does not respond to TFTP. So I cancelled option 60 and used option 67, which led me to a successful boot in all VLANs.

So, conclusion: IP helper is not enough. You must use DHCP option 67 only, on all DHCP pools.

Thank you for reading. This led to a successful boot from all VLANs.

I did that, but it did not work.

I have the DHCP on the core switch L3 4510.

I have ARP inspection and DHCP snooping on the 2960 switches.

If I have DHCP options 66 and 67 at the same time as helper-address, could that make a conflict?

This is my show run command:

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname CoreSW_A
!
boot-start-marker
boot system flash bootflash:cat4500e-universalk9.SPA.03.05.03.E.152-1.E3.bin
boot-end-marker
!
!
vrf definition mgmtVrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable password 7 105A0D18255317050F547A79717861
!
username debugger secret 5 $1$Lw7F$JFX0rkBM/O6uH0n/Hy6RZ0
username Ahafez privilege 15 secret 5 $1$1GkI$mrrW9nr.xam26xZ6rnIHx0
no aaa new-model
clock timezone Egypt 2 0
!
ip vrf Liin-vrf
!
ip domain-name tda.local
ip name-server 192.168.253.2
ip name-server 192.168.253.29
ip dhcp excluded-address 192.168.17.1 192.168.17.50
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.11.1 192.168.11.50
ip dhcp excluded-address 192.168.12.1 192.168.12.50
ip dhcp excluded-address 192.168.13.1 192.168.13.50
ip dhcp excluded-address 192.168.14.1 192.168.14.50
ip dhcp excluded-address 192.168.15.1 192.168.15.50

ip dhcp excluded-address 192.168.16.1 192.168.16.50
ip dhcp excluded-address 192.168.18.1 192.168.18.50
ip dhcp excluded-address 192.168.19.1 192.168.19.50
!
ip dhcp pool EXEC_DEP
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.253.2 192.168.253.29
!
ip dhcp pool LAW_DEP
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server 192.168.253.2 192.168.253.29
!
ip dhcp pool Evaluation_DEP
network 192.168.12.0 255.255.255.0
default-router 192.168.12.1
dns-server 192.168.253.2 192.168.253.29
!
ip dhcp pool Region_DEV_DEP
network 192.168.13.0 255.255.255.0
default-router 192.168.13.1
dns-server 192.168.253.2 192.168.253.29
!
ip dhcp pool Region_Aff_DEP
network 192.168.14.0 255.255.255.0
default-router 192.168.14.1
dns-server 192.168.253.2 192.168.253.29
!
ip dhcp pool Energy_DEP
network 192.168.15.0 255.255.255.0
default-router 192.168.15.1
dns-server 192.168.253.2 192.168.253.29
!
ip dhcp pool IT_DEP
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 192.168.253.2 192.168.253.29
option 66 ip 192.168.19.206
option 67 ascii smsboot\x64\wdsnbp.com
!
ip dhcp pool Investement_DEP
network 192.168.17.0 255.255.255.0
default-router 192.168.17.1
dns-server 192.168.253.2 192.168.253.29

!
ip dhcp pool Accounting_DEP
network 192.168.18.0 255.255.255.0
default-router 192.168.18.1
dns-server 192.168.253.2 192.168.253.29
!
ip dhcp pool Internet
network 192.168.19.0 255.255.255.0
default-router 192.168.19.1
dns-server 192.168.253.2 192.168.253.29
option 66 ip 192.168.19.206
option 67 ascii smsboot\x64\wdsnbp.com
lease 365
!
ip dhcp pool Accounting
!
!
ip device tracking
!
!
!
power redundancy-mode redundant
!
!
spanning-tree mode pvst
spanning-tree extend system-id

begin of interfaces
here is the interfaces 

>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>>
end interfaces part
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Connected To EXC_DEP
ip address 192.168.10.1 255.255.255.0
!
interface Vlan11
description Connected To LAW_DEP
ip address 192.168.11.1 255.255.255.0
!
interface Vlan12
description Connected To Evaluation_DEP
ip address 192.168.12.1 255.255.255.0
!
interface Vlan13
description Connected To RegionP_DEV_DEP
ip address 192.168.13.1 255.255.255.0
!
interface Vlan14
description Connected To Region_Aff_DEP
ip address 192.168.14.1 255.255.255.0
!
interface Vlan15
description Connected To Energy_DEP
ip address 192.168.15.1 255.255.255.0
!
interface Vlan16
description Connected To IT_DEP
ip address 192.168.16.1 255.255.255.0
ip helper-address 192.168.19.206
ip helper-address 192.168.253.2
ip helper-address 192.168.253.20
ip helper-address 192.168.19.255
!
interface Vlan17
description Connected To Investement_DEP
ip address 192.168.17.1 255.255.255.0
ip helper-address 192.168.19.206
!
interface Vlan18
description Connected To Accounting_DEP
ip address 192.168.18.1 255.255.255.0
!
interface Vlan19
description Connected To Internet
ip address 192.168.19.1 255.255.255.0
ip helper-address 192.168.19.206
ip helper-address 192.168.16.255
ip helper-address 192.168.17.255
!
interface Vlan101
description Connected To ASA Inside
ip address 192.168.251.1 255.255.255.252
!
interface Vlan102
description Connected To Servers Farm
ip address 192.168.253.1 255.255.255.0
!
interface Vlan1000
description Connected To
ip address 192.168.250.2 255.255.255.0
ip helper-address 192.168.19.206
ip helper-address 192.168.253.20
ip helper-address 192.168.253.2
ip helper-address 192.168.19.255
!
router rip
version 2
network 192.168.19.0
network 192.168.251.0
network 192.168.253.0
no auto-summary
!
ip forward-protocol nd
ip forward-protocol udp 4011
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.253.20
!
!
kron occurrence saveconfigschedule at 23:00 Thu recurring
policy-list saveconfig
!
access-list 19 permit 192.168.19.0 0.0.0.255 log
access-list 19 permit 192.168.253.0 0.0.0.255 log
access-list 198 permit ip 192.168.253.0 0.0.0.255 any
access-list 199 permit ip any 192.168.253.0 0.0.0.255
access-list 199 permit ip any 0.0.253.0 255.255.0.0
no cdp run
!


In the access list part, what does the word log mean?

Now I have disabled all DHCP options and all interface helpers,

and I will do this:

int vlan 16

ip helper-address 192.168.19.206  = wds SERVER IP

 

int vlan 19

ip helper-address 192.168.19.206  = wds SERVER IP

int vlan 17

ip helper-address 192.168.19.206  = wds SERVER IP

EXIT 

ip forward-protocol udp 4011

exit

wr

Sorry for wasting your time

Hello,

Have you got it working?

Hello,

After using Wireshark to trace the packets in a successful boot and in an unsuccessful boot, I noted that my core switch filters my TFTP traffic. I have many access lists created by a friend.

Frame 1385: 69 bytes on wire (552 bits), 69 bytes captured (552 bits) on interface 0
Ethernet II, Src: CiscoInc_80:27:7f (74:a2:e6:80:27:7f), Dst: FujitsuT_93:94:e6 (90:1b:0e:93:94:e6)
Internet Protocol Version 4, Src: 192.168.16.52, Dst: 192.168.19.109
User Datagram Protocol, Src Port: 2070, Dst Port: 69
Trivial File Transfer Protocol

Now I want to create an access list to allow TFTP on all interfaces to go through 192.168.19.200.

My access list is:


CoreSW_A#show access-list
Standard IP access list 19
10 permit 192.168.19.0, wildcard bits 0.0.0.255 log
20 permit 192.168.253.0, wildcard bits 0.0.0.255 log
Extended IP access list 198
10 permit ip 192.168.253.0 0.0.0.255 any
Extended IP access list 199
10 permit ip any 192.168.253.0 0.0.0.255
20 permit ip any 0.0.253.0 255.255.0.0
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
10 permit ospf any any
Extended IP access list system-cpp-pim
10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
10 permit ip any host 224.0.0.9
Extended IP access list tftp
10 permit udp any any eq tftp
20 permit udp any any range 1025 6000 (39720 matches)
IPv6 access list DHCP Sever
permit udp any eq 546 any eq 547 sequence 10
permit udp any eq 547 any eq 546 sequence 20
IPv6 access list preauth_ipv6_acl (per-user)
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100
IPv6 access list system-cpp-dhcpv6-cs
permit udp any eq 546 any eq 547 sequence 10
IPv6 access list system-cpp-dhcpv6-sc
permit udp any eq 547 any eq 546 sequence 10
IPv6 access list system-cpp-icmpv6-na
permit icmp any any nd-na sequence 10
IPv6 access list system-cpp-icmpv6-ns
permit icmp any any nd-ns sequence 10
IPv6 access list system-cpp-icmpv6-ra
permit icmp any any router-advertisement sequence 10
IPv6 access list system-cpp-icmpv6-rr
permit icmp any any redirect sequence 10
IPv6 access list system-cpp-icmpv6-rs
permit icmp any any router-solicitation sequence 10
Extended MAC access list system-cpp-bpdu-range
permit any 0180.c200.0000 0000.0000.0003
Extended MAC access list system-cpp-cdp
permit any host 0100.0ccc.cccc
Extended MAC access list system-cpp-dot1x
permit any any 0x888E
Extended MAC access list system-cpp-mcast-cfm
permit any 0180.c200.0030 0000.0000.000f
Extended MAC access list system-cpp-sstp
permit any host 0100.0ccc.cccd
Extended MAC access list system-cpp-ucast-cfm
permit any host 74a2.e680.277d

Please help me to create the access list. I am a CCNA student.
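
An added example, not part of any poster's reply: a small evaluator for two of the extended lists in the show access-list output above (199 and tftp), run against the captured TFTP packet (192.168.16.52:2070 to 192.168.19.109:69). It models first-match and implicit-deny evaluation only; the thread does not show which interface any of these lists is applied to, so the result says what a list would do if it were in the packet's path.

```python
import ipaddress

# Entries copied from the "show access-list" output in the thread.
ACLS = {
    "199": ["permit ip any 192.168.253.0 0.0.0.255",
            "permit ip any 0.0.253.0 255.255.0.0"],
    "tftp": ["permit udp any any eq tftp",
             "permit udp any any range 1025 6000"],
}
PORTS = {"tftp": 69}  # named ports used by the entries above

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def _port_ok(tok, port):
    """Consume an optional 'eq P' or 'range LO HI' qualifier and test the port."""
    if not tok or tok[0] not in ("eq", "range"):
        return True
    op, lo = tok.pop(0), tok.pop(0)
    lo = PORTS[lo] if lo in PORTS else int(lo)
    hi = int(tok.pop(0)) if op == "range" else lo
    return lo <= port <= hi

def _ip_ok(spec, ip):
    """Wildcard match: bits set in the wildcard are ignored, the rest must agree."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; with no match the implicit deny applies."""
    for line in ACLS[acl]:
        tok = line.split()
        action, aproto = tok.pop(0), tok.pop(0)
        src_spec, sport_ok = _addr(tok), _port_ok(tok, sport)
        dst_spec, dport_ok = _addr(tok), _port_ok(tok, dport)
        if (aproto in ("ip", proto) and sport_ok and dport_ok
                and _ip_ok(src_spec, src) and _ip_ok(dst_spec, dst)):
            return action, line
    return "deny", "implicit deny"

if __name__ == "__main__":
    # TFTP read request from the Wireshark capture in the thread.
    print(evaluate("199", "udp", "192.168.16.52", 2070, "192.168.19.109", 69))
```

A TFTP server answers a read request from a new ephemeral port to the client's source port, so entry 20 of the tftp list (range 1025 6000) covers that reply only while the client's port falls inside the range.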