01-09-2017 01:57 PM - edited 03-08-2019 08:50 AM
We have a number of sites that are using a 3845 as a router and 3750s as access switches. As they are becoming EoS/EoL, we've been replacing them with a 4451 and some 3850s.
We haven't made any major modifications to the configurations. The 4451 serves as the layer 3 gateway, and the access switches are purely layer 2 devices.
The user interfaces on the router have an ip-helper address which points to a number of centralized DHCP servers, and we typically enable DHCP snooping to make sure the users don't get bitten if they do something stupid like set up an unauthorized DHCP server.
The IOSs in question are 15.4.3 for the 4451, and the 3850s are using 03.07.04E. We use the 3850s at our major campuses as well, and have no issues. We do not use the 4451 on our major campuses, just smaller remote sites.
The issue seems to be that users do not get addresses unless we also place an ip-helper address on the VLAN interfaces on the 3850s. We never placed these statements on the 3750s, and we do not place them on the 3850s on our main campuses, so it appears to be an issue that is affected by the presence of the 4451.
I'm in the process of collecting pcap files, but this just jumps out as we missed something stupid. AnyConnect is also in play, and if we disable AnyConnect/NAM on end-user workstations, they seem to allow traffic. AnyConnect is 4.3.02039.
Anybody else ever seen this?
01-09-2017 03:20 PM
I am not 100% clear on your setup, but are your 3850 and their SVI interface the only layer 3 boundary? In which case, they would need to be set up with an IP helper address.
What else would you think would be redirecting DHCP requests?
01-09-2017 04:56 PM
The gateway router has sub-interfaces for the various VLANs, and the SVIs corresponding to the VLANs are defined on the access switches. The ip-helpers have worked just fine being on the GW only, but now with the introduction of the 4451, they also appear to be necessary on the layer 2 devices in the SVIs.
If I compare two 3850 switches, one in a closet here, and one out on the WAN, the major differences I see are:
1) local campus 3850 has only one VLAN, for loopback, and has a default route. It has no helper addresses
2) remote 3850 has multiple VLANs defined as SVI, and has no default route. It doesn't work w/o helper addresses.
I'm guessing that's part of my issue. Too many cooks. I'm just trying to explain the inconsistencies.
02-02-2017 09:41 AM
We figured it out...
ip dhcp relay information option
is enabled by default. Deleting it fixed our issue.
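For the pcap triage mentioned in the thread, an added example (not part of the original posts) that parses a DHCP message and reports giaddr and option 82, the relay agent information field that the `ip dhcp relay information option` command controls. The sample packet is constructed, and flagging option 82 that arrives with a zero giaddr is this example's assumption about what is worth checking in such captures.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131: precedes the options field
OPT_RELAY_INFO = 82                 # RFC 3046 relay agent information


def parse_tlv(data, pad_end=True):
    """Walk a code/length/value list and return {code: value}."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if pad_end and code == 255:      # END
            break
        if pad_end and code == 0:        # PAD has no length byte
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        out[code] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return out


def inspect_dhcp(payload):
    """Report the relay-related fields of one BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    giaddr = socket.inet_ntoa(payload[24:28])
    opts = parse_tlv(payload[240:])
    relay = opts.get(OPT_RELAY_INFO)
    return {
        "msg_type": opts.get(53, b"\x00")[0],
        "giaddr": giaddr,
        # sub-option 1 = circuit-id, 2 = remote-id; no PAD/END inside option 82
        "option82": None if relay is None else parse_tlv(relay, pad_end=False),
        "opt82_with_zero_giaddr": relay is not None and giaddr == "0.0.0.0",
    }


def sample_discover(giaddr="0.0.0.0", with_opt82=True):
    """Constructed DHCPDISCOVER for demonstration; values are made up."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                      b"", b"", b"", socket.inet_aton(giaddr),
                      bytes.fromhex("020000000001"), b"", b"")
    opts = b"\x35\x01\x01"  # option 53: DHCPDISCOVER
    if with_opt82:
        opts += b"\x52\x0c\x01\x04Gi10\x02\x04sw01"
    return hdr + MAGIC_COOKIE + opts + b"\xff"
```

Feed `inspect_dhcp` the UDP payload of each DHCP packet captured on the router-facing link and compare the result with and without the setting enabled.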