3560 & 2 VLANs (DHCP issue)

By devdevil85
I have (1) Cisco 3560 and I am wanting to create (2) port-based VLANs. IP addresses will be obtained via an external Windows 2003 DHCP Server. Port 22 is the only port in VLAN10 at the moment, while the others are in VLAN1.

DHCP Server = 192.168.1.1
Kentrox Router = 192.168.1.15

Here is my configuration thus far:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Cisco_POE
!
enable secret 5
!
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.1.7 255.255.254.0
ip helper-address 192.168.1.1
!
interface Vlan10
ip address 192.168.10.1 255.255.254.0
ip helper-address 192.168.1.1
!
router rip
version 2
network 192.168.10.0
!
ip classless
ip default-network 192.168.1.0
ip route 0.0.0.0 0.0.0.0 192.168.1.15
ip http server
!
!
control-plane
!
!
!
end

Devices on VLAN1 are being issued IP addresses correctly, yet when I connect my laptop to port 22 (VLAN10) it is not obtaining an address and I am given an error.

I have created an address range (scope) for VLAN10 on the DHCP server, yet the laptop is unable to obtain an IP address via DHCP on port 22 (VLAN10). I am left unable to test whether I can get communication between the VLANs.

I am able to ping VLAN1 but not VLAN10 (if that helps).

Is there something that I am missing/doing wrong?

All Answers

vlan 1 does not need a helper address

by robo_dev In reply to 3560 & 2 VLANs (DHCP issu ...

You do not need the helper on VLAN 1.

Does your new scope in your server have the giaddr field?

Do 'debug ip dhcp server packets' to see if DHCP requests are getting to the helper IP.

VLAN 1 is the default for all ports on your switch

by CG IT In reply to vlan 1 does not need a he ...

VLAN 1 is also on the same subnet as all other devices connected to the switch [such as your DHCP server. I assume your DHCP server is connected to that switch.]

When you create another VLAN, you're separating those ports assigned to the new VLAN from the default VLAN. They need an access line and a helper address to get to VLAN1.

I'm confused

by devdevil85 In reply to VLAN 1 is the default for ...

interface FastEthernet0/22
switchport access vlan 10
switchport mode access

interface Vlan10
ip address 192.168.10.1 255.255.254.0
ip helper-address 192.168.1.1

There is only 1 port (#22) in VLAN10 so far. I put the access line on the port (22) and I put the ip helper-address on VLAN10 as shown above. The external DHCP server is (like you said) connected to the 3560. Is there something that I'm missing? because it sounds like what you have said is something that I have already done...

Thanks for your help

You need Giaddr in your scope, or the server gets confused

by robo_dev In reply to I'm confused

The dhcp server does not know which subnet to use. DHCP relay is enabled by default in most Cisco devices.

The relay agent sets the gateway address (giaddr field of the DHCP packet) and, if configured, adds the relay agent information option (option82) in the packet and forwards it to the DHCP server. The reply from the server is forwarded back to the client after removing option 82.

Also, you don't need a helper address on your vlan1, but I'm not sure that this is making things fail.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804412bf.html#wp1085170
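
Added example, not part of any post in this thread: a Python sketch showing where giaddr and option 82 sit in a relayed DHCP packet, and how a server can pick a scope from giaddr. The sample packet is constructed, and the two /23 scopes are assumptions derived from the SVI addresses and masks in the posted configuration.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
# Assumed scopes, derived from the SVI addresses and 255.255.254.0 masks in the posted config.
SCOPES = [ipaddress.ip_network("192.168.0.0/23"), ipaddress.ip_network("192.168.10.0/23")]

def build_relayed_discover(giaddr, mac, option82=None):
    """Constructed sample: a DHCPDISCOVER as a relay agent would forward it."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1,                    # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x12345678, 0, 0x8000,         # xid, secs, flags (broadcast bit)
        bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,  # giaddr: set by the relay agent
        mac, b"", b"")                 # chaddr, sname, file (struct pads with NULs)
    options = b"\x35\x01\x01"          # option 53, DHCPDISCOVER
    if option82 is not None:
        options += bytes([82, len(option82)]) + option82
    return header + MAGIC + options + b"\xff"

def parse(packet):
    """Return (giaddr, {option code: raw value}) from a DHCP payload."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    giaddr = ipaddress.IPv4Address(packet[24:28])  # fixed header field, not an option
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:    # 255 = end option
        if packet[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        options[packet[i]] = packet[i + 2:i + 2 + packet[i + 1]]
        i += 2 + packet[i + 1]
    return giaddr, options

def select_scope(giaddr, scopes=SCOPES):
    """Scope whose subnet contains giaddr, or None (unrelayed or no matching scope)."""
    if int(giaddr) == 0:
        return None  # not relayed: a server would use the receiving interface's subnet
    return next((s for s in scopes if giaddr in s), None)

if __name__ == "__main__":
    pkt = build_relayed_discover("192.168.10.1", bytes.fromhex("001122334455"))
    giaddr, opts = parse(pkt)
    print(giaddr, select_scope(giaddr), "option 82 present:", 82 in opts)
```

Feeding `parse` the UDP payload of a request captured at the DHCP server shows whether the relayed packet arrives with giaddr 192.168.10.1 and whether option 82 is attached.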

You kind of lost me

by devdevil85 In reply to You need Giaddr in your s ...

I removed ip helper from VLAN1, but I don't know if what you are saying is that I'm missing something on my DHCP Server or if I'm missing a command on the 3560....

Doing more research....

by robo_dev In reply to You kind of lost me

The Cisco DHCP relay agent appends the helper address to the DHCP request packet on DHCP option 82 (GIADDRESS = Gateway interface address) only if DHCP snooping is enabled.

AND

Microsoft DHCP Server does not have default support for option 82, you have to enable it.

While Cisco has DHCP relay enabled by default, option 82 is not enabled without dhcp snooping. It's a security feature for preventing dhcp interactions from 'untrusted' interfaces.

Using Windows DHCP Server Management console (dhcpmgmt.msc) -> <DHCP Server> -> Right Click -> Set Predefined Options..., you can add option 82 as a customized option for DHCP Server.

In order for Cisco to do the option 82 stuff, you need to enable DHCP snooping globally

ip dhcp snooping

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_20_se/configuration/guide/swdhcp82.html#wp1138479
http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB0088R0_ODVA_DHCP_Option_82v2.pdf
https://blogs.technet.com/teamdhcp/archive/2005/09/16/411032.aspx

So the short answer is: enable DHCP snooping globally in the Cisco and enable option 82 support in Microsoft DHCP server.

Ok

by devdevil85 In reply to Doing more research....

Yeah, we aren't using the 3560 for DHCP and I don't think we enabled option 82 on the server, and I know we didn't enable DHCP snooping on the 3560 either, so... I will see if that helps/fixes the problem. If not I will be sure to get back w/ you ASAP.

Thank you for all your help robo!

Option is missing

by devdevil85 In reply to Doing more research....

Option 82 is missing on the Win2003 DHCP Server

Do you know how to manually add it? I read the link you sent me and I didn't find anything on the values needed...such as the Data Type and the Value....that I need to insert in the boxes

Thanks!

well you have to remember that VLAN 1 is a default

by CG IT In reply to I'm confused

in Cisco devices, meaning all ports belong to VLAN 1 until you create another VLAN and assign ports to it. That's why VLAN 1 DHCP works. It will work each and every time because the default settings in IOS allow it to work. Just like dumb switches always work, a Cisco switch doesn't need an address to work when you first boot it up and load IOS.

When you create a new VLAN, in essence you are creating a new subnet. Devices in VLAN 1 cannot talk to devices on VLAN 2 unless you have some method of routing packets between VLANs ["router on a stick" method].

So for VLAN 10, you must tell clients on it to go to a particular place to obtain IP addresses, which is enabling DHCP relay agent on VLAN 10. Then you must have a way for that traffic to get to the server. Something must "route" the packets there. VLAN 1 will not "route" packets from VLAN 10 to the DHCP server.

Ought to diagram it out to get a visual representation of how packets travel using subnets and routing, because that's really what you're doing when creating VLANs.

Do you see anything missing?

by devdevil85 In reply to well you have to remember ...

Do you see any mistakes or commands that I missed or used incorrectly that could be causing my problem?

You said, "VLAN 1 will not "route" packets from VLAN 10 to the DHCP server." What will "route" the packets then?

What should the Default Gateway be for devices on VLAN10? because I have the ip helper-address on VLAN10 pointing to the DHCP server? Is this correct? Am I pointing devices to the correct gateway?

Thanks!
