johnny_5
Beginner

Router not issuing DHCP leases

I am trying to move DHCP away from an old 2003 server to my new router; this server, 10.27.131.8, also functions as a DNS server.

I have created the pool LAN, network, default server etc., but for some reason when I deactivate the scope on the server for the network, none of my clients are getting IPs from the router. I have a test machine set up, so when I did the deactivation of the scope I wanted to renew the lease to see if it grabbed the DHCP lease from the router. I have successfully created a GUEST pool (Cisco APs) and can get an IP address from that range and can access the internet.

Also, when doing an IPCONFIG on the test machine after the change, it comes back with an address of 10.1.1.213, which doesn't make any sense. There are no other controllers on the network.


Is there something simple I'm missing here?


! Last configuration change at 11:21:41 UTC Fri Dec 12 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
ip dhcp excluded-address 10.26.131.1 10.26.131.127
ip dhcp excluded-address 10.27.131.1 10.27.131.127
ip dhcp excluded-address 10.27.131.160
ip dhcp excluded-address 10.27.131.149
ip dhcp excluded-address 10.27.131.100
ip dhcp excluded-address 10.27.131.151
ip dhcp excluded-address 10.27.131.254
ip dhcp excluded-address 10.27.131.8
!
ip dhcp pool GUEST
 network 10.26.131.0 255.255.255.0
 default-router 10.26.131.1
 dns-server 8.8.8.8 4.4.4.4
!
ip dhcp pool LAN
 network 10.27.131.0 255.255.255.0
 dns-server 10.27.131.8 10.10.0.118
 default-router 10.27.131.254
!
!
!
no ip domain lookup
ip domain name sXXX
no ipv6 cef
!
multilink bundle-name authenticated
!
!
policy-map physical
 class class-default
  police 17825500 conform-action transmit  exceed-action drop
!
!
!
interface Tunnel1
 ip address 172.17.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 shutdown
 tunnel source 12.xx.xxx.xx
 tunnel destination 12.xxx.xxx.xxx
!
interface Tunnel3
 ip address 172.17.3.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 12.xx.xxx.xxx
 tunnel destination 19.xxx.xxx.xxx
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN_SIDE
 ip address 12.1xx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 service-policy input physical
 service-policy output physical
!
interface GigabitEthernet0/1
 description CONNECTION TO R_SW3
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 description LAN
 encapsulation dot1Q 1 native
 ip address 10.27.131.254 255.255.255.0
 ip access-group 120 in
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.20
 description GUEST NETWORK
 encapsulation dot1Q 20
 ip address 10.26.131.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.200
 description Phone VLAN
 encapsulation dot1Q 200
 ip address 10.5.2.254 255.255.255.0
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 12.xx.xxx.xx
ip route 10.5.5.0 255.255.255.0 10.5.2.1
ip route 10.10.0.0 255.255.255.0 172.17.3.5
ip route 10.10.200.0 255.255.255.0 172.17.3.5
ip route 10.27.129.0 255.255.255.0 172.17.3.5
ip route 10.27.130.0 255.255.255.0 172.17.3.5
ip route 10.28.129.0 255.255.255.0 172.17.3.5
ip route 192.168.2.0 255.255.254.0 172.17.3.5
ip route 192.168.99.0 255.255.255.0 172.17.3.5
!
access-list 2 permit 56.xx.xxx.xx
access-list 2 permit 60.xx.xxx.xx
access-list 2 permit 1xx.xx.xxx.xxx
access-list 2 permit 12x.xxx.xx.xx
access-list 2 permit 20x.xxx.xxx.xxx
access-list 2 permit 10.27.131.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 10.26.131.0 0.0.0.255
access-list 2 permit 10.27.129.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.1.255
access-list 120 permit ip 10.27.131.0 0.0.0.255 any
access-list 120 permit ip 10.27.129.0 0.0.0.255 any
access-list 120 permit ip 10.27.130.0 0.0.0.255 any
access-list 120 permit ip 10.10.200.0 0.0.0.255 any
access-list 120 permit ip 10.10.0.0 0.0.0.255 any
access-list 120 permit ip 172.17.0.0 0.0.0.255 any
access-list 120 permit ip 172.17.3.0 0.0.0.255 any
!
!
snmp-server community public RO
snmp-server enable traps entity-sensor threshold

!
end
6 REPLIES
Jon Marshall
VIP Community Legend

John

You have an acl 120 applied to the LAN interface that is allowing certain IP networks.

But when a client issues a DHCP request it doesn't yet have an IP address so that acl is blocking it.

Try adding this to acl 120 and retest -

access-list 120 permit udp any eq bootpc any eq bootps

Jon
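The point in Jon's reply is worth seeing concretely: ACL 120 is applied inbound on GigabitEthernet0/1.1 and permits only the listed source networks, while a client that has no lease yet sends its DHCPDISCOVER from 0.0.0.0 (UDP 68) to 255.255.255.255 (UDP 67), so it falls through to the implicit deny. The following Python model of IOS extended-ACL matching is an added illustration, not code from the thread or from Cisco. It parses the ACL 120 entries exactly as they appear in the posted config, appends either Jon's single line or the two broader lines mentioned later in the thread, and evaluates three constructed flows: the broadcast DISCOVER, a unicast renewal from an already-leased client, and a packet forwarded by a DHCP relay agent (UDP 67 to UDP 67). The client address 10.27.131.50 and relay address 192.168.50.1 are assumptions chosen for the example.

```python
"""Model of IOS extended-ACL matching, applied to the thread's ACL 120 and DHCP flows.

Added illustration, not code from the thread or from Cisco. Covers the syntax used on
the page: permit/deny, protocol ip|udp, source/destination as 'any', 'host A.B.C.D'
or 'A.B.C.D WILDCARD', and an optional 'eq PORT' after each address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # the two IOS port keywords the thread uses


@dataclass(frozen=True)
class Flow:
    proto: str  # "udp", "tcp", ...
    src: str
    sport: int
    dst: str
    dport: int


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _address(tokens: List[str], i: int) -> Tuple[Callable[[str], bool], int]:
    """Consume one address spec starting at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda _a: True), i + 1
    if tokens[i] == "host":
        host = tokens[i + 1]
        return (lambda a, h=host: a == h), i + 2
    base, wild = tokens[i], tokens[i + 1]
    return (lambda a, b=base, w=wild: wildcard_match(a, b, w)), i + 2


def _port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_entry(line: str):
    """'access-list 120 permit udp any eq bootpc any eq bootps' -> matcher tuple."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, i = _address(t, 4)
    sport, i = _port(t, i)
    dst, i = _address(t, i)
    dport, i = _port(t, i)
    return action, proto, src, sport, dst, dport


def evaluate(acl_lines: List[str], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching entry wins; anything unmatched hits the implicit deny (entry None)."""
    for n, line in enumerate(acl_lines, start=1):
        action, proto, src, sport, dst, dport = parse_entry(line)
        if proto not in ("ip", flow.proto):
            continue
        if not (src(flow.src) and dst(flow.dst)):
            continue
        if sport is not None and sport != flow.sport:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action, n
    return "deny", None


# ACL 120 exactly as it appears in the posted running-config.
ACL_120 = [
    "access-list 120 permit ip 10.27.131.0 0.0.0.255 any",
    "access-list 120 permit ip 10.27.129.0 0.0.0.255 any",
    "access-list 120 permit ip 10.27.130.0 0.0.0.255 any",
    "access-list 120 permit ip 10.10.200.0 0.0.0.255 any",
    "access-list 120 permit ip 10.10.0.0 0.0.0.255 any",
    "access-list 120 permit ip 172.17.0.0 0.0.0.255 any",
    "access-list 120 permit ip 172.17.3.0 0.0.0.255 any",
]
JON_LINE = ["access-list 120 permit udp any eq bootpc any eq bootps"]
BROAD_LINES = [
    "access-list 120 permit udp any any eq bootps",
    "access-list 120 permit udp any any eq bootpc",
]

# Constructed flows. A client with no lease sends DHCPDISCOVER/REQUEST from 0.0.0.0
# port 68 to the limited broadcast 255.255.255.255 port 67.
DISCOVER = Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67)
# A client renewing an existing lease unicasts from its leased address (assumed 10.27.131.50).
RENEW = Flow("udp", "10.27.131.50", 68, "10.27.131.254", 67)
# A DHCP relay agent forwards client traffic from UDP 67 to UDP 67 (relay address assumed).
RELAYED = Flow("udp", "192.168.50.1", 67, "10.27.131.254", 67)


def compare(flow: Flow) -> dict:
    """Verdict for one flow under the posted ACL, with Jon's line, and with the broad lines."""
    return {
        "posted": evaluate(ACL_120, flow),
        "jon": evaluate(ACL_120 + JON_LINE, flow),
        "broad": evaluate(ACL_120 + BROAD_LINES, flow),
    }


if __name__ == "__main__":
    for name, flow in (("DISCOVER", DISCOVER), ("RENEW", RENEW), ("RELAYED", RELAYED)):
        print(name, compare(flow))
```

Running it shows the DISCOVER denied by the posted ACL and permitted by entry 8 (the appended line) in both variants, while a renewal from a client that already holds a 10.27.131.x lease is permitted by entry 1 in every case. The one place the two forms differ is the RELAYED flow: a relay agent sources from port 67, so Jon's `eq bootpc` source-port match does not cover it and only the `any any eq bootps` form does. The model covers only the inbound ACL step; the router's own DHCPOFFER is generated locally and is not subject to `ip access-group 120 in`.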

Jon,

After applying that line to the ACL, deactivating the scope on the DHCP server and renewing the lease on the test machine I was not getting an IP address from my network 10.27.131.x.

The machine got a LAN and Wireless address from a 10.1.1.x network.

I noticed on this forum that people use:

access-list 120 permit udp any any eq bootps
access-list 120 permit udp any any eq bootpc

which I'm guessing has the same effect as your command?

Jon Marshall
VIP Community Legend

It's not quite the same but by all means try if you haven't already.

Have you tried doing a debug of DHCP to see what the router thinks is happening ?

Jon

Jon,

The commands I added made an immediate difference: I powered my test machine off and on, and it got an IP address from the correct network.

I did a sh ip dhcp bind and I saw the IP address and MAC address of the machine.

Now when I did an ipconfig /release and renew, it went back to the 10.1.1.x network. I gotta find out if there's a rogue DHCP machine on my network.

Jon Marshall
VIP Community Legend

John

So it worked when you added those extra lines you mentioned ?

If so glad to hear it worked.

It does sound like you have a rogue DHCP server because your router certainly isn't configured to hand out that range.

Jon
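As Jon notes, nothing in the posted config hands out 10.1.1.x, so that lease came from a DHCP server the router knows nothing about; `show ip dhcp binding` on the router only lists leases the router itself issued and cannot reveal it. The Python script below is an added example, not code from the thread: it decodes DHCP server replies (the UDP payload of packets a capture such as `tcpdump -w dhcp.pcap udp port 67 or udp port 68` on a client would collect) and flags any OFFER or ACK whose server identifier (option 54) is not on an allowlist, or whose offered address lies outside the 10.27.131.0/24 scope. The two sample packets are constructed inline; the rogue server address 10.1.1.1 is an assumption standing in for whatever issued 10.1.1.213 in the thread.

```python
"""Parse DHCP server replies and flag offers from servers not on the allowlist.

Added illustration, not code from the thread. Input is the UDP payload of each
DHCP packet; the two samples below are constructed, not captured.
"""
import ipaddress
import struct
from typing import Dict, Iterable, List

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie at offset 236
OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_LEASE_TIME, OPT_END = 53, 54, 51, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

# Servers allowed to answer on the LAN: the router's LAN address and the Windows server
# from the thread. Anything else answering is treated as rogue.
AUTHORIZED_SERVERS = {"10.27.131.254", "10.27.131.8"}
EXPECTED_SCOPE = ipaddress.ip_network("10.27.131.0/24")


def parse_dhcp(payload: bytes) -> Dict:
    """Decode the fixed BOOTP header and the TLV option area of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))  # address being offered
    siaddr = str(ipaddress.IPv4Address(payload[20:24]))  # next-server field
    chaddr = payload[28:28 + hlen].hex(":")               # client MAC
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:  # pad option, no length byte
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(OPT_MESSAGE_TYPE, b"\x00")[0]
    server_id = options.get(OPT_SERVER_ID)
    lease = options.get(OPT_LEASE_TIME)
    return {
        "op": op, "xid": xid, "chaddr": chaddr, "yiaddr": yiaddr, "siaddr": siaddr,
        "type": MSG_NAMES.get(msg_type, str(msg_type)),
        "server_id": str(ipaddress.IPv4Address(server_id)) if server_id else None,
        "lease": struct.unpack("!I", lease)[0] if lease else None,
    }


def classify(payloads: Iterable[bytes]) -> List[Dict]:
    """Keep server replies (OFFER/ACK); mark unauthorized or out-of-scope ones."""
    findings = []
    for p in payloads:
        m = parse_dhcp(p)
        if m["type"] not in ("OFFER", "ACK"):
            continue
        m["rogue"] = m["server_id"] not in AUTHORIZED_SERVERS
        m["outside_scope"] = ipaddress.ip_address(m["yiaddr"]) not in EXPECTED_SCOPE
        findings.append(m)
    return findings


def build_offer(yiaddr: str, server_id: str, xid: int = 0x3903F326,
                chaddr: bytes = bytes.fromhex("001122334455")) -> bytes:
    """Constructed DHCPOFFER used as sample input; a real capture replaces this."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0x8000,                          # BOOTREPLY, Ethernet, broadcast flag
        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,     # ciaddr, yiaddr
        ipaddress.IPv4Address(server_id).packed, b"\0" * 4,  # siaddr, giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)    # chaddr, sname, file
    options = (bytes([OPT_MESSAGE_TYPE, 1, 2])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
               + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", 86400)
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


# Constructed samples: a legitimate offer from the router's LAN pool, and the 10.1.1.213
# lease seen in the thread, attributed here to an assumed rogue server at 10.1.1.1.
SAMPLE_LEGIT = build_offer("10.27.131.130", "10.27.131.254")
SAMPLE_ROGUE = build_offer("10.1.1.213", "10.1.1.1")

if __name__ == "__main__":
    for f in classify([SAMPLE_LEGIT, SAMPLE_ROGUE]):
        flag = "ROGUE" if f["rogue"] else "ok"
        print(f"{f['type']:<5} server={f['server_id']:<15} offered={f['yiaddr']:<15} {flag}")
```

The server identifier is the field to key on: the rogue's offer carries its own address there, and the client MAC in `chaddr` tells you which host received it. Once the offending server is identified, the durable control is DHCP snooping on the access switches (`ip dhcp snooping` with only the uplink toward the router and server marked trusted), so that offers from any other port never reach clients.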

Jon,

Had to put this on hold for a while; finally getting back to it.

After inserting the 2 lines:

access-list 120 permit udp any any eq bootps
access-list 120 permit udp any any eq bootpc

everything appeared to be working correctly. That was until the second shift came in: 2 employees and their computer were unable to get an IP. It's like the PC didn't know where to look for a DHCP server. I had to remove the 2 lines and re-activate the scope on the DHCP server to resolve this.


I know we are close~~!