11-09-2017 08:24 AM - edited 03-08-2019 12:41 PM
I have an 871W router connected to a 3560 switch. Clients are unable to obtain an IP address via DHCP from the router and they never connect. If I statically assign an address from the DHCP pool, however, they work and are able to access the internet just fine. The DHCP doesn't seem to be working. Below is the output of the router in question.
Building configuration...
Current configuration : 12281 bytes
!
! Last configuration change at 16:13:21 UTC Thu Nov 9 2017 by flogie
! NVRAM config last updated at 16:14:04 UTC Thu Nov 9 2017 by flogie
!
version 12.4
no service pad
service telnet-zeroidle
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname US_Dayton_871W
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-24.T8.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 16384 informational
logging rate-limit all 30
no logging console
enable secret 5 $1$fNXD$4GotGpv8gOq8OPjl7aUV7.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid LHHCLIENT
 vlan 2
 max-associations 20
 authentication open 
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 032853030F01221C1F
!
dot11 ssid LHHCORP
 vlan 1
 max-associations 20
 authentication open 
 authentication key-management wpa
 wpa-psk ascii 7 08701E1D5D4C53404A525C
!
no ip source-route
no ip gratuitous-arps
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.9.32 172.16.9.33
ip dhcp excluded-address 10.170.220.1 10.170.222.20
!
ip dhcp pool LHHCLIENT
 network 172.16.9.32 255.255.255.224
 default-router 172.16.9.33 
 dns-server 66.193.182.194 
 lease 0 4
!
ip dhcp pool LAN
 network 10.170.220.0 255.255.255.0
 dns-server 10.16.242.11 10.16.242.59 
 default-router 10.170.220.1 
 domain-name lhhinc.local
 lease 0 8
!
ip dhcp pool LHHUSER
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.33 
 dns-server 10.16.242.59 10.16.242.11 
!
!
ip cef 
no ip bootp server
no ip domain lookup
ip domain name lhhinc.local
ip inspect name CBAC udp timeout 30
ip inspect name CBAC tcp timeout 2000
ip inspect name CBAC fragment maximum 256 timeout 1
ip inspect name CBAC ftp timeout 60
login on-failure log every 3
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
vtp domain lhhinc.local
vtp mode transparent
username SVC_ORION privilege 15 secret 5 $1$qbVP$0mwrKdyb3/aZ4QT3MenOB.
username flogie privilege 15 secret 5 $1$FXck$xOKjCWGgFvhqy2cLhlGnf0
username ykarim privilege 15 secret 5 $1$cIp8$O3eCJGba27fegURWEV/Et.
! 
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key &G01n6VpNH3r3#@ address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set DBMVPN3DES esp-3des esp-md5-hmac 
 mode transport
!
crypto ipsec profile DBMVPN
 set transform-set DBMVPN3DES 
!
!
archive
 log config
 hidekeys
!
!
vlan 2-3 
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh logging events
ip ssh version 2
ip ssh dh min size 2048
!
!
!
interface Tunnel0
 bandwidth 1100
 ip address 192.168.22.15 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication Here2DBM
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.22.1 209.208.34.220
 ip nhrp map multicast 209.208.34.220
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.22.1
 ip tcp adjust-mss 1360
 no ip mroute-cache
 delay 900
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DBMVPN shared
!
interface Tunnel1
 bandwidth 1000
 ip address 192.168.23.15 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication Here2DBM
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.23.1 209.208.34.219
 ip nhrp map multicast 209.208.34.219
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.23.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DBMVPN shared
!
interface FastEthernet0
 description LHHCORP LAN
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 66.193.182.222 255.255.255.252
 ip access-group INTERNET in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 no dot11 extension aironet
 !
 encryption vlan 1 mode ciphers tkip 
 !
 encryption vlan 2 mode ciphers tkip 
 !
 ssid LHHCLIENT
 !
 ssid LHHCORP
 !
 speed basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 no preamble-short
 station-role root
!
interface Dot11Radio0.1
 description LHHCORP USERS
 encapsulation dot1Q 1 native
 ip address 172.16.10.33 255.255.255.0
 ip access-group LHH-RADIO in
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1200
 no ip mroute-cache
 no cdp enable
!
interface Dot11Radio0.2
 description LHHCLIENTS
 encapsulation dot1Q 2
 ip address 172.16.9.33 255.255.255.0
 ip access-group CLIENT-RADIO in
 ip access-group CLIENT-RADIO-RETURN out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 rate-limit input 256000 512000 768000 conform-action transmit exceed-action drop
 rate-limit output 256000 512000 768000 conform-action transmit exceed-action drop
 no ip mroute-cache
 no cdp enable
!
interface Vlan1
 description LAN
 ip address 10.170.220.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
!
router eigrp 1
 passive-interface FastEthernet4
 network 10.170.220.0 0.0.0.255
 network 192.168.22.0
 network 192.168.23.0
 no auto-summary
 eigrp stub connected summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.193.182.221
no ip http server
no ip http secure-server
!
!
ip nat translation tcp-timeout 2000
ip nat translation udp-timeout 60
ip nat inside source list NAT interface FastEthernet4 overload
!
ip access-list standard NAT
 permit 172.16.9.0 0.0.0.255
 permit 10.170.220.0 0.0.0.255
 permit 172.16.10.0 0.0.0.255
!
ip access-list extended CLIENT-RADIO
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any any eq domain
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq 143
 permit tcp any any eq 587
 permit tcp any any eq 465
 permit tcp any any eq 585
 permit tcp any any eq 993
 permit tcp any any eq 995
 permit tcp any any eq 1532
 permit tcp any any eq 1533
 permit udp any any eq bootps
 permit icmp any host 172.16.9.33 echo
 permit icmp any host 10.1.201.2 echo
 permit ip any host 65.211.153.81
 remark portal.dbm.com
 permit tcp any host 63.87.216.82
 permit ip host 10.1.201.8 any
 remark BLOOMBERG
 permit ip any 160.43.250.0 0.0.0.255
 permit ip any 206.156.53.0 0.0.0.255
 permit ip any 205.216.112.0 0.0.0.255
 permit ip any 208.22.56.0 0.0.0.255
 permit ip any 69.191.0.0 0.0.255.255
 deny icmp any any
 deny ip any any
ip access-list extended CLIENT-RADIO-RETURN
 permit udp any any eq bootpc
 permit icmp host 10.1.201.2 any echo-reply
 remark KC LAN Printer
 permit ip host 10.1.201.8 any
 remark inotestemp.dbm.com
 permit ip host 10.1.1.18 any
 deny ip 10.0.0.0 0.255.255.255 any
 permit ip any any
 deny ip any any
ip access-list extended INTERNET
 remark Deny RFC 3330
 deny ip host 0.0.0.0 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 remark Deny RFC 1918
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 remark Return TCP/UDP Traffic
 permit tcp any any gt 1023 established
 permit udp any any gt 1023
 remark DMVPN Traffic
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 remark ICMP LHH_NET_ONLY
 permit icmp host 66.192.226.166 any
 permit icmp host 66.192.226.167 any
 permit icmp host 209.208.35.72 any
 permit icmp host 209.208.35.150 any
 remark ICMP RETURN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark SSH LHH_NET_ONLY
 permit tcp host 66.192.226.166 any eq 22
 permit tcp host 66.192.226.167 any eq 22
 permit tcp host 209.208.35.72 any eq 22
 permit tcp host 209.208.35.150 any eq 22
 deny ip any any log
ip access-list extended LHH-RADIO
 permit icmp any host 172.16.9.1 echo
 deny icmp any 172.16.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.0.255.255
 permit ip any any
 deny ip any any
!
logging 10.16.242.129
access-list 99 permit 10.16.242.129
!
!
!
!
snmp-server group SNMP-AUTH v3 auth match exact read SNMP-VIEW write SNMP-VIEW access 99
snmp-server group SNMP-AUTH v3 priv match exact read SNMP-VIEW write SNMP-VIEW access 99
snmp-server view SNMP-VIEW iso included
snmp-server location US
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps adslline
snmp-server enable traps flash insertion removal
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps pw vc
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host 10.16.242.129 version 3 priv lhhsnmpv3 
!
control-plane
!
banner login ^C Management ID: $(hostname) ^C
banner motd ^C
 * * * * * * * * * * W A R N I N G * * * * * * * * * *
This system is for the use of authorized users only. 
Individuals using this computer system without
authority, or in excess of their authority, are subject
to having all of their activities on this system
monitored and recorded by system personnel. In the
course of monitoring individuals improperly using this
system, or in the course of system maintenance, the
activities of authorized users may also be monitored.
Use of any Company data obtained by unauthorized means,
is prohibited and no data may be transfered to any external
device without express authorization. 
Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring
reveals possible evidence of criminal activity, system
personnel may provide the evidence of such monitoring
to law enforcement officials.
^C
!
line con 0
 session-timeout 9 
 exec-timeout 9 0
 login local
 no modem enable
line aux 0
 no exec
 transport output none
line vty 0 4
 session-timeout 9 
 exec-timeout 9 0
 login local
 transport input ssh
 transport output ssh
!
scheduler max-task-time 5000
ntp server 192.168.23.1
ntp server 192.168.22.1
11-09-2017 08:35 AM
Hello,
How are the client ports on the switch configured? Make sure they look like this:
interface FastEthernet0/2
spanning-tree portfast
Can you post the configuration of your 3560 switch as well?
11-09-2017 08:39 AM
11-09-2017 09:08 AM
Hello,
Which IOS version are you running on the 3560? Typically, the configuration of access ports should look like this:
interface GigabitEthernet0/2
description LHH LAN
spanning-tree portfast
switchport mode access
11-09-2017 09:37 AM
11-09-2017 10:13 AM
For some reason the DHCP requests are not getting through to the 871. Post the full configuration of the switch; we may be able to spot something. Also, which port on the switch is connected to the 871?
11-09-2017 11:10 AM
11-09-2017 11:41 AM
Hello,
Currently the port on the switch connecting to the router is a trunk port, while the connecting port on the router is a (default) access port in VLAN 1. Since you are only using the default VLAN, you don't really need the trunk.
Either way, both sides need to match, so it has to be:
US_Dayton_871W
interface FastEthernet0
description LHHCORP LAN
switchport mode trunk
US_Dayton_3560CX_SW1
interface GigabitEthernet0/10
description Uplink to US_Dayton_871W
switchport mode trunk
or
US_Dayton_871W
interface FastEthernet0
description LHHCORP LAN
US_Dayton_3560CX_SW1
interface GigabitEthernet0/10
description Uplink to US_Dayton_871W
11-09-2017 11:45 AM
11-09-2017 12:01 PM
Hello,
Is this a typo?
ip dhcp excluded-address 10.170.220.1 10.170.222.20
Change that to:
ip dhcp excluded-address 10.170.220.1 10.170.220.20
Otherwise you are excluding the entire DHCP range...
11-09-2017 12:18 PM
11-09-2017 01:12 PM
Typos are easily made, glad you got it resolved...
11-09-2017 08:36 AM
The mask for one of the subnets seems to be incorrect. Under the interface you have a /24
ip address 172.16.9.33 255.255.255.0
and the pool is a /27
ip dhcp pool LHHCLIENT
network 172.16.9.32 255.255.255.224
Can you verify?
HTH
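Added example, not part of any post in this thread: a Python check for the two configuration problems the replies point out, namely an `ip dhcp excluded-address` range that swallows a whole pool and an interface mask that differs from its pool's mask. The function name `audit_dhcp` and the trimmed `SAMPLE_CONFIG` (built from lines of the posted configuration) are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample: only the relevant lines of the router configuration posted above.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 172.16.9.32 172.16.9.33
ip dhcp excluded-address 10.170.220.1 10.170.222.20
ip dhcp pool LHHCLIENT
 network 172.16.9.32 255.255.255.224
ip dhcp pool LAN
 network 10.170.220.0 255.255.255.0
interface Dot11Radio0.2
 ip address 172.16.9.33 255.255.255.0
interface Vlan1
 ip address 10.170.220.1 255.255.255.0
"""

def audit_dhcp(config):
    """Return {pool: {"free": leasable host count, "mask_mismatch": [interfaces]}}."""
    excluded, pools, ifaces = [], {}, {}
    section = None  # ("pool", name) or ("iface", name) for indented sub-commands
    for line in config.splitlines():
        words = line.split()
        if line.startswith("ip dhcp excluded-address"):
            low = ipaddress.ip_address(words[3])
            # A single-address exclusion has no upper bound on the line.
            high = ipaddress.ip_address(words[4]) if len(words) > 4 else low
            excluded.append((low, high))
        elif line.startswith("ip dhcp pool"):
            section = ("pool", words[3])
        elif line.startswith("interface"):
            section = ("iface", words[1])
        elif section and section[0] == "pool" and words[:1] == ["network"]:
            pools[section[1]] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif (section and section[0] == "iface"
              and words[:2] == ["ip", "address"] and len(words) == 4):
            ifaces[section[1]] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    report = {}
    for name, net in pools.items():
        # Count host addresses that no excluded range covers.
        free = sum(1 for h in net.hosts()
                   if not any(lo <= h <= hi for lo, hi in excluded))
        # Interfaces that sit inside the pool's subnet but use a different mask.
        mismatch = [i for i, a in ifaces.items()
                    if a.ip in net and a.network.prefixlen != net.prefixlen]
        report[name] = {"free": free, "mask_mismatch": mismatch}
    return report

if __name__ == "__main__":
    for pool, result in audit_dhcp(SAMPLE_CONFIG).items():
        print(pool, result)
```

A pool reported with `free` equal to 0 can never hand out a lease, which matches the symptom in the original question.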
11-09-2017 08:40 AM
11-09-2017 08:37 AM - edited 11-09-2017 08:38 AM
Hi
What happens if you connect a laptop directly to the router? Does it receive an IP address?
Or if you move one of the pools back to the 3560, do they get an address?
Or debug dhcp detail, or use Wireshark on a client PC to make sure they're sending and receiving the DHCP offers and requests correctly, and make sure the DHCP service is on: conf t, service dhcp
That's just a couple of things I would try.