Cisco 300 - VLAN DHCP packets not passing

I am seeing a problem with our Cisco 300 switches. We use these switches as access switches, with a stacked 3750-G at the core, two 2960-S at the distribution layer, and about 10 300 Series switches at the access layer (10 port and 28 ports, all PoE).
We use Voice VLAN (VLAN 14) for our Mitel phones – there is a DHCP server on the Mitel system. Phones come up, get tagged VLAN 14 (LLDP), Traffic flows (including Broadcast for DHCP etc…). The system works, and has worked for months.
One day, suddenly, I find that all the Mitel phones on a particular access switch are not working. I look on the Mitel system and the lease on DHCP has expired, and the phone is stuck on renewing its DHCP IP address. I run port mirroring on the switch for VLAN 14 to see what is happening. The phones are stuck on DHCP discover, and I see the DHCP Discover broadcast packets on the switch but nothing else, no DHCP offer packets – hence the phone stuck at boot cycle.
I then do a port mirror from another access switch (that is currently working) – I can see the broadcast packets from the Mitel phones on the broken switch, but on this switch I can also see the DHCP offer packets from the Mitel system. I run two port mirrors simultaneously from the two switches (one working, one not) and I can see that the DHCP offer packets are not coming through to the broken switch. Panic ensues – I look at the distribution layer and there is no problem whatsoever.
For some strange reason, the Cisco 300 28 port has stopped passing DHCP broadcast packets on a particular VLAN, even though they are being sent. I power cycle the switch – and hey presto, DHCP offer packets are coming through, and the phones get an IP address and boot properly.
I wipe the sweat off my brow, note the issue down and carry on my daily duties.
Forward a couple of weeks later, and to today. I have another phone that is showing the same symptoms; luckily it is the only phone on this particular Cisco 300 28 port. The same issue is occurring as described above. I gather as much diagnostic information as I can, then reboot the switch – but still no joy. I then remember that this switch is not directly attached to the distribution layer and instead gets trunked to another Cisco 300 28 port. I give that a reboot and 5 minutes later, DHCP broadcast offers are passing and the phone boots.
I am listing this problem as not just a ‘one off’ now; it is recurring. It has happened to two of my 300 28 port switches.
All Switches running 1.1.2.0.
No link to up time – first instance of the problem, switch was up for 14 days – second instance (another switch) uptime of 39 days
LLDP is working fine on the switches, as is Voice-VLAN (Port is tagged and broadcasts out DHCP Discover which is seen by other devices throughout network)
Nothing in the log file on the access switch
Nothing on the Dist/Core regarding STP – Spanning tree set up is fine throughout
Has anyone else experienced the same? I’m hoping this is a bug that is getting fixed.
Many Thanks
Tim

Hello Tim
Brayton Hackworth had a similar post to yours, found here:
https://supportforums.cisco.com/message/3684179#3684179
Brayton is using the Mitel 5330 phones where the LLDP no longer fed VLAN information to the phone network. But, he reverted to use a DHCP server to provide the VLAN information.
Unfortunately, I (personally) cannot test any Mitel resources (since I don't have them) so my labs usually only consist of either 7900 series or SPA500/900 series phones.
The best thing I can really recommend to you is to make a package of data consisting of:
- Topology, which consists of:
    - Modem type
    - Router including IP
    - All devices including IP of switches
    - Servers / relevant workstations
    - # of attached devices and # of users on the LAN
- Switch config file + show tech on a notepad
- Syslog output from the switch
- Working PCAP
- PCAP showing failure
- PCAP legend showing what IP addresses are who (unless topology contains all IP)
- Where the PCAP is taken from and method
We then can create a service request for you and pass it for review.
-Tom
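
The two-mirror comparison described in the question can be automated once the captures exist. The following is an added example, not code from either poster or from Cisco: it parses DHCP messages and reports transactions whose OFFER reached the working switch but not the failing one. It assumes the UDP payloads (ports 67/68) have already been extracted from each capture; the MAC addresses, transaction IDs and the `build_dhcp` helper are constructed sample data.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options
DISCOVER, OFFER = 1, 2                # values of option 53 (message type)


def build_dhcp(op, xid, mac, msg_type, giaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP payload; used only for the sample data."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,                   # op, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,                # xid, secs, flags (broadcast bit set)
        bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr
        socket.inet_aton(giaddr),      # relay agent address
        mac, b"", b"",                 # chaddr, sname, file (zero padded)
    )
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return xid, client MAC, giaddr and message type, or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    hlen = min(payload[2], 16)
    xid = struct.unpack("!I", payload[4:8])[0]
    msg_type = None
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                    # truncated option
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if payload[i] == 53 and len(value) == 1:
            msg_type = value[0]
        i += 2 + length
    return {
        "xid": xid,
        "mac": payload[28:28 + hlen].hex(":"),
        "giaddr": socket.inet_ntoa(payload[24:28]),
        "type": msg_type,
    }


def transactions(payloads):
    """Map xid -> set of message types seen at one capture point."""
    seen = {}
    for payload in payloads:
        msg = parse_dhcp(payload)
        if msg and msg["type"] is not None:
            seen.setdefault(msg["xid"], set()).add(msg["type"])
    return seen


def compare_mirrors(working, broken):
    """List xids offered on the working mirror for which the broken
    mirror saw the DISCOVER but never the OFFER."""
    good, bad = transactions(working), transactions(broken)
    return sorted(
        xid for xid, types in bad.items()
        if DISCOVER in types and OFFER not in types
        and OFFER in good.get(xid, set())
    )


# Constructed sample data: two phones with made-up, locally administered MACs.
PHONE_A = bytes.fromhex("020000000001")
PHONE_B = bytes.fromhex("020000000002")
WORKING_MIRROR = [
    build_dhcp(1, 0x1111, PHONE_A, DISCOVER),
    build_dhcp(2, 0x1111, PHONE_A, OFFER),
    build_dhcp(1, 0x2222, PHONE_B, DISCOVER),
    build_dhcp(2, 0x2222, PHONE_B, OFFER),
]
BROKEN_MIRROR = [
    build_dhcp(1, 0x1111, PHONE_A, DISCOVER),   # OFFER never arrives here
    build_dhcp(1, 0x2222, PHONE_B, DISCOVER),
    build_dhcp(2, 0x2222, PHONE_B, OFFER),
]

if __name__ == "__main__":
    for xid in compare_mirrors(WORKING_MIRROR, BROKEN_MIRROR):
        print(f"xid {xid:#06x}: OFFER seen on the working switch only")
```
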

Similar Messages

  • Guest LAN and DHCP Options not passing through

    Managed to get the Guest LAN up and running for wired clients and all's working well.  Users are sat behind a proxy and if I force the use of an appropriate wpad file I can get the WLC auth to happen and then push off to the proxy.
    I'm trying to use option 252 in DHCP to present the WPAD url.  Only issue that happens is that while the DHCP server on the egress interface is handing out addresses to clients on the ingress interface correctly, the WLC doesn't appear to be handing through the option 252 I have set in DHCP.  I've used network monitor to see what the dhcp request process is dishing out in terms of options, and all look good if I'm not behind the WLC.
    Anyone know if there's a limitation on the WLC that prevents DHCP options being passed through to the guest LAN?
    TIA

    When configured as a DHCP server, some of the firewalls do not support DHCP requests from a relay agent. The WLC is a relay agent for the client. The firewall configured as a DHCP server ignores these requests. Clients must be directly connected to the firewall and cannot send requests through another relay agent or router. The firewall can work as a simple DHCP server for internal hosts that are directly connected to it. This allows the firewall to maintain its table based on the MAC addresses that are directly connected and that it can see. This is why an attempt to assign addresses from a DHCP relay are not available and the packets are discarded. PIX Firewall has this limitation.
    For more information please refer to the link: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml

  • Vlan traffic is not passing through Wireless Bridge

    Hi,
    Recently we placed a wireless bridge in our network (Cisco AIR-BR1410A-E-K9 model). After installing the bridge, we are facing an issue where only the management interface traffic is reachable through the bridge; we are not able to reach other VLAN traffic.
    The management range is in VLAN 1 (which includes the APs, switch and router) and the bridge IPs are also in VLAN 1.
    The switch port is kept in trunk mode at both ends of the bridge. Still, other VLAN traffic is not reachable. Do we have to place any special configuration for this?
    All the business users are in VLAN 3.
    All the sales team users are in VLAN 123.
    Now the problem is that the other-end switches are reachable for me through the bridge, that is, in VLAN 1, but VLAN 3 and VLAN 123 are not reachable for me. Users are not getting IPs; when we assigned a static IP address and tested, it is still not working.
    I am attaching my wireless bridge configuration in the discussion; please help on this issue.
    Root Bridge ---- Non--Rootbridge--- Cisco Switch--Cisco Switch..
    Now I am able to reach those two switches also, but not able to reach the VLAN 3 users who are connected to those switches.

    Hi,
    infrastructure-ssid has been placed at both end still not able to get IP's to the devices.
    I am not able to attach txt files in the reply, could you please let me know your email ID so that i will send the config files to your ID.

  • VLAN DHCP Release not assigns dhcp ip for the first attempt

    Hello,
    I have a configured ISE with CWA enabled.   
    I have a DHCP Server provides auto ip from (vlan-2)  to connect to my ISE and access to the Guest-Portal (that is a range from 192.168.2.0)
    I have another DHCP Server which provides auto ip from another range (192.168.110.0) which is my Guest-VLAN
    The issue we have is: when a guest user first connects to wifi, he gets an IP from my first DHCP server (vlan-2) and is redirected to the Guest-Portal, but as soon as he enters his user credentials he is connected to the Guest-VLAN as shown on my ISE and WLC reports, but the user does not get a Guest-VLAN IP from the DHCP server unless he disconnects from the wifi and reconnects.
    What can be the issue? Why do my users have to connect to the wifi twice to get the guest VLAN IP, although the VLAN DHCP release option on my ISE is correctly configured?

    Hi,
    Can you check that the time and time zones on your switches are correctly configured? Is there any NTP server?
    And please send the "show version" printout...

  • Cisco 3850 VLANs

    I have two Cisco 3850 switches that I cannot get to talk to one another over VLAN routing. I appear to have everything configured correctly but the VLAN traffic is not passing over the trunk. I have included both configurations. I cannot get traffic between VLAN 6 and 7. Any possible assistance is appreciated.
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.07.16 14:23:41 =~=~=~=~=~=~=~=~=~=~=~=
    User Access Verification
    Password:
    Switch>en
    Password:
    Switch#sho ru w run
    Building configuration...
    Current configuration : 5138 bytes
    ! Last configuration change at 17:58:01 UTC Thu Jul 16 2015
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    hostname Switch
    boot-start-marker
    boot-end-marker
    vrf definition Mgmt-vrf
    address-family ipv4
    This topic first appeared in the Spiceworks Community

    Hi 
    You can't register any AP to a 3850 unless those APs are directly connected to your 3850. So you won't be able to register a remote site's AP to the central site 3850.
    If you have directly connected APs & having issues with registering them to 3850, please refer below post.
    http://mrncciew.com/2013/09/29/getting-started-with-3850/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.

    I have a cisco 881 ISR Router with a site-to-site IPsec vpn tunnel to a mikrotik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up, however traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (vlans are required on the L2 ports) and does not pass to the tunnel.
    This is my configuration:
    141Kerioth#sh config
    Using 3763 out of 262136 bytes
    ! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 141Kerioth
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    141Kerioth#do wr mem
                  ^
    % Invalid input detected at '^' marker.
    141Kerioth#wr mem
    Building configuration...
    [OK]
    141Kerioth#sh run
    Building configuration...
    Current configuration : 5053 bytes
    ! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 141Kerioth
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    aaa authentication login default local
    aaa authentication ppp default local
    aaa session-id common
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-580381394
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-580381394
     revocation-check none
     rsakeypair TP-self-signed-580381394
    crypto pki certificate chain TP-self-signed-580381394
     certificate self-signed 01
            quit
    ip dhcp excluded-address 10.0.16.1
    ip dhcp pool ccp-pool
     import all
     network 10.0.16.0 255.255.255.0
     default-router 10.0.16.1
     dns-server 8.8.8.8
     lease 0 2
    ip domain name kerioth.com
    ip host hostname.domain z.z.z.z
    ip name-server 8.8.8.8
    ip name-server 4.2.2.2
    ip cef
    no ipv6 cef
    license udi pid CISCO881-K9 sn FTX180483DD
    username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
    username meadowbrook privilege 0 password 0 $8UBr#Ux
    username meadowbrook autocommand exit
    policy-map type inspect outbound-policy
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 5
    crypto isakmp key 141Township address z.z.z.z
    crypto isakmp keepalive 10
    crypto ipsec transform-set TS esp-3des esp-sha-hmac
     mode tunnel
    crypto map mymap 10 ipsec-isakmp
     set peer z.z.z.z
     set transform-set TS
     match address 115
    interface Loopback0
     no ip address
    interface Tunnel1
     no ip address
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface FastEthernet4
     description $FW_OUTSIDE_WAN$
     ip address 50.y.y.y 255.255.255.240
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map mymap
    interface Vlan1
     description $ETH_LAN$
     ip address 10.0.16.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 115 interface Vlan1 overload
    ip nat inside source list 199 interface FastEthernet4 overload
    ip nat inside source route-map nonat interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 50.x.x.x
    access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 110 permit ip 10.0.16.0 0.0.0.255 any
    access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 144 permit icmp host c.c.c.c host 10.0.1.50
    access-list 144 permit icmp host p.p.p.p host 10.0.16.105
    access-list 199 permit ip a.a.a.a 0.0.0.255 any
    no cdp run
    route-map nonat permit 10
     match ip address 100
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     access-class 1 in
     exec-timeout 30 0
     privilege level 15
     transport preferred ssh
     transport input ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     transport input telnet ssh
    cns trusted-server all-agents x.x.x.x
    cns trusted-server all-agents hostname
    cns trusted-server all-agents hostname.domain
    cns id hardware-serial
    cns id hardware-serial event
    cns id hardware-serial image
    cns event hostname.domain 11011
    cns config initial hostname.domain 80
    cns config partial hostname.domain 80
    cns exec 80
    end

    Why do you have following command on the PIX?
    crypto map outside_map 40 set transform-set 165.228.x.x
    Also you have this transform set on the PIX:
    crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
    This does not match the transform set on the router:
    crypto ipsec transform-set tritest esp-3des esp-md5-hmac
    Where are you using the access-list/route-map 101?

  • AP 1231G Not Passing DHCP to clients

    Hello. My company AP 1231G is not passing the DHCP address to the client from the DHCP server. Can you please advise on my config listed below?
    Basically the AP is on its own VLAN 10.1.123.1 and the DHCP server is 10.1.10.2 -- trying to use iphelper to pass DHCP to clients, and the AP is on static IP 10.1.123.2.
    ! Last configuration change at 13:15:56 +0800 Fri May 25 2012 by root
    ! NVRAM config last updated at 13:15:56 +0800 Fri May 25 2012 by root
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname XXXXXXXXXX
    clock timezone +0800 8
    ip subnet-zero
    no ip domain lookup
    ip domain name XXXXXXXXXXXXX
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    dot11 syslog
    dot11 ssid XXXXXXXXXX
       authentication open
       authentication key-management wpa
       guest-mode
       infrastructure-ssid optional
       wpa-psk ascii XXXXXXXXXXXXXXXXXXXXXXX
    dot11 arp-cache optional
    username root privilege 15 password XXXXXXXXXXXXXXXXXXXXX
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm tkip
    ssid XXXXXXXXXXX
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    no preamble-short
    channel 2432
    station-role root access-point
    no dot11 extension aironet
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 10.1.123.2 255.255.255.0
    ip helper-address 10.1.10.2
    ip default-gateway 10.1.123.1
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    access-list 111 permit tcp any any neq telnet
    snmp-server view dot11view ieee802dot11 included
    snmp-server view ieee802dot11 ieee802dot11 included
    snmp-server community public RO
    snmp-server community private view undefined RW
    bridge 1 route ip
    line con 0
    terminal-type teletype
    line vty 0 4
    terminal-type teletype
    sntp server 114.80.81.13
    sntp broadcast client
    end

    Roan:
    Where is your DHCP server configured (switch, firewall, 3rd party server, etc.)?
    Does it work correctly if the AP IP on same subnet  and ip-helper is not being utilized?

  • Vlans dhcp status are not received

    Hello,
    I am configuring vlan on sg300-20 in dhcp mode.
    One VLAN that is directly connected to the ADSL router gets an IP address, and when I connect hosts to the ports in this VLAN they also receive an IP address and can go on the internet.
    The other four vlans dhcp status are not received.
    Kindly help me check this. Thanks
    Below is the config log:
    switch4ba497#sh running-config
    config-file-header
    switch4ba497
    v1.2.9.44 / R750_NIK_1_2_584_002
    CLI v1.0
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    vlan database
    vlan 5,10,20,30,40
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    ip dhcp relay address 192.168.3.1
    ip dhcp information option
    no boot host auto-config
    bonjour interface range vlan 1
    hostname switch4ba497
    line telnet
    exec-timeout 0
    exit
    no passwords complexity enable
    username cisco password encrypted 7af78c911d5b48bea1dc2449d9d89513abeb4be5 privilege 15
    ip http timeout-policy 0 http-only
    ip name-server  192.168.1.1 192.168.3.1
    ip telnet server
    interface vlan 1
    ip address 192.168.2.254 255.255.255.0
    no ip address dhcp
    interface vlan 5
    name WAN
    ip address dhcp
    interface vlan 10
    name Studio
    ip address dhcp
    interface vlan 20
    name Service
    ip address dhcp
    interface vlan 30
    name Admin
    ip address dhcp
    interface vlan 40
    name Data
    ip address dhcp
    interface gigabitethernet1
    switchport mode access
    interface gigabitethernet2
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet3
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet4
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet5
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet6
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet7
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet8
    switchport mode access
    interface gigabitethernet9
    switchport mode access
    switchport access vlan 20
    interface gigabitethernet10
    switchport mode access
    switchport access vlan 20
    interface gigabitethernet11
    switchport mode access
    switchport access vlan 20
    interface gigabitethernet12
    switchport mode access
    switchport access vlan 20
    interface gigabitethernet13
    switchport mode access
    switchport access vlan 30
    interface gigabitethernet14
    switchport mode access
    switchport access vlan 30
    interface gigabitethernet15
    switchport mode access
    switchport access vlan 30
    interface gigabitethernet16
    switchport mode access
    switchport access vlan 30
    interface gigabitethernet17
    switchport mode access
    interface gigabitethernet18
    switchport trunk native vlan 40
    interface gigabitethernet19
    switchport mode access
    switchport access vlan 5
    interface gigabitethernet20
    switchport trunk native vlan 5
    switch4ba497#sh ip int
        IP Address         I/F       Type     Directed   Precedence   Status
                                              Broadcast
    0.0.0.0/32          vlan 10   DHCP        disable    No         Not received
    0.0.0.0/32          vlan 20   DHCP        disable    No         Not received
    0.0.0.0/32          vlan 30   DHCP        disable    No         Not received
    0.0.0.0/32          vlan 40   DHCP        disable    No         Not received
    192.168.2.254/24    vlan 1    Static      disable    No         Valid
    192.168.3.102/24    vlan 5    DHCP        disable    No         Valid
    switch4ba497#
    Also, I do not understand why the IP address is 0.0.0.0/32, because the DHCP server IP address is 192.168.3.1.

    Dear Customer,
    Thank you for reaching Small Business Support Community.
    In Layer 2 system mode, only the management VLAN can be configured with a static or dynamic IP address. In Layer 3 system mode, all the interface types (ports, LAGs, and/or VLANs) on the device can be configured with a static or dynamic IP. Configuring the device to work in either mode is performed in the Administration > System Settings page.
    When a DHCP client starts a discovery process, it assigns a dummy IP address 0.0.0.0 before the real address is obtained. This dummy address has the status of “Not Received”.
    Pretty much your problem should be solved by changing to Layer3 system mode.  Please let me know if anything comes up and/or if there is any further assistance I may help you with.
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the post so others will know when an answer has been found.

  • DHCP Server is not passing out DHCP Leases

    I can't seem to figure out why the DHCP server is not passing out a DHCP lease to a client.
    Also I can't seem to figure out why NVI0 interface is UP? I have setup another box similarly and NVI0 is down on that and the DHCP server is working fine on that too. Strange!
    I am working on CISCO 881 VPN Router...Please have a look at it and let me know. Thanks
    Here is the configuration in the box...
    sh run
    Building configuration...
    Current configuration : 6543 bytes
    ! Last configuration change at 17:09:54 CST Fri Sep 14 2012 by XXXXX
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname XXXXX
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    aaa authentication login default local
    aaa authentication login vpn_xauth_ml_1 local
    aaa authentication login sslvpn local
    aaa authorization network vpn_group_ml_1 local
    aaa session-id common
    memory-size iomem 10
    clock timezone CSTime -6
    clock summer-time CST recurring
    crypto pki trustpoint TP-self-signed-3079619067
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3079619067
    revocation-check none
    rsakeypair TP-self-signed-3079619067
    crypto pki certificate chain TP-self-signed-3079619067
    certificate self-signed 01
            quit
    ip source-route
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 192.168.1.1 192.168.100.101
    ip dhcp excluded-address 192.168.1.254
    ip dhcp pool ccp-pool
       import all
       network 10.10.10.0 255.255.255.248
       default-router 10.10.10.1
       lease 0 2
    ip dhcp pool Internal_Network
       network 192.168.1.0 255.255.255.0
       dns-server 192.168.100.254
       default-router 192.168.1.254
    ip cef
    ip domain name yourdomain.com
    ip name-server 192.168.100.254
    no ipv6 cef
    license udi pid CISCO881-K9 sn FTX1604828T
    username XXXXX privilege 15 secret 5 $1$QEcR$96cmvs/h/.05G6BnorcWG/
    username XXXXX secret 5 $1$PQQ1$3.Vin0i/2uZ/KD0xEJ8GC.
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp policy 2
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp client configuration group YYYYYYY
    key XXXXX_XXXXX_XXXXX
    pool VPN-Pool
    acl VPN-Access-List
    crypto isakmp profile vpn-isakmp-profile-1
       match identity group YYYYYYY
       client authentication list vpn_xauth_ml_1
       isakmp authorization list vpn_group_ml_1
       client configuration address respond
       virtual-template 2
    crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
    crypto ipsec profile VPN-Profile-1
    set transform-set encrypt-method-1
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description WAN_INTERFACE
    ip address 192.168.100.3 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface Virtual-Template2 type tunnel
    ip unnumbered FastEthernet0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VPN-Profile-1
    interface Vlan1
    description VLAN1_INTERFACE
    ip address 192.168.1.254 255.255.255.0
    no ip redirects
    no ip unreachables
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    ip local pool VPN-Pool 192.168.1.151 192.168.1.200
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 100 interface FastEthernet4 overload
    ip nat inside source static tcp 192.168.1.100 21 192.168.100.3 21 extendable
    ip nat inside source static tcp 192.168.1.100 80 192.168.100.3 80 extendable
    ip route 0.0.0.0 0.0.0.0 192.168.100.254
    ip access-list extended VPN-Access-List
    permit ip 192.168.1.0 0.0.0.255 any
    permit tcp host A.B.C.D host 192.168.1.100 eq ftp
    permit tcp host A1.B1.C1.D1 host 192.168.1.100 eq ftp
    permit tcp host A2.B2.C2.D2 host 192.168.1.100 eq ftp
    permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.100 eq ftp
    permit tcp host A3.B3.C3.D3 host 192.168.1.100 eq ftp
    permit tcp any host 192.168.1.100 eq XXX
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 23 permit 192.168.1.0 0.0.0.255
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    no cdp run
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner motd ^C XXXXX-XXXXX VPN Router ^C
    line con 0
    exec-timeout 30 0
    logging synchronous
    no modem enable
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    password 7 124A50424A5E5550
    transport input telnet ssh
    scheduler max-task-time 5000
    end

    Hi Jennifer,
    I have gotten it resolved. Per your suggestion, I turned on debug ip dhcp events and found that POOL EMPTY message. After a little research, I found out that I had made a mistake in my excluded-address range.
    I have had it as 
    ip dhcp excluded-address 192.168.1.1 192.168.100.101
    It should have been
    ip dhcp excluded-address 192.168.1.1 192.168.1.101.
    It was a typo.
    Thank you for the suggestion.
    Srini
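
The typo Srini describes can be caught by checking how many addresses each pool can still lease once the exclusions are applied. The following is an added example, not code from the thread. The pool name `LAN-Pool` and its `network` statement are assumptions; only the excluded-address ranges come from the post.

```python
import ipaddress
import re

# Constructed sample. Only the excluded-address line is taken from the post;
# the pool name and its network statement are assumptions for illustration.
BROKEN = """\
ip dhcp excluded-address 192.168.1.1 192.168.100.101
ip dhcp pool LAN-Pool
 network 192.168.1.0 255.255.255.0
"""
FIXED = BROKEN.replace("192.168.100.101", "192.168.1.101")

EXCL_RE = re.compile(r"^ip dhcp excluded-address (\S+)(?: (\S+))?[ \t]*$", re.M)
NET_RE = re.compile(r"^[ \t]+network (\S+) (\S+)[ \t]*$", re.M)


def audit(config):
    """Return one dict per pool: leasable address count plus warnings."""
    excluded = [
        (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo))
        for lo, hi in EXCL_RE.findall(config)
    ]
    report = []
    for addr, mask in NET_RE.findall(config):
        net = ipaddress.IPv4Network(f"{addr}/{mask}")
        first, last = int(net.network_address) + 1, int(net.broadcast_address) - 1
        blocked, warnings = set(), []
        for lo, hi in excluded:
            # Clamp the exclusion to this pool before counting addresses.
            a, b = max(int(lo), first), min(int(hi), last)
            if a > b:
                continue  # exclusion does not touch this pool
            blocked.update(range(a, b + 1))
            if lo not in net or hi not in net:
                warnings.append(f"{lo}-{hi} extends beyond {net}")
        free = (last - first + 1) - len(blocked)
        if free == 0:
            warnings.append("no leasable addresses left (expect POOL EMPTY)")
        report.append({"pool": str(net), "free": free, "warnings": warnings})
    return report


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(cfg))
```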

  • VLAN between two Cisco 300 switches

    Is it possible to share a VLAN between two Cisco 300 series switches?

    Make sure that your port 27 is NOT configured as an access port - it should be a trunk (that's the default). I believe the setting is under VLAN Management > Interface settings.
    Also ensure you are set up to tag frames (under the "Port to VLAN" settings).

  • Cisco sg200 voice vlan dhcp issue

    I have a Cisco SG200 50P connected to a Cisco 3750 switch. I just wanted to separate voice (vlan2) and data (vlan1) VLANs. I created VLAN 2 as my voice VLAN and a separate DHCP server for VLAN 2 to give IP addresses to phones. However, the IP phone connected to my voice VLAN (VLAN 2) is not receiving an IP address from my DHCP server in VLAN 2.
    The DHCP server is connected to the 3750 switch with an access port (vlan2-voice).
    The two switches are connected via trunk ports and allow VLANs 1 & 2.
    The IP phone is connected to the SG200 via an access port (VLAN 2).
    Note: there is no PC connected to the IP phone.
    I would really appreciate it if anyone can help me with this issue.

    Hi Tom
    Thank you for the support. The phone is now getting the IP from the DHCP on its own VLAN (vlan2) according to your configuration. However, I need to configure the auto voice VLAN based on OUI feature which is in the SG200 switch.
    The problem is, the switch does not allow me to configure the auto voice VLAN feature when the port connected to the IP phone is in ACCESS mode (it has to be a trunk). I know that according to the Cisco Catalyst guidelines this is totally incorrect, because they say "Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed".
    I think it's not valid for Small Business switches. Anyway, when I make the said port TRUNK it works (by assigning 1U & 2T automatically). But the phone does not get an IP address from my DHCP server then.
    Can you help me with this if I am missing some configuration? Thank you once again.

  • Creating VLAN on our Cisco 300 series router

    I am wanting to create separate VLANs on our Cisco 300 series switches, but I am struggling to find any decent examples out there.
    Our basic infrastructure is
    Router with
    192.168.1.1 VLAN1
    192.168.2.1 VLAN2
    The switch is set up on ports 2345 for VLAN2
    Port 1 is attached to the router on VLAN1 and VLAN2 assigned.
    My problem seems to be that I am really not sure what settings I should be using for each of the ports to get this to work correctly.

    Hi,
    I hope the link below has the information you are looking for.
    https://supportforums.cisco.com/document/140341/vlan-configuration-articles-sx200300-series-managed-switches
    If you are looking only for VLAN creation, then the link below will help.
    http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=80
    According to your description above, you have connected the router to port 1 of the switch and you have configured it as VLAN 1... Should this port be a trunk???
    Regards
    Najaf

  • Cat3750-Metro-Not Pass Last Fragment Packet

    Hello,
    I have a Cat 3750 Metro at a customer. Although the customer is not using any Metro feature, I am having a problem with passing packets greater than 4,9K: the switch is not passing the last fragment of the packet when the packet is routed; if the packet is switched, there is no problem.
    I have upgraded to the latest version (12.2.25.SEE) and it did not resolve the problem.
    Does anyone have a clue?
    I will try to change the SVI to the physical interfaces (no switchport) to see if something changes?
    Thanks

    @prabodh:
    SQL> declare
      2  TYPE tab_person_id is of table of number(15) index by pls_integer;
      3  begin
      4  null;
      5  end;
      6  /
    TYPE tab_person_id is of table of number(15) index by pls_integer;
    ERROR at line 2:
    ORA-06550: line 2, column 23:
    PLS-00103: Encountered the symbol "OF" when expecting one of the following:
    ( array limited new private range record VARRAY_ char_base
    number_base decimal date_base clob_base blob_base bfile_base
    table ref object fixed varying opaque sparse
    The symbol "OF" was ignored.
    Check what you are posting.
    @ qwestion: What is your database version? It is an implementation restriction.

  • SGE2010P - DHCP Relay - offer packet not reaching host

    I have an SGE2010P in L3 mode. I set up 2 VLANs, 1 & 5. VLAN 1 has an interface of 10.0.3.252; VLAN 5 is at 10.0.10.9. I have defined the DHCP at 10.0.3.4 (on VLAN 1) and enabled DHCP Interface for VLAN 5. I put switch port g28 in access mode on VLAN 5 and connected a client machine. I set up Wireshark on both the DHCP server and the client. The DHCP server is receiving the DHCP discovery packet with the correct relay agent address (10.0.10.9), and it sends back an offer packet to that address, but it is never received by the host machine. What am I missing?

    Hello,
    The DHCP server is typically on the subnet of one of the switch IP interfaces. Thus there is no need to indicate where the server is; however, you have to indicate from which VLANs DHCP requests are relayed. For example:
    VLAN 1 - switch IP 192.168.1.25/24
    DHCP server is on VLAN 1 with IP 192.168.1.1/24
    Other VLANs:
    VLAN 5 IP address 192.168.5.254/24
    VLAN 10 IP address 192.168.10.254/24
    Enabling DHCP relay from VLAN 5 and VLAN 10 is required.
    Please check if you have IP addresses on the switch for the other VLANs 5 and 10.
    Regards,
    Aleksandra

  • Stop DHCP traffic from passing across interfaces

    I'm having an issue with DHCP traffic passing across my Cisco ASA 5510 interfaces.
    Example of setup:
    Company 1 connected to interface 1 has its own DHCP server.
    Company 2 connected to interface 2 has its own DHCP server.
    Some users are getting their IP address from the other company's DHCP server. The 2 companies should pass traffic to each other but not DHCP.
    Is there any way to stop DHCP traffic from crossing interfaces?
    Shane

    usually have to permit DHCP traffic explicitly. Specification of the DHCP client-server protocol describes several cases when packets must have the source address of 0x00000000 or the destination address of 0xffffffff. Anti-spoofing policy rules and tight inclusive firewalls often stop such packets. Multi-homed DHCP servers require special consideration and further complicate configuration.
    To allow DHCP, network administrators need to allow several types of packets through the server-side firewall. All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side firewall should allow the following types of packets:
    * Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip
    * Incoming packets from any address to 255.255.255.255
    * Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255
    where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients.
    An example in an ASA would be similar to the following.
    For blocking client:
    access-list TEST extended deny udp any any eq bootpc
    For blocking server:
    access-list TEST extended deny udp any any eq bootps
    Hope that helps.
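
A small first-match evaluator for the two ACL lines above, added here as an illustration (it is not from the thread and is not ASA code). It models only protocol and destination port, showing which DHCP direction each keyword matches and that an ACL holding only deny lines also drops the inter-company traffic; the closing `permit ip any any` line and the sample packets are assumptions.

```python
import re

PORTS = {"bootps": 67, "bootpc": 68}  # server port and client port

LINE_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (ip|udp|tcp) any any(?: eq (\S+))?$"
)

# The two deny lines are from the reply; the permit line is an added assumption.
DENY_ONLY = """\
access-list TEST extended deny udp any any eq bootpc
access-list TEST extended deny udp any any eq bootps
"""
WITH_PERMIT = DENY_ONLY + "access-list TEST extended permit ip any any\n"

# Constructed packets: (protocol, destination port).
SAMPLE = {"discover": ("udp", 67), "offer": ("udp", 68), "web": ("tcp", 80)}


def parse_acl(text):
    """Parse the 'any any [eq port]' subset of extended ACL syntax."""
    rules = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        _, action, proto, port = m.groups()
        dport = None if port is None else PORTS.get(port) or int(port)
        rules.append((action, proto, dport))
    return rules


def decide(rules, proto, dport):
    """First matching rule wins; no match falls through to the implicit deny."""
    for action, rproto, rport in rules:
        if rproto in ("ip", proto) and rport in (None, dport):
            return action
    return "deny"


def verdicts(acl_text):
    """Evaluate every sample packet against the ACL text."""
    rules = parse_acl(acl_text)
    return {name: decide(rules, *pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    print("deny lines only:", verdicts(DENY_ONLY))
    print("with final permit:", verdicts(WITH_PERMIT))
```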
