Solved: Re: DHCP not obtained on Vlan

wilmottech · ‎03-20-2018

Hi,

I'm trying to figure out why the DHCP is not being handed out on Vlan 1303. I have a DHCP server on Vlan 1300 that's working fine, but I have DCHP setup on an 800 series ISR and am not getting an IP address handed out. I have fastethernet2 setup on vlan 1303. When I enter a static IP into the machine it works fine.

I've copied the parts I think that are needed for this below:

ip dhcp excluded-address 192.168.168.1 192.168.168.127
!
ip dhcp pool vlan1303
network 192.168.168.0 255.255.255.0
default-router 192.168.168.1
dns-server 192.168.168.1
!

interface FastEthernet0
description a0-1000-r223.distribution.gi30
switchport trunk native vlan 1300
switchport mode trunk
no ip address
!
interface FastEthernet1
description tz300.x1
switchport trunk native vlan 1300
switchport mode trunk
no ip address
!
interface FastEthernet2

switchport access vlan 1303

no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address

!
interface Vlan1303
ip address 192.168.168.1 255.255.255.0
ip access-group vlan1303-in in
ip nat inside
ip virtual-reassembly in
!

ip access-list extended vlan1303-in
permit tcp any 192.168.0.0 0.0.0.255 eq 443
permit tcp any host 192.168.0.220 eq 3389
permit udp any any eq domain
permit tcp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
deny   ip any 192.168.0.0 0.0.255.255
deny   ip any 172.0.0.0 0.240.255.255
deny   ip any 10.0.0.0 0.255.255.255
permit ip any any

wilmottech · ‎03-23-2018

Hi Everyone,

I'm wonder if the ISR was in some loop, but I typed the show dhcp conflicts and there were quite a few of them, then I did the release of the dhcp bindings at which point I had no access to the ISR. I restarted the ISR by physically unplugging the power and back on. Then everything was working.

Thanks for everyone for your help on this. I'm not sure what exactly fixed the issue

View solution in original post

Richard Burts · ‎03-26-2018

Thanks for posting back and letting us know that you have solved your problem. +5 for that. The lesson that we can learn from this is that sometimes when we are looking at a problem and the config seems to be correct but the behavior is different that a reboot may get it working again.

HTH

Rick

HTH

Rick

View solution in original post

Reza Sharifi · ‎03-20-2018

Hi,

I think you may need an outbound acl for vlan 1301

ip access-list extended vlan1303-out

permit udp any any eq bootpc
permit ip any any

HTH

wilmottech · ‎03-20-2018

I did the following and I'm getting the same results. No DHCP on port 2:

interface Vlan1303
ip address 192.168.168.1 255.255.255.0
ip access-group vlan1303-in in
ip access-group vlan1303-out out
ip nat inside
ip virtual-reassembly in
!

ip access-list extended vlan1303-out
permit udp any any eq bootpc
permit ip any any
ip access-list extended wan-to-lan

Richard Burts · ‎03-20-2018

I am not sure why my colleague Reza is suggesting an access list here. If the suggested ACL includes permit ip any any then no other statement is needed.

I am not sure why this is not working. The DHCP pool configuration seems to be ok. The vlan interface has an appropriate IP address. I was a bit concerned when I saw an inbound ACL since I have seen this kind of thing impact DHCP. But the ACL does have permit for both bootpc and bootps. So I do not think the ACL is the problem.

Can you check and make sure that service dhcp is enabled. Can you post the output of show ip interface brief? Perhaps a more complete config might show us something?

HTH

Rick

HTH

Rick

wilmottech · ‎03-20-2018

Hi,

This is the information for the interface brief:

Interface                  IP-Address      OK? Method Status                Protocol
Async1                     unassigned      YES unset down                  down
FastEthernet0              unassigned      YES unset up                    up
FastEthernet1              unassigned      YES unset up                    up
FastEthernet2              unassigned      YES unset up                    up
FastEthernet3              unassigned      YES unset down                  down
FastEthernet4              unassigned      YES unset down                  down
FastEthernet5              unassigned      YES unset down                  down
FastEthernet6              unassigned      YES unset down                  down
FastEthernet7              unassigned      YES unset down                  down
FastEthernet8              64.39.176.102   YES NVRAM administratively down down
GigabitEthernet0           72.139.72.38    YES NVRAM up                    up
NVI0                       unassigned      YES unset administratively down down
Tunnel0                    unassigned      YES unset administratively down down
Virtual-Access1            unassigned      YES unset down                  down
Virtual-Access2            unassigned      YES unset up                    up
Virtual-Template1          192.168.0.2     YES unset down                  down
Vlan1                      unassigned      YES unset up                    up
Vlan1300                   192.168.0.2     YES NVRAM up                    up
Vlan1303                   192.168.168.1   YES NVRAM up                    up

Julio E. Moisa · ‎03-20-2018

Hi

The ACL direction could be implemented incorrectly. May I know the reason to apply the ACL to the network associated to the DHCP scope?

Thank you

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Richard Burts · ‎03-20-2018

The ACL is currently applied inbound. Changing the direction to outbound would not make sense to me - especially because of the deny for 192.168.0.0/16 which would deny all traffic going to hosts in network 192.168.168.0.

It looks to me that the deny statements are intended to deny traffic to all of the private address space. I am not sure why they are doing that, but do believe that is what they are trying to do. I note that one line is not configured correctly if that is the intent

deny ip any 172.0.0.0 0.240.255.255

should really be

deny ip any 172.16.0.0 0.240.255.255

HTH

Rick

HTH

Rick

Richard Burts · ‎03-20-2018

Given the discussion about the access list, I would make a suggestion that the ip access-group be removed from the vlan interface. Lets see what happens with no access list. My guess is that there will be no change in the symptoms. But it would be a good thing to test.

HTH

Rick

HTH

Rick

wilmottech · ‎03-20-2018

I have taken the access list out of the equation in the interface vlan1303 and continue to the have the same symptoms.

I'm just as confused because I'm able to get to the Vlan by entering a static IP to the machine.

Richard Burts · ‎03-20-2018

Thanks for trying to take the ACL off the interface. I am not surprised that it did not change things. But it is good that we have tried it and eliminated one potential issue. Have you tried putting service dhcp into global config mode?

HTH

Rick

HTH

Rick

Richard Burts · ‎03-20-2018

Would you post the output of the command show vlan

HTH

Rick

HTH

Rick

wilmottech · ‎03-22-2018

When I type show vlans, I'm getting No Virtual LANs configured

wilmottech · ‎03-20-2018

Basically Vlan1300 is for data/office, Vlan 1303 is for guest (wifi and lan). We don't want them to have access to other networks.

Deepak Kumar · ‎03-21-2018

Hi,

I am not sure what is going on in the network. Can you share a debug output?

debug ip dhcp server packet

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

wilmottech · ‎03-22-2018

It simply states dhcp server packet debugging is on