Solved: port based VLAN with Firewall and Microsoft DHCP server

vijaykhapekar · ‎10-24-2013

I configured port based VLAN with 3750 L3 switch and 2960 L2 switch. I configured windows DHCP server on which I defined 3 DHCP scopes for each 3 VLANs. Below is the configuration of

L3 switch:

interface GigabitEthernet1/0/24

switchport trunk encapsulation dot1q

switchport mode trunk

!

----output omitted-------

!

interface Vlan1

ip address 192.168.0.1 255.255.255.0

ip helper-address 192.168.0.2

!

interface Vlan10

ip address 192.168.10.1 255.255.255.0

ip helper-address 192.168.0.2

!

interface Vlan20

ip address 192.168.20.1 255.255.255.0

ip helper-address 192.168.0.2

!

interface Vlan30

ip address 192.168.30.1 255.255.255.0

ip helper-address 192.168.0.2

L2 Switch :

interface GigabitEthernet1/0/1

switchport access vlan 10

switchport mode access

!

interface GigabitEthernet1/0/2

switchport access vlan 20

switchport mode access

!

interface GigabitEthernet1/0/3

switchport access vlan 30

switchport mode access

---------------output omitted ---------

interface GigabitEthernet1/0/4

interface GigabitEthernet1/0/48

switchport mode trunk

!

interface Vlan1

ip address 192.168.0.3 255.255.255.0

!

ip http server

DHCP works fine with Gateway 192.168.0.1(VLAN1 interface IP) and gives IP addresses to respective VLAN without any issue. Now I have introduced firewall in VLAN1 for giving internet to these VLANs and changed DHCP gateway to 192.168.0.4 which is firewall's internal IP address. It works fine for VLAN1 but it is not working for other VLANs and DHCP doesnt give IP addresses to other VLANs. Your help is much appreciated.

Steve Krause · ‎10-24-2013

Do you have a default route on the L3 switch pointing to the firewall?

ip route 0.0.0.0 0.0.0.0 192.168.0.4

View solution in original post

Steve Krause · ‎10-25-2013

Do you have routes on the FW telling it how to get to VLANs 10,20,30?

route inside 192.168.10.0 255.255.255.0 192.168.0.1

route inside 192.168.20.0 255.255.255.0 192.168.0.1

route inside 192.168.30.0 255.255.255.0 192.168.0.1

View solution in original post

Carlo Poggiarelli · ‎10-24-2013

Hi Vijay.
Try to change momentarily the default gateway of dhcp server to 192.168.0.2 and see if it works

HTH
Regards

Carlo

Sent from Cisco Technical Support iPhone App

Please rate all helpful posts "The more you help the more you learn"

Steve Krause · ‎10-24-2013

Do you have a default route on the L3 switch pointing to the firewall?

ip route 0.0.0.0 0.0.0.0 192.168.0.4

vijaykhapekar · ‎10-25-2013

After adding zero's route, my VLAN1 is through means getting internet. I also able to get IPs from DHCP to other VLANs.

But internet is not getting on other VLANs except VLAN1.

Steve Krause · ‎10-25-2013

Do you have routes on the FW telling it how to get to VLANs 10,20,30?

route inside 192.168.10.0 255.255.255.0 192.168.0.1

route inside 192.168.20.0 255.255.255.0 192.168.0.1

route inside 192.168.30.0 255.255.255.0 192.168.0.1

Steve Krause · ‎10-25-2013

Also, I think it would be cleaner if you created a separate VLAN just for the FW hanging off the L3 switch. It would make routing in vlan1 simpler. In the DHCP server you just need to configure VLANs 1,10,20,30 to all use the L3 switch as their gateways.

! Firewall

interface

nameif inside

security-level 100

ip address 192.168.40.4

route inside 192.168.1.0 255.255.255.0 192.168.40.1

route inside 192.168.10.0 255.255.255.0 192.168.40.1

route inside 192.168.20.0 255.255.255.0 192.168.40.1

route inside 192.168.30.0 255.255.255.0 192.168.40.1

! L3 Switch

interface Vlan40

ip address 192.168.40.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.40.4

vijaykhapekar · ‎10-28-2013

After adding static routes about all VLAN, my problem is resolved now. I didn't make separate VLAN for firewall since first solution resolved my problem.

Thanks for all your help. I really appreciate that.