11-26-2017 03:02 PM - edited 03-08-2019 12:53 PM
Hey guys, 
 
 So, I just got my network reconfigured and Intervlan Routing set up with 6 different VLANs. The switch has DHCP enabled and configured and WAS issuing IP addresses to the devices. What SEEMS to be happening is when the lease expires for a device and tries to renew, the switch fails to renew or reissue and IP Address, thus resulting in the device losing its IP Address and no longer having connection to the internet.
Once I get DHCP working correctly, all that is left is getting help with ACLs so I can BLOCK VLAN22 and 26 from accessing any other VLAN (Internet Only) but still allowing the other VLANs to see and communicate with VLAN 22 and 26 (Management and Administrative purposes). 
 
 I have attached the Configs of both my Router and my Switch. 
 
 Any help would be amazing. 
11-26-2017 03:03 PM
11-26-2017 03:22 PM
Hi Chris,
I have quickly reviewed your configurations but I do not see any obvious issue. Especially the switch should not have any issues refreshing an IP address lease.
From an IP point of view, the difference between obtaining a new IP address from a DHCP server and renewing a lease from DHCP is that the renewal is done using unicast - from the client's momentary IP address to the DHCP server's IP address. This is different from obtaining a fresh IP address where the client usually sends a broadcast from 0.0.0.0 to 255.255.255.255.
A couple of suggestions:
Thanks!
Best regards,
Peter
11-26-2017 03:26 PM
My laptop, for example, had no issue last night. I woke up this morning and it had no IP address (wifi) and was issued a 169.x.x.x address. It was connected to the WAP, but didn't get an IP back. I can try the wireshark thing.
Could it be a problem with the WAP? its a WAP371 and each SSID is configured to access the correct VLAN on the switch.
11-26-2017 03:30 PM
Here is my WAP Configuration.
11-26-2017 03:36 PM - edited 11-26-2017 03:39 PM
Hi Chris,
Hmmm... if your laptop had the APIPA address 169.254.x.x/16 instead of the proper one that it means that is has already tried to talk to the DHCP server both via unicast (during refresh) and broadcast (after it failed to get a proper IP address and assigned itself the APIPA address; it would still keep trying to reach the server). This would suggest more that the computer could not reach the DHCP server at all.
Unfortunately, there are too many variables in play to suggest at this point where the problem could be. Ideally, we need a PC/laptop in the problematic state to start the troubleshooting off that state. Are you able to reproduce the issue on demand? Again, assuming that the laptop is running Windows, the sequence of commands ipconfig /release and ipconfig /renew completely restarts the DHCP process. Would you mind trying this a few times - always the /release first, then the /renew - to see if you can reproduce the problem?
I'll check the WAP configuration but I only have limited experience with WAPs.
Best regards,
Peter
P.S.: My sincere apologies for confusing your name in this response - it was entirely inadvertent. Corrected it... My apologies once again.
11-26-2017 03:39 PM
Yes, I can reproduce the problem simply by setting my wifi adapter to (obtain automatically) instead of static assignment. That is when it will lose connection. When I do this, I will have wireshark running on my laptop. Give me a couple of mins to get the report going. I will post the wireshark report soon.
11-26-2017 03:43 PM
11-26-2017 03:50 PM
Chris,
I've checked the PCAP file - thanks for providing it so expediently! - but there are no DHCP packets there whatsoever (the filter to display DHCP packets only is, somewhat unintuitively, bootp as DHCP is an extension of the earlier BOOTP protocol). Either your computer did not send them out that WiFi interface, or the Wireshark did not capture them. Under Windows, this sometimes can happen if you tell Wireshark to set the network card into promiscuous mode. Can you try once again while telling Wireshark not to set the network adapters into promisc mode?
Thanks!
Best regards,
Peter
11-26-2017 04:12 PM
New problem now. My Domain Controller cannot communicate with any devices on any VLAN except for VLAN 21. My laptop is showing as "Unauthenticated" and when I try to force a Group Policy Update....it responds back with "Cannot update Group Policy because there is no network connectivity to the Domain Controller. Domain Controller not found." So, basically, unless I am connected to VLAN 21, I have no connection to the Domain Controller. The DC is on VLAN 21.
I seem to be getting an IP address correctly on other VLANs except for VLAN 21. There is something going on with the Switch Routing between VLANs and the Switch DHCP Servers. I think I configured everything incorrectly. Maybe I should I have the DHCP Server on the Router instead of the Switch???
11-26-2017 04:14 PM
When I am connected to a network that is assigned to VLAN 25, I can still PING the Domain Controller with success. Which is really weird.
11-26-2017 04:24 PM
Chris,
Let's focus on one issue at a time; it is likely that if that one gets resolved, the others will improve or become resolved, too.
As your switch is configured for inter-VLAN routing and does not have a trunk extended to the router, having the DHCP server on the router would not help you; you would need to configure a DHCP Relay on your switch. In fact, you do have a DHCP server on the router (configured for 10.0.0.0/16 which is confusing at best as it overlaps multiple VLANs at once - but once again, as the switch is the L3 device isolating the VLANs, the DHCP broadcasts in those VLANs do not reach your router so there is no immediate danger of two overlapping DHCP servers in your network).
We have started looking on the DHCP issues for clients in VLAN 21. So far, we know that if they connect through WiFi, they won't get their IP settings through DHCP, and if they are configured with a static IP configuration, they work - is this correct?
If so, can you try connecting a test PC/laptop to the VLAN 21 via a cable, bypassing the WiFi, and see if the PC get obtain its IP settings through DHCP? I need to understand if the problems are caused by the WiFi part of the network.
Thanks!
Best regards,
Peter
11-26-2017 04:27 PM
The DHCP on the Router for Network 10.0.0.0/16 was my OLD network. All one VLAN. I changed my network to multiple VLANs using the switch because the network performance started to decline rapidly due to all the traffic from all the devices and the servers. So I am trying to segregate my network to ease the work load on the servers, the switch and the router. I just do not know how to remove the DHCP Settings off the router.
11-26-2017 04:25 PM
CORRECTION....my domain controller server cannot communicate with ANY client on ANY VLAN. I can ping the Domain Controller (10.0.1.5) and get responses, but there is no Domain Communication whatsoever. So I do not have access to any Server Resources. My other server is also "Offline" and it too is on VLAN 21. Both servers have a static IP that is excluded in the DHCP Pool on the switch. But no host can communicate with any of the servers. Both servers can be pinged from any VLAN and from the switch.
11-26-2017 04:30 PM
I attempted to connect my Laptop via Cable directly to the Switch via port G2/0/3. I configured the port as such:
Switchport mode access
Switchport access vlan 21
spanning-tree portfast
no shutdown
when I connected the cable to my laptop, no ip address was issued it seems. It just said "identifying..." and would not let me connect to the internet.
I will try again to confirm what I just stated.
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide