DHCP problem 3750G switch.

OK, I just configured a switch: a WS-C3750G-48PS-S running C3750-IPBASEK9-M, SW Version 12.2(55)SE11.

I put the config on and shipped it out to the site. The switch came right up. I was able to remote in. Initially it was on a port channel. I have since also configured a normal single-cable trunk link and had the site personnel remove the port channel cables in the process of troubleshooting the issue. I have a "no ip routing" command applied to this switch.

It's running in a layer 2 capacity only: (MPLS cloud) <<BGP>> (router on a stick) <<trunk>> (core switch C3650) <<trunk>> (C3750G, the problem switch)

*Problem Description*

VLAN 1 is the default user VLAN. I can't seem to plug a client into a VLAN 1 access port on the 3750G and get a DHCP address. But here's a funny thing: the phones get a DHCP address. They are on VLAN 22.

Why? If I plug into the core switch and configure an access port, it works great. Keep in mind I'm remotely accessing this problem switch via SSH and everything. I can't figure out what I'm doing wrong.

On the router there is a Gi0/0.1 with a PVID tag for VLAN 1 'native', and it has an ip helper config pointing at the site's domain controller for DHCP.

interface GigabitEthernet0/0.1
description MLGA_ADMIN_NET
encapsulation dot1Q 1 native
ip address x.x.x.x 255.255.255.224
ip helper-address x.x.x.x
no ip unreachables
no ip proxy-arp
[hsrp config here but removed]


Here's the switch config, redacted. It's really basic, nothing crazy going on in this config:

--- I truncated all the port output because ports 3-46 are identical ---

no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname MASW03
!
boot-start-marker
boot-end-marker
!
logging console emergencies
enable secret 5 xxxxxx
!
username xxxxxx privilege 15 secret 5 xxxxxx
username xxxxxx privilege 15 secret 5 xxxxxx
username xxxxxx privilege 15 secret 5 xxxxxx
!
!
aaa new-model
!
!
aaa authentication login xxxxxx group tacacs+ local
aaa authentication login xxxxxx local
aaa authorization exec xxxxxx group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting commands 15 xxxxxx start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Mar 2:00 1 Sun Nov 2:00
switch 1 provision ws-c3750g-48ps
system mtu routing 1500
no ip domain-lookup
ip domain-name xxxx.com
ip name-server x.x.x.x
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
archive
path ftp://x.x.x.x/MASW03
write-memory
time-period 40320
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
ip ftp username xxxx
ip ftp password 7 xxxxxx
ip ssh version 2
!
!
interface Port-channel1
description To_MASW01_Gi21_Gi22
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 22
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
!
interface GigabitEthernet1/0/3 - 46
switchport mode access
switchport voice vlan 22
spanning-tree portfast
!
interface GigabitEthernet1/0/47
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
!
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
no ip address
no ip route-cache
no ip mroute-cache
!
interface Vlan25
description malaga_MGMT_VLAN
ip address xxxxxx 255.255.255.240
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
!
ip default-gateway xxxxxx
ip classless
no ip http server
no ip http secure-server
!
snmp-server community xxxxxx RW
snmp-server community xxxxxx RO
snmp-server location xxxxxx
snmp-server contact IT Department xxxxxxx
snmp-server chassis-id MASW03
snmp-server enable traps config
tacacs-server host xxxxxx
tacacs-server host xxxxxx
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key 7 xxxxxx
!
banner exec ^CC
****************************************************************
* *
* AUTHORIZED ACCESS ONLY *
* *
* This system and all of its components are restricted to *
* authorized users for legitimate business purposes and are *
* subject to audit. Persons who violate this policy will be *
* subject to the disciplinary process. The actual or attempted *
* unauthorized access, use modification or copying of computer *
* systems is a violation of Federal and State laws. *
* *
******************************************************************
******************************************************************
* Welcome to the CGX Switch 03 *
****************************************************************
^C
!
line con 0
exec-timeout 30 0
privilege level 15
password 7 xxxxxx
logging synchronous
login authentication xxxxxx
stopbits 1
line vty 0 4
exec-timeout 30 0
privilege level 15
password 7 xxxxxx
login authentication xxxxxx
transport input ssh
transport output ssh
line vty 5 15
transport input none
!
ntp clock-period 36029565
ntp server xxxxxx
end

Accepted Solution

Hi
If I'm reading your config correctly:

Your router interface gi0/0.1 has "encapsulation dot1Q 1 native" enabled, which will tag VLAN 1 on the link to the switch. The switch uplink connecting to the router interface has "switchport trunk encapsulation dot1q" enabled, which will not tag the native VLAN (VLAN 1).

hth
andy

Replies

My upstream switch is the 3650. I'm wondering if snooping is causing a problem? This is the C3650 snooping output:
MASW01#sh ip dhcp snooping
Switch DHCP snooping is disabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 74a0.2fc3.4f80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   

Try disabling option 82:

no ip dhcp snooping information option

>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Could you please provide a diagram and more details about your question.

The ip helper-address is usually configured on the interface VLAN where the gateway of the specific subnet is configured. For example:

interface vlan 100
ip add 192.168.100.1 255.255.255.0
ip helper-address <IP address of the DHCP server, or of the router where the DHCP scope is created>

This subnet, 192.168.100.0/24, should have access to the DHCP server; a ping can be used to check.
I would like to see your topology to understand your infrastructure.

You can use VLAN 1 to connect users, but it is not recommended; actually, VLAN 1 should be shut down.

Now, if you are using DHCP snooping, it should be configured on the access switches only, for example:

Access switch

conf t
ip dhcp snooping
ip dhcp snooping vlan <vlans to be protected>
no ip dhcp snooping information option

Access ports
int fa1/0/2
ip dhcp snooping limit rate <no more than 100, try with 50>

Trunk ports
int g1/0/1
ip dhcp snooping trust   (configured only under trunk interfaces)

I'm assuming your DHCP is working properly. 

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<


First of all, thanks to everybody who had input on this post. Everyone had great input!

The problem ended up being what Andy suggested. I set up a dummy dot1q sub-interface on my router with VLAN tag 33. I set up VLAN 33 on my switch running VTP server. I checked each switch to make sure VLAN 33 was there, and then, remote side first, set VLAN 33 as native on each trunk interface, working my way back to the trunk link going up to my router with all the dot1q sub-interfaces on it. I was logged into the router on the outside MPLS interface so as not to lose it.

I then drilled into that sub-interface with dot1q 33 and set dot1q 33 native on it. This moved the native VLAN to 33 everywhere. Once VLAN 1 was forcibly being tagged across every link, no more issues were seen. Everything worked as intended.

I will add this bit: I do this config in other places with ALL 3650s (IOS-XE) / router-on-a-stick topology in several different locations. I've never seen issues like this before.

This is not even the first time I've paired IOS-based 3550 and 2960 switches in trunked configurations with 3650 IOS-XE switches. This is, however, the first time I have paired a 3750 IOS-based switch with an IOS-XE switch.

I've learned a painful lesson; I will be setting my native VLAN to a VLAN of no consequence going forward.

Thank you all for the offers of help. I really truly appreciate it.
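As an added check that is not part of the thread or of any Cisco tooling, the Python audit below parses a router-on-a-stick subinterface config and a switch trunk config and reports where the router sends a VLAN untagged ("encapsulation dot1Q <id> native") while the switch tags it (global "vlan dot1q tag native", or a different "switchport trunk native vlan"), the mismatch Andy's reply and the final fix describe; it also flags native VLAN 1, the thing the final post moves to an unused VLAN. The configs inside it are constructed samples, not the redacted ones posted above.

```python
import re
# Constructed sample configs (not the thread's redacted ones): the router sends
# VLAN 1 untagged on its "native" subinterface, while the switch's global
# "vlan dot1q tag native" makes its trunk tag VLAN 1, the mismatch in the thread.
ROUTER_CFG = """\
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
"""
SWITCH_CFG = """\
vlan dot1q tag native
interface GigabitEthernet1/0/2
 switchport mode trunk
"""

def iface_blocks(cfg):
    # Yield (interface name, [stripped body lines]) for each interface stanza.
    name, body = None, []
    for raw in cfg.splitlines() + ["interface _END_"]:
        if raw.startswith("interface "):
            if name:
                yield name, body
            name, body = raw.split(None, 1)[1], []
        elif name:
            body.append(raw.strip())

def router_untagged(cfg):
    # Subinterface -> VLAN it sends untagged ("encapsulation dot1Q <id> native").
    pat = re.compile(r"encapsulation dot1q (\d+) native$", re.I)
    return {n: int(m.group(1)) for n, b in iface_blocks(cfg)
            for ln in b if (m := pat.match(ln))}

def switch_trunks(cfg):
    # Trunk -> (native VLAN, native tagged?); IOS defaults the native VLAN to 1.
    tagged = any(l.strip() == "vlan dot1q tag native" for l in cfg.splitlines())
    pat = re.compile(r"switchport trunk native vlan (\d+)$")
    out = {}
    for name, body in iface_blocks(cfg):
        if "switchport mode trunk" in body:
            native = next((int(m.group(1)) for ln in body if (m := pat.match(ln))), 1)
            out[name] = (native, tagged)
    return out

def audit(router_cfg, switch_cfg):
    # One finding per router subif / trunk pair that disagree on tagging, plus a
    # hardening note when the untagged VLAN is VLAN 1 (the thread's final fix).
    findings, trunks = [], switch_trunks(switch_cfg)
    for rif, vlan in router_untagged(router_cfg).items():
        for sif, (native, tagged) in trunks.items():
            if native != vlan or tagged:
                findings.append(f"{rif} sends VLAN {vlan} untagged but {sif} tags it")
        if vlan == 1:
            findings.append(f"{rif}: native VLAN is 1; move it to an unused VLAN")
    return findings
```

Running audit(ROUTER_CFG, SWITCH_CFG) on the samples returns two findings; feeding it the post-fix configs (native VLAN 33 on both sides, no "vlan dot1q tag native") returns an empty list.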
