DHCP propagation

Matthew Lucas
Level 1

Guys,

I'm sorry if this seems a real basic question. I can get it working on Packet Tracer, but don't seem to be able to get it working in real life. Sanity check, please?

I'm trying to get clients to pick up a DHCP address from my server. Physical config is as follows:

4-switch stack of 3750X-48P-S (x 2) and 3750X-24S-S (x 2). 48's are physical switch 1 & 2. Data stack is working fine. That's the Core Switch

Mix of 2960S-48TS-L and -24TS-L, 2960CG-8TC-L and 3560CG-8PC-S Access switches.

physical switch 1 in Core Switch, all ports are VLAN 4. No DHCP required - VLAN 4 is infrastructure only. All switches have:

Switch(config)#int vlan 4

Switch(config-if)#ip address 10.0.4.x 255.255.252.0 (Core switch is 10.0.4.10)

Switch(config)#ip default-gateway 10.0.4.10

Physical switch 2 in Core Switch, all ports are VLAN 8 (client access, main corporate office site)

Physical switch 3&4 in Core Switch, all ports (SFP) are trunk

All other switches, SFP ports are trunk, copper ports are access on a variety of VLANs depending on intended site. VLANs interface IP's are:

VLAN 1 (legacy eqpt - intended to be turned off): 10.0.0.x /24 (Core switch is .10)

VLAN 4 (infrastructure - no DHCP required): 10.0.4.x /22 (Core switch is .10)

VLAN 8 (primary site where core switch is located): 10.0.8.x /22 (Core switch is .10)

VLAN 16 (site 2) (vlan 12 missed intentionally for growth): 10.0.16.x /22 (Core switch is .10)

etc etc to:

VLAN 36 (site 7): 10.0.36.x /22 (Core switch is .10)

VLAN 248: (guest wifi) 192.168.4.x /23 (Core switch is .10)

DHCP server has all the relevant scopes configured, with a default gateway for each of 10.0.##.10 (where ## corresponds to the VLAN number) and a range starting ##.11

Core switch for each VLAN interface has:

Switch(config)#int vlan 8

Switch(config-if)#ip helper-address 10.0.4.129 (the address of my DHCP server)

All trunk ports are linked via fibre in a loop (from core switch to access switch, then out of access switch and directly back to core switch) so each access is on a separate loop. Core switch is vtp server, access switches are vtp client and picking up the VLANs from the core. Spanning tree is rapid-pvst on all, with the core switch the root primary.

IP routing is on via the command:

Switch(config)#ip routing

Switch(config)#ip route 0.0.0.0 0.0.0.0 10.0.4.1 (this is the gateway security device for the network)

So in that slightly spooky, obscure way that they have, the clients ought to be picking up a DHCP address from the relevant VLAN, depending on which VLAN the access port they're connected to is in. But they don't pick up anything. Connectivity is there - everything can ping everything, including clients if I set static IPs, and including DHCP server.

Should ip helper-addresses be set on the access switch VLAN interfaces too? Or have I missed something else obvious/critical? Please help because I need to have this out and on the ground and tested within 3 weeks - this is the first hurdle and I've fallen over. Like I said at the beginning, this config (or the equivalent) works fine on Packet Tracer for distributing IP addresses.

Thanks in advance,

Matt

14 Replies

cadet alain
VIP Alumni

Hi,

Is service dhcp enabled on the relay-agent (the one with the helper-address)?

Does the server have a route for the IP address of the VLAN interface where the ip helper-address is configured?

Regards

Alain

Don't forget to rate helpful posts.


Hello
Could you post the config of the core switch?

res
Paul

Sent from Cisco Technical Support Android App


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Alain,

DHCP service is enabled, yes, and the Core Switch has a route between all VLANs (with the exception of the ACL blocking VLAN 248 accessing anything other than the internet).

Paul, see below.

CSW01#sh run

Building configuration...

Current configuration : 20866 bytes

!

! Last configuration change at 08:57:30 UTC Wed Mar 30 2011 by mlucas

! NVRAM config last updated at 03:52:46 UTC Wed Mar 30 2011 by mlucas

!

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname CSW01

!

boot-start-marker

boot-end-marker

!

enable secret 4 5fpDlu4LdCozFYxrLimWlqRSZLorgqR1LnuU34XhHaE

!

username xxxx password 7 041158280870421D5A2B43

username xxxx password 7 083B43430B1000

username xxxx password 7 013B07165F59015C351D405B

username xxxx password 7 000A120F17530A265D711D1F

username xxxx password 7 15382B5D557A686569

no aaa new-model

!

switch 1 provision ws-c3750x-48p

switch 2 provision ws-c3750x-48p

switch 3 provision ws-c3750x-24s

switch 4 provision ws-c3750x-24s

system mtu routing 1500

ip routing

!

!

ip domain-name sierra-rutile.local

!

stack-power stack RUTILE

mode redundant

!

stack-power switch 1

stack RUTILE

switch mode: standalone

stack-power switch 2

stack RUTILE

switch mode: standalone

stack-power switch 3

stack RUTILE

switch mode: standalone

stack-power switch 4

stack RUTILE

switch mode: standalone

!

!

crypto pki trustpoint TP-self-signed-2811275648

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2811275648

revocation-check none

rsakeypair TP-self-signed-2811275648

!

!

crypto pki certificate chain TP-self-signed-2811275648

certificate self-signed 01

quit

!

!

spanning-tree mode rapid-pvst

spanning-tree extend system-id

spanning-tree vlan 1-1024 priority 24576

!

!

vlan internal allocation policy ascending

!

interface FastEthernet0

ip address 10.10.10.1 255.255.255.0

no ip route-cache

!

interface GigabitEthernet1/0/1

switchport access vlan 4

switchport mode access

!

interface GigabitEthernet1/0/2

switchport access vlan 4

switchport mode access

!

Redacted

!

interface GigabitEthernet1/0/48

switchport access vlan 4

switchport mode access

!

interface GigabitEthernet1/1/1

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/1/2

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/1/3

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/1/4

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface TenGigabitEthernet1/1/1

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface TenGigabitEthernet1/1/2

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet2/0/1

switchport access vlan 8

switchport mode access

power inline auto max 15400

!

Redacted

!

interface GigabitEthernet2/0/48

switchport access vlan 8

switchport mode access

power inline auto max 15400

!

interface GigabitEthernet2/1/1

switchport trunk encapsulation dot1q

switchport mode trunk

!

Redacted

!

interface GigabitEthernet3/1/4

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface TenGigabitEthernet3/1/1

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface TenGigabitEthernet3/1/2

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet4/0/1

switchport trunk encapsulation dot1q

switchport mode trunk

!

Redacted

!

interface GigabitEthernet4/0/24

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet4/1/1

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet4/1/2

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet4/1/3

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet4/1/4

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface TenGigabitEthernet4/1/1

switchport trunk encapsulation dot1q

switchport mode trunk

!        

interface TenGigabitEthernet4/1/2

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface Vlan1

ip address 10.0.0.10 255.255.252.0

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan4

ip address 10.0.4.10 255.255.252.0

!

interface Vlan8

ip address 10.0.8.10 255.255.252.0

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan16

ip address 10.0.16.10 255.255.252.0

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan20

ip address 10.0.20.10 255.255.252.0

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan24

ip address 10.0.24.10 255.255.252.0

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan28

ip address 10.0.28.10 255.255.252.0

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan32

ip address 10.0.32.10 255.255.252.0

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan36

ip address 10.0.36.10 255.255.252.0

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan244

ip address 192.168.0.254 255.255.255.0

ip access-group 101 in

!

interface Vlan248

ip address 192.168.10.10 255.255.252.0

ip helper-address 10.0.4.129

ip helper-address 10.0.4.130

!

interface Vlan252

ip address 10.0.252.10 255.255.252.0

!

ip default-gateway 10.0.4.1

no ip http server

no ip http secure-server

!

access-list 101 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

!

line con 0

login local

line vty 0 1

login local

transport input ssh

line vty 2 4

login

transport input none

line vty 5 15

login

transport input none

!

end

Hello Matthew,
Regarding your core switch config: I can see a default-gateway but not a default route on the core switch.
Also, do your access switches have ip routing disabled and have a default-gateway?

And can you confirm where the dhcp server resides?

Res
Paul


Sent from Cisco Technical Support iPad App



Well, that's odd. I did have an ip route of 0.0.0.0 0.0.0.0 10.0.4.1 but it seems to have disappeared. Re-added now - thank you for pointing that out.

All my access switches are layer 2 - 2960's, so no ip routing on them, but they all have a default gateway of 10.0.4.10 (the core switch).

Thanks

Hello,
just to confirm: all your access switches need to have a d/g of the SVI from the core, so if an access switch has a management IP of vlan4 then it needs to have the d/g of the SVI of the core for vlan4, etc.

Res
Paul
Please don't forget to rate any post that may have been helpful

Sent from Cisco Technical Support iPad App



Sorry - SVI?

All access switches have a default gateway of 10.0.4.10 which is the VLAN 4 interface ip of the core switch. All access switches have mgmt ip's within vlan 4 also, and no ip's for the remaining vlans.

Hi Matt,

you have already found out that IP unicast connectivity between clients and dhcp server works.

You're not running dhcp snooping, are you?

If not, we can assume that the dhcp broadcast packets can be received by the dhcp relay agent.

If there's a problem with the relay-agent, you could check

  • service dhcp enabled?

#show ip sockets | i ^P|_17_.+_67_

Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF

17 192.168.9.100      68 192.168.4.10       67   0   0 2211   0

  • relay-agent's forwarding for dhcp traffic not disabled?

#show running | i ip forward-protocol udp

  • ACLs on SVIs, if existing, allow dhcp traffic?

You can inspect the dhcp relay agent by "debug ip server packet":

DHCPD: Finding a relay for client 0102.004c.4f4f.50 on interface Vlan9.

DHCPD: setting giaddr to 192.168.9.1.

DHCPD: BOOTREQUEST from 0102.004c.4f4f.50 forwarded to 192.168.4.10.

DHCPD: forwarding BOOTREPLY to client 0200.4c4f.4f50.

DHCPD: broadcasting BOOTREPLY to client 0200.4c4f.4f50.

As is the rule, you have to be careful with debug commands. Depending on the number of dhcp clients and lease times this one can produce a large amount of output.

Hope that helps

Rolf

Rolf,

Ok, that was WAY above my level, haha. Not running dhcp snooping, no. And yes, we have full IP connectivity between clients and server.

So, couldn't run the specific command in the first line due to limitations of my keyboard, however running #show ip sockets and picking the relevant line gave:

Proto        Remote      Port      Local       Port  In Out  Stat TTY OutputIF

17     10.0.4.130         67 10.0.4.10          67   0   0  2211   0

"#show running | i ip forward-protocol udp" didn't return anything at all, just a return to the # prompt.

The debug command returned a LOT, as you say, however right now the dhcp server isn't connected (because I'm slightly suspicious of the DHCP server itself and am having it rebuilt and will re-test), nor are the clients, so I suspect it's not going to return anything of value right now, but will try again once I have the server back online.

Rolf Fischer
Level 9

Matt,
I'd say everything looks as expected so far. One more question about your access port configs: Do you have spanning-tree portfast enabled?

Best regards
Rolf


Sent from Cisco Technical Support Android App

Rolf, not at the minute, no. The reason being that I'm trying to keep the config as simple as possible because I'm only a contractor here, and when my role finishes in a few months, I'm effectively going to be handing over to the local guys, most of whom have never touched Cisco kit until the last couple of weeks - so I'm training them up (blind leading the blind, haha), and since portfast only effectively saves a few seconds whilst adding troubleshooting complexity if ever switches need to be added, I figured better to leave it out.

So if the switch config looks good to everyone, it could potentially be the DHCP server itself. I'll re-test shortly and update. Thanks all for your help so far.

Oh, one thing I did want to know - do the ASW's need ip helper-address commands for each VLAN, or should that only be on the CSW?

Hello Matthew, have we proved at all that the DHCP server is working? What happens when you put for example your PC in the same vlan (vlan 4) as the DHCP server, no doubt you should then get an IP address! And if you don't, then imho we should take a look at the server itself.

Then one should assume that there is connectivity between vlans and DHCP servers? i.e. if you have static IP in a vlan, and you ping the dhcp server - should be successful... Which you have confirmed

You only need the ip helper command on the SVIs (vlan interfaces) on the core switch (where the gateway for client is), not the actual access switches. I'd also test spanning-tree portfast as a last resort, because in some cases spanning-tree forwarding state may take too long.

You have configured 2 ip helper commands which is fine, just curious - are they holding the same scopes? What kind of DHCP server is it?

You could even set up your own vlan and configure dhcp on the core switch temporarily to test that DHCP works on your network. e.g.

On your core switch:

vlan 100

name TEST

!

interface vlan 100

ip address 100.0.0.10 255.255.255.0

!

ip dhcp pool TEST

network 100.0.0.0 255.255.255.0

default-router 100.0.0.10

Access switch:

int fa0/1

switchport

switchport access vlan 100

no shut

Then put your PC in this vlan on the access switch and see if you get an IP.

You can verify if a lease has been given out with the 'show ip dhcp binding' command on the core switch.

Wireshark is quite useful when it comes to this type of thing - gives you more of an insight into what's happening on the wire

Hope this helps.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
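
The relay behaviour discussed in the replies above (giaddr set by the SVI, helper-address needed only on the core switch, server needing a route back to the SVI) can be modelled in a few lines. This is an added example, not code from any poster or from Cisco; it handles only the fixed BOOTP header (no DHCP options), and the scope table is constructed from the addressing plan in the question.

```python
import ipaddress
import struct

# BOOTP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file -> 236 bytes.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
GIADDR, HOPS = 10, 3          # field positions in the unpacked tuple
ZERO = bytes(4)

# Constructed scope table using the thread's addressing plan:
# one /22 per VLAN, leases starting at .11, gateway .10 on the core switch.
SCOPES = {"10.0.8.0/22": "10.0.8.11", "10.0.16.0/22": "10.0.16.11"}

def discover(mac: bytes, xid: int) -> bytes:
    """Client broadcast: BOOTREQUEST with giaddr 0.0.0.0 and the broadcast flag set."""
    return BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000, ZERO, ZERO, ZERO, ZERO,
                      mac.ljust(16, b"\0"), b"", b"")

def relay(packet: bytes, svi_ip: str) -> bytes:
    """Relay agent on the SVI that received the broadcast: stamp giaddr, bump hops."""
    fields = list(BOOTP.unpack(packet))
    if fields[GIADDR] == ZERO:            # a later relay must not overwrite giaddr
        fields[GIADDR] = ipaddress.ip_address(svi_ip).packed
    fields[HOPS] += 1
    return BOOTP.pack(*fields)

def select_scope(packet: bytes, scopes: dict):
    """Server side: choose the scope that contains giaddr; the reply goes to giaddr."""
    giaddr = ipaddress.ip_address(BOOTP.unpack(packet)[GIADDR])
    for net, first_lease in scopes.items():
        if giaddr in ipaddress.ip_network(net):
            return net, first_lease, str(giaddr)
    return None                           # no scope for this giaddr: no offer is sent

if __name__ == "__main__":
    pkt = relay(discover(bytes.fromhex("02004c4f4f50"), 0x1234), "10.0.8.10")
    print(select_scope(pkt, SCOPES))
    # Vlan248's SVI address has no scope in the constructed table.
    print(select_scope(relay(discover(bytes(6), 1), "192.168.10.10"), SCOPES))
```

A layer 2 access switch has no interface address in the client VLAN, so it has nothing to put in giaddr; only the SVI that is the clients' gateway can relay.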

Bilal,

I managed to get it working after all (I thought I'd put up a reply saying so, but obviously I was imagining things, haha). The issue WAS with the DHCP server. I'm just running through the switches and testing 6 at a time. Now when I plug into the ASW I get an IP from the relevant scope - and if I wipe the config, I get an IP from VLAN 1, so it's all good. I can also ping and browse SMB shares between VLANs, so it's all good. Ooh - do need to confirm the ACL is working too... I'll do that now.

Thanks for your help, Bilal, and thanks everyone else too. Apologies for wasting your time, but it was very much appreciated.

Matt
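
For the ACL confirmation left open in the last post, one static check is whether each inbound ACL is bound to the SVI whose subnet its source range belongs to. This is an added example, not part of the thread; it runs over an excerpt of the CSW01 configuration as posted and parses only the `address wildcard` source form used by ACL 101.

```python
import ipaddress
import re

# Excerpt of the CSW01 running-config posted in this thread (two SVIs and ACL 101).
CONFIG = """\
interface Vlan244
 ip address 192.168.0.254 255.255.255.0
 ip access-group 101 in
!
interface Vlan248
 ip address 192.168.10.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
access-list 101 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
"""

def parse(config):
    """Return ({svi: {"net", "acl_in"}}, {acl number: [source networks]})."""
    svis, acls, cur = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (Vlan\d+)$", line):
            cur = svis.setdefault(m[1], {"net": None, "acl_in": None})
        elif line == "!":
            cur = None
        elif cur is not None and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur is not None and (m := re.match(r"ip access-group (\S+) in$", line)):
            cur["acl_in"] = m[1]
        elif m := re.match(r"access-list (\d+) (?:permit|deny)\s+ip (\S+) (\S+) ", line):
            # ipaddress accepts a wildcard (host) mask in place of a netmask.
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
    return svis, acls

def audit(config):
    """Report inbound ACL bindings whose source range is not on the bound SVI."""
    svis, acls = parse(config)
    findings = set()
    for name, svi in svis.items():
        for src in acls.get(svi["acl_in"], []):
            if svi["net"] is None or src.overlaps(svi["net"]):
                continue
            # SVIs that do own the source range but carry no inbound ACL.
            open_svis = tuple(n for n, s in svis.items()
                              if s["net"] is not None and s["net"].overlaps(src)
                              and s["acl_in"] is None)
            findings.add((name, svi["acl_in"], str(src), open_svis))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

On the posted excerpt the check reports ACL 101 bound inbound on Vlan244 while its source range 192.168.10.0/24 falls inside Vlan248's subnet, which has no `ip access-group`.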