03-22-2013 07:14 AM - edited 03-07-2019 12:25 PM
So I'm not quite sure what's wrong here. I have a switch which runs two VLANs, one trusted (50), one untrusted (55) and has ports dedicated to each. Both VLANs use a single DHCP server, homed on the trusted (50) VLAN. On my wireless setup this works seamlessly, however, on some untrusted ports I'm pulling trusted IPs. See relevant code below:
interface GigabitEthernet0/45
description Student_Uplinks
switchport access vlan 55
spanning-tree portfast
!
interface GigabitEthernet0/46
description Student_Uplinks
switchport access vlan 55
!
interface GigabitEthernet0/47
description Student_Uplinks
switchport access vlan 55
spanning-tree portfast
!
interface GigabitEthernet0/48
description Student_Uplinks
switchport access vlan 55
!
interface Vlan1
no ip address
shutdown
!
interface Vlan50
ip address 10.50.50.7 255.255.255.0
!
interface Vlan51
no ip address
!
interface Vlan55
no ip address
ip helper-address 10.50.50.31
!
ip default-gateway 10.50.50.4
So 10.50.50.31 is the (Windows) DHCP server for both VLANs, but for some reason, some of the untrusted (55) ports are pulling trusted (50) addresses and I can't sort it out. The next hop (10.50.50.4) is an ASA which knows 55 is untrusted (security of 50 versus trusted's 100), but doesn't seem to be working properly...
03-22-2013 07:44 AM
Hello
Are you saying you don't want hosts in VLAN 55 to receive DHCP requests? If so, remove the ip helper address from SVI 55, as this is relaying requests to the DHCP server.
interface Vlan55
no ip helper-address 10.50.50.31
Please don't forget to rate any posts that have been helpful.
Thanks.
03-22-2013 07:46 AM
No, I do want them to receive requests, but on VLAN 55, which is where they're sourcing from, so I'd think they'd get a response on that VLAN. The only thing is that the DHCP server is on the trusted vlan (50), so for whatever reason it appears to be giving out VLAN 50 addresses to devices on VLAN 55.
03-22-2013 07:57 AM
Hello,
Have you checked the Windows DHCP scope ranges?
res
paul
03-22-2013 08:17 AM
Yes, I have checked the DHCP scope ranges - they work fine on wireless...
03-22-2013 08:23 AM
Hello,
What is the subnet range of those scopes you are showing?
res
Paul
03-22-2013 08:24 AM
10.50.50.0/24, 10.50.54.0/23
03-22-2013 08:45 AM
Hello Ryan -
We can set up some debugs to try and capture what's going on.
But first, is it possible you could have a rogue DHCP server?
Do you have a WLC (WLAN controller)? Could that be relaying for that subnet?
res
paul
03-22-2013 08:52 AM
Please set up an SVI for VLAN 55 with an IP address in that VLAN, leave the ip helper command, and retry.
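Added example, not part of the thread: a DHCP server chooses its scope from the relay agent address (giaddr) in the request, which a relay fills in from the interface the client is on, so the sketch below reads giaddr from a request and shows which scope would answer. The two scopes and the server address come from the posts; the scope labels, the 10.50.54.1 relay address and the sample packets are constructed assumptions.

```python
import ipaddress
import struct
from typing import Optional

# Scopes and server address quoted in the thread; the labels are assumptions.
SCOPES = {
    "trusted (VLAN 50)": ipaddress.ip_network("10.50.50.0/24"),
    "untrusted (VLAN 55)": ipaddress.ip_network("10.50.54.0/23"),
}
SERVER_IP = ipaddress.ip_address("10.50.50.31")
UNSET = ipaddress.IPv4Address("0.0.0.0")


def parse_giaddr(bootp: bytes) -> ipaddress.IPv4Address:
    """Return the relay agent address (giaddr) from a BOOTP/DHCP request."""
    if len(bootp) < 236:
        raise ValueError("truncated BOOTP header")
    if bootp[0] != 1:
        raise ValueError("not a BOOTREQUEST")
    # Fixed header: op, htype, hlen, hops, xid, secs, flags (12 bytes),
    # then ciaddr, yiaddr, siaddr, giaddr (4 bytes each).
    return ipaddress.IPv4Address(bootp[24:28])


def select_scope(bootp: bytes) -> Optional[str]:
    """Pick a scope by giaddr; an unrelayed request uses the server's subnet."""
    giaddr = parse_giaddr(bootp)
    # giaddr 0.0.0.0 means no relay touched the request: it reached the
    # server as a broadcast on the server's own segment.
    selector = SERVER_IP if giaddr == UNSET else giaddr
    for name, net in SCOPES.items():
        if selector in net:
            return name
    return None


def make_discover(giaddr: str, hops: int) -> bytes:
    """Build a constructed 236-byte BOOTP header (sample data, not a capture)."""
    mac = bytes.fromhex("02000000aa01")  # constructed client MAC
    return struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, hops, 0x1234, 0, 0x8000,
        bytes(4), bytes(4), bytes(4),
        ipaddress.IPv4Address(giaddr).packed, mac, b"", b"")


if __name__ == "__main__":
    for gi, hops in (("10.50.54.1", 1), ("10.50.50.7", 1), ("0.0.0.0", 0)):
        print(f"giaddr={gi:<11} -> {select_scope(make_discover(gi, hops))}")
```

On a capture taken at the server, the giaddr of the requests from the affected ports shows which of these cases applies.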