DHCP for VLAN on 4507; IP Conflicts too often

Similar Messages

• Dhcp for vlans

  hi all
  Can anyone tell me how come my switch knows only to issue my dhcp pool to the relevant vlan, the vlan and dhcp pool are are the same subnet, but what if I didnt have a vlan in that subnet, would it not issue them ?

  Hi Carl,
  I'm not entirely sure on what you mean, however I'll explain a bit on how I see your question.
  Basically a PC on a subnet will send a Layer2 Broadcast requesting an IP address and various other details. Therefore, you will find that in most cases the DHCP server should be on the same subnet to receive the broadcast frame.
  All your switch does is forward frames (unicast, broadcast and multicast) across the same Vlans that are configured. Generally speaking switches do not forward to different vlans unless you have configured a multilayer switch.
  The exception in the dhcp case is where you use a dhcp relay agent to forward dhcp requests across different subnets to a central dhcp server.
  Please let me know if this makes sense or not. I'm not quite sure what you mean if you didn't have a vlan in that subnet.
  Cheers
  Michael.

• Using ACS for VLAN assignment

  Hi Guys, I have been looking at the use of Cisco ACS server for VLAN assignment. So far I have searched through a number of threads and no found what I am looking for specifically so here it goes.
  1) When the RADIUS attributes have been configured in ACS (64, 65 + 81), and in my case I have them in the group configuration. For the VLANs to be assigned to the various users at their ports will every VLAN name in the RADIUS settings have to in the switches which are used for access?
  2) Is there a limit to the number of VLANs that can be assigned by the RADIUS(IETF) portion of ACS or would it be better to use RADIUS(IOS/PIX)? I am thinking of about 15 VLANS.
  I am using a Catalyst 4500 (IOS supervisor) and 2950s and 2970s at the closets.
  Thanks for any help...
  Kelvin

  Access Control Lists..I am thinking it is better to apply the ACLs at the closet (access) switches where I can specify the servers that should be reached by the hosts my test VLAN and deny those which they should not.
  I used a named extended ACL for my tests however, it did not go well. With the ACL below applied I cannot reach anything including the server I actually want to reach. My intention was to allow the hosts in the test VLAN 172.16.12.0/24 to reach 2 particular servers and their gateway however with the list applied I cannot reach anything at all. The setup is one 2950 connected to a 4507 the 2 VLANs I am working with are trunked to the 2950 and dhcp is running. I have IP routing enable on the 4507 and it is the server for the VTP domain.
  ip access-list extended guest
  permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1
  permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254
  permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53
  deny ip any any
  Any advice on how I can restrict the hosts which will be on this VLAN from accessing the rest of the network?

• SGE2010P - DHCP Snooping - VLANs - Web GUI

  Model: SGE2010P
  FW: 3.0.0.18
  In the web GUI:
  Under DHCP Snooping ---> VLAN Settings
  It does not allow you to enter a VLAN higher than 4092
  I configured it to listen on VLAN 4094 via the CLI just fine.
  I believe this should be fixed in the web GUI.

  Yeah, I don't think I want to do that because of all the little troubleshooting steps they usually make me go through.
  I buy high-end equipment so I can skip the simple stuff...they usually don't understand that.
  I know it's a bug because I've already done the troubleshooting, I don't feel I should have to do the same stuff again.
  I only make a call when absolutely necessary because I find the phone support for this product line very un-supportative.
  At this level, I think I should get to skip the simple stuff.
  If you can't submit a bug report thats fine, I'll just leave it at this.
  It's no big deal, I just thought I'd let some one else know.

