DHCP sees all clients with same client ID

Mark30
Level 1

I have this very weird problem where my C1111-8P router sees all clients as having the same client-id. i.e. I connect a number of devices one at a time and they all appear as having the same client-id.

When I connect multiple devices at the same time to the router, I get all manner of problems such as IP conflicts. 


It's as though the router is ignoring the client-id, certainly isn't using the hardware-address, and goes into meltdown.

For the time being I've configured all manual IP addresses on the small network. But this isn't viable long term.


Any suggestions what might be causing this?  

13 Replies

Richard Burts
Hall of Fame

A good starting point in trying to understand your issue would be to post the current running configuration.

HTH

Rick

Mark30
Level 1

Would you believe it, 2 seconds later I spotted it. The port subscriber-id was being used as the client-id. Doh!

Yes, it does not allow the MAC as client-id.
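To make the failure mode above concrete, here is an added example (not code from this thread or from Cisco): a small Python model of how a DHCP server keys its bindings depending on whether it uses the hardware address, the client's option 61, or a relay-inserted option 82 subscriber-id (sub-option 6, RFC 3993) as the client identifier. It builds and parses real DHCPDISCOVER packets (RFC 2131/2132 layout); the three hosts, their MAC addresses and the subscriber-id value "Gi0/1/2" are constructed sample data modelled on the pool entries in the config, and the lease table is a simplified assumption about server behaviour, not a reproduction of IOS internals. When every host behind a port carries the same subscriber-id and that is what the server keys on, they all collapse into one binding and are offered the same address, which is exactly the IP-conflict symptom described in the first post.

```python
"""Model of DHCP lease keying under 'use hardware-address / client-id /
subscriber-id' policies.  Added example; packet layout per RFC 2131/2132,
option 82 sub-option 6 per RFC 3993.  Lease table is a simplification."""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_RELAY = 53, 61, 82
SUBOPT_SUBSCRIBER_ID = 6                # RFC 3993 relay agent sub-option


def build_discover(mac: bytes, client_id: Optional[bytes],
                   subscriber_id: Optional[bytes], xid: int) -> bytes:
    """Build a DHCPDISCOVER; subscriber_id simulates the relay/port stamping
    option 82 sub-option 6 onto the request before the server sees it."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, len(mac), 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, 1])                       # type 1 = DISCOVER
    if client_id is not None:
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    if subscriber_id is not None:
        sub = bytes([SUBOPT_SUBSCRIBER_ID, len(subscriber_id)]) + subscriber_id
        opts += bytes([OPT_RELAY, len(sub)]) + sub
    return fixed + MAGIC + opts + b"\xff"                     # 255 = end


def parse_tlv(data: bytes) -> Dict[int, bytes]:
    """Parse code/len/value options (0 = pad, 255 = end).  Also used for the
    option 82 sub-option list, which shares the TLV layout."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        out[code] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return out


def parse_discover(pkt: bytes) -> dict:
    """Extract the three identifiers a server might key a binding on."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a BOOTP/DHCP packet")
    hlen = pkt[2]
    opts = parse_tlv(pkt[240:])
    relay = parse_tlv(opts[OPT_RELAY]) if OPT_RELAY in opts else {}
    return {"chaddr": pkt[28:28 + hlen],
            "client_id": opts.get(OPT_CLIENT_ID),
            "subscriber_id": relay.get(SUBOPT_SUBSCRIBER_ID)}


class LeaseTable:
    """Minimal server: one binding per key, first-free allocation (assumed)."""

    def __init__(self, first: str, count: int, policy: str):
        self.policy = policy  # "hardware-address" | "client-id" | "subscriber-id"
        base = int(IPv4Address(first))
        self.free = [IPv4Address(base + n) for n in range(count)]
        self.bindings: Dict[bytes, IPv4Address] = {}

    def binding_key(self, msg: dict) -> bytes:
        if self.policy == "subscriber-id" and msg["subscriber_id"]:
            return msg["subscriber_id"]   # every host behind the port shares this
        if self.policy == "client-id" and msg["client_id"]:
            return msg["client_id"]
        return msg["chaddr"]

    def offer(self, msg: dict) -> IPv4Address:
        key = self.binding_key(msg)
        if key not in self.bindings:
            self.bindings[key] = self.free.pop(0)
        return self.bindings[key]


def simulate(policy: str) -> List[str]:
    """Three distinct hosts on the same access port (constructed sample data):
    same relay subscriber-id 'Gi0/1/2', different MACs and option 61 values."""
    hosts = [(bytes.fromhex("0011223344aa"), 0x1001),
             (bytes.fromhex("0011223344bb"), 0x1002),
             (bytes.fromhex("0011223344cc"), 0x1003)]
    server = LeaseTable("10.11.1.10", 8, policy)
    offers = []
    for mac, xid in hosts:
        pkt = build_discover(mac, b"\x01" + mac, b"Gi0/1/2", xid)
        offers.append(str(server.offer(parse_discover(pkt))))
    return offers


if __name__ == "__main__":
    for policy in ("subscriber-id", "client-id", "hardware-address"):
        print("%-17s -> %s" % (policy, simulate(policy)))
```

Under the subscriber-id policy all three hosts are offered 10.11.1.10; under either of the other two policies they get three distinct addresses. The per-port static mappings in the pool (address ... client-id "Gi0/1/x" ascii) only make sense when exactly one host sits behind each port.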

Mark30
Level 1

I've been messing about a lot so the config is in a bit of a mess, which I'm now going to fix. However, it would be very useful for you to look over the config and suggest some good practices / changes.


version 16.12
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login useruath local
aaa authorization network groupauth local
!
!
!
!
!
!
aaa session-id common
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
ip name-server 192.168.1.254 8.8.8.8
ip dhcp excluded-address 192.168.13.0 192.168.13.99
ip dhcp excluded-address 192.168.12.0 192.168.12.99
ip dhcp excluded-address 192.168.14.0 192.168.14.99
ip dhcp excluded-address 10.14.0.0
ip dhcp excluded-address 10.11.0.0 10.11.1.0
ip dhcp excluded-address 10.12.0.0 10.12.1.0
ip dhcp excluded-address 10.13.0.0 10.13.1.0
ip dhcp excluded-address 10.14.0.0 10.14.1.0
ip dhcp excluded-address 10.11.0.1 10.11.0.255
!
ip dhcp pool Main
network 10.11.0.0 255.255.0.0
default-router 10.11.0.1
dns-server 8.8.8.8
lease 0 1
address 10.11.255.100 client-id "Gi0/1/0" ascii
address 10.11.255.102 client-id "Gi0/1/2" ascii
address 10.11.255.103 client-id "Gi0/1/3" ascii
address 10.11.255.104 client-id "Gi0/1/4" ascii
address 10.11.255.105 client-id "Gi0/1/5" ascii
address 10.11.255.250 client-id "Gi0/1/6" ascii
address 10.11.255.101 client-id "Gi0/1/1" ascii
!
ip dhcp pool Guest
network 10.12.0.0 255.255.0.0
dns-server 8.8.8.8
default-router 10.12.0.1
lease 0 1
address 10.12.66.66 hardware-address 00e0.4c68.0cbd
!
ip dhcp pool DMZ
network 10.13.0.0 255.255.0.0
dns-server 8.8.8.8
lease 0 1
!
ip dhcp pool VPN
network 10.14.0.0 255.255.0.0
dns-server 8.8.8.8
lease 0 1
!
!
!
login on-success log
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
!
!
!
!
crypto pki trustpoint TP-self-signed-1512562063
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1512562063
revocation-check none
rsakeypair TP-self-signed-1512562063
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1512562063
crypto pki certificate chain SLA-TrustPoint
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
license udi pid C1111-8P sn FCZ2511R650
memory free low-watermark processor 70177
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
username XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii FCZ2511R650
ip address 192.168.1.69 255.255.255.0
ip nat outside
ip access-group NAT out
negotiation auto
ipv6 nd autoconfig default-route
ipv6 dhcp client request vendor
!
interface GigabitEthernet0/0/1
ip address dhcp
negotiation auto
!
interface GigabitEthernet0/1/0
switchport mode trunk
ip dhcp server use hardware-address client-id
ip access-group NAT in
!
interface GigabitEthernet0/1/1
switchport mode access
ip dhcp server use hardware-address client-id
ip access-group NAT in
ip access-group NAT out
spanning-tree portfast disable
!
interface GigabitEthernet0/1/2
switchport mode access
ip dhcp relay information option server-id-override
ip dhcp server use subscriber-id client-id
ip access-group NAT in
!
interface GigabitEthernet0/1/3
switchport mode access
ip dhcp relay information option server-id-override
ip dhcp server use subscriber-id client-id
!
interface GigabitEthernet0/1/4
switchport mode access
ip dhcp relay information option server-id-override
ip dhcp server use subscriber-id client-id
!
interface GigabitEthernet0/1/5
switchport mode access
ip dhcp relay information option server-id-override
ip dhcp server use subscriber-id client-id
!
interface GigabitEthernet0/1/6
switchport mode access
ip dhcp relay information option server-id-override
ip dhcp server use subscriber-id client-id
ip access-group NAT in
ip access-group NAT out
!
interface GigabitEthernet0/1/7
switchport access vlan 2
switchport trunk native vlan 2
ip access-group NAT in
ip access-group NAT out
!
interface Vlan1
description Main
ip address 10.11.0.1 255.255.0.0
ip nat inside
!
interface Vlan2
description Guest
ip address 10.12.0.1 255.255.0.0
ip nat inside
ip access-group NAT in
ip access-group NAT out
!
interface Vlan3
description DMZ
ip address 10.13.0.1 255.255.0.0
ip nat inside
!
interface Vlan4
description VPN
ip address 10.14.0.1 255.255.0.0
ip nat inside
!
iox
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 192.168.1.254 25
!
!
ip access-list extended NAT
10 permit ip 10.11.0.0 0.0.255.255 any
20 permit ip 10.12.0.0 0.0.255.255 any
30 permit ip 10.14.0.0 0.0.255.255 any
40 permit ip 10.13.0.0 0.0.255.255 any
50 permit ip 192.168.0.0 0.0.255.255 any
60 permit ip any any
70 permit icmp any any
80 permit tcp any any
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
ip sla schedule 1 life forever start-time now
ip access-list extended 197
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
password XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
length 0
!
!
!
!
!
event manager applet 1663438811449storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute 192.168.11.1"
action 003 file open TECHFILE bootflash:1663438811449sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE
!
end

Where is the config of the virtual-template?

Mark30
Level 1

I'm very new to Cisco IOS so I don't know what this is or where to get it from. Sorry, I'm a newbie.

You posted your config, and then apparently removed that post. Here are the comments about what I saw.

Congratulations on finding the source of the original problem. Here are some comments about your config.
- you have both enable password and enable secret. Only one of them is used. When enable secret is configured (and it is the more secure of the 2 alternatives) then enable password is ignored. So remove the enable password.
- you do not need this line since this address is included in a range that you configure.
- you have excluded addresses for 192.168.12, 192.168.13, and 192.168.14 but there are no pools that use those addresses. Remove these.
- your access list NAT includes the statement permit ip any any. Since everything is permitted all the other statements are extraneous and might as well be removed. You do need an access list used for address translation. I have seen problems when nat was configured with an access list that used permit any any. So I suggest that you revise the acl used for nat. In its current form there is no use in using the acl on the interfaces. If you really want to filter something then use an acl. Otherwise just remove the access-group from the interfaces.
- your route map uses acl 197 but that acl has no content.

HTH

Rick

Mark30
Level 1

Thanks. I'm going to work on the config tomorrow and will repost the updated config. Would be great to get your view on the final config. Cheers.

Mark30
Level 1

Updated config. Still working on this.

version 16.12
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login useruath local
aaa authorization network groupauth local
!
!
!
!
!
!
aaa session-id common
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
ip host emby 10.11.16.1
ip host emby.x.local 10.11.16.1
ip name-server 8.8.8.8 192.168.1.254 10.11.0.1
ip domain name x.local
ip dhcp excluded-address 10.12.0.0 10.12.1.0
ip dhcp excluded-address 10.13.0.0 10.13.1.0
ip dhcp excluded-address 10.14.0.0 10.14.1.0
ip dhcp excluded-address 10.11.0.16 10.11.0.255
ip dhcp excluded-address 10.11.20.8 10.11.20.255
ip dhcp excluded-address 10.11.19.4 10.11.19.255
ip dhcp excluded-address 10.11.3.5 10.11.3.255
ip dhcp excluded-address 10.11.13.9 10.11.13.255
ip dhcp excluded-address 10.11.16.2 10.11.16.255
ip dhcp excluded-address 10.11.15.7 10.11.15.255
ip dhcp excluded-address 10.11.14.0 10.11.14.255
ip dhcp excluded-address 10.11.4.0 10.11.12.255
ip dhcp excluded-address 10.11.17.0 10.11.18.255
ip dhcp excluded-address 10.11.21.0 10.11.99.255
ip dhcp excluded-address 10.11.1.0 10.11.2.255
ip dhcp excluded-address 10.11.0.1
ip dhcp excluded-address 10.11.0.3 10.11.0.4
ip dhcp excluded-address 10.11.0.13 10.11.0.14
ip dhcp excluded-address 10.11.20.0
ip dhcp excluded-address 10.14.1.0
ip dhcp excluded-address 10.14.255.255 255.255.255.255
!
ip dhcp pool Main
network 10.11.0.0 255.255.0.0
default-router 10.11.0.1
dns-server 10.11.0.1 8.8.8.8 8.8.4.4
lease 0 1
address 10.11.255.100 client-id "Gi0/1/0" ascii
address 10.11.255.102 client-id "Gi0/1/2" ascii
address 10.11.255.103 client-id "Gi0/1/3" ascii
address 10.11.255.104 client-id "Gi0/1/4" ascii
address 10.11.255.105 client-id "Gi0/1/5" ascii
address 10.11.255.250 client-id "Gi0/1/6" ascii
address 10.11.255.101 client-id "Gi0/1/1" ascii
!
ip dhcp pool Guest
network 10.12.0.0 255.255.0.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.12.0.1
lease 0 1
address 10.12.66.66 hardware-address 00e0.4c68.0cbd
!
ip dhcp pool DMZ
network 10.13.0.0 255.255.0.0
dns-server 8.8.8.8
lease 0 1
!
ip dhcp pool VPN
network 10.14.0.0 255.255.0.0
dns-server 8.8.8.8
lease 0 1
!
XXXXXXXXXXXXXXXXXXXXXXXXXXX Pools removed from here XXXXXXXXXXXXXXXXXXXXX
!
!
login on-success log
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
!
!
!
!
crypto pki trustpoint TP-self-signed-1512562063
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1512562063
revocation-check none
rsakeypair TP-self-signed-1512562063
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1512562063
crypto pki certificate chain SLA-TrustPoint
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
license udi pid C1111-8P sn FCZ2511R650
memory free low-watermark processor 70177
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret 9 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
username mark password 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii FCZ2511R650
ip address 192.168.1.69 255.255.255.0
ip nat outside
ip access-group NAT out
negotiation auto
ipv6 nd autoconfig default-route
ipv6 dhcp client request vendor
!
interface GigabitEthernet0/0/1
ip address dhcp
negotiation auto
!
interface GigabitEthernet0/1/0
switchport mode trunk
ip dhcp server use hardware-address client-id
ip access-group NAT in
!
interface GigabitEthernet0/1/1
switchport mode access
ip dhcp server use hardware-address client-id
ip access-group NAT in
ip access-group NAT out
spanning-tree portfast disable
!
interface GigabitEthernet0/1/2
switchport mode access
ip dhcp relay information option server-id-override
ip dhcp server use subscriber-id client-id
ip access-group NAT in
!
interface GigabitEthernet0/1/3
switchport mode access
ip dhcp relay information option server-id-override
ip dhcp server use subscriber-id client-id
!
interface GigabitEthernet0/1/4
switchport mode access
ip dhcp relay information option server-id-override
ip dhcp server use subscriber-id client-id
!
interface GigabitEthernet0/1/5
switchport mode access
ip dhcp relay information option server-id-override
ip dhcp server use subscriber-id client-id
!
interface GigabitEthernet0/1/6
switchport mode access
ip dhcp relay information option server-id-override
ip dhcp server use subscriber-id client-id
ip access-group NAT in
ip access-group NAT out
!
interface GigabitEthernet0/1/7
switchport access vlan 2
switchport trunk native vlan 2
ip access-group NAT in
ip access-group NAT out
!
interface Vlan1
description Main
ip address 10.11.0.1 255.255.0.0
ip nat inside
!
interface Vlan2
description Guest
ip address 10.12.0.1 255.255.0.0
ip nat inside
ip access-group NAT in
ip access-group NAT out
!
interface Vlan3
description DMZ
ip address 10.13.0.1 255.255.0.0
ip nat inside
!
interface Vlan4
description VPN
ip address 10.14.0.1 255.255.0.0
ip nat inside
!
iox
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip dns server
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 192.168.1.254 25
!
!
ip access-list extended NAT
10 permit ip 10.11.0.0 0.0.255.255 any
20 permit ip 10.12.0.0 0.0.255.255 any
30 permit ip 10.14.0.0 0.0.255.255 any
40 permit ip 10.13.0.0 0.0.255.255 any
50 permit ip 192.168.0.0 0.0.255.255 any
60 permit ip any any
70 permit icmp any any
80 permit tcp any any
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
ip sla schedule 1 life forever start-time now
ip access-list extended 197
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
password XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
length 0
!
!
!
!
!
event manager applet 1663438811449storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute 192.168.11.1"
action 003 file open TECHFILE bootflash:1663438811449sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE
!
end

Here are comments about the config posted today:

- you still have both enable password and enable secret. See the explanation in my previous response.

- the dhcp pools for DMZ and VPN do not specify a default router.

- the acl NAT still has the issues discussed in my previous response. When used for address translation it is a best practice to avoid permit any any. And applying the acl to interfaces using access-group makes no sense to me.

- I am not sure why you have one of the nat inside commands using a route map. And the syntax of that route map makes no sense in the context of nat.

HTH

Rick
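Rick's two comments above both make the same point about the access list NAT: once "permit ip any any" is reached, the entries after it can never match, and an ACL that permits every source is not what you want feeding "ip nat inside source list". As an added example (not from the thread, and not a Cisco tool), here is a Python checker that parses the ACL exactly as posted and reports shadowed entries plus permit entries whose source is any. Assumptions: it handles the "any" / "host A" / "A WILDCARD" address forms and the protocol keyword only, it reports an entry as shadowed only when a single earlier entry covers it (no union of several entries), and it ignores port and TCP-flag matching, which the posted ACL does not use.

```python
"""Shadow / any-source check for a Cisco extended ACL used for NAT.
Added example; SAMPLE_ACL is the list posted in the thread."""
from ipaddress import IPv4Network
from typing import List, Tuple

SAMPLE_ACL = """\
10 permit ip 10.11.0.0 0.0.255.255 any
20 permit ip 10.12.0.0 0.0.255.255 any
30 permit ip 10.14.0.0 0.0.255.255 any
40 permit ip 10.13.0.0 0.0.255.255 any
50 permit ip 192.168.0.0 0.0.255.255 any
60 permit ip any any
70 permit icmp any any
80 permit tcp any any"""

ANY = IPv4Network("0.0.0.0/0")


def _addr(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are hostmasks; ipaddress accepts 'A/hostmask'.
    # Non-contiguous wildcards raise ValueError, which is the right outcome.
    return IPv4Network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def parse_ace(line: str) -> Tuple[int, str, str, IPv4Network, IPv4Network]:
    """'SEQ permit|deny PROTO SRC DST' -> (seq, action, proto, src, dst)."""
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, i = _addr(t, 3)
    dst, _ = _addr(t, i)
    return seq, action, proto, src, dst


def covers(outer, inner) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    _, _, oproto, osrc, odst = outer
    _, _, iproto, isrc, idst = inner
    return (oproto in ("ip", iproto)
            and osrc.supernet_of(isrc) and odst.supernet_of(idst))


def _aces(acl_text: str):
    return [parse_ace(l) for l in acl_text.splitlines() if l.strip()]


def shadowed_entries(acl_text: str) -> List[Tuple[int, int]]:
    """(shadowed_seq, shadowing_seq) pairs: entries that can never match
    because an earlier entry already matches everything they would."""
    aces = _aces(acl_text)
    result = []
    for j, inner in enumerate(aces):
        for outer in aces[:j]:
            if covers(outer, inner):
                result.append((inner[0], outer[0]))
                break
    return result


def permits_any_source(acl_text: str) -> List[int]:
    """Permit entries with source 0.0.0.0/0.  In an ACL referenced by
    'ip nat inside source list', these translate every inside source."""
    return [seq for seq, action, _, src, _ in _aces(acl_text)
            if action == "permit" and src == ANY]


if __name__ == "__main__":
    for shadowed, by in shadowed_entries(SAMPLE_ACL):
        print("entry %d is shadowed by entry %d" % (shadowed, by))
    print("permit-any-source entries:", permits_any_source(SAMPLE_ACL))
```

On the posted list this reports entries 70 and 80 as shadowed by 60, and 60, 70 and 80 as permitting any source. Keeping only the 10.x.0.0/16 entries (one per inside VLAN) gives a NAT ACL that translates exactly the inside networks and nothing else.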

Mark30
Level 1

One last question. I've been playing with the DNS server. But I find either I can resolve hosts on the local domain, or I can resolve hosts on the WAN. Not both at the same time.

Will do a bit of reading but it seems the DNS server on the router doesn't then refer to the WAN DNS to try to resolve.

Not a DNS guru so suspect it's something simple that I'm missing. 

I have just read about split DNS; I think you need this solution.
https://haxcess.wordpress.com/2013/04/22/cisco-split-dns-on-a-router/

Mark30
Level 1

That seemed like the way to go and I tried to do that. Salient part below. Doesn't seem to do anything different. It's like the split tunnelling is not splitting for the local host mypc.x.local.


Any help welcome.

ip dns view default
domain resolver source-interface Vlan1
dns forwarder 8.8.8.8
dns forwarder 8.8.4.4
dns forwarding source-interface Vlan1
ip dns view Internal
domain name-server 10.11.0.1
domain resolver source-interface Vlan1
domain list x.local
domain round-robin
dns forwarder 10.11.0.1
dns forwarding source-interface Vlan1
ip dns view-list Internal
view Internal 10
restrict name-group 1
view default 99
ip dns name-list 1 permit .*.X.LOCAL
ip dns name-list 1 permit 10\.IN-ADDR
ip dns server view-group Internal
ip dns server
