
How to use Vlans and DHCP Pools Configured on Another, Directly Connected Switch?

Matthew Martin
Level 5

Hello All,

Core Switch: WS-C4510R+E
Secondary Attached Switch: WS-C3560-48PS-S

We have our Core switch, i.e. the 4510, which has all the Vlans already configured on it. The 4510 Core Switch and the 3560 switch are directly connected to one another via Trunk ports, like so:

********** 4510 Trunk Port **********
4510R-HQ# show run int Gi9/22
Building configuration...

Current configuration : 230 bytes
!
interface GigabitEthernet9/22
 description IT Room Switch 
 switchport mode trunk
 auto qos voip cisco-phone 
 service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
end

********** 3560 Trunk Port **********
3560sw1-IT# show run int Fa0/1
Building configuration...

Current configuration : 149 bytes
!
interface FastEthernet0/1
 description uplink to 4510R+E
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
end

*FYI: The 4510's Trunk port, which now has a switch on it, was previously configured as a regular User workstation port, which is why the auto-qos stuff is on there, and I figured since we will probably have cisco ip phones connected to the 3560 so they can be configured, it wouldn't hurt to leave it on there...

Also, the 3560 is now configured so that connected devices can be authenticated via our Cisco ISE server, which is why the 3560's trunk port has the dhcp snooping command configured on it, which is for device Profiling purposes.

On the 4510, the Vlans I need access to are the User Access Vlan, vlan114, as well as the Voice Vlan, vlan124. From one of the guides I found on cisco.com for configuring InterVLAN Routing, it seemed like you only really needed to include:

3560sw1-SP(config)#vlan 114
3560sw1-SP(config-vlan)#name Access
3560sw1-SP(config-vlan)#exit
3560sw1-SP(config)#
3560sw1-SP(config)#vlan 124   
3560sw1-SP(config-vlan)#name Voice 
3560sw1-SP(config-vlan)#exit

However, PCs and IP Phones connected to the Switchports on the 3560 aren't getting IP Addresses.

Below is an example of how I configured the Switchports on the 3560 that will be used as User Workstation ports (*i.e. for IP Phones and/or PCs). And like I had mentioned earlier, the 3560 switch is already configured to Authenticate devices through the Cisco ISE server, and I can see on the ISE server and on the switch (*via "show auth sess...") that the connected devices are authenticating properly, they just aren't getting IP Addresses.

3560sw1-SP#show run int Fa0/3
Building configuration...

Current configuration : 671 bytes
!
interface FastEthernet0/3
 switchport access vlan 114
 switchport mode access
 switchport voice vlan 124
 authentication event fail action next-method
 authentication event server dead action authorize vlan 114
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

I'm sure there is something I am missing to allow devices connected via the 3560 switch to use the Access and Voice Vlans that are already configured on the 4510... So if anyone has ANY thoughts or suggestions, it would be greatly appreciated..! Or if you need any more info from me just let me know and I'll reply back with that info, Thanks!

Thanks in Advance,
Matt

Accepted Solution

Sorry for the consecutive posts, but I have some new info...

Ok, so I tried following the guide at the link below, which seems pretty much what I want to achieve. Where you have an Access switch (*the 3560 in my case) connected to a Layer-3 switch (*the 4510). The Layer-3 switch has all of the Vlan interfaces configured on it, and then devices connecting to the Access switch should get IP Addresses via those Vlans on the Layer-3 switch. The guide pretty much states to do exactly what you guys have suggested to do, and which I've done already...

InterVLAN Routing - Layer-3 and Layer-2 Switch Configuration

Basically, the steps were to create trunk ports on both switches for the ports connecting them together, and then enable dot1q encapsulation on those trunk ports.
Then, on the 3560 run these commands to create the matching Vlans on the 3560 by entering the following:

# conf t
(config)# vlan 114
(config-if)# exit
(config)#
(config)# vlan 124
(config-if)# end


Then, assign the "switchport access vlan <vlan-#>" to the switchports for the PCs. After they do that in the guide, they create the actual Vlan Interfaces (*SVIs) on the Layer-3 switch, which for me is the 4510. So, in my case, these SVIs were already created... I'm not positive, but I didn't think this should cause an issue by the order in which these things are created, I assume it doesn't, but just want to make sure...

######################################################

After I did those steps above again and nothing changed, I decided to try a different approach...

On the 3560 I decided to try and create the SVI "interface Vlan114", which I did. Then, I assigned it an IP Address in that subnet that is configured as an excluded address in the DHCP Pool. And the moment I clicked enter after issuing the "ip address 10.20.114.14 255.255.255.0" the DHCP debugging commands that I had enabled started spitting out lots of lines in the terminal monitor, like these below:

Mar  1 13:31:12.438 EST: DHCPD: Reload workspace interface Vlan114 tableid 0.
Mar  1 13:31:12.438 EST: DHCPD: tableid for 10.60.114.14 on Vlan114 is 0
Mar  1 13:31:12.438 EST: DHCPD: client's VPN is .
Mar  1 13:31:12.438 EST: DHCPD: using received relay info.
Mar  1 13:31:14.493 EST: DHCPD: Reload workspace interface Vlan114 tableid 0.
Mar  1 13:31:14.493 EST: DHCPD: tableid for 10.60.114.14 on Vlan114 is 0
Mar  1 13:31:14.493 EST: DHCPD: client's VPN is .
Mar  1 13:31:14.493 EST: DHCPD: Finding a relay for client 0100.249b.1008.53 on interface Vlan114.
Mar  1 13:31:18.100 EST: DHCPD: Reload workspace interface Vlan114 tableid 0.
Mar  1 13:31:18.100 EST: DHCPD: tableid for 10.60.114.14 on Vlan114 is 0
Mar  1 13:31:18.100 EST: DHCPD: client's VPN is .
Mar  1 13:31:18.100 EST: DHCPD: Finding a relay for client 0100.1d09.1382.6e on interface Vlan114.
Mar  1 13:31:22.949 EST: DHCPD: Reload workspace interface Vlan114 tableid 0.
Mar  1 13:31:22.949 EST: DHCPD: tableid for 10.60.114.14 on Vlan114 is 0
Mar  1 13:31:22.949 EST: DHCPD: client's VPN is .
Mar  1 13:31:22.949 EST: DHCPD: using received relay info.


These lines above continued printing over and over for all different mac addresses, which I'm not sure where exactly those mac addresses are coming from...

But, even after that my connected laptop was still NOT getting an IP Address. So I added this line below, which is the same line configured in Vlan114 on the 4510:

ip helper-address [dhcp-server-IP]

to the SVI for Vlan114 on the 3560 and now my laptop can successfully get an IP Address... However, since it sounds like from that guide above and from what you guys stated, this should be working without me needing to create the SVI on the 3560, so is this just basically a hack/workaround for the problem I'm having?

Not sure what else to try since it seems like this "should" be working the way I had it configured before I added the SVI for Vlan114 to the 3560...?

Thanks Again,
Matt


26 Replies

Reza Sharifi
Hall of Fame

Hi Matt,

On the core switch in addition to the layer-2 vlans, you also need to create the layer-3 interfaces or the SVIs for both vlans.

example:

config t

inter vlan 114

ip address 192.168.114.1 255.255.255.0

no sh

inter vlan 124

ip address 192.168.124.1 255.255.255.0

no sh

Try these commands and test again.

HTH

Hi Matt,

Reza has given a perfect answer; however, a few additional things are also required because you need the Layer 3 switch (4500) to act as DHCP.

on 4500 switch

conf t

#enable ip routing

ip routing

#configure dns servers and domain name

ip domain-name duracell.com
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip name-server 8.8.8.8
ip name-server 4.2.2.2

#create dhcp scope for that vlan

ip dhcp pool 114
 utilization mark high 90 log
 utilization mark low 50 log
 network 192.168.114.0 255.255.255.0
 default-router 192.168.114.1
 dns-server [private dns server1] [private dns server 2] 8.8.8.8
 lease 0 8

#exclude few ip addresses if you want

ip dhcp excluded-address 192.168.114.5 192.168.114.20

Hope this helps you

Thank you

Hi Jigar,

Just wanted to let you know I replied to your post in the comment I made on Reza's post... Thanks for your reply!

Thanks Again,
Matt

Hey Reza and Jigar, thanks for the replies, very much appreciated!

Sorry, I should have included those configurations in my OP; I just didn't want the OP question to be super long.

Here is what's already configured on the 4510, and also DHCP for Vlan114 comes from a Linux server, which is configured as an ip helper-address in the Vlan interface. But Vlan124's DHCP (*i.e. the Voice Vlan) is done locally on the 4510...

Here is some of the 4510's Config:

!
ip dhcp pool VOICE
 network 10.20.124.0 255.255.255.0
 default-router 10.20.124.1                  !--> Vlan124s IP Address
 option 150 ip 192.168.11.9 192.168.11.8 10.30.2.9   !--> CallManagers
 dns-server 192.168.5.35 10.30.1.3
!
!......
!
interface Vlan114
 description End User Desktops
 ip address 10.20.114.1 255.255.255.0
 ip helper-address 192.168.2.25               !--> Main DHCP Server
 ip helper-address 10.30.123.25               !--> Backup DHCP Server
 ip helper-address 192.168.2.49               !--> Main Cisco ISE Server
 ip helper-address 10.30.10.49                !--> Backup Cisco ISE Server
!
interface Vlan124
 description End User Phones
 ip address 10.20.124.1 255.255.255.0
!


Here is the DHCP Configuration for Vlan114 on the Linux Box:

*I know this is a Linux config so I'll just say that this Pool works just fine on the 4510, just so you're aware...

subnet 10.20.114.0 netmask 255.255.255.0 {
    group {
        option routers 10.20.114.1;
        option domain-name-servers 192.168.5.35,10.30.1.3;
    }

    pool {
        failover peer "dhcp-failover";
        deny dynamic bootp clients;
        option routers 10.20.114.1;
        option domain-name-servers 192.168.5.35,10.30.1.3;
        option tftp-server-address 192.168.11.8 10.30.2.9;
        range 10.20.114.24 10.20.114.210;
    }
}


As you might be able to tell from the new info, the 4510 already has ip routing enabled...

So, now with that new info above, is there anything I'm missing from the 3560? And just in case you missed it above, Vlan114's DHCP works just fine when connecting a device directly to a switchport on the 4510.

Thanks again for the replies, very much appreciated!

Thanks,
Matt

Matt

At the moment you don't know which bit is failing. So go back to basics and remove all the authentication configuration off the access port on the 3560 and then see if you can get an IP.

Jon

Hey Jon, thanks for the reply.

I'm pretty sure the Auth config is working just fine. I can see on the switch with the "show auth sessions" command, that the laptop was successfully authenticating via dot1x and the IP Phone was successfully authenticating via mab...

However, I removed the Auth stuff from those 2 switchports anyway, as you suggested, and it still seems as though neither the laptop nor the IP Phone are getting IP Addresses.

The 2 Switchports that have the PC and Phone connected to them, both have the following configuration, see below:

3560sw1-IT# show run int Fa0/31 (*and Fa0/29)
Building configuration...

Current configuration : 137 bytes
!
interface FastEthernet0/31
 switchport access vlan 114
 switchport mode access
 switchport voice vlan 124
 spanning-tree portfast
end


Now, on the laptop, if I run "ipconfig /renew" I eventually get the error message:

"An error occurred while renewing interface Local Area Connection : unable to contact your DHCP server. Request has timed out."


So I tried enabling the following DHCP debugging on the 3560 and I am really only getting the messages you see below:

3560sw1-SP#
3560sw1-SP#show debugg
DHCP server packet debugging is on.

DHCPC:
  DHCP client activity debugging is on (detailed)

3560sw1-SP#
3560sw1-SP#
Feb 28 17:49:47.045 EST: DHCPD: no option 125
Feb 28 17:49:47.112 EST: DHCPD: no option 125
Feb 28 17:49:51.692 EST: DHCPD: no option 125
Feb 28 17:49:53.974 EST: DHCPD: no option 125
Feb 28 17:49:54.016 EST: DHCPD: no option 125

These are the log messages that print to the terminal when I attempt the /renew from the laptop...


Also, I'm wondering if this could be the problem. When this 3560 was given to me as a spare switch for us to use, it was already configured with an "interface Vlan1" on it, which has the IP Address 192.168.3.3.
Now, the 4510 also has an "interface Vlan1" configured on it, which has the IP Address 192.168.3.2 configured.
Then, on the 3560, the default ip route configured is "ip route  0.0.0.0  0.0.0.0 192.168.3.2".... Could this be my problem? I can still ping both Vlan114 and Vlan124 from the 3560, so not too sure what the issue is.?


Thanks again for the replies!

Thanks,
Matt

Matt

Strictly speaking, if the 3560 is acting only as L2 and the L3 switch is the 4510, then you should not have that default route, nor should "ip routing" be enabled on the 3560. However, it doesn't matter because the switches are connected via a trunk link, so it shouldn't matter, although you may want to tidy it all up once it is working.

Can you post from the 3560 -

"sh vlan" and "sh int trunk"

and from the 4500 -

"sh int trunk"

in addition presumably you have the PC connected to the phone connected to the switch. If at all possible could you temporarily take the phone out of it and just use the PC.

Finally do you have this setup ie. PC DHCP pool in Linux and voice vlan on switch working elsewhere ?

Jon

Hey Jon,

Right, however I believe I needed IP Routing enabled to have the switch work with ISE, I believe... That might be incorrect, but I thought that was the case... Either way I was using one of the FastEthernet ports as an IP Routed port for testing that I was doing with some other Cisco devices. And IP Routing was already enabled when I was handed the 3560 switch.

To answer your questions at the end of your comment first: The Phone is connected to its own port (*Fa0/29) and the PC is on its own port as well (*Fa0/31). Besides those 2 devices and the trunk port connecting to the 4510 (*Fa0/1) that's all that is currently connected to the 3560.

Sorry, wasn't 100% sure exactly what you meant by your very last question. But, if you mean are other devices getting DHCP addresses on Vlan 114 and 124, then yes... If I were to walk into the server room right now and plug my laptop directly into the 4510 (*of course on a switchport configured for Users Workstations) then I would get an address in the 10.20.114.x network automatically via DHCP. Same goes for IP Phones, if I were to plug an IP Phone into a port configured for Users, then it would get a DHCP address in the Pool 10.20.124.x scope, without issue.

And yes, you are correct in that the Voice Vlan124's DHCP Pool is configured directly on the 4510, and the Access/User Vlan (*Vlan114) is configured on the Linux box. And both DHCP Pools are working just fine when connecting directly to the 4510, these are our 2 main Vlans for mostly ALL users and ip phones in our HQ.

Here are the Commands you Requested from the 3560:

3560sw1-IT# show vlan 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Gi0/1, Gi0/2
                                                Gi0/3, Gi0/4
2    VLAN0002                         active    
3    VLAN0003                         active    
4    VLAN0004                         active    
5    VLAN0005                         active    
6    VLAN0006                         active    
8    PRINTERS8                        active    
10   VLAN0010                         active    
11   VLAN0011                         active    
12   VLAN0012                         active    
31   VLAN0031                         active    
54   VLAN0054                         active    
61   UNTRUSTED                        active    
100  EXTSRV100                        active    
112  desktops                         active    
114  Access                           active    Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Fa0/25, Fa0/26, Fa0/27, Fa0/28, Fa0/29, Fa0/30, Fa0/31
                                                Fa0/32, Fa0/33, Fa0/34, Fa0/35, Fa0/36, Fa0/37, Fa0/38, Fa0/39, Fa0/40, Fa0/41, Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46
                                                Fa0/47, Fa0/48
118  PRINTER118                       active    
124  Voice                            active    Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Fa0/25, Fa0/26, Fa0/27, Fa0/28, Fa0/29, Fa0/30, Fa0/31
                                                Fa0/32, Fa0/33, Fa0/34, Fa0/35, Fa0/36, Fa0/37, Fa0/38, Fa0/39, Fa0/40, Fa0/41, Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46
                                                Fa0/47, Fa0/48
125  VLAN0125                         active    
200  network                          active    
201  VLAN0201                         active    
205  MobileWifi                       active    
206  a2-wlan                          active    
207  guest-wlan                       active    
208  mobile-wlan                      active    
555  VLAN0555                         active    
601  VLAN0601                         active    
602  VLAN0602                         active    
603  VLAN0603                         active    
900  VLAN0900                         active    
1002 fddi-default                     act/unsup 
1003 trcrf-default                    act/unsup 
1004 fddinet-default                  act/unsup 
1005 trbrf-default                    act/unsup 

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0   
2    enet  100002     1500  -      -      -        -    -        0      0   
3    enet  100003     1500  -      -      -        -    -        0      0   
4    enet  100004     1500  -      -      -        -    -        0      0   
5    enet  100005     1500  -      -      -        -    -        0      0   
6    enet  100006     1500  -      -      -        -    -        0      0   
8    enet  100008     1500  -      -      -        -    -        0      0   
10   enet  100010     1500  -      -      -        -    -        0      0   
11   enet  100011     1500  -      -      -        -    -        0      0   
12   enet  100012     1500  -      -      -        -    -        0      0   
31   enet  100031     1500  -      -      -        -    -        0      0   
54   enet  100054     1500  -      -      -        -    -        0      0   
61   enet  100061     1500  -      -      -        -    -        0      0   
100  enet  100100     1500  -      -      -        -    -        0      0   
112  enet  100112     1500  -      -      -        -    -        0      0   
114  enet  100114     1500  -      -      -        -    -        0      0   
118  enet  100118     1500  -      -      -        -    -        0      0   
124  enet  100124     1500  -      -      -        -    -        0      0   
125  enet  100125     1500  -      -      -        -    -        0      0   
200  enet  100200     1500  -      -      -        -    -        0      0   
201  enet  100201     1500  -      -      -        -    -        0      0   
205  enet  100205     1500  -      -      -        -    -        0      0   
206  enet  100206     1500  -      -      -        -    -        0      0   
207  enet  100207     1500  -      -      -        -    -        0      0   
208  enet  100208     1500  -      -      -        -    -        0      0   
555  enet  100555     1500  -      -      -        -    -        0      0   
601  enet  100601     1500  -      -      -        -    -        0      0   
602  enet  100602     1500  -      -      -        -    -        0      0   
603  enet  100603     1500  -      -      -        -    -        0      0   
900  enet  100900     1500  -      -      -        -    -        0      0   
1002 fddi  101002     1500  -      -      -        -    -        0      0   
1003 trcrf 101003     4472  1005   3276   -        -    srb      0      0   
1004 fdnet 101004     1500  -      -      -        ieee -        0      0   
1005 trbrf 101005     4472  -      -      15       ibm  -        0      0   


VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7       7       off

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

3560sw1-IT#
3560sw1-IT#
3560sw1-IT# show int trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900

3560sw1-IT#
3560sw1-IT#



And here are the Commands you Requested from the 4510:
*The 3560 is connected to the 4510 on Port Gi9/22, I included its cdp entry from the 4510...

4510R-HQ#show cdp nei | inc 3560
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
3560sw1-IT.mydomain.com
                 Gig 9/22          135             R S I  WS-C3560- Fas 0/1

4510R-HQ#
4510R-HQ#
4510R-HQ#show int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/46      on               802.1q         trunking      1
Gi3/43      on               802.1q         trunking      200
Gi3/44      on               802.1q         trunking      200
Gi3/45      on               802.1q         trunking      200
Gi3/46      on               802.1q         trunking      200
Gi3/47      on               802.1q         trunking      200
Gi3/48      on               802.1q         trunking      200
Gi7/30      on               802.1q         trunking      1
Gi9/22      on               802.1q         trunking      1
Gi9/44      on               802.1q         trunking      1
Gi10/13     on               802.1q         trunking      200
Po3         on               802.1q         trunking      2
Po6         on               802.1q         trunking      1
Po7         on               802.1q         trunking      1
Po8         on               802.1q         trunking      1
Po9         on               802.1q         trunking      1
Po18        on               802.1q         trunking      1
Po19        on               802.1q         trunking      1
Po44        on               802.1q         trunking      1
Po45        on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/46      8,124,205-208
Gi3/43      6,200,205-207
Gi3/44      6,200,205-207
Gi3/45      6,200,205-207
Gi3/46      6,200,205-207
Gi3/47      6,200,205-207
Gi3/48      6,200,205-207
Gi7/30      1-4094
Gi9/22      1-4094
Gi9/44      1-3,5-200
Gi10/13     6,200,205-207
Po3         1-4094
Po6         1-4094
Po7         1-4094
Po8         1-4094
Po9         1-4094
Po18        1-4094
Po19        1-4094
Po44        1,4,207,900
Po45        1,4,207,900

Port        Vlans allowed and active in management domain
Gi1/46      8,124,205-208
Gi3/43      6,200,205-207
Gi3/44      6,200,205-207
Gi3/45      6,200,205-207
Gi3/46      6,200,205-207
Gi3/47      6,200,205-207
Gi3/48      6,200,205-207
Gi7/30      1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Gi9/22      1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Gi9/44      1-3,5-6,8,10-12,31,54,61,100,112,114,118,124-125,200
Gi10/13     6,200,205-207
Po3         1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po6         1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po7         1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po8         1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po9         1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po18        1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po19        1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po44        1,4,207,900
Po45        1,4,207,900

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/46      8,124,205-208
Gi3/43      6,200,205-207
Gi3/44      6,200,205-207
Gi3/45      6,200,205-207
Gi3/46      6,200,205-207
Gi3/47      6,200,205-207
Gi3/48      6,200,205-207
Gi7/30      1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Gi9/22      1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Gi9/44      1-3,5-6,8,10-12,31,54,61,100,112,114,118,124-125,200
Gi10/13     6,200,205-207
Po3         1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po6         1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po7         1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po8         1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po9         1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po18        1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po19        1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po44        1,4,207,900
Po45        1,4,207,900

4510R-HQ#
4510R-HQ#



Thanks again for the help and the quick replies, much appreciated!

Thanks,
Matt
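An added example, not part of any post in this thread: a small Python check that reads "show int trunk" output like the listings above and reports, per stage (allowed, active, STP forwarding), which required VLANs are missing on a given trunk port. The function names and the trimmed sample strings are constructed for illustration, and handling of indented continuation lines assumes the device wraps long VLAN lists that way.

```python
import re

# Section headers of "show interfaces trunk" mapped to short stage names.
SECTIONS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}
VLAN_LIST = re.compile(r"none|[\d,-]+")
ALL_VLANS = ("1-6,8,10-12,31,54,61,100,112,114,118,124-125,"
             "200-201,205-208,555,601-603,900")

# Constructed samples, trimmed from the outputs quoted in the post above.
SAMPLE_3560 = f"""\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       {ALL_VLANS}

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       {ALL_VLANS}
"""
SAMPLE_4510 = f"""\
Port        Vlans allowed on trunk
Gi1/46      8,124,205-208
Gi9/22      1-4094

Port        Vlans allowed and active in management domain
Gi1/46      8,124,205-208
Gi9/22      {ALL_VLANS}

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/46      8,124,205-208
Gi9/22      {ALL_VLANS}
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1-6,8,124-125' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunk(output):
    """Return {port: {"allowed": set, "active": set, "forwarding": set}}."""
    result, section, last_port = {}, None, None
    for line in output.splitlines():
        header = re.match(r"^Port\s+(.*\S)\s*$", line)
        if header:
            # The Mode/Encapsulation table is not in SECTIONS, so it is skipped.
            section, last_port = SECTIONS.get(header.group(1)), None
            continue
        if section is None or not line.strip():
            continue
        fields = line.split()
        if line[0].isspace() and len(fields) == 1:
            port, spec = last_port, fields[0]      # wrapped continuation line
        elif len(fields) == 2:
            port, spec = fields
        else:
            continue
        if port is None or not VLAN_LIST.fullmatch(spec):
            continue                               # prompts and other noise
        last_port = port
        stages = result.setdefault(port, {s: set() for s in SECTIONS.values()})
        stages[section] |= expand_vlans(spec)
    return result


def missing_vlans(output, port, required):
    """Map each stage to the required VLANs that are absent on this port."""
    empty = {stage: set() for stage in SECTIONS.values()}
    stages = parse_trunk(output).get(port, empty)
    need = set(required)
    return {stage: sorted(need - seen)
            for stage, seen in stages.items() if need - seen}


if __name__ == "__main__":
    print("3560 Fa0/1 :", missing_vlans(SAMPLE_3560, "Fa0/1", [114, 124]))
    print("4510 Gi9/22:", missing_vlans(SAMPLE_4510, "Gi9/22", [114, 124]))
    print("4510 Gi1/46:", missing_vlans(SAMPLE_4510, "Gi1/46", [114, 124]))
```

An empty result for both ends of the link means VLANs 114 and 124 are carried end to end at Layer 2, so the fault lies elsewhere (DHCP relay, snooping, or ACLs).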

Matt

Not worked with ISE so if you need routing on the switch then you know better than me. As I say it should not be the problem.

Thanks for the outputs and everything looks fine. So couple more things -

what happens if you manually assign an IP to your PC, can you then ping the 4510 SVI IP address and other IPs from different vlans ?

If you can then can you remove the "ip dhcp snooping trust" command from the trunk port on the 3560 temporarily and retest with DHCP on the PC.

Apologies for continuing to remove configuration, but sometimes it is the best way to find out which bit is stopping it from working.

Jon

Hey, no worries Jon... I'm willing to try whatever on the 3560, no problem at all!

You read my mind... I did the static IP test right after I submitted my last reply. I set my laptop IP to 10.20.114.251 and I was able to get connected to the network, and I could ping a device on just about every Vlan I could think of, including the 114 and 124... Removing dhcp snooping now, and resetting NIC back to Auto/DHCP...

Ok, so I removed the snooping command and then removed the static IP from the laptop and set it back to automatic. Then used the "Network Repair" option on the AnyConnect Network Access Manager, which to my knowledge basically just simulates disabling and re-enabling the NIC on the laptop, and after about 60 seconds or so I get the Limited or no Connectivity message and my IP gets set to that auto one that Windows does when it cannot get a DHCP address, *i.e. 169.254.37.39...

I'm about to head out of the office for today. So if you reply I might not see it until tomorrow morning... Thanks again for the assistance, very much appreciated.!


Thanks Again,
Matt

Matt

No problem we can pick this up tomorrow.

Jon

Hey Jon,

Was wondering if there are any debug commands, or similar, that can be enabled to see if DHCP messages are being sent to the 4510? Don't think I can enable anything like that on the 4510 just because I don't want to hike up the CPU or anything along those lines, so was hoping there might be something on the 3560 that can be turned on..?

I tried enabling the debug commands:

3560sw1-SP#show debugg
DHCP server packet debugging is on.

DHCPC:
  DHCP client activity debugging is on (detailed)


But, it seems like maybe those are for the machine that's actually acting as the DHCP server, well at least that one debug command probably is... The only output I'm seeing from those commands are:

Feb 28 18:49:59.193 EST: DHCPD: no option 125
Feb 28 18:58:28.534 EST: DHCPD: no option 125
Feb 28 18:58:28.601 EST: DHCPD: no option 125
Mar  1 08:50:23.052 EST: DHCPD: option 24 is malformed (option length 0).
Mar  1 09:31:24.706 EST: DHCPD: option 74 is malformed (option length 87).
Mar  1 09:47:46.999 EST: DHCPD: option 74 is malformed (option length 87).


Also, I am now seeing these messages below in the 3560's logging buffer. Must be from removing that dhcp snooping trust command.

Mar  1 10:52:34.612 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 4c00.829d.xxxx
Mar  1 11:01:48.077 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 4c00.829d.xxxx
Mar  1 11:07:36.508 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 4c00.829d.xxxx

Any other ideas?

Thanks in Advance,
Matt
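An added example, not part of any post in this thread: a Python triage of DHCP_SNOOPING_UNTRUSTED_PORT messages in the format quoted above, grouping dropped server replies (DHCPOFFER, DHCPACK, DHCPNAK) by source MAC. The function name, the verdict labels, the `known_server_macs` parameter and the sample log (documentation-range MACs) are constructed for illustration; the idea is that drops from your own gateway or relay point to missing trust on the uplink, while drops from any other MAC point to an unexpected DHCP server that should be investigated.

```python
import re
from collections import Counter, defaultdict

# Matches the IOS syslog format shown in the post; "x" is accepted in the MAC
# because the thread masks the last group as "xxxx".
DROP_RE = re.compile(
    r"%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT:.*?"
    r"message type: (?P<type>DHCP[A-Z]+), "
    r"MAC sa: (?P<mac>[0-9a-fx]{4}\.[0-9a-fx]{4}\.[0-9a-fx]{4})",
    re.IGNORECASE,
)

# Message types that only a DHCP server or relay should originate.
SERVER_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

# Constructed sample log. 0000.5e00.5301 stands in for the core switch SVI,
# 0000.5e00.53aa for a device nobody expects to answer DHCP.
SAMPLE_LOG = """\
Mar  1 10:52:34.612 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0000.5e00.5301
Mar  1 11:01:48.077 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0000.5e00.5301
Mar  1 11:03:02.410 EST: DHCPD: no option 125
Mar  1 11:07:36.508 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0000.5e00.5301
Mar  1 11:09:10.003 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0000.5e00.53aa
"""


def triage(log_text, known_server_macs):
    """Group dropped server replies by source MAC and label each source.

    known_server_macs: MACs of the legitimate DHCP server or relay hop as
    seen from this switch (for example the upstream SVI), in IOS dotted form.
    """
    per_mac = defaultdict(Counter)
    for line in log_text.splitlines():
        match = DROP_RE.search(line)
        if not match:
            continue
        msg_type = match.group("type").upper()
        if msg_type in SERVER_TYPES:
            per_mac[match.group("mac").lower()][msg_type] += 1

    known = {mac.lower() for mac in known_server_macs}
    findings = {}
    for mac, counts in per_mac.items():
        # Legitimate replies being dropped: the port facing the server is not
        # trusted. Anything else is a server nobody has vouched for.
        verdict = "uplink-not-trusted" if mac in known else "unexpected-server"
        findings[mac] = {"verdict": verdict, "drops": dict(counts)}
    return findings


if __name__ == "__main__":
    for mac, info in triage(SAMPLE_LOG, ["0000.5e00.5301"]).items():
        print(mac, info["verdict"], info["drops"])
```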

To add to my previous comment...

I just came across this page below. On that page they said they were not receiving any IP Addresses on a specific subnet. But, once they set one of the Gi ports to have an IP Address on the same subnet, it then started dishing out IP Addresses for that subnet...

I'm wondering if I should set an IP Address on the switch to be on Vlan114, or if I could just set any Fa port on the 3560 to have an address in Vlan114?

Do you think there needs to be a layer 3 interface with an IP Address configured in the 114 Vlan?

http://www.embeddedsystemtesting.com/2013/07/no-option-125-error-from-cisco-dhcp.html

Thanks,
Matt

Matt

You should not need to do that because you have an SVI on the 4500 with an IP for that vlan.

What you are trying to do should be very straightforward, done it many times myself as have many others.

Do you have any acls in use on the 4500 ?

Jon