• SG300-20 - Configure DHCP on VLAN interface

  I have been reading the various related discussions on the SG300 and SG500 switches regarding setting up VLAN's and DHCP on those VLAN's.  For whatever reason I have been unable to even get this simple task to work.
  First thing I did was to update my firmware and boot version as follows:
  SW version    1.3.7.18 ( date  12-Jan-2014 time  18:02:59 )
  Boot version    1.3.5.06 ( date  21-Jul-2013 time  15:12:10 )
  HW version    V02
  When I reloaded the SG300 after the SW/Boot updates the startup config was wiped out and I had to setup my switch from scratch.  The intent is to have two VLAN's:
  VLAN 1: all devices, servers, etc.
  VLAN 2: basic subnet that hands out DHCP addresses
  The SG300-20 is connected to an Asus RT-AC66U router on the 192.168.1.x subnet and provides internal network access and WiFi access (router IP address is 192.168.1.1 and is default gateway).  All that works with no issues.  So my task is simply to create VLAN 2 on 192.168.2.x subnet and use DHCP to allocate addresses.  I have spent many hours on this and I still can't get it to work.  When I connect a laptop to the port (GI8) assigned to VLAN 2, I end up getting some wonky 169.254.x.x address.  I certainly thought something this "easy" wouldn't be that hard to setup, but apparently I was wrong.
  The SG300 is running in L3 mode as shown in my running-config below.
  Does anyone happen to see something that might be preventing my laptop client from recieving IP addresses from the VLAN 2 DHCP interface that are not in the 192.168.2.x subnet?
  Any ideas / suggestions would be greatly appreciated!
  Here's my running-config:
  config-file-header
  MYSTICSW1
  v1.3.7.18 / R750_NIK_1_35_647_358
  CLI v1.0
  set system mode router
  file SSD indicator encrypted
  ssd-control-start
  ssd config
  ssd file passphrase control unrestricted
  no ssd file integrity control
  ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
  vlan database
  vlan 2
  exit
  voice vlan oui-table add 0001e3 Siemens_AG_phone________
  voice vlan oui-table add 00036b Cisco_phone_____________
  voice vlan oui-table add 00096e Avaya___________________
  voice vlan oui-table add 000fe2 H3C_Aolynk______________
  voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
  voice vlan oui-table add 00d01e Pingtel_phone___________
  voice vlan oui-table add 00e075 Polycom/Veritel_phone___
  voice vlan oui-table add 00e0bb 3Com_phone______________
  bonjour interface range vlan 1
  hostname MYSTICSW1
  logging host 192.168.1.15
  logging origin-id hostname
  username cisco password encrypted b4a0fcf20b2cd9d80a55b06ab8f83277f9733904 privilege 15
  snmp-server location Office
  clock timezone " " -5
  clock summer-time web recurring usa
  clock source sntp
  sntp unicast client enable
  sntp unicast client poll
  sntp server 192.168.1.10 poll
  interface vlan 1
  ip address 192.168.1.254 255.255.255.0
  no ip address dhcp
  interface vlan 2
  name MysticWAN
  ip address 192.168.2.254 255.255.255.0
  interface gigabitethernet8
  switchport mode access
  switchport access vlan 2
  exit
  ip default-gateway 192.168.1.1
  Thanks in advance!
  Clint Lambert

  Tom,
  Thanks ... I followed the steps you outlined and it worked!  The only difference being that I have an Asus RT-AC66U router and the there is no "enable multiple subnet" option.  So, I just followed your instructions on creating the static routes in the RT-AC66U and everything worked.  The DHCP addresses were correct and I had internet connectivity when I plugged a laptop into the gi8 port.
  I did make one tweak to the Network Pools screen as follows:
  My DHCP configuration for gi8 on VLAN 2 now looks like:
  ip dhcp server
  ip dhcp pool network InternalWAN
  address low 192.168.2.1 high 192.168.2.99 255.255.255.0
  lease infinite
  domain-name MYSTIC
  default-router 192.168.2.254
  dns-server 8.8.8.8
  Previously I had followed your advice in the article "Need help configuring SG300-10 switch" and had setup everything using CLI.  However, I didn't think about needing the static routes.  So, I think it was probably setup correctly beforehand but had no chance to work because the routes were not setup.
  Thanks very much for your help!
  Clint

• Configuring autonomous 1141 to do DHCP for Guest WiFi

  I have an existing setup consisting of:
  Windows Server - doing DHCP for private wired/wireless
  Cisco 1141 Autonomous WAP with only private wireless access.
  ASA 5505 (with very basic licensing)
  HP switch
  The customer wants to have guest WiFi.
  The guest WiFi is going out to the internet via a seperate VLAN/interface on the ASA.
  Can the 1141 do DHCP for the guest WiFi?   Or do I need to do it via the ASA?

