post-mortem: Native Vlan and DHCP Server

dscottb103
Level 1

Strange issue, hoping to understand before implementing solution in production. ASA 5505 in use for years, customer changed ISP and their ASA 5505 was not modified to reflect new provider IP address beforehand, leading to internet issue. What remained an issue was that with the old ISP provider's circuit shut off, the ASA stopped providing DHCP to the internal network. Short-term fix was to take ASA off network and use new ISP's modem as temporary gw and fw.

 

My investigation showed that the Native VLAN was set to VLAN 2, which was associated with the Outside interface, and DHCP not enabled on that interface (int, VLAN, and DHCP configs below):

 

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,10
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet0/2
...
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.30.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 179.49.90.178 255.255.255.0

 

DHCP:

dhcpd address 192.168.30.100-192.168.30.200 inside
dhcpd dns [x.x.x.x]  [x.x.x.x] interface inside
dhcpd lease 691200 interface inside
dhcpd ping_timeout 750 interface inside
dhcpd domain [xxxx]
dhcpd update dns both interface inside
dhcpd enable inside

 

Once I changed the inside interface to Native VLAN 1, the ASA provided a DHCP address to a client. New config:

 

interface Ethernet0/1
switchport trunk allowed vlan 1,10
switchport trunk native vlan 1
switchport mode trunk

 

Curious as to how it worked before (ISP circuit relayed back DHCP requests? or should I look for an ACL/translation?), and whether the Native VLAN change will have any adverse effects once ASA is placed back into production. Thanks for any help you can provide -

Accepted Solution

Richard Burts
Hall of Fame

The partial config and the description of changes that you post seem quite strange. Was the change of ISP just a simple move of the connection of Ether0/0 from one ISP device to another and a change of the addressing of the interface? Or was there more to it?

 

In trying to understand what was happening I am tempted to ask about what is connected to the ASA on the inside. But when you say that things started to work when you changed the native vlan of the trunk then I think I know what we would find if you did provide details about what connects to the ASA on the inside. It is some kind of switch that has configured 2 vlans and trunks them to the ASA. And on the switch side of the connection the native vlan was vlan 1.

 

The configuration of the trunk in the config that you posted is quite unusual. It specifies a trunk connection carrying 2 vlans and specifies a third vlan as the native vlan. But that third vlan is not carried on the trunk. It is hard to understand how this config could have worked while connected to the original ISP. Is it possible that in the process of changing ISP that someone altered the config of the trunk?

 

HTH

 

Rick

Thanks Rick for your time - your observation about the switches having vlan 1 as the native could be part of it, as I was directly connecting to the ASA (i.e., no switch between) to troubleshoot the issue. I'll try to answer your questions:

 

  • Was the change of ISP just a simple move of the connection of Ether0/0 from one ISP device to another and a change of the addressing of the interface? Or was there more to it?

No ISP/WAN ip address config was tried - since its DHCP was not working (and couldn't even ping it as a gateway), the ASA was considered hosed and taken offline.

 

  • It specifies a trunk connection carrying 2 vlans and specifies a third vlan as the native vlan. But that third vlan is not carried on the trunk.

My apologies, I didn't include that VLAN in the config I selected:

 

interface Vlan10
nameif Guest
security-level 90
ip address 192.168.10.1 255.255.255.0

 

I'll research/work on the idea that the switches were trunking up to the ASA on VLAN 1, and the old config VLAN 2 Native was not really utilized because it was associated with the outside int, and my change shouldn't have an effect once the ASA is re-installed.

 

Thanks again Rick -
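The two checks this thread turns on, whether the trunk's native VLAN is actually in its allowed list, and which ASA interface (and therefore which security level and which dhcpd scope) an untagged host on that trunk lands on, are easy to run mechanically against an ASA 5505 config before the box goes back into production. The script below is an added example written for this page, not code from the thread or from Cisco. It parses the switchport and SVI lines as the poster shared them (the sample configs are constructed from those lines, with the redacted DNS and domain values left out, and the Vlan10 SVI from the follow-up reply included), and the assumption that an unconfigured trunk defaults to native VLAN 1 is the author's. Running it on the original config reports the three problems Rick and the poster worked out: native VLAN 2 is not carried on the trunk, untagged clients land on "outside" where no dhcpd scope is enabled, and that native VLAN maps to the security-level-0 interface, so any untagged device plugged into Ethernet0/1 sits on the untrusted side of the firewall. The same script on the changed config reports nothing.

```python
# Added example (not from the thread): lint an ASA 5505 switchport config for the
# native-VLAN problems discussed above. Sample configs are constructed from the
# lines the poster shared; the redacted dns/domain values are omitted.
import re
from typing import Dict, List, Tuple

OLD_CONFIG = """\
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport trunk allowed vlan 1,10
 switchport trunk native vlan 2
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 179.49.90.178 255.255.255.0
!
interface Vlan10
 nameif Guest
 security-level 90
 ip address 192.168.10.1 255.255.255.0
!
dhcpd address 192.168.30.100-192.168.30.200 inside
dhcpd enable inside
"""

# The poster's fix: the same config with the trunk's native VLAN moved to VLAN 1.
NEW_CONFIG = OLD_CONFIG.replace("switchport trunk native vlan 2",
                                "switchport trunk native vlan 1")

Finding = Tuple[str, str, str]  # (interface, code, message)


def parse_vlan_list(spec: str) -> set:
    """Expand a plain allowed-vlan list such as '1,10,20-22' into a set of ids.
    Only the simple comma/range form is handled (not 'add', 'remove', 'all')."""
    vlans = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2) or lo)
            vlans.update(range(lo, hi + 1))
    return vlans


# (regex, attribute name, converter) for the per-interface lines we care about
FIELDS = [
    (re.compile(r"switchport trunk allowed vlan (\S+)"), "allowed", parse_vlan_list),
    (re.compile(r"switchport trunk native vlan (\d+)"), "native", int),
    (re.compile(r"nameif (\S+)"), "nameif", str),
    (re.compile(r"security-level (\d+)"), "security", int),
]


def parse_config(text: str) -> dict:
    """Collect switchport/SVI attributes per interface and the dhcpd-enabled nameifs."""
    interfaces: Dict[str, dict] = {}
    dhcp_ifaces = set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {}
        elif line == "!":
            current = None
        elif line.startswith("dhcpd enable "):
            dhcp_ifaces.add(line.split()[2])
        elif current is not None:
            if line == "switchport mode trunk":
                interfaces[current]["trunk"] = True
            for pattern, key, conv in FIELDS:
                m = pattern.fullmatch(line)
                if m:
                    interfaces[current][key] = conv(m.group(1))
    return {"interfaces": interfaces, "dhcp": dhcp_ifaces}


def lint(cfg: dict) -> List[Finding]:
    """Flag trunks whose native VLAN is not carried, or that drop untagged hosts
    somewhere other than the interface handing out DHCP leases."""
    ifaces = cfg["interfaces"]
    svi = {}  # VLAN id -> attributes of its 'interface VlanN' SVI
    for name, attrs in ifaces.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m:
            svi[int(m.group(1))] = attrs
    findings: List[Finding] = []
    for name, attrs in ifaces.items():
        if not attrs.get("trunk"):
            continue
        native = attrs.get("native", 1)  # assumption: default native VLAN is 1
        allowed = attrs.get("allowed")
        if allowed is not None and native not in allowed:
            findings.append((name, "NATIVE_NOT_ALLOWED",
                             f"native VLAN {native} is not in allowed list {sorted(allowed)}"))
        target = svi.get(native, {})
        nameif = target.get("nameif", "?")
        if nameif not in cfg["dhcp"]:
            findings.append((name, "NATIVE_NO_DHCP",
                             f"untagged hosts land on '{nameif}', which has no 'dhcpd enable'"))
        if target.get("security") == 0:
            findings.append((name, "NATIVE_UNTRUSTED",
                             f"native VLAN {native} maps to security-level 0 interface '{nameif}'"))
    return findings


if __name__ == "__main__":
    for label, text in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        print(label, lint(parse_config(text)) or "no findings")
```

Feed it `show running-config` output from the ASA (or the saved config file) in place of the constructed samples; the parser ignores everything except interface blocks and `dhcpd enable` lines, so the rest of the config can stay intact. The NATIVE_UNTRUSTED check is the one worth keeping in a pre-deployment review even after the DHCP symptom is gone: a trunk whose native VLAN is the outside interface means any untagged device on that port is on the wrong side of the firewall.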

