Cisco 851 DHCP binding problem

thehumi
Hi, I got my company's Cisco 851 wired router running, and now I'm trying to bind particular equipment that we use (such as a printer/scanner/fax machine) with the MAC address in the DHCP server.

Posted below I have my current running config. At first the binding works, but for some reason it then switches to a different IP sent from the DHCP server.

Any help would be appreciated. Thanks!
-Andrew


Building configuration...

Current configuration : 3427 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname itsrouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password 7 044B0A151C36435C0D
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
!
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool internal-net
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name its-control.com
!
ip dhcp pool afiricoprinter
host 192.168.1.210 255.255.255.0
hardware-address 0100.0074.c1c0.55
!
!
ip cef
ip inspect name MYFW udp
ip inspect name MYFW tcp router-traffic
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name its-control.com
ip name-server 192.168.1.1
!
!
!
!
username admin privilege 15 password 7 044B0A151C36435C0D
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
description $ETH-WAN$
ip dhcp client update dns server none
ip ddns update sdm_ddns1
ip address dhcp client-id FastEthernet4
ip access-group Internet-inbound-ACL in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Vlan1
description Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http port 6000
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.20 5631 interface FastEthernet4 5631
ip nat inside source static udp 192.168.1.20 5632 interface FastEthernet4 5632
ip nat inside source static tcp 192.168.1.20 5800 interface FastEthernet4 5800
ip nat inside source static tcp 192.168.1.20 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.1.21 5633 interface FastEthernet4 5633
ip nat inside source static udp 192.168.1.21 5634 interface FastEthernet4 5634
ip nat inside source static tcp 192.168.1.21 5801 interface FastEthernet4 5801
ip nat inside source static tcp 192.168.1.21 5901 interface FastEthernet4 5901
ip nat inside source static tcp 192.168.1.100 5802 interface FastEthernet4 5802
ip nat inside source static tcp 192.168.1.100 5902 interface FastEthernet4 5902
ip nat inside source static tcp 192.168.1.100 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.100 21 interface FastEthernet4 21
!
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
!
line con 0
password 7 105E080A16001D1908
no modem enable
line aux 0
line vty 0 4
password 7 051B071C325B411B1D
!
scheduler max-task-time 5000
end
  • NetMan1958

    I would remove ip dhcp pool afiricoprinter and put these lines:
    host 192.168.1.210 255.255.255.0
    hardware-address 0100.0074.c1c0.55
    under the ip dhcp pool internal-net.
    That said, I always configure an excluded range and hard code my servers and printers to an address from that excluded range.

    thehumi

    I'll try your suggestion when I get into the office tomorrow and post the results.

    Thanks Netman

    thehumi

    I get the following error when I attempt to enter the HOST command into the IP DHCP POOL INTERNAL-NET.

    "This command may not be used with network, origin, vrf, or relay pools."

    I have 5 or 6 computers and printers that I need bound, so I'm not even sure the said method would work?

    I now have the following excluded-address range of:
    ip dhcp excluded-address 192.168.1.1 192.168.1.25
    ip dhcp excluded-address 192.168.1.100 192.168.1.110
    ip dhcp excluded-address 192.168.1.200 192.168.1.255
    !
    ip dhcp pool internal-net
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    !
    ip dhcp pool afiricoprinter
    host 192.168.1.210 255.255.255.0
    hardware-address 0100.0074.c1c0.55
    !

    I also still have the same problem of the router assigning the "correct" bound IP address, then after a few seconds, the DHCP server will hand it a new one.

    Any help would be appreciated.
    Thanks
    - Andrew

    NetMan1958

    You know what, I looked through your original config again and noticed that you are running IOS version 12.4. I did some research and found out that I gave you a bad suggestion. Here is a link to an article on cisco.com that will probably help you.
    http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcp_svr_cfg.html#wp1155880

    Read that and if you have any questions post back.
    PS: note that the article recommends using
    client-identifier 0100.0074.c1c0.55
    and using
    hardware-address 00.0074.c1c0.55
    only for BOOTP requests.
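
The identifier mix-up discussed in this thread, as an added example that is not part of the original posts: a Python lint that flags a 7-byte, 01-prefixed value entered under hardware-address and builds the client-identifier form (media type 01 followed by the MAC) from an Ethernet MAC. The function names and the excerpted config are constructed for illustration, and both checks are heuristics.

```python
import re

# Constructed excerpt of the two manual bindings posted in this thread.
CONFIG = """\
ip dhcp pool afiricoprinter
 host 192.168.1.210 255.255.255.0
 hardware-address 0100.0074.c1c0.55
ip dhcp pool itssystem
 host 192.168.1.100 255.255.255.0
 client-identifier 0100.1d09.8c8b.ad
"""

def hex_digits(value):
    """Strip '.', ':' and '-' separators and validate whole hex bytes."""
    digits = re.sub(r"[.:\-]", "", value).lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", digits):
        raise ValueError(f"not a hex byte string: {value!r}")
    return digits

def dotted(digits):
    """Group hex digits four at a time, the way IOS prints them."""
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))

def client_identifier(mac):
    """Ethernet MAC in any common notation -> media type 01 followed by the MAC."""
    digits = hex_digits(mac)
    if len(digits) != 12:
        raise ValueError("expected a 6-byte Ethernet MAC")
    return dotted("01" + digits)

def lint_bindings(config):
    """Return [(pool, keyword, suggestion)] for identifiers of the wrong length."""
    findings, pool = [], None
    for line in map(str.strip, config.splitlines()):
        words = line.split()
        if line.startswith("ip dhcp pool "):
            pool = words[3]
        elif words[:1] == ["hardware-address"]:
            digits = hex_digits(words[1])
            # Heuristic: 7 bytes starting 01 is a client identifier, not a MAC.
            if len(digits) == 14 and digits.startswith("01"):
                findings.append((pool, words[0], f"client-identifier {dotted(digits)}"))
        elif words[:1] == ["client-identifier"]:
            digits = hex_digits(words[1])
            # Heuristic: a bare 6-byte MAC here lacks the 01 media-type prefix.
            if len(digits) == 12:
                findings.append((pool, words[0], f"client-identifier {client_identifier(digits)}"))
    return findings
```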

    thehumi

    Thanks Netman. The DHCP binding seems to be holding now after changing hardware-address to client-identifier. My new problem is that my NAT configuration isn't working. I couldn't test this before because I couldn't bind the servers correctly. Perhaps it's something with the firewall settings.

    Any help would be very much appreciated.
    Thanks,
    Andrew


    Building configuration...

    Current configuration : 3644 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable password 7 044B0A151C36435C0D
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default local
    !
    !
    aaa session-id common
    !
    !
    dot11 syslog
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.100 192.168.1.110
    ip dhcp excluded-address 192.168.1.200 192.168.1.255
    ip dhcp excluded-address 192.168.1.1 192.168.1.25
    !
    ip dhcp pool internal-net
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    !
    ip dhcp pool afiricoprinter
    host 192.168.1.200 255.255.255.0
    client-identifier 0100.0074.c1c0.55
    !
    ip dhcp pool itssystem
    host 192.168.1.100 255.255.255.0
    client-identifier 0100.1d09.8c8b.ad
    !
    !
    ip cef
    ip inspect name MYFW udp
    ip inspect name MYFW tcp router-traffic
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip domain name its-control.com
    ip name-server 192.168.1.1
    ip ddns update method sdm_ddns1
    HTTP
    [deleted]
    !
    !
    !
    !
    username admin privilege 15 password 7 044B0A151C36435C0D
    !
    !
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    interface FastEthernet0
    spanning-tree portfast
    !
    interface FastEthernet1
    spanning-tree portfast
    !
    interface FastEthernet2
    spanning-tree portfast
    !
    interface FastEthernet3
    spanning-tree portfast
    !
    interface FastEthernet4
    description $ETH-WAN$
    ip dhcp client update dns server none
    ip ddns update sdm_ddns1
    ip address dhcp client-id FastEthernet4
    ip access-group Internet-inbound-ACL in
    ip inspect MYFW out
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    !
    interface Vlan1
    description Internal Network
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 dhcp
    !
    ip http server
    ip http port 6000
    no ip http secure-server
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source static tcp 192.168.1.20 5631 interface FastEthernet4 5631
    ip nat inside source static udp 192.168.1.20 5632 interface FastEthernet4 5632
    ip nat inside source static tcp 192.168.1.20 5800 interface FastEthernet4 5800
    ip nat inside source static tcp 192.168.1.20 5900 interface FastEthernet4 5900
    ip nat inside source static tcp 192.168.1.21 5633 interface FastEthernet4 5633
    ip nat inside source static udp 192.168.1.21 5634 interface FastEthernet4 5634
    ip nat inside source static tcp 192.168.1.21 5801 interface FastEthernet4 5801
    ip nat inside source static tcp 192.168.1.21 5901 interface FastEthernet4 5901
    ip nat inside source static tcp 192.168.1.100 5802 interface FastEthernet4 5802
    ip nat inside source static tcp 192.168.1.100 5902 interface FastEthernet4 5902
    ip nat inside source static tcp 192.168.1.100 80 interface FastEthernet4 80
    ip nat inside source static tcp 192.168.1.100 21 interface FastEthernet4 21
    !
    ip access-list extended Internet-inbound-ACL
    permit udp any eq bootps any eq bootpc
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any traceroute
    permit gre any any
    permit esp any any
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    !
    control-plane
    !
    !
    line con 0
    password 7 105E080A16001D1908
    no modem enable
    line aux 0
    line vty 0 4
    password 7 051B071C325B411B1D
    !
    scheduler max-task-time 5000
    end

    NetMan1958

    Just glancing at it, your NAT configuration looks OK. What are the symptoms that lead you to believe it is a NAT issue?

    Netman

    thehumi

    I too believe the NAT configuration is correct. I have a computer at home that I have tested the NAT on our system behind the Cisco 851, and can't access anything that the NAT is set up for. Which is why it leads me to believe it is a firewall issue?

    Any ideas?
    Thanks,
    - Andrew

    NetMan1958

    First try removing these 2 lines:
    ip access-group Internet-inbound-ACL in
    ip inspect MYFW out
    and then if you still have an issue open a command prompt on the computer and run
    ipconfig /all
    post back with the results and the output of the ipconfig /all.

    Netman

    thehumi

    Thanks Netman.

    The access-group was the key.

    Everything works as desired now, thanks again!

    -Andrew
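
An added example, not part of the original thread: a Python check that lists which static NAT forwards the inbound ACL on the outside interface drops, and prints the permit entries that would admit them while the ACL stays applied. It assumes a permit-only ACL like the one posted, indented `show run` output, and that the inbound ACL is evaluated before NAT on the outside interface; the function names and the config excerpt are constructed.

```python
import re
# Constructed excerpt of the running config posted in this thread.
CONFIG = """\
interface FastEthernet4
 ip access-group Internet-inbound-ACL in
 ip nat outside
ip nat inside source static tcp 192.168.1.20 5631 interface FastEthernet4 5631
ip nat inside source static udp 192.168.1.20 5632 interface FastEthernet4 5632
ip nat inside source static tcp 192.168.1.100 80 interface FastEthernet4 80
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit gre any any
"""
NAMED_PORTS = {"bootps": 67, "bootpc": 68, "www": 80, "ftp": 21}
NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) \d+ interface (\S+) (\d+)$", re.M)

def _addr(tok):   # drop 'any' (1 token) or 'host A' / 'A wildcard' (2 tokens)
    return tok[1:] if tok[:1] == ["any"] else tok[2:]

def _port(tok):   # consume optional 'eq P'; None = any port, -1 = unrecognised name
    if tok[:1] != ["eq"]:
        return None, tok
    return NAMED_PORTS.get(tok[1], int(tok[1]) if tok[1].isdigit() else -1), tok[2:]

def inbound_acl(config, iface):
    # Relies on sub-commands being indented under the interface line.
    m = re.search(rf"^interface {re.escape(iface)}\n(?:[ \t]+.*\n)*?"
                  r"[ \t]+ip access-group (\S+) in$", config, re.M)
    return m.group(1) if m else None

def permits(config, acl):
    # (proto, dst_port) per permit entry; assumes no deny entries before them.
    m = re.search(rf"^ip access-list extended {re.escape(acl)}\n((?:[ \t]+.*\n?)*)",
                  config, re.M)
    out = []
    for line in (m.group(1) if m else "").splitlines():
        tok = line.split()
        if tok[:1] == ["permit"]:
            _, rest = _port(_addr(tok[2:]))       # source address, source port
            out.append((tok[1], _port(_addr(rest))[0]))
    return out

def blocked_forwards(config):   # forwards whose outside port no permit entry matches
    blocked = []
    for m in NAT_RE.finditer(config):
        proto, inside_ip, iface, port = m.groups()
        acl = inbound_acl(config, iface)
        rules = permits(config, acl) if acl else []
        if acl and not any(p in (proto, "ip") and d in (None, int(port)) for p, d in rules):
            blocked.append((proto, int(port), inside_ip))
    return blocked

def suggested_permits(blocked):   # destination 'any': the WAN address is DHCP-assigned
    return [f"permit {proto} any any eq {port}" for proto, port, _ in blocked]
```

Each suggested entry opens the forwarded port to any source; replace the first `any` with a source network where the remote side is known.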