  It could but you would have to relay it from the ASA. So might as well just use the ASA for the scope.
  Steve
  Sent from Cisco Technical Support iPhone App

• DHCP and Vlan

  i've got a 1700 router with subinterface fast ethernet 2 assigned to vlan 2 with dot1q trunking.i want to setup dhcp on the router.the native vlan is not used.i'm only using vlan 2.will the hosts receive ip addresses automatically for vlan 2 or do i need to setup helper addresses ?

  Hi,
  You can indeed set up the router to be a DHCP server, which means that you will not need to configure any helper addresses.
  If a DHCPDISCOVER message comes in over your fastethernet sub-interface, the router will respond with an address.
  Here's a sample config:
  service dhcp
  ip dhcp pool DCHPPool1
  network ! network and mask you want to assign
  default-router ! ip address of router
  dns-server
  ip dhcp excluded-address
  (since you don't want it handing out addresses such as the router's address)
  Hope that helps - pls rate the post if it does.
  Regards,
  Paresh

• Dhcp with Vlan AP 1240 AG

  HI, I'm with problem to get IP by dhcp in my network wireless on AP 1240ag.
  I wish that my AP has two VLANs and each VLAN issue IP by DHCP.My DHCP server is a Windows Server 2008 for VLAN 1 and a Linux for VLAN 12.
  The AP it's connected by Trunk to a Switch that has the two DHCP Server each one on port Vlan.
  but my clients it isn't able get IP address by any each one DHCP server. it's work only with  static IP. there is more anything to do in my configuration?

  1) Are you saying that clients can get a full network connectivity with a static ip on both vlan on your AP ? If that's the case then it looks like the AP is configured fine.
  2) What happens if you plug a wired laptop to the switch and configure the port to be in one vlan then the other. Would the PC get an ip address ? If not, then it's a swicthing issue.

• Is there a reliable method for detecting that a query is too large?

  I am writing some code (that uses OCI) to properly detect when a query string is too long for OCI and/or the Oracle database server. I can't find any specific error code information in the docs, so I just started firing off large queries to see what would happen.
  The queries I am sending are >2MB in size, up to 16MB. If the queries are above ~10MB, I get the error "ORA-03113 'End-of-file on communications channel'" after a fairly short amount of time (i.e. not enough for a timeout to expire). If the queries are below ~10MB, but above ~2.5MB, it either just sits there and does not do anything (for more than 15 hours). So watching for ORA-03113 when executing large queries does not seem like a very reliable method for detecting the queries that are too large.
  Does anyone know of a reliable way of detecting that a query is too large for the OCI client and/or the Oracle database server?
  I am using version 10.2.0.1 for both the OCI client and the Oracle database server, but I'm getting similar errors for combinations of 10.2.0.1 and 9.2.0.7 for both the OCI client and the Oracle database server.
  These large queries need to be handled properly (i.e. distinguished from some generic failure) because the server handles requests from users, which could be programs that generate SQL queries (and have constructed huge ones in the past).
  Thanks for any information!

  The ORA-03113 means that the Oracle server process has died trying to satisfy your request. In almost all cases it is strictly correct to call that a bug, and we shouldn't easily forgive the server process when it happens. But in the case of multimegabyte statements my anger and disapointment turns to sympathy, for in my heart I can't bring myself to blame it. Can you?

