cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1686
Views
15
Helpful
11
Replies

DHCP Stopped Working C881W

Gene Horr
Level 1
Level 1

DHCP was working both on the wired and AP sides.  This is the only DHCP server on the local network.  I am fairly sure it is an ACL issue but am lost as to what I did wrong.  The following are the DHCP, Interface, and ACL sections of the configuration:

 

!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool ccp-pool
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.25 8.8.8.8 64.88.192.20 64.88.192.21
 netbios-name-server 192.168.1.25
 lease 0 2
!
!
!
ip domain name pvm.local
ip name-server 8.8.8.8
ip name-server 192.168.1.25
ip name-server 64.88.192.20
ip name-server 64.88.192.21
ip inspect name firewall http
ip inspect name firewall https
ip inspect name firewall tcp
ip inspect name firewall udp
ip cef
no ipv6 cef
<snip>

interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description PrimaryWANDesc_
 ip address 173.209.76.13 255.255.255.0
 ip access-group 100 in
 ip access-group 110 out
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Wlan-GigabitEthernet0
 no ip address
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 110 in
 ip access-group 110 out
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
no ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 110 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 173.209.76.1
!
!
access-list 20 permit 0.0.0.0 255.255.255.0
access-list 100 deny   tcp any any
access-list 100 deny   udp any any
access-list 100 deny   ip any any
access-list 110 permit ip any any
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit icmp any any
!

 

11 Replies 11

Reza Sharifi
Hall of Fame
Hall of Fame

For testing, does it work if you remove acl 100 and 110 from vlan 1?

HTH

Hello

Regards you using CBAC, I am assuming you dont require any traffic initiation from outside of interface fa0/4, So denying any traffic from the outside would be applicable.

 

The acl 100 would be okay however i would clean it ip a little and also the cbac inspect protocols.

 

You also dont need to apply acl 100 on the svi interface as your permit everything any way, and lastly the nat acl 110 need to be more specific other than any any.

 

Please try the following:
no access-list 100
no access-list 110
access-list 100 deny ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any ( for cbac)
access-list 110 permit ip 192.168.1.0 0.0.0.255 any (for nat)

 

no ip inspect name firewall http
no inspect name firewall https
ip inspect name firewall icmp


int vlan 1

no ip access-group 110 in
no ip access-group 110 out
ip access-group 101 in
ip inspect firewall in

 

int fa0/4
no ip access-group 110 out
no ip inspect firewall out

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for the tips.  You answered my next question before I even asked it, which was help on cleaning up everything.  

 

DHCP still has a problem.  It appears that it is handing out 10.0.1.X addresses. 

  

Hello

Are you saying your lan hosts are receiving a 10.xxx allocation instead of the 192.168.x.x

Can you post the ipconfg /all form a host that receive such addressing, it should tell the dhcp server ip address.

 

 

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks.  I mentioned in another post there was a rogue server present.  Now the workstations time out, so still no dhcp.  But I am going to try again later with the router isolated to test whether something else is causing problems.

Rouge DHCP server.  Someone had plugged in an Apple Airport device. 

Hello

Yep that would do it all the time?
if you have switches that support dhcp snooping then suggest your enable it

res

Paul.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Well, it winds up it was "A" problem but not "The" problem.

 

Tested this morning with only network connection a Win10 PC on FE0. No other network connections including the WAN.  DHCP timed out.  Tried a wireless connection with the same PC.  Error not able to configure.

 

Connecting with a fixed IP works fine.  Internet works and can connect to the router GUI interface.

 

As a reminder everything had been working at one time.

 

Here are a few "show" results in case they help

 

C881#sh dhcp server
   DHCP server: ANY (255.255.255.255)
    Leases:   0
    Offers:   0      Requests: 0     Acks : 0     Naks: 0
    Declines: 0      Releases: 0     Query: 0     Bad: 0
    Forcerenews: 0      Failures: 0

 

sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.1.101       0152.4153.2000.1e4f.    Nov 16 2017 09:25 AM    Automatic
                    2668.bd00.0000.0000.
                    00 

 

C881#sh ip dhcp server statistics
Memory usage         40930
Address pools        1
Database agents      0
Automatic bindings   1
Manual bindings      0
Expired bindings     0
Malformed messages   0
Secure arp entries   0

Message              Received
BOOTREQUEST          0
DHCPDISCOVER         2
DHCPREQUEST          282
DHCPDECLINE          0
DHCPRELEASE          2
DHCPINFORM           0

Message              Sent
BOOTREPLY            0
DHCPOFFER            2
DHCPACK              11
DHCPNAK              271

 

 

PS - Also tried deleting the exiting pool and creating a new one using CCP Express.  No default checkboxes were changed.  Still not working.

 

Hello

Okay - I am assuming we are talking about your Lan clients ?
Do you have any switch attach to this rtr and if so how it is connected?

Res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

As mentioned above there are two devices with a single network cable.  The C881 and a PC.  Nothing else.  Network cable plugged into FE0.  Tested with two different PCs.  PCs have no problem getting DHCP info on a different network.

Review Cisco Networking for a $25 gift card