06-18-2013 06:56 AM - edited 03-07-2019 01:57 PM
Hello,
I use a Cisco 876 as an internet gateway over broadband (Telekom DSL in Germany). I think I did something wrong with the DHCP configuration. I only want to use the DHCP server of the Cisco 876 for VLAN3 (guest VLAN with an Aironet LAP1142N wireless access point). The other VLANs get their IPs from a Windows Server 2012, which works well. But when I connect a device, either wirelessly or directly with an Ethernet cable, it does not get an IP in the 192.168.14.0 subnet. When I set the IP manually (for example 192.168.14.123, with 192.168.14.1 as gateway and DNS), I can connect to the internet without problems. This tells me that there is no problem with the VLAN config, but perhaps a misconfigured DHCP server on the Cisco 876.
Here's my config:
!
! Global settings: logging, DHCP server for the guest VLAN, DNS, local admin user.
! NOTE(review): the change date below (2010) predates the 2013 post and no NTP/SNTP
! server appears in this listing, so the clock is presumably unsynchronised and log
! timestamps cannot be relied on when reconstructing events.
! Last configuration change at 14:10:01 UTC Thu Nov 18 2010 by root
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! With password encryption off, the "password 0" entries under Dialer1 are kept in
! clear text in the configuration. "service password-encryption" would only obfuscate
! them (type 7, reversible), so any copy of the config still needs to be redacted.
no service password-encryption
!
hostname cisco876-adh11
!
boot-start-marker
boot-end-marker
!
!
! Local log buffer only (51200 bytes, severity warnings and above); no remote
! "logging host" is configured in this listing, so logs are lost on reload.
logging buffered 51200 warnings
!
! Authentication uses the local user database only (no AAA).
no aaa new-model
!
dot11 syslog
! IP source-routing options are honoured. On an internet-facing gateway this is
! normally turned off with "no ip source-route".
ip source-route
!
!
! DHCP exclusions. For 192.168.14.0/24 the two ranges below leave .20-.149 for leases.
ip dhcp excluded-address 192.168.14.1 192.168.14.19
ip dhcp excluded-address 192.168.14.150 192.168.14.254
! These two exclude single addresses in networks that have no pool on this router,
! so they have no visible effect in this configuration.
ip dhcp excluded-address 192.168.12.0
ip dhcp excluded-address 192.168.13.0
!
! Guest pool: the router (Vlan3, 192.168.14.1) is gateway and DNS server; lease is 3 days.
! Nothing in the pool itself is wrong. Clients get no lease because access-list 130,
! applied inbound on Vlan3, drops their DHCP requests before this server sees them.
ip dhcp pool DHCPGuestWLAN
network 192.168.14.0 255.255.255.0
default-router 192.168.14.1
dns-server 192.168.14.1
lease 3
!
!
!
ip cef
ip domain name adh11.local
! Upstream resolver used by the router itself (and by its DNS server function).
ip name-server 194.25.2.129
no ipv6 cef
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
!
!
!
! Configuration change logging; "hidekeys" keeps passwords out of the change log.
archive
log config
hidekeys
! Single local administrator at privilege 15. The hash is redacted in the post.
! NOTE(review): "secret 4" is the type 4 hash, which Cisco deprecated because it was
! implemented without salt or iterations; re-enter the secret on a release that
! offers a stronger secret type.
username root privilege 15 secret 4 xxxxx
!
!
!
!
!
!
!
!
!
! Interfaces: ISDN (unused), ADSL uplink, switch ports, per-VLAN gateways, PPPoE dialer.
! BRI0 is administratively shut down; its ACL/NAT settings are inactive.
interface BRI0
no ip address
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
encapsulation hdlc
ip tcp adjust-mss 1452
shutdown
!
! ADSL line; PPPoE sessions on PVC 1/32 are bound to dialer pool 1 (Dialer1).
interface ATM0
no ip address
no ip route-cache
no atm ilmi-keepalive
pvc 1/32
pppoe-client dial-pool-number 1
!
!
! Trunk port. No "switchport trunk allowed vlan" restriction is shown, so presumably
! every VLAN (internal, DMZ, guest, VoIP) is carried to the attached device.
interface FastEthernet0
switchport mode trunk
no ip address
!
! FastEthernet1-3 carry no explicit VLAN assignment in this listing.
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
! Internal LAN gateway; inbound traffic is filtered by access-list 102.
interface Vlan1
description ADH11 - Internes LAN
ip address 192.168.12.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
! DMZ gateway; inbound traffic is filtered by access-list 120.
interface Vlan2
description DMZ
ip address 192.168.13.1 255.255.255.0
ip access-group 120 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
! Guest WLAN gateway and the interface the DHCP pool DHCPGuestWLAN serves.
! access-list 130 is applied inbound, so it also filters packets addressed to the
! router itself, including DHCP broadcasts from clients that have no address yet.
! NOTE(review): unlike Vlan1 and Vlan2 there is no "ip tcp adjust-mss" here although
! Dialer1 uses an MTU of 1492; confirm the omission is intended.
interface Vlan3
description Cisco-GuestWLAN
ip address 192.168.14.1 255.255.255.0
ip access-group 130 in
ip nat inside
ip virtual-reassembly in
!
! Reserved VLAN: no inbound ACL and no NAT. The router's services are reachable on
! 192.168.15.1 from any VLAN whose ACL permits that destination.
interface Vlan4
description reserved4VOIP
ip address 192.168.15.1 255.255.255.0
!
! PPPoE uplink and NAT outside interface.
! No "ip access-group ... in" is applied here, so nothing in this listing filters
! traffic arriving from the internet towards the router's own services.
interface Dialer1
description PPPoE Dialin T-Online
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
! ISP credentials are stored as type 0 (clear text); they are redacted in the post
! and must be redacted in every copy of the configuration that leaves the device.
ppp chap hostname XXXXX
ppp chap password 0 XXXXX
ppp pap sent-username XXXXX password 0 XXXXX
! Accept the DNS servers and default route offered by the provider during IPCP.
ppp ipcp dns request accept
ppp ipcp route default
no cdp enable
! Router services, NAT and default route.
ip forward-protocol nd
! Web management is enabled over both HTTP (clear text) and HTTPS with local accounts.
! No "ip http access-class" is shown, so the only restrictions are the per-VLAN ACLs.
! Disabling the plain HTTP server ("no ip http server") keeps the admin password off the wire.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
! The router answers DNS queries (guest clients are given 192.168.14.1 as resolver).
! NOTE(review): with no inbound ACL on Dialer1 it presumably answers queries arriving
! from the internet as well; verify and filter if so.
ip dns server
! Source NAT (PAT) for the internal LAN behind the Dialer1 address.
ip nat inside source list 101 interface Dialer1 overload
! Published services: SSH (22) and HTTP (80) on the public address are forwarded to
! hosts in the internal LAN 192.168.12.0/24, not to the DMZ (Vlan2).
ip nat inside source static tcp 192.168.12.234 22 interface Dialer1 22
ip nat inside source static tcp 192.168.12.211 80 interface Dialer1 80
! Lists 120 and 130 are reused here for PAT and as the inbound filters on Vlan2/Vlan3,
! so any edit to them changes both filtering and translation.
ip nat inside source list 120 interface Dialer1 overload
ip nat inside source list 130 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
! Access lists. Every list ends with an implicit "deny ip any any".
! 101: NAT selector for the internal LAN.
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
! 102 (Vlan1 inbound): isolate the internal LAN from DMZ and guest networks, drop
! NetBIOS, permit everything else. The final "permit ip any any" also lets
! broadcasts with source 0.0.0.0 through.
access-list 102 remark ### internes LAN (ADH11) ###
access-list 102 deny ip 192.168.12.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 102 deny ip 192.168.12.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 102 deny udp any range netbios-ns netbios-ss any
access-list 102 deny tcp any eq 139 any
access-list 102 permit ip any any
! 120 (Vlan2 inbound, and PAT): block DMZ hosts from the router's web/SSH management
! on 192.168.13.1 and from the other internal networks; permit the rest.
access-list 120 remark ### DMZ ###
access-list 120 deny tcp 192.168.13.0 0.0.0.255 host 192.168.13.1 eq www
access-list 120 deny tcp 192.168.13.0 0.0.0.255 host 192.168.13.1 eq 443
access-list 120 deny tcp 192.168.13.0 0.0.0.255 host 192.168.13.1 eq 22
access-list 120 deny ip 192.168.13.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 120 deny ip 192.168.13.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 120 permit ip 192.168.13.0 0.0.0.255 any
! 130 (Vlan3 inbound, and PAT): same pattern for the guest network.
! The management denies name only 192.168.14.1; router addresses outside
! 192.168.12.0/24 and 192.168.13.0/24 (e.g. Vlan4's 192.168.15.1) match the final
! permit, so restricting the HTTP/HTTPS/SSH services themselves is more robust.
access-list 130 deny tcp 192.168.14.0 0.0.0.255 host 192.168.14.1 eq www
access-list 130 deny tcp 192.168.14.0 0.0.0.255 host 192.168.14.1 eq 443
access-list 130 deny tcp 192.168.14.0 0.0.0.255 host 192.168.14.1 eq 22
access-list 130 remark ### GuestWLAN ###
access-list 130 deny ip 192.168.14.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 130 deny ip 192.168.14.0 0.0.0.255 192.168.13.0 0.0.0.255
! Cause of the DHCP failure: the only permit requires a source in 192.168.14.0/24.
! A client without a lease sends its request from 0.0.0.0 to 255.255.255.255
! (UDP bootpc -> bootps), which matches nothing above and hits the implicit deny.
! Statically addressed clients match this line, which is why they work.
access-list 130 permit ip 192.168.14.0 0.0.0.255 any
no cdp run
!
!
!
!
!
! Management access: console, aux and five vty lines, all authenticated against the
! local user database.
control-plane
!
! "privilege level 15" on each line puts every session straight into full privilege
! after login, without a separate enable step.
line con 0
privilege level 15
login local
no modem enable
line aux 0
privilege level 15
login local
! Remote access is SSH only.
! NOTE(review): access-class 1 is referenced but no "access-list 1" appears in this
! listing. If it is really undefined the reference restricts nothing (to my knowledge
! IOS treats an undefined list as permit-all; verify on this release), so define
! list 1 with the management source addresses that should be allowed.
line vty 0 4
access-class 1 in
privilege level 15
login local
transport preferred ssh
transport input ssh
!
scheduler max-task-time 5000
end
Thanks for any help.
Bye
Martin
06-18-2013 07:40 AM
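Hi,
ACL 130 is applied inbound on Vlan3 and only permits packets sourced from 192.168.14.0/24. A client that has no address yet sends its DHCP request from 0.0.0.0 to 255.255.255.255, so the request is dropped by the implicit deny before it reaches the router's DHCP server. Permit DHCP at the top of the list: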
ip access-list extended 130
10 permit udp any eq bootpc any eq bootps
Regards
Alain
Don't forget to rate helpful posts.
06-18-2013 11:17 AM
Hey Alain,
thank you, you solved it!
06-18-2013 11:30 AM
Hi Martin,
Can you mark the thread as solved and rate the helpful answers accordingly?
Regards
Alain
Don't forget to rate helpful posts.