• 2008 r2 pdc emulator switched to DHCP for a week

  I have an issue I wanted to run by you guys. The quicker the response the better as I'm trying to figure the best course of action.
  I have a 2008 r2 DC in my Data Center that holds the FSMO role of PDC emulator. An admin mistakenly swapped its network cable to another NIC card on the server that was set to DHCP so the server has been on DHCP for just short of a week.
  My question is, should I switch it back now and get it back on the right IP or by doing that will that cause a USN roll back or something like that.
  How are the other DC's viewing this DC right now? Are they even communicating with it or are they viewing the server with the right name but wrong IP as an mistake and not communicating with it. That's what I'm thinking right now looking at the other DCs
  but since this is the PDC emulator I wanted to run by others...
  Thanks
  RS

  I have a 2008 r2 DC in my Data Center that holds the FSMO role of PDC emulator. An admin mistakenly
  swapped its network cable to another NIC card on the server that was set to DHCP so the server has been on DHCP for just short of a week.
  Multi-Homing a DC is not recommended. It is recommended that a DC has a single IP address and enabled NIC.
  My question is, should I switch it back now and get it back on the right IP or by doing that will
  that cause a USN roll back or something like that.
  No USN rollback is caused by changing IP settings. Just run ipconfig /registerdns
  and restart netlogon on your DC to force it to update its DNS records.
  How are the other DC's viewing this DC right now? Are they even communicating with it or are they
  viewing the server with the right name but wrong IP as an mistake and not communicating with it. That's what I'm thinking right now looking at the other DCs but since this is the PDC emulator I wanted to run by others...
  To get a visibility of your DCs and AD replication status, you can use
  dcdiag and repadmin commands.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• I was charged for a movie that never was downloaded, i asked for it but the conection was too slow and I never was able to have the movie that i asked for...how can i get it without being charged again, who could remove the chage from my Crecit card?

  i was charged for a movie that never was downloaded, i asked for it but the conection was too slow and I never was able to have the movie that i asked for...how can i get it without being charged again, who could remove the chage from my Crecit card?

  You may not be able to get a refund, since the terms of sale for the iTunes Store state that all sales are final. You can contact the iTunes Store, explain the reason for your request, and ask, though:
  http://www.apple.com/support/itunes/contact.html
  It's possible they'll make an exception for you, particularly if the problem was on their end preventing the movie from downloading in a reasonable time.
  Good luck.

• Server 2012 NPS NAP DHCP for VPN

  I have setup a server with DHCP and NPS and configured NAP DHCP.
  DHCP has 1 scope and the default scope options 003 router, 005 DNS server and 015 Domain Name (domain.com). 
  Further In DHCP i created a DHCP policy so it assigns a different 005 DNS server and 015 Domain Name (restricted.domain.com) to non-compliant clients. NPS/NAP DHCP is working (all is setup health, shv, gpo etc.. Health Validator is only checking if firewall
  is runnning) so when i connect a client with firewall i get a normal IP from the scopt with the scope options and domain suffix domain.com. When i disable the firewall i get an IP from the DHCP scope, no gateway, subnet 255.255.255.255 and domain suffix restricted.domain.com
  so all works well and as NAP DHCP should work.
  Now i have an seperate RRAS server configured as VPN server and configured my DHCP/NPS server as an Radius Authentication Provider. Also a DHCP relay agent is configured in RRAS
  On my DHCP/NPS server i configured my RRAS server as a Radius Client (nap-capable).
  My questions:
  Q1. can i use NAP DHCP for vpn clients, as VPN clients get IP address from my DHCP server? i know there is a NAP VPN option but i want to use NAP DHCP cause NAP DHCP and NAP VPN don;t work together and i want NAP DHCP for internal clients.
  My problem:
  P1. with setup above i cannot setup a VPN connection from an external client i get an error "Error 812:The connection was prevented because of a policy configured on your RAS/VPN server.specfically ,the authentication method used by the server to verify
  your usename and password may not match the auithentication method configured in your connection profile .Please contact the Administrator of the RAS server and notify them of this error"
  I can resolve my problem P1 by running "configure VPN for Dial-Up" with the option "Radius server for Dial-Up or VPN connections." This creates 1 Connection Request Policy and 1 Network Policy, in the policy i set authtorized to windows
  group domain admins
  But then I have an issue with NAP DHCP...
  When i have a non-domain joined external client, where i have enabled NAP client in services.msc and DHCP Enforcement in local policy i can setup a VPN connection but from the DHCP server i get an IP addres from the subnet/scope and domain suffix domain.com,
  so this is working OK. But when i disconnnect the VPN client and disable and stopthe firewall and connect the VPN again its not getting restricted running ipconfig /all shows its not restricted and also Netsh nap client show state > shows its not restricted
  BUT it SHOULD be restricted as the firewall is off.
  What could be wrong?

