02-27-2017 04:20 PM - edited 03-08-2019 09:31 AM
Hello All,
Core Switch: WS-C4510R+E
Secondary Attached Switch: WS-C3560-48PS-S
We have our Core switch, i.e. the 4510, which has all the Vlans already configured on it. The 4510 Core Switch and the 3560 switch are directly connected to one another via Trunk ports, like so:
********** 4510 Trunk Port **********
4510R-HQ# show run int Gi9/22
Building configuration...
Current configuration : 230 bytes
!
interface GigabitEthernet9/22
description IT Room Switch
switchport mode trunk
auto qos voip cisco-phone
service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
end
********** 3560 Trunk Port **********
3560sw1-IT# show run int Fa0/1
Building configuration...
Current configuration : 149 bytes
!
interface FastEthernet0/1
description uplink to 4510R+E
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
end
*FYI: The 4510's Trunk port, which now has a switch on it, was previously configured as a regular User workstation port, which is why the auto-qos stuff is on there, and I figured since we will probably have cisco ip phones connected to the 3560 so they can be configured, it wouldn't hurt to leave it on there...
Also, the 3560 is now configured so that connected devices can be authenticated via our Cisco ISE server, which is why the 3560's trunk port has the dhcp snooping command configured on it, which is for device Profiling purposes.
On the 4510, the Vlans I need access to are the User Access Vlan, vlan114, as well as the Voice Vlan, vlan124. From one of the guides I found on cisco.com for configuring InterVLAN Routing, it seemed like you only really needed to include:
3560sw1-SP(config)#vlan 114
3560sw1-SP(config-vlan)#name Access
3560sw1-SP(config-vlan)#exit
3560sw1-SP(config)#
3560sw1-SP(config)#vlan 124
3560sw1-SP(config-vlan)#name Voice
3560sw1-SP(config-vlan)#exit
However, PCs and IP Phones connected to the Switchports on the 3560 aren't getting IP Addresses.
Below is an example of how I configured the Switchports on the 3560 that will be used as User Workstation ports (*i.e. for IP Phones and/or PCs). And like I had mentioned earlier, the 3560 switch is already configured to Authenticate devices through the Cisco ISE server, and I can see on the ISE server and on the switch (*via "show auth sess...") that the connected devices are authenticating properly, they just aren't getting IP Addresses.
3560sw1-SP#show run int Fa0/3
Building configuration...
Current configuration : 671 bytes
!
interface FastEthernet0/3
switchport access vlan 114
switchport mode access
switchport voice vlan 124
authentication event fail action next-method
authentication event server dead action authorize vlan 114
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
I'm sure there is something I am missing to allow devices connected via the 3560 switch to use the Access and Voice Vlans that are already configured on the 4510... So if anyone has ANY thoughts or suggestions, it would be greatly appreciated..! Or if you need any more info from me just let me know and I'll reply back with that info, Thanks!
Thanks in Advance,
Matt
03-01-2017 12:10 PM
Sorry for the consecutive posts, but I have some new info...
Ok, so I tried following the guide at the link below, which seems pretty much what I want to achieve. Where you have an Access switch (*the 3560 in my case) connected to a Layer-3 switch (*the 4510). The Layer-3 switch has all of the Vlan interfaces configured on it, and then devices connecting to the Access switch should get IP Addresses via those Vlans on the Layer-3 switch. The guide pretty much states to do exactly what you guys have suggested to do, and which I've done already...
InterVLAN Routing - Layer-3 and Layer-2 Switch Configuration
Basically, the steps were to create trunk ports on both switches for the ports connecting them together, and then enable dot1q encapsulation on those trunk ports.
Then, on the 3560 run these commands to create the matching Vlans on the 3560 by entering the following:
# conf t
(config)# vlan 114
(config-if)# exit
(config)#
(config)# vlan 124
(config-if)# end
Then, assign the "switchport access vlan <vlan-#>" to the switchports for the PCs. After they do that in the guide, they create the actual Vlan Interfaces (*SVIs) on the Layer-3 switch, which for me is the 4510. So, in my case, these SVIs were already created... I'm not positive, but I didn't think this should cause an issue by the order in which these things are created, I assume it doesn't, but just want to make sure...
######################################################
After I did those steps above again and nothing changed, I decided to try a different approach...
On the 3560 I decided to try and create the SVI "interface Vlan114", which I did. Then, I assigned it an IP Address in that subnet that is configured as an excluded address in the DHCP Pool. And the moment I clicked enter after issuing the "ip address 10.20.114.14 255.255.255.0" the DHCP debugging commands that I had enabled started spitting out lots of lines in the terminal monitor, like these below:
Mar 1 13:31:12.438 EST: DHCPD: Reload workspace interface Vlan114 tableid 0.
Mar 1 13:31:12.438 EST: DHCPD: tableid for 10.60.114.14 on Vlan114 is 0
Mar 1 13:31:12.438 EST: DHCPD: client's VPN is .
Mar 1 13:31:12.438 EST: DHCPD: using received relay info.
Mar 1 13:31:14.493 EST: DHCPD: Reload workspace interface Vlan114 tableid 0.
Mar 1 13:31:14.493 EST: DHCPD: tableid for 10.60.114.14 on Vlan114 is 0
Mar 1 13:31:14.493 EST: DHCPD: client's VPN is .
Mar 1 13:31:14.493 EST: DHCPD: Finding a relay for client 0100.249b.1008.53 on interface Vlan114.
Mar 1 13:31:18.100 EST: DHCPD: Reload workspace interface Vlan114 tableid 0.
Mar 1 13:31:18.100 EST: DHCPD: tableid for 10.60.114.14 on Vlan114 is 0
Mar 1 13:31:18.100 EST: DHCPD: client's VPN is .
Mar 1 13:31:18.100 EST: DHCPD: Finding a relay for client 0100.1d09.1382.6e on interface Vlan114.
Mar 1 13:31:22.949 EST: DHCPD: Reload workspace interface Vlan114 tableid 0.
Mar 1 13:31:22.949 EST: DHCPD: tableid for 10.60.114.14 on Vlan114 is 0
Mar 1 13:31:22.949 EST: DHCPD: client's VPN is .
Mar 1 13:31:22.949 EST: DHCPD: using received relay info.
These lines above continued printing over and over for all different mac addresses, which I'm not sure where exactly those mac addresses are coming from...
But, even after that my connected laptop was still NOT getting an IP Address. So I added this line below, which is the same line configured in Vlan114 on the 4510:
ip helper-address [dhcp-server-IP]
to the SVI for Vlan114 on the 3560 and now my laptop can successfully get an IP Address... However, since it sounds like from that guide above and from what you guys stated, this should be working without me needing to create the SVI on the 3560, so is this just basically a hack/workaround for the problem I'm having?
Not sure what else to try since it seems like this "should" be working the way I had it configured before I added the SVI for Vlan114 to the 3560...?
Thanks Again,
Matt
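The client values in the "Finding a relay for client" debug lines above are DHCP client identifiers: a hardware-type byte (01 for Ethernet) followed by the client's MAC address. The following added example, which is not part of the original post, decodes them from that debug output; the function names are hypothetical and the sample lines are copied from the post.

```python
import re

# Lines copied from the DHCPD debug output quoted in the post above.
SAMPLE_DEBUG = """\
Mar 1 13:31:14.493 EST: DHCPD: Finding a relay for client 0100.249b.1008.53 on interface Vlan114.
Mar 1 13:31:18.100 EST: DHCPD: Finding a relay for client 0100.1d09.1382.6e on interface Vlan114.
Mar 1 13:31:22.949 EST: DHCPD: using received relay info.
Mar 1 13:31:24.010 EST: DHCPD: Finding a relay for client 0100.249b.1008.53 on interface Vlan114.
"""

RELAY_RE = re.compile(
    r"DHCPD: Finding a relay for client (?P<cid>[0-9a-fA-F.]+)"
    r" on interface (?P<ifname>\S+?)\.?$",
    re.MULTILINE,
)


def decode_client_id(cid):
    """Return the MAC inside an Ethernet client identifier, or None.

    IOS prints the identifier as dotted hex. For Ethernet clients it is
    7 bytes long: hardware type 0x01 followed by the 6-byte MAC address.
    """
    try:
        raw = bytes.fromhex(cid.replace(".", ""))
    except ValueError:
        return None  # odd number of hex digits or stray characters
    if len(raw) != 7 or raw[0] != 0x01:
        return None  # not an Ethernet-style identifier
    return ":".join(f"{b:02x}" for b in raw[1:])


def relay_clients(text):
    """Map each interface to the unique client MACs seen on it, in order."""
    seen = {}
    for m in RELAY_RE.finditer(text):
        mac = decode_client_id(m.group("cid"))
        if mac is None:
            continue
        macs = seen.setdefault(m.group("ifname"), [])
        if mac not in macs:
            macs.append(mac)
    return seen


if __name__ == "__main__":
    for ifname, macs in relay_clients(SAMPLE_DEBUG).items():
        print(ifname, macs)
```

The decoded addresses can then be compared with the switch's MAC address table to see which ports the broadcasting clients sit behind.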
02-27-2017 06:01 PM
Hi Matt,
On the core switch in addition to the layer-2 vlans, you also need to create the layer-3 interfaces or the SVIs for both vlans.
example:
config t
inter vlan 114
ip address 192.168.114.1 255.255.255.0
no sh
inter vlan 124
ip address 192.168.124.1 255.255.255.0
no sh
Try these commands and test again.
HTH
02-27-2017 08:35 PM
Hi Matt,
Reza has given a perfect answer; however, a few additional things are also required because you need the Layer 3 switch (4500) to act as DHCP
on 4500 switch
conf t
! enable ip routing
ip routing
! configure dns servers and domain name
ip domain-name duracell.com
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip name-server 8.8.8.8
ip name-server 4.2.2.2
! create dhcp scope for that vlan
ip dhcp pool 114
utilization mark high 90 log
utilization mark low 50 log
network 192.168.114.0 255.255.255.0
default-router 192.168.114.1
dns-server [private dns server1] [private dns server 2] 8.8.8.8
lease 0 8
! exclude few ip addresses if you want
ip dhcp excluded-address 192.168.114.5 192.168.114.20
Hope this helps you
Thank you
02-28-2017 10:34 AM
Hi Jigar,
Just wanted to let you know I replied to your post in the comment I made on Reza's post... Thanks for your reply!
Thanks Again,
Matt
02-28-2017 10:31 AM
Hey Reza and Jigar, thanks for the replies, very much appreciated!
Sorry, I should have included those configurations in my OP, I just didn't want the OP question to be super long.
Here is what's already configured on the 4510, and also DHCP for Vlan114 comes from a Linux server, which is configured as an ip helper-address in the Vlan interface. But Vlan124's DHCP (*i.e. the Voice Vlan) is done locally on the 4510...
Here is some of the 4510's Config:
!
ip dhcp pool VOICE
network 10.20.124.0 255.255.255.0
default-router 10.20.124.1 !--> Vlan124s IP Address
option 150 ip 192.168.11.9 192.168.11.8 10.30.2.9 !--> CallManagers
dns-server 192.168.5.35 10.30.1.3
!
!......
!
interface Vlan114
description End User Desktops
ip address 10.20.114.1 255.255.255.0
ip helper-address 192.168.2.25 !--> Main DHCP Server
ip helper-address 10.30.123.25 !--> Backup DHCP Server
ip helper-address 192.168.2.49 !--> Main Cisco ISE Server
ip helper-address 10.30.10.49 !--> Backup Cisco ISE Server
!
interface Vlan124
description End User Phones
ip address 10.20.124.1 255.255.255.0
!
Here is the DHCP Configuration for Vlan114 on the Linux Box:
*I know this is a Linux config so I'll just say that this Pool works just fine on the 4510, just so you're aware...
subnet 10.20.114.0 netmask 255.255.255.0 {
group {
option routers 10.20.114.1;
option domain-name-servers 192.168.5.35,10.30.1.3;
}
pool {
failover peer "dhcp-failover";
deny dynamic bootp clients;
option routers 10.20.114.1;
option domain-name-servers 192.168.5.35,10.30.1.3;
option tftp-server-address 192.168.11.8 10.30.2.9;
range 10.20.114.24 10.20.114.210;
}
}
As you might be able to tell from the new info, the 4510 already has ip routing enabled...
So, now with that new info above, is there anything I'm missing from the 3560? And just in case you missed it above, Vlan114's DHCP works just fine when connecting a device directly to a switchport on the 4510.
Thanks again for the replies, very much appreciated!
Thanks,
Matt
02-28-2017 12:46 PM
Matt
At the moment you don't know which bit is failing. So go back to basics and remove all the authentication configuration off the access port on the 3560 and then see if you can get an IP.
Jon
02-28-2017 03:07 PM
Hey Jon, thanks for the reply.
I'm pretty sure the Auth config is working just fine. I can see on the switch with the "show auth sessions" command, that the laptop was successfully authenticating via dot1x and the IP Phone was successfully authenticating via mab...
However, I removed the Auth stuff from those 2 switchports anyway, as you suggested, and it still seems as though neither the laptop nor the IP Phone are getting IP Addresses.
The 2 Switchports that have the PC and Phone connected to them, both have the following configuration, see below:
3560sw1-IT# show run int Fa0/31 (*and Fa0/29)
Building configuration...
Current configuration : 137 bytes
!
interface FastEthernet0/31
switchport access vlan 114
switchport mode access
switchport voice vlan 124
spanning-tree portfast
end
Now, on the laptop, if I run "ipconfig /renew" I eventually get the error message:
"An error occurred while renewing interface Local Area Connection : unable to contact your DHCP server. Request has timed out."
So I tried enabling the following DHCP debugging on the 3560 and I am really only getting the messages you see below:
3560sw1-SP#
3560sw1-SP#show debugg
DHCP server packet debugging is on.
DHCPC:
DHCP client activity debugging is on (detailed)
3560sw1-SP#
3560sw1-SP#
Feb 28 17:49:47.045 EST: DHCPD: no option 125
Feb 28 17:49:47.112 EST: DHCPD: no option 125
Feb 28 17:49:51.692 EST: DHCPD: no option 125
Feb 28 17:49:53.974 EST: DHCPD: no option 125
Feb 28 17:49:54.016 EST: DHCPD: no option 125
These are the log messages that print to the terminal when I attempt the /renew from the laptop...
Also, I'm wondering if this could be the problem. When this 3560 was given to me as a spare switch for us to use, it was already configured with an "interface Vlan1" on it, which has the IP Address 192.168.3.3.
Now, the 4510 also has an "interface Vlan1" configured on it, which has the IP Address 192.168.3.2 configured.
Then, on the 3560, the default ip route configured is "ip route 0.0.0.0 0.0.0.0 192.168.3.2".... Could this be my problem? I can still ping both Vlan114 and Vlan124 from the 3560, so not too sure what the issue is.?
Thanks again for the replies!
Thanks,
Matt
02-28-2017 03:15 PM
Matt
Strictly speaking, if the 3560 is acting only as L2 and the L3 switch is the 4510, then you should not have that default route nor should "ip routing" be enabled on the 3560. However, it doesn't matter because the switches are connected via a trunk link, although you may want to tidy it all up once it is working.
Can you post from the 3560 -
"sh vlan" and "sh int trunk"
and from the 4500 -
"sh int trunk"
in addition presumably you have the PC connected to the phone connected to the switch. If at all possible could you temporarily take the phone out of it and just use the PC.
Finally do you have this setup ie. PC DHCP pool in Linux and voice vlan on switch working elsewhere ?
Jon
02-28-2017 03:54 PM
Hey Jon,
Right, however I believe I needed IP Routing enabled to have the switch work with ISE, I believe... That might be incorrect, but I thought that was the case... Either way I was using one of the FastEthernet ports as an IP Routed port for testing that I was doing with some other Cisco devices. And IP Routing was already enabled when I was handed the 3560 switch.
To answer your questions at the end of your comment first: The Phone is connected to its own port (*Fa0/29) and the PC is on its own port as well (*Fa0/31). Besides those 2 devices and the trunk port connecting to the 4510 (*Fa0/1) that's all that is currently connected to the 3560.
Sorry, wasn't 100% sure exactly what you meant by your very last question. But, if you mean are other devices getting DHCP addresses on Vlan 114 and 124, then yes... If I were to walk into the server room right now and plug my laptop directly into the 4510 (*of course on a switchport configured for Users Workstations) then I would get an address in the 10.20.114.x network automatically via DHCP. Same goes for IP Phones, if I were to plug an IP Phone into a port configured for Users, then it would get a DHCP address in the Pool 10.20.124.x scope, without issue.
And yes, you are correct in that the Voice Vlan124's DHCP Pool is configured directly on the 4510, and the Access/User Vlan (*Vlan114) is configured on the Linux box. And both DHCP Pools are working just fine when connecting directly to the 4510, these are our 2 main Vlans for mostly ALL users and ip phones in our HQ.
Here are the Commands you Requested from the 3560:
3560sw1-IT# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Gi0/1, Gi0/2
Gi0/3, Gi0/4
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
6 VLAN0006 active
8 PRINTERS8 active
10 VLAN0010 active
11 VLAN0011 active
12 VLAN0012 active
31 VLAN0031 active
54 VLAN0054 active
61 UNTRUSTED active
100 EXTSRV100 active
112 desktops active
114 Access active Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Fa0/25, Fa0/26, Fa0/27, Fa0/28, Fa0/29, Fa0/30, Fa0/31
Fa0/32, Fa0/33, Fa0/34, Fa0/35, Fa0/36, Fa0/37, Fa0/38, Fa0/39, Fa0/40, Fa0/41, Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46
Fa0/47, Fa0/48
118 PRINTER118 active
124 Voice active Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Fa0/25, Fa0/26, Fa0/27, Fa0/28, Fa0/29, Fa0/30, Fa0/31
Fa0/32, Fa0/33, Fa0/34, Fa0/35, Fa0/36, Fa0/37, Fa0/38, Fa0/39, Fa0/40, Fa0/41, Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46
Fa0/47, Fa0/48
125 VLAN0125 active
200 network active
201 VLAN0201 active
205 MobileWifi active
206 a2-wlan active
207 guest-wlan active
208 mobile-wlan active
555 VLAN0555 active
601 VLAN0601 active
602 VLAN0602 active
603 VLAN0603 active
900 VLAN0900 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
4 enet 100004 1500 - - - - - 0 0
5 enet 100005 1500 - - - - - 0 0
6 enet 100006 1500 - - - - - 0 0
8 enet 100008 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
11 enet 100011 1500 - - - - - 0 0
12 enet 100012 1500 - - - - - 0 0
31 enet 100031 1500 - - - - - 0 0
54 enet 100054 1500 - - - - - 0 0
61 enet 100061 1500 - - - - - 0 0
100 enet 100100 1500 - - - - - 0 0
112 enet 100112 1500 - - - - - 0 0
114 enet 100114 1500 - - - - - 0 0
118 enet 100118 1500 - - - - - 0 0
124 enet 100124 1500 - - - - - 0 0
125 enet 100125 1500 - - - - - 0 0
200 enet 100200 1500 - - - - - 0 0
201 enet 100201 1500 - - - - - 0 0
205 enet 100205 1500 - - - - - 0 0
206 enet 100206 1500 - - - - - 0 0
207 enet 100207 1500 - - - - - 0 0
208 enet 100208 1500 - - - - - 0 0
555 enet 100555 1500 - - - - - 0 0
601 enet 100601 1500 - - - - - 0 0
602 enet 100602 1500 - - - - - 0 0
603 enet 100603 1500 - - - - - 0 0
900 enet 100900 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 trcrf 101003 4472 1005 3276 - - srb 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trbrf 101005 4472 - - 15 ibm - 0 0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7 7 off
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
3560sw1-IT#
3560sw1-IT#
3560sw1-IT# show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-4094
Port Vlans allowed and active in management domain
Fa0/1 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
3560sw1-IT#
3560sw1-IT#
And here are the Commands you Requested from the 4510:
*The 3560 is connected to the 4510 on Port Gi9/22, I included its cdp entry from the 4510...
4510R-HQ#show cdp nei | inc 3560
Device ID Local Intrfce Holdtme Capability Platform Port ID
3560sw1-IT.mydomain.com
Gig 9/22 135 R S I WS-C3560- Fas 0/1
4510R-HQ#
4510R-HQ#
4510R-HQ#show int trunk
Port Mode Encapsulation Status Native vlan
Gi1/46 on 802.1q trunking 1
Gi3/43 on 802.1q trunking 200
Gi3/44 on 802.1q trunking 200
Gi3/45 on 802.1q trunking 200
Gi3/46 on 802.1q trunking 200
Gi3/47 on 802.1q trunking 200
Gi3/48 on 802.1q trunking 200
Gi7/30 on 802.1q trunking 1
Gi9/22 on 802.1q trunking 1
Gi9/44 on 802.1q trunking 1
Gi10/13 on 802.1q trunking 200
Po3 on 802.1q trunking 2
Po6 on 802.1q trunking 1
Po7 on 802.1q trunking 1
Po8 on 802.1q trunking 1
Po9 on 802.1q trunking 1
Po18 on 802.1q trunking 1
Po19 on 802.1q trunking 1
Po44 on 802.1q trunking 1
Po45 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi1/46 8,124,205-208
Gi3/43 6,200,205-207
Gi3/44 6,200,205-207
Gi3/45 6,200,205-207
Gi3/46 6,200,205-207
Gi3/47 6,200,205-207
Gi3/48 6,200,205-207
Gi7/30 1-4094
Gi9/22 1-4094
Gi9/44 1-3,5-200
Gi10/13 6,200,205-207
Po3 1-4094
Po6 1-4094
Po7 1-4094
Po8 1-4094
Po9 1-4094
Po18 1-4094
Po19 1-4094
Po44 1,4,207,900
Po45 1,4,207,900
Port Vlans allowed and active in management domain
Gi1/46 8,124,205-208
Gi3/43 6,200,205-207
Gi3/44 6,200,205-207
Gi3/45 6,200,205-207
Gi3/46 6,200,205-207
Gi3/47 6,200,205-207
Gi3/48 6,200,205-207
Gi7/30 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Gi9/22 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Gi9/44 1-3,5-6,8,10-12,31,54,61,100,112,114,118,124-125,200
Gi10/13 6,200,205-207
Po3 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po6 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po7 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po8 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po9 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po18 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po19 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po44 1,4,207,900
Po45 1,4,207,900
Port Vlans in spanning tree forwarding state and not pruned
Gi1/46 8,124,205-208
Gi3/43 6,200,205-207
Gi3/44 6,200,205-207
Gi3/45 6,200,205-207
Gi3/46 6,200,205-207
Gi3/47 6,200,205-207
Gi3/48 6,200,205-207
Gi7/30 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Gi9/22 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Gi9/44 1-3,5-6,8,10-12,31,54,61,100,112,114,118,124-125,200
Gi10/13 6,200,205-207
Po3 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po6 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po7 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po8 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po9 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po18 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po19 1-6,8,10-12,31,54,61,100,112,114,118,124-125,200-201,205-208,555,601-603,900
Po44 1,4,207,900
Po45 1,4,207,900
4510R-HQ#
4510R-HQ#
Thanks again for the help and the quick replies, much appreciated!
Thanks,
Matt
02-28-2017 04:01 PM
Matt
Not worked with ISE so if you need routing on the switch then you know better than me. As I say it should not be the problem.
Thanks for the outputs and everything looks fine. So couple more things -
what happens if you manually assign an IP to your PC, can you then ping the 4510 SVI IP address and other IPs from different vlans ?
If you can then can you remove the "ip dhcp snooping trust" command from the trunk port on the 3560 temporarily and retest with DHCP on the PC.
Apologies for keep removing configuration but sometimes it is the best way to find out which bit is stopping it working.
Jon
02-28-2017 04:15 PM
Hey, no worries Jon... I'm willing to try whatever on the 3560, no problem at all!
You read my mind... I did the static IP test right after I submitted my last reply. I set my laptop IP to 10.20.114.251 and I was able to get connected to the network, and I could ping a device on just about every Vlan I could think of, including the 114 and 124... Removing dhcp snooping now, and resetting NIC back to Auto/DHCP...
Ok, so I removed the snooping command and then removed the static IP from the laptop and set it back to automatic. Then used the "Network Repair" option on the AnyConnect Network Access Manager, which to my knowledge basically just simulates disabling and re-enabling the NIC on the laptop, and after about 60 seconds or so I get the Limited or no Connectivity message and my IP gets set to that auto one that Windows does when it cannot get a DHCP address, *i.e. 169.254.37.39...
I'm about to head out of the office for today. So if you reply I might not see it until tomorrow morning... Thanks again for the assistance, very much appreciated.!
Thanks Again,
Matt
02-28-2017 04:23 PM
Matt
No problem we can pick this up tomorrow.
Jon
03-01-2017 08:11 AM
Hey Jon,
Was wondering if there are any debug commands, or similar, that can be enabled to see if DHCP messages are being sent to the 4510? Don't think I can enable anything like that on the 4510 just because I don't want to hike up the CPU or anything along those lines, so was hoping there might be something on the 3560 that can be turned on..?
I tried enabling the debug commands:
3560sw1-SP#show debugg
DHCP server packet debugging is on.
DHCPC:
DHCP client activity debugging is on (detailed)
But, it seems like maybe those are for the machine that's actually acting as the DHCP server, well at least that one debug command probably is... The only output I'm seeing from those commands are:
Feb 28 18:49:59.193 EST: DHCPD: no option 125
Feb 28 18:58:28.534 EST: DHCPD: no option 125
Feb 28 18:58:28.601 EST: DHCPD: no option 125
Mar 1 08:50:23.052 EST: DHCPD: option 24 is malformed (option length 0).
Mar 1 09:31:24.706 EST: DHCPD: option 74 is malformed (option length 87).
Mar 1 09:47:46.999 EST: DHCPD: option 74 is malformed (option length 87).
Also, I am now seeing these messages below in the 3560's logging buffer. Must be from removing that dhcp snooping trust command.
Mar 1 10:52:34.612 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 4c00.829d.xxxx
Mar 1 11:01:48.077 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 4c00.829d.xxxx
Mar 1 11:07:36.508 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 4c00.829d.xxxx
Any other ideas?
Thanks in Advance,
Matt
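The DHCP_SNOOPING_UNTRUSTED_PORT messages above record server-side replies (DHCPOFFER, DHCPACK) arriving on a port the switch does not trust. The following added example, which is not part of the original post, groups such drops by source MAC so that replies from a known relay or server on a mis-marked uplink can be told apart from replies by an unexpected DHCP source; `triage` and `expected_sources` are hypothetical names, and the last sample line is constructed.

```python
import re
from collections import Counter, defaultdict

# The first three lines are the syslog messages quoted in the post above
# (MAC partly masked by the poster); the last line is constructed.
SAMPLE_LOG = """\
Mar 1 10:52:34.612 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 4c00.829d.xxxx
Mar 1 11:01:48.077 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 4c00.829d.xxxx
Mar 1 11:07:36.508 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 4c00.829d.xxxx
Mar 1 11:09:02.114 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0000.5e00.5301
"""

DROP_RE = re.compile(
    r"%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT:.*?"
    r"message type: (?P<mtype>DHCP[A-Z]+), MAC sa: (?P<mac>[0-9A-Za-z.]+)"
)

# DHCP message types that only a server or relay should originate.
SERVER_REPLIES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def parse_drops(text):
    """Return (message_type, source_mac) for every snooping drop in text."""
    return [(m["mtype"], m["mac"].lower()) for m in DROP_RE.finditer(text)]


def triage(text, expected_sources):
    """Summarise drops per source MAC and classify each source.

    expected_sources: MACs the operator knows to be the legitimate DHCP
    server or relay path (an assumption supplied by the caller).
    """
    expected = {mac.lower() for mac in expected_sources}
    per_mac = defaultdict(Counter)
    for mtype, mac in parse_drops(text):
        per_mac[mac][mtype] += 1

    report = {}
    for mac, counts in per_mac.items():
        replies = sum(n for t, n in counts.items() if t in SERVER_REPLIES)
        if replies == 0:
            verdict = "no-server-replies"
        elif mac in expected:
            # Legitimate replies are being discarded: check the trust
            # setting on the port that faces this source.
            verdict = "expected-source-on-untrusted-port"
        else:
            # Something not on the operator's list is answering DHCP.
            verdict = "unexpected-dhcp-source"
        report[mac] = {"counts": dict(counts), "verdict": verdict}
    return report


if __name__ == "__main__":
    # With an empty allow-list every replying source is flagged for review.
    for mac, info in triage(SAMPLE_LOG, expected_sources=set()).items():
        print(mac, info)
```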
03-01-2017 08:20 AM
To add to my previous comment...
I just came across this page below. On that page they said they were not receiving any IP Addresses on a specific subnet. But, once they set one of the Gi ports to have an IP Address on the same subnet, it then started dishing out IP Addresses for that subnet...
I'm wondering if I should set an IP Address on the switch to be on Vlan114, or if I could just set any Fa port on the 3560 to have an address in Vlan114?
Do you think there needs to be a layer 3 interface with an IP Address configured in the 114 Vlan?
http://www.embeddedsystemtesting.com/2013/07/no-option-125-error-from-cisco-dhcp.html
Thanks,
Matt
03-01-2017 11:56 AM
Matt
You should not need to do that because you have an SVI on the 4500 with an IP for that vlan.
What you are trying to do should be very straightforward, done it many times myself as have many others.
Do you have any acls in use on the 4500 ?
Jon