12-01-2011 06:53 AM - edited 03-07-2019 03:41 AM
Hi,
We are looking to avoid the need to install an additional device in our network, as our core 6509s are not being pushed by any stretch. However, we are having an issue getting the 6509 to assign DHCP addresses and perform NAT.
Most interfaces and VLANs on the 6509 use public IPs and have BGP routing at the edge. We have a trunk uplink coming into the 6509 on a WS-6816 card via an SMF GBIC in slot 9, port 2 that feeds a wifi link where we are looking to provide guest access to our network.
We created 2 VLANs on the switch, 20 and 21. We assigned a private IP and network to the VLAN 20 interface and a new public /30 subnet IP to the VLAN 21 interface. The following configuration was applied, which I thought was the required configuration based on how we would typically configure ISR routers for the same services...
ip dhcp excluded-address 10.200.200.1
!
ip dhcp pool Wifi_Pool
network 10.200.200.0 255.255.255.0
default-router 10.200.200.1
dns-server 4.2.2.1 4.2.2.2
Extended IP access list PermitNat_Wifi
10 permit ip 10.237.192.0 0.0.0.255 any
ip nat inside source list PermitNat_Wifi interface GigabitEthernet5/1 overload <-- initially configured as "interface Vlan21 overload", changed to try an IP-enabled physical interface in case NAT on an SVI was not supported
interface GigabitEthernet9/2
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 10 <----- management VLAN
switchport trunk allowed vlan 10,20,30
switchport mode trunk
no ip address
speed nonegotiate
end
interface Vlan20
description "Private Interface for Wifi Access"
ip address 10.200.200.1 255.255.255.0
ip nat inside
end
interface Vlan21
description "Public Interface for Wifi Access"
ip address 1.2.3.133 255.255.255.252
ip nat outside
end
What am I missing in this configuration?
Note that if I create an access switchport for VLAN 20 on the switch and plug a laptop directly into the 6509, the laptop is unable to receive a DHCP address. If I assign the laptop an address in the 10.200.200.0/24 range manually, I can ping 10.200.200.1 from the laptop; however, the laptop will not get to the internet, as it appears to be failing to perform NAT.
Any insight on this issue would be greatly appreciated.
12-01-2011 07:31 AM
Hi,
For the NAT part, the NAT ACL is not permitting hosts in VLAN 20:
Extended IP access list PermitNat_Wifi
10 permit ip 10.237.192.0 0.0.0.255 any
You should modify it to allow the VLAN 20 subnet.
For the DHCP part, the configuration seems OK. Try to debug DHCP and see if it gets requests and how it handles them.
Riccardo
12-01-2011 03:37 PM
Sorry... I changed the IP before posting. The IPs on the router all match across the access list, the interfaces and the DHCP config.
12-02-2011 01:07 AM
Before NAT, this seems to be a DHCP problem. The DHCP configuration seems to be correct, so try removing ip nat inside from int vlan 20 and check whether the lease works.
Can you post the actual running config, a show ip route, and a dhcp binding?
12-02-2011 07:10 AM
I had already attempted your suggestion.
With or without ip nat inside applied to the interface, DHCP fails. With or without ip nat inside applied to the interface, I am able to assign a static IP and ping the gateway IP assigned to VLAN 20, but nothing beyond that.
The complete running config and route table are several thousand lines, as this is a device running BGP.
The output of show ip dhcp binding is below (nothing, basically):
IP address    Client-ID/Hardware address    Lease expiration    Type
The output of show ip dhcp server statistics (below) does show offers and acknowledgements, but they somehow never reach the computer:
Memory usage 814
Address pools 1
Database agents 0
Automatic bindings 0
Manual bindings 0
Expired bindings 0
Malformed messages 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 101
DHCPREQUEST 101
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
Message Sent
BOOTREPLY 0
DHCPOFFER 101
DHCPACK 101
DHCPNAK 0
I also ran Wireshark on the PC attached to the switchport, and when the gateway is pinged, Wireshark can see the replies coming from the switch; however, it does not show any traffic related to DHCP offers, etc.
The relevant IP route entries for the subnets in question show the following details...
#sho ip route 1.2.3.133
Routing entry for 1.2.3.132/30
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via ospf 1
Advertised by ospf 1 subnets
Routing Descriptor Blocks:
* directly connected, via Vlan21
Route metric is 0, traffic share count is 1
#sho ip route 10.200.200.0
Routing entry for 10.200.200.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via ospf 1
Advertised by ospf 1 subnets
Routing Descriptor Blocks:
* directly connected, via Vlan20
Route metric is 0, traffic share count is 1
So the routing table shows both of them as directly connected.
We are using an older version of the IOS image, as we have never had any issues that would make me upgrade it; however, I am beginning to think that this may be related to a bug in the IOS, as it appears that both of you believe the configuration applied should be correct.
12-04-2011 08:30 AM
Today I was playing with my 1841 and had configured DHCP without success, due to a stupid command that I had forgotten to enter. Maybe this is not your case, but have you configured the command service dhcp in configuration terminal?
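To pull the thread's advice together, here is a consolidated IOS configuration for the topology described above. This is an added example, not the original poster's running config: it applies Riccardo's point that the NAT ACL has to match the VLAN 20 subnet, and the reminder in the previous post that the DHCP server process must be enabled with service dhcp. VLAN numbers, the 10.200.200.0/24 and 1.2.3.132/30 addresses, the pool name, the ACL name and GigabitEthernet9/2 are taken from the thread; the lease time, the native VLAN 999 and the choice of Vlan21 as the overload interface are assumptions for the example.

```cisco
! Added example: DHCP pool plus NAT overload for guest wifi on VLAN 20.
! Addresses, VLANs, names and the trunk port come from the thread;
! everything marked "assumption" is not from the original post.

! The DHCP server process must be running or no OFFER is ever built.
service dhcp
!
ip dhcp excluded-address 10.200.200.1
!
ip dhcp pool Wifi_Pool
 network 10.200.200.0 255.255.255.0
 default-router 10.200.200.1
 dns-server 4.2.2.1 4.2.2.2
 lease 0 4                          ! assumption: 4-hour guest leases
!
! The NAT ACL selects which inside sources get translated, so it must
! cover the VLAN 20 subnet (the thread's ACL initially matched a different range).
ip access-list extended PermitNat_Wifi
 permit ip 10.200.200.0 0.0.0.255 any
!
! Overload onto the outside SVI address; inside/outside must sit on the
! interfaces that actually forward the guest traffic.
ip nat inside source list PermitNat_Wifi interface Vlan21 overload
!
interface GigabitEthernet9/2
 switchport
 switchport trunk encapsulation dot1q
 ! assumption: an otherwise unused VLAN as native instead of the
 ! management VLAN 10 used in the thread, so untagged frames from the
 ! guest side cannot land in the management VLAN.
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,999
 switchport mode trunk
 speed nonegotiate
!
interface Vlan20
 description Private Interface for Wifi Access
 ip address 10.200.200.1 255.255.255.0
 ip nat inside
!
interface Vlan21
 description Public Interface for Wifi Access
 ip address 1.2.3.133 255.255.255.252
 ip nat outside
```

To check the result: show ip dhcp binding should list a lease once a client has completed DISCOVER/OFFER/REQUEST/ACK, and debug ip dhcp server packet shows whether the OFFER is actually being sent out the client's interface (the statistics in the thread count 101 offers sent while the client capture shows none, which is exactly the gap the debug is meant to expose). For the NAT half, show ip nat translations should show an entry for the client's 10.200.200.x address after it tries to reach the internet; an empty table with traffic flowing points at the ACL or at the inside/outside placement. On a 6500 the ACL decides who is translated, so keeping it to the guest subnet and nothing wider is also what prevents the guest path from being used to source traffic from other private ranges.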
12-04-2011 10:16 AM
Hello Caplin,
Have you tried rebooting the router, or at least removing the DHCP setup and then putting it back again? Sometimes the DHCP process (daemon) can get stuck in the router IOS.
Try that and let us know the results, because as per your configuration everything seems to be right.
Please rate helpful posts.
Julio!!
12-12-2011 12:12 AM
Was the issue resolved?