  Hi,
  After discussed with so many people, I think this will not work.
  First we need know how DHCP enforcement works.
  1. The DHCP client sends a DHCP request message to the DHCP server.
  If the DHCP client has an SoH, the DHCP request message includes it. The SoH contains information about the health of the client. The DHCP server passes the SoH to
  the NPS server. The NPS server communicates with the policy server to determine whether the SoH is valid.
  2. If the SoH is valid, the DHCP server assigns the DHCP client a complete IP address configuration. The DHCP client has unlimited access to the network, as defined
  by policy.
  3. If the SoH is not valid, the DHCP server limits the access of the DHCP client to the restricted network and assigns it a limited access subnet mask and static
  routes, as defined by policy.
  But VPN clients get IPs in a different way. It uses the IP Control Protocol (IPCP) as part of the Point-to-Point Protocol (PPP) connection setup. Everything is done
  in VPN tunnel.
  Hope this helps.

• HT1349 I for get security question help my too rest , send to my mail :

  I send email for serves and send to my by email ling I tray eat not help my to rest my security question .
  No we to send security question to my email or what I down I tray from many days
  The serves send that and it,s not help : read it
  Hello,
  The following information for your Apple ID *********** was updated on 02/03/2013:
  Phone number(s)
  If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.
  To review and update your security settings, sign in to appleid.apple.com.
  This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.
  Thanks,
  Apple Customer Support
  Tel my what I do I need my program and my many in my account and wan I need to seal program he asking security question , what I do
  I for get security question help my too rest , send to my mail : ***********
  <E-mail Edited by Host>

  Do not post your email adress here.
  Open your browser and go to iforgot.apple.com and follow the instructions there.

• No dhcp for airport with parallels

  hi,
  i have a macbook and installed parallels yesterday. since i rebooted the mac, my airport can not get an address from dhcp. it only has a self assigned ip address. when i first ran paralles i chose bridged network. but now it makes no difference which network option i choose in parallels. there is no ip from dhcp for airport anymore. the ethernet card still works fine. but i`m afraid that once i use it with parallels the same thing will happen to it. anyone got an idea what to do about that?
  greetz,
  mike

  Hi, Mike / James Hetfield.
  I don't mean to send you somewhere else, but this is a question you need to address with Parallels Support. I presume you've reviewed the Parallels User Guide concerning DHCP.
  You might also want to search the AirPort & AirPort Express Discussions in case it has been addressed there, where AirPort-related questions are answered.
  Good luck!
  Dr. Smoke
  Author: Troubleshooting Mac® OS X

• Root bridge for VLAN 1

  If I have 2 core Layer 3 switches that are in an HSRP config, each of the active router vlans are setup already as the root bridge for those particular vlans, who should I designate as the root bridge for VLAN 1 ?

  Root bridge and the active router in hsrp are not really related.
  Root bridge selection is only used to control which paths are blocked if any. The actual path of the traffic does not have to pass via the root bridge. It will always take the most direct path between the machines.
  It is much more important to see where the blocked link is if you have any.
  As a example you have a distribution switch connected to your 2 core switches and the 2 core switches connected to each other. You design you spanning tree to block the link between the 2 core switches by setting the cost very high. In this case any machine on the distribution switch can directly access either core switch. Since only the core switch that is the active HSRP router for a vlan will advertise the common mac address the distribution switch will only see the mac address on one of the two links. Either core switch can be set as the root but the traffic will alway directly flow to the active HSRP device.
  Of course you don't want to block the line between the switches because the HSRP keepalive message will be layer 2 routed via the distribution switch. In a very simple design it is common to have the root bridge be the HSRP active device just because its easier to configure but the concepts are not really related. Root bridge placement is more related to traffic volumes than anything else it just tends to be true that the switch has the gateway is also the highest volume of traffic