Default Gateway on different subnet to DHCP

geoffknight
Level 1

Hi, help needed please for a charity in Kenya. I have inherited a router for the main internet connection on site. The config has been (mis)managed by the ISP up to now. I am no router expert so I desperately need some help. It is a Cisco 887. The behaviour seems very strange: the default gateway witnessed at each of the clients seems to change from 192.168.0.1 to 192.168.1.1. The changes may be caused by intermittent power to the router (trying to fix this!). This causes problems for clients. DHCP pool appears to be 192.168.0.1 and therefore regularly on a different subnet to the router. I can't see how this ever worked, but with increasing need for wifi we are having big problems. A redacted config is below.

 

Could you give some hints on how to fix or why it would be configured this way please? 

 

Many thanks... (please don't assume much networking or IOS command knowledge)

"ip source-route
!
ip dhcp pool OURNAME
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.1.1
dns-server x.x.x.x y.y.y.y //removed
lease 0 2
!
ip dhcp pool excluded-address 192.168.1.1
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server xx.xx.xx.xx

ip name-server yy.yy.yy.yy.

no ipv6 cef
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description INTERNET
no ip address
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet4.883
description ISPNAME //this is the name of our ISP
encapsulation dot1Q 883
ip address xxx.xxx.xxx.xxx 255.255.255.252  //this is the external IP address
ip nat outside
ip virtual-reassembly in
no cdp enable
!
interface Vlan1
description LAN
ip address 192.168.0.1 255.255.255.0 secondary
ip address 192.168.0.127 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
no ip address
ip nat outside
ip virtual-reassembly in
no cdp enable
!
interface Dialer1
no ip address
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 102 interface FastEthernet4.883 overload

//load of nat rules which we probably don't need and don't work

ip route 0.0.0.0 0.0.0.0 yyy.yyy.yyy.yyy //this is a second external IP address

7 Replies

Harold Ritter
Spotlight

Hi Geoff,

 

You should change the following two commands as follows:

 

from:

default-router 192.168.1.1
ip dhcp pool excluded-address 192.168.1.1

 

to:

default-router 192.168.0.1
ip dhcp pool excluded-address 192.168.0.1

 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

thanks will try this.

Rich Uline
Level 1

Geoffknight,

Taking a cursory glance at your config, I find the following issues:

  • You should never allow the source of the traffic to tell the router how to route.
  • Your DHCP pool is using a default-router outside of its subnet.
  • On the VLAN 1 SVI, you have an unnecessary IP address assigned.

Additionally, because you have a static IP on Fa4.883 and you are a stub, you should specify both the next-hop IP and the exit interface if your device allows it. You are missing a lot of basic security settings as well, but I think the scope of that is too large to go into here.

no ip source-route

ip dhcp pool OURNAME
 no default-router 192.168.1.1
 default-router 192.168.0.1

no ip route 0.0.0.0 0.0.0.0 yyy.yyy.yyy.yyy
ip route 0.0.0.0 0.0.0.0 Fa4.883 yyy.yyy.yyy.yyy name DEFAULT_ROUTE_ISPNAME

int Vlan1
 no ip address 192.168.0.1 255.255.255.0 secondary
 ip address 192.168.0.1 255.255.255.0

Try making these changes and let us know how it worked out for you.

Thank you - very helpful. 

 

What does this command do?

no ip route 0.0.0.0 0.0.0.0 yyy.yyy.yyy.yyy
ip route 0.0.0.0 0.0.0.0 Fa4.883 yyy.yyy.yyy.yyy name DEFAULT_ROUTE_ISPNAME

 and I assume I don't need this on VLAN1?:
ip address 192.168.0.127 255.255.255.0

 

Thanks again.

Hello

Just like to add - Not sure why you have secondary addressing on the svi vlan1 interface?
Also I don't see any access-list 102 for the nat translation.

 

So with the other suggestions I would say also create an access-list if one isn't already applied

 

access-list 102 permit ip 192.168.0.0 0.0.0.255 any

 

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I have the access list actually, I just hadn't posted - apologies. 

I don't understand what the secondary addressing would be doing. Removing the 192.168.0.127 address (which isn't correct), seems to have removed that 192.168.0.1 secondary address and the interface has no ip address. 

 

apologies for stupid questions, but if I run:

conf t

int Vlan1

ip address 192.168.0.1 255.255.255.0 secondary

 

It should commit to config again right? This does not seem to work.

Hi Geoff,

 

Since you have only one ip address on the interface, you do not need the secondary keyword.

 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)