
SG300 - DHCP Pools not working after firewall connected

nickreid90
Level 1

Afternoon All,

 

I was wondering if someone can give me a hand with troubleshooting an issue I have on my Cisco SG300-10 switch.

 

Setup

Cisco SG300-10 switch in L3 mode

WatchGuard Firewall with x1 interface on 10.0.1.1. DHCP is turned off on WatchGuard trusted interface.

VLANs configured

VLAN 1 - Management 192.168.1.254
VLAN 10 - Guest 192.168.10.254
VLAN 20 - Home 192.168.20.254
VLAN 30 - Testing purposes 192.168.30.254

Assigned to Ports

GE1 - 1,10,20 & 30
GE2 - VLAN 1
GE3 - VLAN 10
GE4 - VLAN 20
GE5 - VLAN 30
GE8 - VLAN 10,20 & 30

PORTS CONFIG

GE1 - Trunk - interface IP 10.0.1.2
GE2 - Trunk
GE3 - Access
GE4 - Access
GE5 - Access
GE8 - Trunk

Other ports are access or trunk, no VLANs assigned to them.

 

DHCP

The switch has x3 DHCP pools created; these are for the VLANs.

| Pool Name | Network Mask | Address Pool Start | Address Pool End | Lease Duration | Number of Leased Addresses |
|---|---|---|---|---|---|
| TEST | 255.255.255.0 | 192.168.30.30 | 192.168.30.80 | 1d 0h 0m | 3 |
| GUEST | 255.255.255.0 | 192.168.10.10 | 192.168.10.60 | 1d 0h 0m | 2 |
| HOME | 255.255.255.0 | 192.168.20.20 | 192.168.20.70 | 1d 0h 0m | 2 |

 

INTERFACE

Port 1 on the switch is set up as an interface with IP address of 10.0.1.2 and is connected to interface 1 on the WatchGuard (10.0.1.1). Both have been configured with the same subnet mask.

 

Routes

I have created a route of 0.0.0.0 0.0.0.0 to 10.0.1.1 (WatchGuard IP)

Other routes created by default on Cisco

IPv4 Static Routing Table

| Destination IP Prefix | Prefix Length | Route Type | Next Hop Router IP Address | Route Owner | Metric | Administrative Distance | Outgoing Interface |
|---|---|---|---|---|---|---|---|
| 192.168.1.0 | 24 | Local | | Directly Connected | | | VLAN 1 |
| 192.168.10.0 | 24 | Local | | Directly Connected | | | VLAN 10 |
| 192.168.20.0 | 24 | Local | | Directly Connected | | | VLAN 20 |
| 192.168.30.0 | 24 | Local | | Directly Connected | | | VLAN 30 |

 

 

The Problem I have

When I have clients connected to the switch without the WatchGuard connected, they receive an IP address from the pools I created on the switch.

After I connect the WatchGuard to GE1 on the Cisco, the clients still retain their IP address, but when connecting new ones they don't receive an address; they get an APIPA IP address 169.x.x.x

 

I hope to hear from someone soon.

Thanks,

Nick

 

3 Replies

marce1000
VIP

(Getting a local address 169.x simply means that there was no response from the DHCP server.)

- But if the WatchGuard starts receiving all traffic, you may need to use DHCP relays in your configuration; check this thread:

https://community.cisco.com/t5/switching/network-setup-sg300-10/td-p/2782737

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hello,

 

If 10.0.1.1 is the IP address of the WatchGuard, what is the corresponding L3 interface (and IP address) on the SG300?

Hi there,

 

The interface on the Cisco for the WatchGuard is interface GE1 and the IP address is 10.0.1.2

Thanks,

Nick
