07-17-2014 12:00 PM - edited 03-07-2019 08:06 PM
Hello,
I am semi-familiar with PIX/ASA, but I am having problems with IOS syntax. I am working with an 819 4G ISR:
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 30-Jan-14 02:12 by prod_rel_team
ROM: System Bootstrap, Version 15.2(2r)T, RELEASE SOFTWARE (fc1)
I am working on an initial config for this router. I am planning on using these 819s as remote-site routers, with 4G cellular as the backup WAN, DSL or cable as the primary WAN, and 2 VPN tunnels: 1 back to HDQ and one to a 3rd-party vendor. I have just begun working with this router. I am trying to configure the VLAN on the 4-port switch as the inside LAN, with Gigabit 0 as the primary WAN and Cellular 0 as the backup WAN. But I am stuck at the moment trying to get DHCP on VLAN 2 to the 4-port switch.
What I am trying to accomplish is to give the router an IP on the local LAN of 192.168.34.1, which will also provide DHCP of 192.168.34.100-200 on the LAN, with 192.168.34.1 eventually having access to the VPN tunnel. I really wish there was a nice converter so I could just drop my ASA config into it and recreate it for IOS.
See Below:
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 122
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-476046398
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-476046398
revocation-check none
rsakeypair TP-self-signed-476046398
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.34.0
ip dhcp excluded-address 192.168.34.210
ip dhcp excluded-address 192.168.34.1 192.168.34.99
!
ip dhcp pool Inside
import all
network 192.168.34.0 255.255.255.0
default-router 192.168.34.1
dns-server 192.168.0.5
lease 7
!
!
!
no ip domain lookup
ip domain name bentire.com
ip name-server 4.2.2.2
ip name-server 8.8.8.8
ip name-server 192.168.0.5
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK"
!
!
!
!
!
!
license udi pid C819G-4G-V-K9 sn FTX182083AB
!
!
username ****** privilege 15 secret 5 *****
!
!
!
!
!
controller Cellular 0
!
track 1 ip sla 1 reachability
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
async mode interactive
!
interface FastEthernet0
description InsideLAN
switchport access vlan 2
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface GigabitEthernet0
description OutsideWan
ip address dhcp
ip nat enable
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.34.1 255.255.255.0
ip nat enable
!
ip local policy route-map track-primary-if
ip default-gateway 192.168.0.1
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map nat2backup interface Cellular0 overload
ip nat inside source route-map nat2primary interface GigabitEthernet0 overload
ip default-network 192.168.0.0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0 253
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip sla auto discovery
ip sla 1
icmp-echo 74.125.39.99 source-interface GigabitEthernet0
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0
!
route-map nat2primary permit 1
match ip address 198
match interface GigabitEthernet0
!
route-map nat2backup permit 1
match ip address 198
match interface Cellular0
!
access-list 198 permit ip any any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
script dialer lte
modem InOut
no exec
transport input all
line vty 0 4
privilege level 15
password
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
privilege level 15
password
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
!
end
07-17-2014 02:08 PM
The DHCP configuration looks good for the most part. Here are the first things I would do:
If you want DHCP assignments in the range of 192.168.34.100-200, add the following lines to your configuration:
no ip dhcp excluded-address 192.168.34.0
no ip dhcp excluded-address 192.168.34.210
ip dhcp excluded-address 192.168.34.200 192.168.34.254
Those will define the range a bit better.
You're also using two different kinds of NAT statements that aren't going to produce a working configuration. If you're going to use "ip nat enable" on your interfaces, you're using a technology called NAT Virtual Interface (NVI) which requires a different syntax in your NAT definitions later in the configuration.
Remove the existing NAT definitions with the following commands:
no ip nat inside source route-map nat2backup interface Cellular0 overload
no ip nat inside source route-map nat2primary interface GigabitEthernet0 overload
Add NVI-compatible definitions with the following commands:
ip nat source route-map nat2backup interface Cellular0 overload
ip nat source route-map nat2primary interface GigabitEthernet0 overload
You also need an access-list 197 to cover your local policy routing. A missing ACL with a local policy can mess up communications to and from the router. This should accomplish what you're looking for:
access-list 197 permit icmp any host 74.125.39.99 echo
Your local policy is also using an interface clause that relies on the ISP supporting proxy ARP... and many don't. This may give better results:
route-map track-primary-if permit 1
match ip address 197
no set interface GigabitEthernet0
set ip next-hop dynamic dhcp
set interface null0
The above will cause your local policy to use the DHCP-assigned next hop from the WAN interface and will drop the ICMP echo if there isn't one.
Lastly, do a "show vlan-switch" and make sure that VLAN 2 has been defined. If it hasn't, no traffic will flow on any ports that have been assigned to it.
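As an added example (it is not part of the thread and not a Cisco tool), the following Python script applies the three configuration checks from the answer above to the posted running-config: it reports NVI NAT ("ip nat enable" / "ip nat source") mixed with legacy NAT ("ip nat inside|outside" / "ip nat inside source"), which also catches the "ip nat outside" still sitting on Cellular0; it reports any route-map whose "match ip address" names an ACL that is never defined, such as 197; and it computes which addresses the "ip dhcp excluded-address" entries actually leave for the Inside pool and compares them with the intended 192.168.34.100-200 range. SAMPLE_CONFIG is a constructed excerpt of the configuration posted above, and the function and parameter names are the example's own. The VLAN database ("show vlan-switch") is not part of the running-config, so that last check in the answer cannot be scripted this way.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: the NAT, DHCP and policy-routing fragments of the config posted above.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.168.34.0
ip dhcp excluded-address 192.168.34.210
ip dhcp excluded-address 192.168.34.1 192.168.34.99
ip dhcp pool Inside
 network 192.168.34.0 255.255.255.0
interface Cellular0
 ip nat outside
interface GigabitEthernet0
 ip nat enable
interface Vlan2
 ip nat enable
ip nat inside source route-map nat2backup interface Cellular0 overload
ip nat inside source route-map nat2primary interface GigabitEthernet0 overload
route-map track-primary-if permit 1
 match ip address 197
 set interface GigabitEthernet0
route-map nat2backup permit 1
 match ip address 198
access-list 198 permit ip any any
"""

Block = Tuple[str, List[str]]  # (global command line, its indented sub-commands)

def parse_blocks(config: str) -> List[Block]:
    """Group a running-config into command/sub-command pairs; '!' separators are dropped."""
    blocks: List[Block] = []
    for line in (raw.rstrip() for raw in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        if not line[0].isspace():
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def check_nat_mode(blocks: List[Block]) -> List[str]:
    """Flag NVI NAT ('ip nat enable' + 'ip nat source') mixed with legacy NAT
    ('ip nat inside|outside' + 'ip nat inside source'); the two styles do not combine."""
    nvi_ifs, legacy_ifs, nvi_rules, legacy_rules = [], [], [], []
    for header, body in blocks:
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            if "ip nat enable" in body:
                nvi_ifs.append(name)
            if any(cmd in ("ip nat inside", "ip nat outside") for cmd in body):
                legacy_ifs.append(name)
        elif header.startswith("ip nat inside source "):
            legacy_rules.append(header)
        elif header.startswith("ip nat source "):
            nvi_rules.append(header)
    # each tuple: (message, evidence); 'a and b' is b when a is non-empty, else [] (falsy)
    problems = [(f"NVI interfaces {nvi_ifs} with legacy 'ip nat inside source' rules", nvi_ifs and legacy_rules),
                (f"legacy interfaces {legacy_ifs} with NVI 'ip nat source' rules", legacy_ifs and nvi_rules),
                (f"NVI interfaces {nvi_ifs} mixed with legacy-mode interfaces", nvi_ifs and legacy_ifs)]
    return [f"NAT: {msg}: {detail}" for msg, detail in problems if detail]

def check_acl_refs(blocks: List[Block]) -> List[Tuple[str, str]]:
    """(route-map, acl) pairs whose 'match ip address' names an ACL that is never defined."""
    defined = {m.group(1) for header, _ in blocks
               for m in [re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", header)] if m}
    missing = []
    for header, body in blocks:
        if header.startswith("route-map "):
            for cmd in body:
                tok = cmd.split()
                if tok[:3] == ["match", "ip", "address"] and tok[3:4] != ["prefix-list"]:
                    missing += [(header.split()[1], acl) for acl in tok[3:] if acl not in defined]
    return missing

def dhcp_assignable(blocks: List[Block], pool: str) -> List[ipaddress.IPv4Address]:
    """Addresses the pool can lease: the network's hosts minus every 'excluded-address' entry
    (static exclusions only; IOS additionally skips addresses it finds in use)."""
    excluded, network = set(), None
    for header, body in blocks:
        if header.startswith("ip dhcp excluded-address "):
            bounds = header.split()[3:]  # a single address, or "low high"
            lo, hi = int(ipaddress.ip_address(bounds[0])), int(ipaddress.ip_address(bounds[-1]))
            excluded.update(range(lo, hi + 1))
        elif header == f"ip dhcp pool {pool}":
            net_cmd = next(cmd for cmd in body if cmd.startswith("network "))
            network = ipaddress.ip_network("/".join(net_cmd.split()[1:3]), strict=False)
    assert network is not None, f"no 'ip dhcp pool {pool}' in config"
    return [host for host in network.hosts() if int(host) not in excluded]

def lint(config: str, pool: str, first: str, last: str) -> List[str]:
    """All findings for one config; an empty list means the three checks pass."""
    blocks = parse_blocks(config)
    findings = check_nat_mode(blocks)
    findings += [f"route-map {r} matches undefined ACL {a}" for r, a in check_acl_refs(blocks)]
    leases = dhcp_assignable(blocks, pool)
    want = range(int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last)) + 1)
    if [int(h) for h in leases] != list(want):
        findings.append(f"pool {pool} leases {leases[0]}-{leases[-1]} "
                        f"({len(leases)} addresses), wanted {first}-{last}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG, "Inside", "192.168.34.100", "192.168.34.200") or ["no findings"]:
        print(finding)
```

Run against the excerpt it prints four findings: two NAT findings (legacy "ip nat inside source" rules next to "ip nat enable" interfaces, and Cellular0 still in legacy mode with "ip nat outside"), the undefined ACL 197 on track-primary-if, and a pool that currently leases .100-.209 and .211-.254 instead of .100-.200. Applying the answer's changes (the "ip nat source" rules, ACL 197, the new exclusions) together with "ip nat enable" in place of "ip nat outside" on Cellular0 clears the NAT and ACL findings. The range check is the one caveat worth knowing: an exclusion that starts at 192.168.34.200 removes .200 itself, so the pool then leases .100-.199; start the exclusion at .201 if .200 should be assignable.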