06-19-2023 12:39 PM
Hello,
We have a weird issue here with a 3650 switch. We have it configured to give out DHCP addresses; below are the details:
Network: 10.106.148.0 255.255.254.0 (/23)
Default router: 10.106.148.2
VLAN 148 IP: 10.106.148.2 255.255.254.0
The issue is: clients who get an address assigned in the 10.106.148.x range work perfectly fine and can browse the internet, but the clients who get an address assigned in the 10.106.149.x range cannot browse the internet. Can you help?
06-19-2023 12:43 PM
Hi
What about this guy, "default router: 10.106.148.2"? Does this gateway have a /23 or /24 subnet mask on its interface?
06-19-2023 12:44 PM
It has /23. It's SVI VLAN 148, see below.
interface Vlan148
description New_Wireless_VLAN_AQUA_GYM_3rd_FLOOR_DECK
ip address 10.106.148.2 255.255.254.0
06-19-2023 12:47 PM - edited 06-19-2023 12:48 PM
What about NAT? Do you have NAT on this device or another device? Any chance the access list is matching only /24?
Can you share the show running-config?
06-19-2023 12:49 PM
NAT is being done on the ASA. Added a static route on it also.
DHCP config is all on the core 3650 switch.
06-19-2023 12:51 PM
06-19-2023 12:54 PM
There is an ASA; check the ACL and NAT in the FW.
06-19-2023 12:59 PM
What should be the correct ACL and NAT for this?
How is /24 working? That's what I'm confused about.
06-19-2023 01:03 PM
The /23 supernet includes many /24 subnets.
If you use /24 in the ACL and NAT, then you allow a portion of the /23 supernet, not all of it.
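To make the point above concrete, here is an added example (not code from the original thread or from Cisco) that checks whether a DHCP pool is fully covered by the prefixes a firewall ACL or NAT rule references, and reports the uncovered remainder. The pool mirrors the thread's 10.106.148.0/23; the /24 object used as the "wrong" firewall prefix is an assumption, since the thread never shows the ASA NAT configuration. It also accepts the "address netmask" form that ASA output uses.

```python
"""Supernet coverage check for firewall ACL / NAT prefixes.

Added example, not part of the original thread. The pool matches the
thread's /23; the /24 firewall prefix is a constructed assumption, because
the ASA NAT statements were never posted.
"""
import ipaddress
from typing import Iterable, List


def asa_to_network(text: str) -> ipaddress.IPv4Network:
    """Convert ASA 'address mask' notation (e.g. '10.106.148.0 255.255.254.0')
    or plain CIDR into an IPv4Network."""
    text = text.strip()
    if " " in text:
        addr, mask = text.split()
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(text, strict=False)


def uncovered_ranges(pool: str, covered: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the parts of `pool` that no prefix in `covered` matches.

    CIDR blocks are either nested or disjoint, so each covered prefix either
    swallows a remaining chunk, carves a hole out of it, or does not touch it.
    """
    remaining = [asa_to_network(pool)]
    for prefix in covered:
        net = asa_to_network(prefix)
        next_remaining = []
        for chunk in remaining:
            if chunk.subnet_of(net):
                continue  # chunk fully covered by this prefix
            if net.subnet_of(chunk):
                # prefix is strictly inside the chunk: keep what is left around it
                next_remaining.extend(chunk.address_exclude(net))
            else:
                next_remaining.append(chunk)  # disjoint, untouched
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def host_covered(host: str, covered: Iterable[str]) -> bool:
    """True if a single client address falls inside any covered prefix."""
    ip = ipaddress.ip_address(host)
    return any(ip in asa_to_network(p) for p in covered)


if __name__ == "__main__":
    pool = "10.106.148.0 255.255.254.0"          # the thread's DHCP pool (/23)
    wrong_rule = ["10.106.148.0 255.255.255.0"]  # assumed /24 object on the ASA
    right_rule = ["10.106.148.0 255.255.254.0"]  # object widened to the /23

    print("uncovered with /24 rule:", [str(n) for n in uncovered_ranges(pool, wrong_rule)])
    print("uncovered with /23 rule:", [str(n) for n in uncovered_ranges(pool, right_rule)])
    for client in ("10.106.148.50", "10.106.149.50"):
        print(client, "covered by /24 rule:", host_covered(client, wrong_rule))
```

With the /24 object the script reports 10.106.149.0/24 as uncovered, which is exactly the half of the pool whose clients cannot reach the internet; with the object widened to the /23 the remainder is empty. Running it against the actual prefixes in the ASA NAT and ACL statements shows at a glance whether a pool change on the switch was matched on the firewall.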
06-19-2023 01:08 PM
Can I see the NAT and ACL you apply on the ASA?
06-19-2023 12:47 PM
What I can't understand is: how is 10.106.148.x working, and how is 10.106.149.x not able to get out to the internet?
06-19-2023 01:00 PM
It should be able.
The only thing I see weird is that you have an access group applied to the interface VLAN but you do not have an access list for it.
interface Vlan148
description New_Wireless_VLAN_AQUA_GYM_3rd_FLOOR_DECK
ip address 10.106.148.2 255.255.254.0
ip access-group 148 in
!
Anything else is fine.
You should check on the firewall. You might have some access list there with /24 or NAT with /24.
06-19-2023 01:04 PM
The access-list for it is any any. I just tested it. Still doesn't work.
06-19-2023 01:06 PM
I don't believe your problem is on the switch. You need to check on the firewall. Either you have an ACL with /24 or NAT with /24.
06-19-2023 01:07 PM
Here are the access-lists on the ASA:
AQUA-ASA# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inside-acl; 1 elements; name hash: 0x9aaccf92
access-list inside-acl line 1 extended permit ip any4 any4 (hitcnt=8659241) 0x8cf63941
access-list outside_cryptomap; 2 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip object Aqua-Secuirty-Network object-group Remote-Radisson-Network (hitcnt=0) 0x65e20539
access-list outside_cryptomap line 1 extended permit ip 10.106.157.0 255.255.255.0 10.144.20.0 255.255.255.0 (hitcnt=0) 0xd1b43512
access-list outside_cryptomap line 1 extended permit ip 10.106.157.0 255.255.255.0 10.144.24.0 255.255.254.0 (hitcnt=1314) 0x6937437b
access-list inbound; 4 elements; name hash: 0x793e9c88
access-list inbound line 1 extended permit tcp any object building_automation_sys eq www (hitcnt=0) 0xcd0ab5a1
access-list inbound line 1 extended permit tcp any host 10.106.160.125 eq www (hitcnt=0) 0xcd0ab5a1
access-list inbound line 2 extended permit tcp any object building_automation_sys eq https (hitcnt=1063) 0x0a6f4bd0
access-list inbound line 2 extended permit tcp any host 10.106.160.125 eq https (hitcnt=1063) 0x0a6f4bd0
access-list inbound line 3 extended permit tcp any object building_automation2 eq www (hitcnt=0) 0xf784a3a7
access-list inbound line 3 extended permit tcp any host 10.0.76.9 eq www (hitcnt=0) 0xf784a3a7
access-list inbound line 4 extended permit tcp any object building_automation2 eq https (hitcnt=7062) 0x9905aeb6
access-list inbound line 4 extended permit tcp any host 10.0.76.9 eq https (hitcnt=7062) 0x9905aeb6
access-list vpn20; 1 elements; name hash: 0x9abed872
access-list vpn20 line 1 extended permit ip 10.106.0.0 255.255.255.0 10.0.12.0 255.255.255.0 (hitcnt=0) 0x7cb745fc
access-list split; 2 elements; name hash: 0x279e4d7e
access-list split line 1 standard permit 10.1.30.0 255.255.255.0 (hitcnt=0) 0x8fe0d327
access-list split line 2 standard permit 10.106.0.0 255.255.0.0 (hitcnt=0) 0x9af85c32
access-list AnyConnect_Client_Local_Print; 8 elements; name hash: 0xe76ce9d1
access-list AnyConnect_Client_Local_Print line 1 extended deny ip any4 any4 (hitcnt=0) 0x1431053a
access-list AnyConnect_Client_Local_Print line 2 extended permit tcp any4 any4 eq lpd (hitcnt=0) 0xf431783b
access-list AnyConnect_Client_Local_Print line 3 remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print line 4 extended permit tcp any4 any4 eq 631 (hitcnt=0) 0x0a055e45
access-list AnyConnect_Client_Local_Print line 5 remark Windows' printing port
access-list AnyConnect_Client_Local_Print line 6 extended permit tcp any4 any4 eq 9100 (hitcnt=0) 0x077d9659
access-list AnyConnect_Client_Local_Print line 7 remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print line 8 extended permit udp any4 host 224.0.0.251 eq 5353 (hitcnt=0) 0xaad2a11b
access-list AnyConnect_Client_Local_Print line 9 remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print line 10 extended permit udp any4 host 224.0.0.252 eq 5355 (hitcnt=0) 0xbf7a7137
access-list AnyConnect_Client_Local_Print line 11 remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print line 12 extended permit tcp any4 any4 eq 137 (hitcnt=0) 0xe657df61
access-list AnyConnect_Client_Local_Print line 13 extended permit udp any4 any4 eq netbios-ns (hitcnt=0) 0x3094a846
AQUA-ASA#