DHCP not passing across VLANs

Matthew Lucas
Level 1

All,

I'm missing something very basic here - can someone give me a pointer please?

I have a L3 core switch (3550) connected to two access switches (both 2960's) and a DHCP server connected to the core switch. Config summary as follows:

VLAN 100 CORPORATE_WIRED

VLAN 200 GUEST_WIRED

L3 Switch has interface VLAN 100 on 10.1.0.2/24, VLAN 200 on 10.2.0.2/24.

First L2 switch has interface VLAN 100 on 10.1.0.3/24

IP routing is enabled on the L3 Switch

VLAN 100 IP Helper-address on both L3 and L2 switches is 10.1.0.1 - the DHCP server (on the L3 switch port f0/2, switchport mode access, switchport access VLAN 100)

Default-gateway on the L2 switch is 10.1.0.2 (VLAN 100 interface on the L3)

L2 switch has interfaces f0/1 -10 as access ports on VLAN 100, ports f0/11 -21 as access ports on VLAN 200, interface f0/22 as trunk port connected to f0/19 on the L3, also trunk, encapsulation dot1q. On both ports, VLANs 1-1001 allowed

DHCP server is on 10.1.0.1/24 and has two scopes:

CORPORATE_WIRED on 10.1.0.10 - 254/24 with default gateway of 10.1.0.2 (VLAN 100 interface IP on L3)

GUEST_WIRED on 10.2.0.10 - 254/24 with default gateway of 10.2.0.2 (VLAN 200 interface IP on L3)

I have an ACL of: Access-list 101 permit IP 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 (this may not be correct... sort of fumbling around with this area - could this be the problem?)

A device on a VLAN 100 access port on either the L3 or the L2 switch gets the correct DHCP address just fine, but move it onto a VLAN 200 access port on either switch and it fails.

Could someone cast their eye over this and let me know where I've gone wrong, please?


9 Replies

Jon Marshall
Hall of Fame

Do you have the "ip helper-address 10.1.0.1" under the vlan 200 vlan interface ?

If so, the issue may be with your acl, although you haven't said where you have applied it and in which direction.

By the way you don't need an "ip helper-address ..." command under the vlan 100 interface anywhere just in case you have it.

Jon

Hi Jon - that was a quick response.

Yes, I have IP helper of 10.1.0.1 on SVI 200 (and have it on SVI 100 also, but good point that I don't need it).

The ACL I'm not 100% sure on.

The running-config shows: access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

My thinking on that being to allow traffic from anything on 10.x.x.x to access anything on 10.x.x.x but not entirely sure on how correct/elegant/intelligent that is.

Where is the acl applied ie. do you have "ip access-group 101 in" under either of the vlan interfaces ?

And what is the acl meant to be doing ?

Jon

Sorry, just replied before you asked the question. Yes, the ACL is applied to both VLAN interfaces. I'm not sure if I need the ACL or not; I just wanted to ensure that traffic from one VLAN is allowed to travel to the other, though I was pretty sure that was enabled by virtue of enabling IP routing (it's just that I couldn't get DHCP to pass, so figured I'd give it a try).

Happy to be corrected :)

Okay, traffic will be allowed by default.

You need to remove the acl.

What was happening is that for vlan 100 the acl didn't apply for DHCP because the DHCP server is in the same vlan.

But for vlan 200 the acl is applied and because the clients don't yet have an IP your acl is not allowing the DHCP request.

Jon
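To make Jon's point concrete, here is an added illustration (not code from the thread) that evaluates the ACLs posted above the way IOS does: Cisco wildcard matching, first match wins, implicit deny at the end. A client with no lease sends its DHCP DISCOVER from 0.0.0.0 to 255.255.255.255, and that packet is what "ip access-group 101 in" on the Vlan200 SVI inspects, before the helper address relays it; neither address falls inside 10.0.0.0/8, so both versions of ACL 101 drop it.

```python
import ipaddress

# Cisco wildcard mask: a 1 bit means "don't care", a 0 bit must match.
def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

# An ACL is a list of (action, src_net, src_wildcard, dst_net, dst_wildcard).
def evaluate_acl(acl, src: str, dst: str) -> str:
    """First matching entry wins; unmatched traffic hits the implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

# The original ACL 101 from the thread.
ACL_101_ORIGINAL = [
    ("permit", "10.0.0.0", "0.255.255.255", "10.0.0.0", "0.255.255.255"),
]
# The modified ACL 101 posted later in the thread.
ACL_101_MODIFIED = [
    ("permit", "10.1.0.0", "0.0.255.255", "10.2.0.0", "0.0.255.255"),
    ("permit", "10.2.0.0", "0.0.255.255", "10.1.0.0", "0.0.255.255"),
]

# Constructed sample packets as seen inbound on the Vlan200 SVI.
DHCP_DISCOVER = ("0.0.0.0", "255.255.255.255")   # client has no lease yet
LEASED_CLIENT = ("10.2.0.50", "10.1.0.1")        # client already holds a lease

def discover_verdict(acl) -> str:
    return evaluate_acl(acl, *DHCP_DISCOVER)

def leased_client_verdict(acl) -> str:
    return evaluate_acl(acl, *LEASED_CLIENT)

if __name__ == "__main__":
    for name, acl in (("original", ACL_101_ORIGINAL), ("modified", ACL_101_MODIFIED)):
        print(f"ACL 101 ({name}): DISCOVER -> {discover_verdict(acl)}, "
              f"leased client -> {leased_client_verdict(acl)}")
```

VLAN 100 is unaffected because the DHCP server sits in that VLAN, so the broadcast is switched at layer 2 and never enters the SVI where the ACL is applied.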

Ah, ok, I get that. However, I have removed the ACL completely, and removed the ACL entries for the two SVIs, and still no DHCP for devices on ports in VLAN 200 (on L3 or L2 switch).

L3 Switch config as below now:

Switch01#sh run
Building configuration...

Current configuration : 2205 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch01
!
!
ip routing
!
!
spanning-tree mode rapid-pvst
!
!
interface FastEthernet0/1
 description UPLINK_TO_ROUTER
 no switchport
 ip address 10.0.0.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/2
 description LINK_TO_DHCP_SERVER
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
 switchport trunk allowed vlan 1-1001
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/20
 switchport trunk allowed vlan 1-1001
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/21
 switchport trunk allowed vlan 1-1001
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/22
 switchport trunk allowed vlan 1-1001
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/23
 switchport trunk allowed vlan 1-1001
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/24
 switchport trunk allowed vlan 1-1001
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 10.1.0.2 255.255.255.0
!
interface Vlan200
 ip address 10.2.0.2 255.255.255.0
 ip helper-address 10.1.0.1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1 
!
ip flow-export version 9
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
end

It's ok - sorted it, thank you.

The issue was simply that I hadn't set the correct default gateway for the server's own NIC. As soon as that was set correctly, DHCP dropped in for the clients. 

Thanks for your help.

Oh, and I have put SVI 100 and 200 in ACL 101 and have modified ACL 101 as per below (still no joy though):

interface Vlan100
 ip address 10.1.0.2 255.255.255.0
 ip access-group 101 in
!
interface Vlan200
 ip address 10.2.0.2 255.255.255.0
 ip access-group 101 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
ip flow-export version 9
!
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255

I wasn't asking you to apply it.

I was asking if it was already applied ?

If it wasn't please remove it as it will stop traffic working.

So, was it applied on either vlan interface before ?

Jon
