
DHCP not obtained on Vlan

wilmottech
Level 1

Hi,

 

I'm trying to figure out why DHCP is not being handed out on Vlan 1303. I have a DHCP server on Vlan 1300 that's working fine, but I have DHCP set up on an 800 series ISR and am not getting an IP address handed out. I have fastethernet2 set up on vlan 1303. When I enter a static IP into the machine it works fine.

 

I've copied the parts that I think are needed below:

 

ip dhcp excluded-address 192.168.168.1 192.168.168.127
!
ip dhcp pool vlan1303
 network 192.168.168.0 255.255.255.0
 default-router 192.168.168.1
 dns-server 192.168.168.1
!

interface FastEthernet0
 description a0-1000-r223.distribution.gi30
 switchport trunk native vlan 1300
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 description tz300.x1
 switchport trunk native vlan 1300
 switchport mode trunk
 no ip address
!
interface FastEthernet2
 switchport access vlan 1303
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address

!
interface Vlan1303
 ip address 192.168.168.1 255.255.255.0
 ip access-group vlan1303-in in
 ip nat inside
 ip virtual-reassembly in
!

ip access-list extended vlan1303-in
 permit tcp any 192.168.0.0 0.0.0.255 eq 443
 permit tcp any host 192.168.0.220 eq 3389
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any any eq bootpc
 permit udp any any eq bootps
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.0.0.0 0.240.255.255
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any

22 Replies

amikat
Level 7

Hi,

Will you please add the command "ip helper-address address_of_your_DHCP_server_at_Vlan1300" under "interface Vlan1303".

Best regards,

Antonin

Antonin makes an interesting suggestion about using helper address. If they have configured the DHCP scope on the router I doubt that there is also a scope for that network on the server. But perhaps they can move the scope to the server and solve the issue that way.

 

HTH

 

Rick

I did this as well and it did not resolve the issue.

Here's a full dump of what's in my ISR, public IPs are altered:

 

boot-start-marker
boot-end-marker
!
!
logging buffered 4096
logging persistent
logging monitor informational
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default none
aaa authentication ppp vpdn_auth group radius
aaa authorization network default group radius
!
!
!
!
!
aaa session-id common
!
clock timezone EST -5 0
clock summer-time EDT recurring
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.168.1 192.168.168.127
!
ip dhcp pool vlan1303
 network 192.168.168.0 255.255.255.0
 default-router 192.168.168.1
 dns-server 192.168.168.1
!
!
ip cef
ip flow-cache timeout inactive 60
ip flow-cache timeout active 1
ip domain name company.local
ip name-server xxx.xxx.x.x
ip name-server xxx.xxx.x.x
ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp
ip inspect name fw dns
ip inspect name fw tacacs
ip inspect name fw tacacs-ds
ip inspect name fw l2tp
ipv6 unicast-routing
ipv6 cef
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
!
!
!
!
license udi pid CISCO891-K9 sn FGL164623MY
!
!
object-group network facs-hosts
 host yyy.yy.yy.yyy
!
object-group network infrastructure
 host 192.168.0.4
!
object-group network level3.dns
 host xxx.xxx.x.x
 host xxx.xxx.x.x
!
object-group network mgmt-hosts
 host zzz.zz.zz.zz
 host zzz.zz.zz.zz.
 host zzz.zz.zz.zz.
!
object-group network servers
 range 192.168.0.200 192.168.0.254
 range 192.168.0.200 192.168.0.229
 host 192.168.0.44
 host 192.168.0.71
 host 192.168.0.35
 host 192.168.0.67
 host 192.168.0.60
 host 192.168.0.38
!
!
no spanning-tree vlan 1300
vtp mode transparent
!
!
!
!
vlan 1300,1302-1307
!
!
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key weBu6puww address ff.ff.ff.ff
crypto isakmp key QT359ybruk address ff.ff.ff.ff
crypto isakmp key HEeKd5ewUs address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set default_windows esp-aes esp-sha-hmac
crypto ipsec transform-set ipsec_dyn_ts esp-3des esp-md5-hmac
crypto ipsec transform-set L2TP esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP_dm 1000
 set transform-set L2TP
!
crypto dynamic-map ipsec_dyn 10
 set security-association lifetime seconds 86400
 set transform-set ipsec_dyn_ts
 match address ipsec_dyn
!
!
crypto map site_monitor_tunnel 12 ipsec-isakmp
 set peer gg.gg.gg.gg
 set transform-set default_windows
 match address local_to_wilmottechnologies
crypto map site_monitor_tunnel 14 ipsec-isakmp dynamic ipsec_dyn
crypto map site_monitor_tunnel 1000 ipsec-isakmp dynamic L2TP_dm
!
!
!
!
!
interface Tunnel0
 no ip address
 shutdown
 ipv6 address 20d01:4470:1C:912::2/64
 ipv6 enable
 ipv6 traffic-filter publicRX in
 tunnel source ss.ss.ss.ss
 tunnel mode ipv6ip
 tunnel destination hh.hh.hh.hh
!
interface FastEthernet0
 description a0-1000-r223.distribution.gi30
 switchport trunk native vlan 1300
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 description tz300.x1
 switchport trunk native vlan 1300
 switchport mode trunk
 no ip address
!
interface FastEthernet2
 switchport access vlan 1303
 switchport mode access
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 ip address gg.gg.gg.gg ff.ff.ff.ff
 ip access-group wan-to-lan in
 ip nat outside
 ip inspect fw out
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered Vlan1300
 peer default ip address dhcp
 ppp authentication ms-chap-v2 vpdn_auth
!
interface GigabitEthernet0
 ip address 45.18.66.54 255.255.255.251
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map site_monitor_tunnel
!
interface Vlan1
 no ip address
 ip virtual-reassembly in
 ipv6 nd ra suppress
!
interface Vlan1300
 ip address 192.168.20.8 255.255.255.0 secondary
 ip address 192.168.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan1303
 ip address 192.168.168.1 255.255.255.0
 ip access-group vlan1303-in in
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool l2tptest 192.168.22.127 192.168.22.132
ip forward-protocol nd
!
ip flow-export version 9
!
no ip http server
no ip http secure-server
ip dns view company.local
 no domain lookup
 dns forwarding
 dns forwarder 192.168.0.216
 dns forwarder 192.168.0.204
 dns forwarding source-interface Vlan1
ip dns view default
 dns forwarder 209.234.0.3
 dns forwarder 209.234.0.4
ip dns view-list view-default
 view anselmahouse.local 1
  restrict name-group 1
 view default 100
ip dns name-list 1 permit company.LOCAL
ip dns name-list 1 permit .*.company.LOCAL
ip dns server view-group view-default
ip dns server
ip nat inside source static tcp 192.168.0.204 1723 interface FastEthernet8 1723
ip nat inside source list 199 interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.0.212 2525 132.149.172.238 25 extendable
ip nat inside source static tcp 192.168.0.204 80 132.149.172.238 80 route-map nonat extendable
ip nat inside source static tcp 192.168.0.204 443 132.149.172.238 443 route-map nonat extendable
ip nat inside source static tcp 192.168.0.204 1688 132.149.172.238 1688 route-map nonat extendable
ip nat inside source static tcp 192.168.20.90 1911 132.149.172.238 1911 route-map nonat extendable
ip nat inside source static tcp 192.168.0.60 22 132.149.172.238 2201 route-map nonat extendable
ip nat inside source static tcp 192.168.20.90 3011 132.149.172.238 3011 route-map nonat extendable
ip nat inside source static tcp 192.168.20.90 8011 132.149.172.238 8011 route-map nonat extendable
ip nat inside source static tcp 192.168.0.221 3389 132.149.172.238 8903 route-map nonat extendable
ip nat inside source static tcp 192.168.0.204 3389 132.149.172.238 8904 route-map nonat extendable
ip nat inside source static tcp 192.168.0.220 3389 132.149.172.238 8908 route-map nonat extendable
ip nat inside source static tcp 192.168.0.222 3389 132.149.172.238 8909 route-map nonat extendable
ip route 0.0.0.0 0.0.0.0 72.139.72.37
ip route 172.164.44.0 255.255.255.0 192.168.0.8
ip route 192.168.16.0 255.255.255.0 192.168.0.8
ip route 192.168.18.0 255.255.255.0 192.168.0.8
ip route 192.168.99.0 255.255.255.0 192.168.0.8
!
ip access-list standard management4
 permit 192.168.0.0 0.0.255.255
 permit 10.0.0.0 0.255.255.255
 permit 172.0.0.0 0.240.255.255
 permit 172.142.50.0 0.0.0.255
!
ip access-list extended ipsec_dyn
 permit ip 192.168.0.0 0.0.0.255 172.16.8.0 0.0.0.255
ip access-list extended local_to_technologies
 permit ip 192.168.0.0 0.0.0.255 172.16.4.0 0.0.0.255
ip access-list extended nat_routemap_nonat
 deny   ip 192.168.0.0 0.0.0.255 172.16.3.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 172.16.4.0 0.0.0.255
 deny   ip 172.16.4.0 0.0.0.255 172.16.9.0 0.0.0.255
 deny   ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 172.16.5.0 0.0.0.255 any
ip access-list extended vlan1303-in
 permit tcp any 192.168.0.0 0.0.0.255 eq 443
 permit tcp any host 192.168.0.220 eq 3389
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any any eq bootpc
 permit udp any any eq bootps
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.0.0.0 0.240.255.255
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
ip access-list extended wan-to-lan
 permit tcp any any range 8900 8909
 permit tcp any any range 2201 2209
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit tcp any any eq 1723
 permit tcp any any eq www
 permit gre any any
 permit esp any any
 permit ahp any any
 permit tcp any any eq 8011
 permit tcp any any eq 1911
 permit tcp any any eq 3011
 permit tcp any any eq smtp
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit ip object-group level3.dns any
 permit icmp any any echo
 permit udp any any eq snmp
 permit tcp 72.148.61.0 0.0.0.255 any eq 1688
 permit tcp 205.124.127.0 0.0.0.255 any eq 1688
 permit tcp host 172.142.117.6 any eq 1688
 permit tcp host 64.39.171.21 any eq 1688
 permit tcp host 199.27.203.58 any eq 1688
 permit tcp host 199.235.216.22 any eq 1688
 permit tcp 198.143.185.167 0.0.0.7 any eq 1688
!
ip radius source-interface Vlan1
logging source-interface Vlan1
logging 192.168.0.216
logging 192.168.16.208
access-list 199 deny   ip any host 192.42.116.41 log
access-list 199 deny   ip any host 212.227.252.198 log
access-list 199 deny   ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 199 deny   ip 172.16.4.0 0.0.0.255 172.16.7.0 0.0.0.255
access-list 199 deny   ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 199 deny   ip 192.168.0.0 0.0.0.255 172.16.7.0 0.0.0.255
access-list 199 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 199 deny   tcp 192.168.0.0 0.0.255.255 any eq 57650 log
access-list 199 permit ip host 192.168.18.22 any
access-list 199 permit ip host 192.168.18.10 any
access-list 199 permit ip 192.168.0.0 0.0.0.255 any
access-list 199 permit ip 192.168.20.0 0.0.0.255 any
access-list 199 permit ip 192.168.99.0 0.0.0.255 any
access-list 199 permit ip 192.168.168.0 0.0.0.255 any
access-list 199 permit ip 173.160.4.0 0.0.0.255 any
no cdp run
ipv6 route ::/0 Tunnel0
!
!
!
!
route-map nonat permit 10
 match ip address nat_routemap_nonat
!
!
snmp-server community publicIPV6 RO ipv6 management
snmp-server community public RO management4
!
radius server auth04-1-1.company.local
 address ipv4 192.168.0.216 auth-port 1645 acct-port 1646
 key 7 08167C572E21303F2B3F
!
!
!
ipv6 access-list publicRX
 deny tcp any any eq 445
 deny tcp any any eq 137
 deny tcp any any eq 139
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 permit ipv6 any any
 permit icmp any any
!
ipv6 access-list management
 permit ipv6 2001:470:1D:90E::/64 any
 permit ipv6 2001:470:1D:90D::/64 any
 permit ipv6 2001:470:B2AA::/48 any
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 session-timeout 120  output
 exec-timeout 120 0
 transport input ssh
!
ntp source Vlan1
ntp peer 0.pool.ntp.org
end

Hi,

Will you please post the "show ip dhcp conflict" command output.

Thanks & Regards,

Antonin

Hi,

I tested your configuration in my lab and it is working fine:

 60 permit udp any any eq bootps (33 matches)

 

Please clear DHCP Binding, DHCP database from the router and check again. I hope this will clear your issues. 

One more thing: kindly confirm that no ACL, ARP spoofing or DHCP spoofing is configured on your switches.

 

Regards, 

Deepak Kumar


Hi Everyone,

I wonder if the ISR was in some loop, but I typed the show dhcp conflicts and there were quite a few of them, then I did the release of the DHCP bindings, at which point I had no access to the ISR. I restarted the ISR by physically unplugging the power and turning it back on. Then everything was working.

Thanks to everyone for your help on this. I'm not sure what exactly fixed the issue.

Thanks for posting back and letting us know that you have solved your problem. +5 for that. The lesson that we can learn from this is that sometimes, when we are looking at a problem and the config seems to be correct but the behavior is different, a reboot may get it working again.

HTH

Rick
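
The vlan1303-in ACL posted in the thread can be checked offline for whether it lets a client's DHCP broadcast through, which is what the lab counter on "60 permit udp any any eq bootps" measured. The following is an added example, not code from the thread or from Cisco: a first-match evaluator that applies IOS wildcard-mask semantics to that ACL. It models only the keywords this ACL uses (any, host, eq and the three named ports), and the test packet is constructed.

```python
from ipaddress import IPv4Address as IP
# vlan1303-in as posted; IOS default numbering makes line six sequence 60.
ACL = """\
permit tcp any 192.168.0.0 0.0.0.255 eq 443
permit tcp any host 192.168.0.220 eq 3389
permit udp any any eq domain
permit tcp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.0.0.0 0.240.255.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
"""
PORTS = {"domain": 53, "bootps": 67, "bootpc": 68}

def take_addr(tok):
    """Consume 'any', 'host A' or 'A W' from tok -> (base, wildcard)."""
    head = tok.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(IP(tok.pop(0))), 0
    return int(IP(head)), int(IP(tok.pop(0)))

def parse(text):
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = take_addr(tok), take_addr(tok)
        name = tok[1] if tok[:1] == ["eq"] else None
        port = None if name is None else int(PORTS.get(name, name))
        rules.append((n * 10, action, proto, src, dst, port))
    return rules

def hit(addr, spec):
    """Wildcard bits set to 1 are ignored; every other bit must equal base."""
    return ((int(IP(addr)) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0

def evaluate(rules, proto, src, dst, dport=None):
    """First match wins, as on IOS; falling off the end is the implicit deny."""
    for seq, action, rproto, rsrc, rdst, rport in rules:
        if (rproto in ("ip", proto) and hit(src, rsrc) and hit(dst, rdst)
                and rport in (None, dport)):
            return seq, action
    return None, "deny"

RULES = parse(ACL)
print(evaluate(RULES, "udp", "0.0.0.0", "255.255.255.255", 67))  # constructed DHCPDISCOVER
```

The same evaluator shows that the entry `deny ip any 172.0.0.0 0.240.255.255` matches 172.16.x.x but not 172.17.x.x through 172.31.x.x, because that wildcard pins the low four bits of the second octet to zero; traffic to those addresses falls through to `permit ip any any`. The contiguous form that covers all of 172.16.0.0/12 is `172.16.0.0 0.15.255.255`.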