cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1059
Views
0
Helpful
6
Replies

Cisco 887 & 2960-S DHCP snooping problem

DOUGLAS DRURY
Level 1
Level 1

Hi,

I've configured a Cisco 887va router with a set of Cisco 2960-S switches.  The problem is anyone on VLAN 30 is not getting an IP address.  VLANs 10 & 25 are getting IP addresses fine from my laptop acting as a DHCP server.  But VLAN 30 are not getting IP addresses from the 887 nor my laptop?

Any suggestions?

Cisco 887

MH-RT-HT-02#sh run br
Building configuration...

Current configuration : 4207 bytes
!
! Last configuration change at 06:28:32 UTC Fri Apr 8 2016
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MH-RT-HT-02
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret <Removed>
!
aaa new-model
!
!
aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2009019470
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2009019470
revocation-check none
rsakeypair TP-self-signed-2009019470
!
!
crypto pki certificate chain TP-self-signed-2009019470
certificate self-signed 01
!
!
!
!


!
ip dhcp excluded-address 192.168.30.1 192.168.30.10
ip dhcp excluded-address 192.168.30.200 192.168.30.254
!
ip dhcp pool MH-POOL
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 192.168.30.1 8.8.8.8
domain-name <Removed>
lease 0 3
!
!
!
ip dhcp snooping vlan 10,25,30
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip domain name <Removed>
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ195370MJ
!
!
<Removed>
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 7
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNUSERS
key <Removed>
dns 192.168.30.21
domain meldrum-ext.local
pool VPN-POOL
acl VPNSPLIT
!
!
crypto ipsec transform-set <Removed> esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map VPNDYNMAP 1
set transform-set <Removed>
reverse-route
!
!
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
crypto map MAP-OUTSIDE client configuration address respond
crypto map MAP-OUTSIDE 1 ipsec-isakmp dynamic VPNDYNMAP
!
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 30
no ip address
ip dhcp snooping trust
!
interface FastEthernet1
switchport access vlan 30
no ip address
!
interface FastEthernet2
switchport access vlan 30
no ip address
!
interface FastEthernet3
switchport access vlan 30
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan30
description Guest_Extension
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <Removed>
ppp chap password 0 <Removed>
crypto map MAP-OUTSIDE
!
ip local pool VPN-POOL 10.1.74.5 10.1.74.250
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended NAT
deny ip 192.168.30.0 0.0.0.255 10.1.74.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended VPNSPLIT
permit ip 192.168.30.0 0.0.0.255 10.1.74.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner login ^C
***************************************************************************

<Removed>

***************************************************************************
^C
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
!
end

MH-RT-HT-02#

Cisco 2960-S

I've set int gig 0/11 in vlan 30 as a test


MH-SW-HT-01#sh run br
Building configuration...

Current configuration : 4526 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MH-SW-HT-01
!
boot-start-marker
boot-end-marker
!
enable secret <Removed>
!
<Removed>
!
!
no aaa new-model
!
!
ip dhcp snooping vlan 10,25,30
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip domain-name <Removed>
!
!
crypto pki trustpoint TP-self-signed-1326804608
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1326804608
revocation-check none
rsakeypair TP-self-signed-1326804608
!
!
crypto pki certificate chain TP-self-signed-1326804608
certificate self-signed 01
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
interface Port-channel1
switchport trunk native vlan 10
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet0/1
switchport trunk native vlan 10
switchport mode trunk
ip dhcp snooping trust
!
interface GigabitEthernet0/2
switchport access vlan 30
switchport mode access
spanning-tree portfast
ip dhcp snooping trust
!
interface GigabitEthernet0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/11
switchport access vlan 30
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/12
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/13
switchport mode access
shutdown
spanning-tree portfast
!
interface GigabitEthernet0/14
switchport mode access
shutdown
spanning-tree portfast
ip dhcp snooping trust
!
interface GigabitEthernet0/15
switchport mode access
shutdown
spanning-tree portfast
!
interface GigabitEthernet0/16
switchport mode access
shutdown
spanning-tree portfast
!
interface GigabitEthernet0/17
switchport mode access
shutdown
spanning-tree portfast
!
interface GigabitEthernet0/18
switchport mode access
shutdown
spanning-tree portfast
!
interface GigabitEthernet0/19
switchport mode access
shutdown
spanning-tree portfast
!
interface GigabitEthernet0/20
switchport mode access
shutdown
spanning-tree portfast
!
interface GigabitEthernet0/21
switchport mode access
shutdown
spanning-tree portfast
!
interface GigabitEthernet0/22
description Trunk to MH-SW-SB-01
switchport trunk native vlan 10
switchport mode trunk
ip dhcp snooping trust
!
interface GigabitEthernet0/23
description EtherChannel GP1 to MH-SW-EX-01
switchport trunk native vlan 10
switchport mode trunk
channel-group 1 mode desirable
ip dhcp snooping trust
!
interface GigabitEthernet0/24
description EtherChannel GP1 to MH-SW-EX-01
switchport trunk native vlan 10
switchport mode trunk
channel-group 1 mode desirable
ip dhcp snooping trust
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan10
ip address 192.168.10.203 255.255.255.0
no ip route-cache
!
ip http server
ip http authentication local
ip http secure-server
banner login ^C
***************************************************************************
<Removed>
***************************************************************************
^C
!
line con 0
logging synchronous
line vty 0 4
exec-timeout 0 0
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
login
!
end

MH-SW-HT-01#

1 Accepted Solution

Accepted Solutions

Douglas,

Sorry I should have said.

For your set up you put

!
no ip dhcp snooping information option allow-untrusted
!

On both the router & the switch

Hopefully DHCP will work then on the ports on the router that are in Vlan 30 &

the same on the switch

Regards

Alex

Regards, Alex. Please rate useful posts.

View solution in original post

6 Replies 6

Hi,

What are the ports that connect 887 to 2960?

Hi Douglas,

As I see it you have configured DHCP snooping to look at option 82.
with the "ip dhcp snooping information option allow-untrusted" command.

But the DHCP server config for Vlan 30 does not have Option 82 configured.

Can you try
!
no ip dhcp snooping information option allow-untrusted
!

Then retest

If you want information abvout configuring option 82try this link:-
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/12-4t/dhcp-12-4t-book/config-dhcp-server.html#GUID-B439F785-79EE-467E-BB2B-240BE8E05293


Regards
Alex

Regards, Alex. Please rate useful posts.

Hi Alex,

Thanks for the reply.

What device would i run that command on?

887 fa0 to 2960 gig0/2

The PC connects to port gig0/11

Douglas,

Sorry I should have said.

For your set up you put

!
no ip dhcp snooping information option allow-untrusted
!

On both the router & the switch

Hopefully DHCP will work then on the ports on the router that are in Vlan 30 &

the same on the switch

Regards

Alex

Regards, Alex. Please rate useful posts.

Hi Alex,

I ran that command no ip dhcp snooping information option allow-untrusted on the switch and router but same issue so ran no ip dhcp snooping  leaving ip dhcp snooping vlan 10,25,30 in place.  By using no ip dhcp snooping will that have a negative affect?

I set up a rouge DHCP server on the same vlan to give out a different subnet (192.168.40.x) and the test PC got the correct IP from the 192.168.30x subnet.

Thanks for your help

Review Cisco Networking for a $25 gift card