Cisco noob, DHCP+vlan not getting along

colinstu

Attempting to setup a Cisco 1811 with a basic config that would
1) WAN on fa0, receive IP via DHCP from modem
2) it has 8 switch ports, all automatically configured on vlan1 it seems
3) setup DHCP so any port on vlan1 can get an IP (pool 192.168.1.2-254), and DNS servers

Have followed a few guides and I seem to be most of the way there, the only thing that doesn't work is DHCP it seems. setting an IP manually it will work (on the client pc).

Here's my config:

Code:
Router#show conf
Using 1995 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool vlan192
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8 8.8.4.4
   domain-name Router.Home
   lease 7
!
!
no ip domain lookup
ip inspect name InspectRule icmp
ip inspect name InspectRule tcp
ip inspect name InspectRule udp
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip inspect InspectRule in
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip inspect InspectRule in
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
 shutdown
!
!
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0 overload
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny   any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny   ip any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip any any
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
line aux 0
line vty 0 4
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
 
Don't focus on the vlan portion of it. Vlan1 is a "default/data" on routers/switches that are vlan aware. Is the modem connected to Comcast? If so, unplug the power from the modem for about a minute. Then plug the power back in, and let it sync. Then turn on the router. Check your config after that.
 
The modem is connected to TWC, I haven't plugged it into this router yet (still have that plugged into my main router, I wanted to get this configured prior to plugging it in with that).

Why would connecting the router to the modem make the DHCP begin to work and assign IPs? I'd expect that to work beforehand.
 
1) what IP are you getting from the modem? Public or private IP?

2) Why do you have an inbound ACL on your internal (vlan 1) interface? Typically the ACL is put on the outside interface. Please remove access-list 101 deny ip any any, since the default rule of any ACL is deny. I would try making an allow at the bottom to see if DHCP works.

I think the core issue here is
access-list 10 deny any
access-list 100 deny ip any any
access-list 101 permit udp any eq bootps any eq bootpc
^ this should be access-list 101 permit udp any eq bootpc any eq bootps

The thing to keep in mind with ACLs is that each packet is processed in top-down order until a match is found. In this case, all traffic is blocked by rule 10. Once you remove that, traffic will be blocked by rule 100. bootps, I recall, is for secure boot, which is not what you're looking for. So remove all your denies, since the implicit last rule (even though not shown in the running config) is deny. I think the command you're looking for is permit udp any eq bootpc any eq bootps
 
A few things

1) Your ip inspect rule on Fe0 needs to be changed. If you allow inspect tcp/udp that pretty much means any inbound traffic is going to be accepted in. The inspect rule should be "out" instead of "in".

2) You are going to want to change no ip domain lookup to ip domain lookup. Without this, you are not going to be able to go to any website by name, i.e. Amazon.com (EDIT: if you have the router running as a DNS server).

3) The ACL 10 of deny any has no effect on rules 100 and 101. It is top down, but only for that particular ACL.

4) ACL 101 is also a big open hole too. It essentially is going to allow anything inbound. If you want to stop unwanted traffic coming in, I have sanitized a bit of my router running on edge for home use. The DHCP from my modem I made specific since my ISP seems to allow some RFC1918 addresses to float on the public network.

5) if you are ever curious if something is getting blocked, put a log at the end of the ACL command. That way when you check the log, you can see if the traffic is being allowed or blocked so you can change it to function properly.

6) If you want to have a Rule that is an inbound rule on your vlan, then it needs to include something along the lines of

access-list 100 permit udp any eq bootpc any eq bootps

That way, any computer that does not have an IP address and is trying to get one will get one.
Otherwise, you can take the inbound rule off VLAN1 and I bet you it would work without issues.


ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT dns <---Needed for Domain lookup
ip inspect name FWOUT http
ip inspect name FWOUT https
ip inspect name FWOUT time
ip inspect name FWOUT icmp
ip inspect name FWOUT echo
ip inspect name FWOUT isakmp

interface GigabitEthernet0/0
description LAN
ip address 192.168.205.252 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description TWC Connection
ip address dhcp
ip access-group 103 in <---allows only what is permitted below
ip nat outside
ip inspect FWOUT out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable

access-list 103 deny icmp any any redirect
access-list 103 deny ip 0.0.0.0 0.255.255.255 any log
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny ip 127.0.0.0 0.255.255.255 any log
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny ip 224.0.0.0 15.255.255.255 any log
access-list 103 deny ip host 255.255.255.255 any log
access-list 103 permit udp any any eq ntp
access-list 103 permit esp host 63.96.X.X any
access-list 103 permit ahp host 63.96.X.X any
access-list 103 permit udp host 63.96.X.X any eq isakmp log
access-list 103 permit udp host 63.96.X.X eq isakmp any eq isakmp log
access-list 103 permit tcp host 63.96.X.X eq 500 any eq 500 log
access-list 103 permit udp 70.122.240.0 0.0.15.255 any eq bootps log <---DHCP From Modem
access-list 103 permit udp 70.122.240.0 0.0.15.255 any eq bootpc log <---DHCP From Modem
access-list 103 permit udp any eq domain any
access-list 103 permit icmp any any echo-reply
access-list 103 permit tcp host 63.96.X.X any eq 9922
access-list 103 deny ip any any log
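As an added illustration of the two ACL points made above (top-down evaluation with an implicit deny at the end, and the bootpc/bootps direction of the inbound DHCP entry), here is my own example code, not the original poster's config or anything from the thread. It models IOS extended-ACL matching in Python for the subset of syntax used here (numbered entries with `any` or address/wildcard pairs and optional `eq` ports) and runs the original poster's inbound ACL 100 against a constructed DHCP DISCOVER.

```python
import ipaddress
PORTS = {"bootps": 67, "bootpc": 68}  # DHCP server / client UDP ports

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(t, i):  # 'any' or 'A WILDCARD' -> (network, wildcard, next index)
    return (0, 0xFFFFFFFF, i + 1) if t[i] == "any" else (_ip(t[i]), _ip(t[i + 1]), i + 2)

def _port(t, i):  # optional 'eq <name|number>' -> (port or None, next index)
    if i < len(t) and t[i] == "eq":
        return PORTS.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """'access-list N <permit|deny> <proto> <src> [eq p] <dst> [eq p]' -> dict."""
    t = line.split()
    snet, swild, i = _addr(t, 4)
    sport, i = _port(t, i)
    dnet, dwild, i = _addr(t, i)
    dport, _ = _port(t, i)
    return {"action": t[2], "proto": t[3], "src": (snet, swild), "dst": (dnet, dwild),
            "sport": sport, "dport": dport}

def ace_matches(ace, pkt):
    def addr_ok(ip, net, wild):  # a set wildcard bit means "don't care"
        return (_ip(ip) | wild) == (net | wild)
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (addr_ok(pkt["src"], *ace["src"]) and addr_ok(pkt["dst"], *ace["dst"])):
        return False
    return all(ace[k] is None or ace[k] == pkt.get(k) for k in ("sport", "dport"))

def evaluate(acl, pkt):
    """IOS semantics: top-down, first match wins; no match hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "(implicit deny)"

# Constructed packet, not a capture from the thread: a DHCP DISCOVER is sent before the
# client has an address, so it comes from 0.0.0.0, UDP 68 (bootpc) -> 67 (bootps).
DHCP_DISCOVER = {"src": "0.0.0.0", "dst": "255.255.255.255", "proto": "udp", "sport": 68, "dport": 67}
# ACL 100 as the original post applied it inbound on Vlan1, then with the bootpc->bootps entry
# from the reply above placed ahead of the deny, then with the ports reversed (server->client).
ACL_100_ORIGINAL = ["access-list 100 permit ip 192.168.1.0 0.0.0.255 any",
                    "access-list 100 deny ip any any"]
ACL_100_FIXED = ["access-list 100 permit udp any eq bootpc any eq bootps"] + ACL_100_ORIGINAL
ACL_100_REVERSED = ["access-list 100 permit udp any eq bootps any eq bootpc"] + ACL_100_ORIGINAL
```

Because a numbered ACL appends new entries at the end, the permit line has to go in before `deny ip any any` (or the ACL rebuilt), otherwise the DISCOVER still reaches the deny first.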
 
Thanks all, especially you Daedalus0101101!

Getting a LOT closer here...
1) Computers now get IP addresses (as well as gateway, dns, etc) correctly now when plugged in
2) When plugging the router to the modem, I can now both ping outside IP, and resolve hostnames and ping them too.

The only thing not working however is that the computers cannot ping the DNS server I have specified, and also cannot resolve hostnames (due to that).

The computer IS getting the DNS server IP just fine, and the router itself can ping that DNS server and resolve. Why is that not making its way to the computers?

Nothing is logged to the console when the computer attempts to ping.

Also Daedalus0101101, what are those 63.96.X.X acl lines for?
 
Unless I'm missing something, there's no route to the outside network from inside. Something like:

Code:
ip route 0.0.0.0 0.0.0.0 fa 0/1
should be added. The router can get to DNS as it already has an IP in the outside interface.
 
Thanks all, especially you Daedalus0101101!
The computer IS getting the DNS server IP just fine, and the router itself can ping that DNS server and resolve. Why is that not making its way to the computers?

Nothing is logged to the console when the computer attempts to ping.

Also Daedalus0101101, what are those 63.96.X.X acl lines for?

The 63.96. is a friend's home and not relevant to your configuration. He and I have a site-to-site VPN tunnel, and we use it to share resources and test things.

What is the Current running configuration on the router now?

Unless I'm missing something, there's no route to the outside network from inside. Something like:

Code:
ip route 0.0.0.0 0.0.0.0 fa 0/1
should be added. The router can get to DNS as it already has an IP in the outside interface.

This shouldn't be needed. By default, when an interface is assigned a public IP address, it will also receive a default router and insert it into the routing table. This is the upper part of my routing table. The floating static default route was learned from my ISP.

DLC1921LTNTX3020#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 24.27.64.1 to network 0.0.0.0

S* 0.0.0.0/0 [254/0] via 24.27.64.1
10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks

You can always tell if it's a learned static route or a manual entry by the metrics and administrative distance. In this case, it's 254, which is almost the bottom of the list. That means everything else can override it unless it doesn't reside on the network.

This one below is a manual static route.

GGR-C3845-05#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.2.5.252 to network 0.0.0.0

10.0.0.0/24 is subnetted, 1 subnets
C 10.2.5.0 is directly connected, GigabitEthernet0/0
S* 0.0.0.0/0 [1/0] via 10.2.5.252

The administrative distance is 1, meaning that it was manually programmed into the router and the router has to obey it above all else.
 
I... didn't know that. Had to go try this out. So, this is a function of the router interface receiving an address via DHCP and having the ISP pass the default-router to it? Am I seeing that right? Looks like I can do the same with private IPs too.

Knew better than to get into this thread but I DID just learn something.
 
You got it!
On most if not all "Consumer" grade routers, you will not be able to see all this information without ripping the pleasant bubbly firmware off it. One of the more common routers that this occurred on was Linksys's older WRT line. There were a lot of custom firmwares that you could load onto it to actually make it a pretty decent device. A few that I remember are DD-WRT, OpenWRT (works on a lot of consumer routers), Tomato(something), and quite a few more. In money terms, it turned a $50 router into about a $400 router based off of capabilities and features.
On "Enterprise" grade (notice I didn't say Business Class) routers, this is a feature that is necessary. It's used mainly for traffic management, redundant links or routers, or fail-over. You can actually have 2+ public internet sources plugged into your router and, based off what you tell it to do, route traffic out each interface accordingly for bandwidth shaping or terms of service with the ISP. One that I use at my company in day-to-day operation: we have primary T-3 lines. If for some reason that goes down, we have a Cellular LTE connection that takes over the internet responsibilities. Otherwise, it just sits waiting for a failure, and it is also a back way into our routers for management purposes.
 
You're not getting DHCP because you do not have a helper specified...
You need to enter your vlan ....

conf t
int vlan 2 --- or whatever it is
ip helper-address xxx.xxx.xxx.xxx

That way the VLAN knows where the DHCP server is located.

It really is that simple in most cases. Wow how people overblow Cisco stuff on the forums.

Also I notice that you do not have an active ethernet interface other than your outside line.

You need to have at least one fa port ( no shut) in order to allow vlan traffic to pass in and out of that port.

so you need the following:

interface fa1
no ip address
switchport access vlan 1 (or whatever it is)

Basically the switchport is just an open switchport with no address assigned, but it will pass off all traffic to the vlan that does have an address. If you want to make a single switchport allow traffic to various vlans, you need to make it a trunk port and use switchport trunk allow vlan 1-3,4,5-10 or whatever combination you want.

Now if you want more than one vlan on a single ethernet port, you need to route on a stick or assign other eth ports to specific vlans, and each will have their own unique rulesets - another story another day.

Here is an example from my 1921 ...

interface GigabitEthernet0/1/1
switchport access vlan 1 <--------- Notice no ( SHUT ) command here! And it's assigned to a vlan
no ip address <------ the port doesn't need to have an ip because the vlan has one
spanning-tree portfast <------ just makes ports activate faster --- disregard this jargon

interface Vlan2
description internal-vlan FW_INSIDE
ip address 10.1.1.1 255.255.255.0 <-------------- the overall VLAN IP address (called an SVI)
ip helper-address 10.1.1.1 <---------This is my DHCP server, which is also my router!
ip nat inside <------This is the inside of the firewall zone for natting
ip virtual-reassembly in
zone-member security in-zone <----------This is just Cisco IOS Zone Firewall jargon - disregard it


I'm not going to analyze your access-lists / groups or other security parameters. Until you get your networking fixed it's a moot point.
 
You're not getting DHCP because you do not have a helper specified...
You need to enter your vlan ....

conf t
int vlan 2 --- or whatever it is
ip helper-address xxx.xxx.xxx.xxx

That way the VLAN knows where the DHCP server is located.

Not needed. He has only 1 VLAN and it's running on the Default VLAN. By default, all DHCP packets will be untagged and picked up by the DHCP server on the router. He also said his computers are getting IP addresses now, so it's a moot point. Also, all his FA (layer 2) ports are in the 'no shut' state already.

interface fa1
no ip address
switchport access vlan 1 (or whatever it is)

Also not needed. By default any Layer 2 switchports (which for the 1811 is ports fe0/2-9) are automatically assigned to VLAN 1 (unless modified) on a Cisco Router and will not take an IP address even if you tried. If he was using a different VLAN, I would have brought this point up, so I was trying not to overload him.

Wow how people overblow Cisco stuff on the forums.

Yeah, no kidding.
 
Cool no worries. I am usually a dollar short and a day late.

ha ha
 