11-26-2017 03:02 PM - edited 03-08-2019 12:53 PM
Hey guys,
So, I just got my network reconfigured and Intervlan Routing set up with 6 different VLANs. The switch has DHCP enabled and configured and WAS issuing IP addresses to the devices. What SEEMS to be happening is that when the lease expires for a device and it tries to renew, the switch fails to renew or reissue an IP Address, thus resulting in the device losing its IP Address and no longer having a connection to the internet.
Once I get DHCP working correctly, all that is left is getting help with ACLs so I can BLOCK VLAN22 and 26 from accessing any other VLAN (Internet Only) but still allowing the other VLANs to see and communicate with VLAN 22 and 26 (Management and Administrative purposes).
I have attached the Configs of both my Router and my Switch.
Any help would be amazing.
11-26-2017 04:39 PM
11-26-2017 04:43 PM
Chris,
Who is 10.0.1.5? This device appears to be posing as your DHCP server, handing off addresses in 10.0.0.0/16 scope. It is neither your router nor your switch. This device should stop being the DHCP server in VLAN21, or any other VLAN where you already have a DHCP server present.
Best regards,
Peter
11-26-2017 04:44 PM
10.0.1.5 is the Server. The Domain Controller. The Big Guy on the network. Let me check to see if DHCP is still running on there. I could have sworn I disabled the DHCP Servers on there a LONG time ago and just used the router.
11-26-2017 04:51 PM
Hey Chris,
Well, 10.0.1.5 as a DHCP server is very much alive and kicking ;) Clearly recorded in the last Wireshark you've posted.
By the way, another observation. If you are using Windows AD, you should not be advertising a DNS address of 8.8.8.8, or any other DNS besides your internal DNS, to your clients. With Windows AD, clients locate the servers based on the specific DNS SRV records for your domain which - obviously - are not present on Google's 8.8.8.8. This can cause intermittent issues with your clients being randomly unable to talk to the domain controllers, servers, etc.
Best regards,
Peter
11-26-2017 04:53 PM
Okay, so I disabled the DHCP Server Scope on the Domain Controller, and VOILA! I now get a correct IP with Internet via both wifi and LAN. However, my DC and my other server still have NO communication with Network Clients. I still cannot communicate with the servers, but I can PING the servers.
11-26-2017 04:54 PM
11-26-2017 04:58 PM - edited 11-26-2017 05:01 PM
Chris,
No, I do not believe that migrating the DHCP scopes would be helpful at this point. Keep them on the switch for the time being.
See my earlier post about the DNS server. Do not advertise 8.8.8.8 as the DNS server to your clients. Google's 8.8.8.8 cannot possibly have the necessary DNS SRV records for your Windows AD domain. The only DNS server you should ever advertise to your Windows AD clients should be the AD controller itself, assuming that one hosts the DNS service. Otherwise, you'll be facing intermittent inability of the hosts to talk to the AD PDCs etc.
This will require you to modify the "dns-server" lines in your DHCP pools on the switch to remove 8.8.8.8 and only keep 10.0.1.5. After that, you will need to completely return and refresh the IP settings on the clients, either through "ipconfig /release ; ipconfig /renew", or even better, just reload them, as the DNS cache on the hosts needs to be flushed, too.
Best regards,
Peter
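The two fixes from the exchange above (a corrected DHCP pool that advertises only the AD DNS server, plus DHCP snooping so a second server such as the one that appeared at 10.0.1.5 can no longer answer clients), written out as an added Catalyst IOS example. This is not configuration from the thread's attachments: the pool name, the VLAN 21 subnet 10.0.21.0/24 with SVI 10.0.21.1, the VLAN range 21-26, the domain name and the port the Domain Controller hangs off (GigabitEthernet1/0/1) are all assumptions; the DNS server 10.0.1.5 is the one named in the thread.

```cisco
! Added example, not from the original thread. Assumptions: the switch is the
! DHCP server for VLAN 21 (10.0.21.0/24, SVI 10.0.21.1), the AD DNS lives on
! 10.0.1.5, client VLANs are 21-26, the DC sits on GigabitEthernet1/0/1.
ip dhcp excluded-address 10.0.21.1 10.0.21.20
!
ip dhcp pool VLAN21-CLIENTS
 network 10.0.21.0 255.255.255.0
 default-router 10.0.21.1
 domain-name corp.example
 ! only the AD DNS server is advertised; 8.8.8.8 has been removed
 dns-server 10.0.1.5
 lease 1
!
! DHCP snooping: every access port stays untrusted, so DHCPOFFER/DHCPACK
! frames arriving from a server on an access port (the DC in this case) are
! dropped instead of being forwarded to clients. The switch's own DHCP
! server is unaffected because its replies are generated locally, not
! received on an untrusted port.
ip dhcp snooping
ip dhcp snooping vlan 21-26
!
interface GigabitEthernet1/0/1
 description Domain Controller 10.0.1.5
 ! deliberately NO "ip dhcp snooping trust" here
!
! Verification: bindings should come from the switch pools only, and the
! snooping statistics should show dropped packets if the DC starts offering
! leases again.
show ip dhcp binding
show ip dhcp snooping
show ip dhcp snooping statistics
```

If an upstream router or a dedicated DHCP server (rather than the switch) ever takes over the pools, the port facing it needs `ip dhcp snooping trust`; leaving it untrusted would drop legitimate offers as well.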
11-26-2017 05:07 PM
okay, I removed all 8.8.8.8 ip address from the switch and only have 10.0.1.5 as anything Domain or DNS related. Let me check to see if I have Domain Communication back.
11-26-2017 05:14 PM
HEY LOOK AT THAT! DOMAIN COMMUNICATIONS ARE BACK!!!!!!!!!!!!!!!! Lots of network usage right now cuz all the clients are communicating with the DC and the other server trying to update everything after being "offline" for 24 hours. LOL.
Thanks so much Peter. You have been awesome! One more question though....hopefully you can help....do you know how to write ACLs on the switch? I want VLANs 22 and 26 to be Internet Only...NO internal network resources at all. BUT...I want the other VLANs to be able to talk to VLANs 22 and 26 (for management and administration purposes). Would you know how to do that? I have never written ACLs so I have NO clue how to do that.
11-26-2017 05:32 PM
Chris,
That's great news! Thank you for letting me know - and also thank you for the kind words!
Regarding ACLs on Catalyst switches - yes, I am well-acquainted with them, but what you require is not that easy to accomplish by simple ACLs on switches. The problem is that you want your VLANs 22 and 26 to be prevented from opening a connection to hosts in other VLANs, but you still want them to respond to connections from other VLANs. The difficulty is in distinguishing what packets initiate a new session, and which packets are responses to a session initiated from the "other end". This calls for a stateful firewall that is capable of creating a dynamically populated table of opened sessions, and permitting packets based on this table's contents. The Catalyst 3750 series do not support any kind of dynamic firewall rules, and all we would be able to do is to simply create static ACLs that tediously allow the particular management communication from other VLANs, then deny every other communication with other VLANs, and allow everything else (essentially permitting the internet access). Depending on the protocols involved for management, this might be challenging to do, and if they use dynamic ports, this might be entirely impossible.
What I suggest is you trying to describe as precisely and as extensively as possible the nature of the management connections that you want to allow into VLANs 22 and 26 (including addresses of management hosts, particular protocols, L4 ports, etc.). We will know based on this description whether we can do it with static ACLs.
I'll do my best to respond during the next day - as it's past 2:30AM for me over here, I'll drop off for a couple of hours of sleep :)
Best regards,
Peter
11-26-2017 05:38 PM
You know what, VLANS 22 and 26 are Entertainment Devices and Guest access respectively. So, therefore, my servers do not need to communicate with the Entertainment Devices and DEFINITELY do not need access to the Guest Network. Sooooo, I just want the two VLANs to be blocked from everything but the internet. Nothing more, nothing less. They do not need any network resources (not even printers). So internet only.
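With the requirement narrowed to "internet only, nothing more" for VLANs 22 and 26, the stateful-firewall problem from the earlier post goes away: no host in another VLAN needs to open connections into these VLANs, so a static ACL is sufficient, and it will also drop any replies a VLAN 22/26 device might send back into the internal network. The following is an added Catalyst IOS example, not configuration taken from the thread. Assumptions: VLAN 22 is 10.0.22.0/24 (SVI 10.0.22.1), VLAN 26 is 10.0.26.0/24 (SVI 10.0.26.1), and all internal subnets sit inside 10.0.0.0/16; the pool and ACL names are placeholders.

```cisco
! Added example, not from the original thread. Assumed addressing:
! VLAN 22 = 10.0.22.0/24 (SVI 10.0.22.1), VLAN 26 = 10.0.26.0/24
! (SVI 10.0.26.1), everything internal inside 10.0.0.0/16.
!
! These devices are not AD domain members, so they get a public resolver
! instead of the DC at 10.0.1.5 (which the ACL below blocks anyway).
ip dhcp pool VLAN22-ENTERTAINMENT
 network 10.0.22.0 255.255.255.0
 default-router 10.0.22.1
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool VLAN26-GUEST
 network 10.0.26.0 255.255.255.0
 default-router 10.0.26.1
 dns-server 8.8.8.8 8.8.4.4
!
! One ACL serves both VLANs: applied inbound on the SVI, the source is already
! confined to that VLAN, so "any" as the source is safe.
ip access-list extended INTERNET-ONLY
 remark DHCP to the switch itself (lease renewals are unicast to the SVI)
 permit udp any eq bootpc any eq bootps
 remark allow ping of the default gateway for troubleshooting
 permit icmp any host 10.0.22.1 echo
 permit icmp any host 10.0.26.1 echo
 remark block every other internal destination: DC, printers, other VLANs
 deny   ip any 10.0.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark whatever is left is the Internet
 permit ip any any
!
interface Vlan22
 ip access-group INTERNET-ONLY in
!
interface Vlan26
 ip access-group INTERNET-ONLY in
!
! Verification: the deny counters should climb when a guest device tries to
! reach 10.0.1.5, while DNS and web traffic to public addresses hits the
! final permit.
show access-lists INTERNET-ONLY
show ip interface Vlan22 | include access list
```

Because the ACL filters on destination only, a management host in another VLAN can still send packets into VLAN 22 or 26, but the replies are dropped by the `deny ip any 10.0.0.0 0.0.255.255` line; that is the intended behaviour for the "nothing more" requirement, and it is exactly the case that would have needed a stateful firewall if two-way management access were still wanted. Isolation between devices inside the same VLAN is a Layer 2 matter and is not addressed by this ACL.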