DHCP issue in VLAN

I have a router on a stick setup i guess
Multi-WAN doing a load balancing in pfSense
5 Vlans setup on one interface and 1 DMZ setup on another interface
Vlan 1 being used for Management w/o DHCP Server
Vlan 24 for intranet Wifi w DHCP Server
Vlan 30 for intranet w/o DHCP Server
Vlan 50 for Public Wifi w DHCP Server
Vlan 100 for Ubiquiti ToughSwitch and APs, w DHCP Server
Now, the Vlan goes to a Cisco SG500X switch in port 1, trunk mode, Vlan 1UP, 24T, 30T, 50T, 100T
port 35, trunk mode, Vlan 1T, 24T, 30T, 50T, 100UP, goes to Ubiquti ToughSwitch
In Ubiquiti ToughSwitch, Vlan 1, 24, 30, 50 all tagged and 100 untagged
ToughSwitch goes to UAPs with Vlan 24, 30, 50
Now, my problem is, I'm not able to ping any of the APs
I'm not able to SSH to any of the APs
It's like being isolated
In my firewall settings, I allowed all traffics but still no luck
Can anyone give me some lights here please?
THANKS!

PLEASE USE THE IP ADDRESSES AS YOU WANT
########## Config on SG-500 ########################
interface vlan 1
ip address 192.168.5.2 255.255.255.0 (PFsense_FWAL_subnet)
no ip address dhcp
ip dhcp relay enable
bridge multicast forward-all add gi1/1/1,gi1/1/44,gi2/1/36
interface vlan 24
name "Internal Wifi"
ip address 192.168.3.1 255.255.255.0 (Wifi)
ip dhcp relay enable
bridge multicast forward-all add gi1/1/44,gi2/1/36
interface vlan 30
name DMZ
ip address 192.168.4.1 255.255.255.0 (DMZ)
ip dhcp relay enable
bridge multicast forward-all add gi1/1/44,gi2/1/36
interface vlan 50
name All
ip address 192.168.2.10 255.255.255.0 (ALL)
bridge multicast forward-all add gi1/1/44,gi2/1/36
interface vlan 100
name Management
ip address 192.168.6.1 255.255.255.0 (For AP)
ip dhcp relay enable
bridge multicast forward-all add gi1/1/1,gi1/1/44,gi2/1/36
interface vlan 200
name vMotion (Vmotion)
ip address 192.168.7.1 255.255.255.0 (v
bridge multicast forward-all add gi1/1/44,gi2/1/36
interface gigabitethernet1/1/1
switchport mode access
switchport access vlan 1
description (Connect-to-pfsense-FWAL)
interface gigabitethernet1/1/2
switcport mode trunk
switchport trunk allowed vlan add 24,30,100,200
description (Coonect-to-UBI-Switch)
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.5.1 (PF-sense-IP)
############## Config on PFsense ######################
Add routes for all the subnets
192.168.2.0 255.255.255.0 192.168.5.2-->(Switch IP)
192.168.3.0 255.255.255.0 192.168.5.2-->(Switch IP)
192.168.4.0 255.255.255.0 192.168.5.2-->(Switch IP)
192.168.5.0 255.255.255.0 192.168.5.2-->(Switch IP)
192.168.6.0 255.255.255.0 192.168.5.2-->(Switch IP)
192.168.7.0 255.255.255.0 192.168.5.2-->(Switch IP)
############## Config on UBIswitch ####################
interface gigabitethernet x/x/x
switcport mode trunk
switchport trunk allowed vlan add 24,30,100,200
description (Coonect-to-cisco-SG500)
int gi x/x
switchport mode access
switchport access vlan 100
description (Connect-APS)
int gi x/x
switchport mode access
switchport access vlan 100
description (Connect-APS)

Similar Messages

Wrvs4400n vlans/ssid/dhcp issue

Hi all,
it will be great if someone will help me with my problem.
the problem is : our wrvs4400n wifi router configuration.
network description: we need 2 separated wifi networks one for guests and one for internal access, and i configured them on router, and also configured each one of them to different vlan, guests to vlan 200 and internal use default vlan 1.
vlan 1 configured as dhcp relay and its working pritty well.
vlan 200 configured as dhcp and the problem begins here.
somehow on vlan 200 i get dhcp from our externam dhcp server,
wrvs4400n conected as follow> lan port1/vlan 200 connected to firewall port(configured as vlan 200) and lan port 4/vlan1 conected to our main switch wich connected to firewall also.
i guess that my knowlege in networking its not so good......
how can i prevent from our internal dhcp to comunicate with vlan 200 ,
any help will be very appreciated.

Hi Rich,
You cannot have different L3 VLANs sharing the same subnet.
Each VLAN must have it's own subnet and then you have a routing device routing between both VLANs.
You should have a DHCP pool also for VLAN 111 configured on the DHCP server.
Even if you have ip helper address configured and this should be done on the VLAN111 interface of the switch, you still need a DHCP pool for VLAN 111 because the DHCP discovery is coming on VLAN 111.
Please take a look into this document:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml.
Here it explains how to configure 2 ssids on 2 vlans and dhcp pool (on the switch itself) for each vlan.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Cisco sg200 voice vlan dhcp issue

i have cisco sg200 50p connected to cisco 3750 switch. i just wanted to separate voice (vlan2) and data (vlan1) VLANS. I created vlan 2 as my voice VLAN and separate dhcp server for vlan 2 to give ip addresses to phones. however the ip phone connected to my voice vlan (vlan 2) is not receiving ip address from my dhcp server in vlan 2.
the dhcp server is connected to 3750 switch with an access port (vlan2-voice)
two switches are connected via trunk ports and allowed vlan 1&2
ip phone is connected to sg200 via access port (vlan 2) -
note - there is no pc connected to ip phone
I really appreciate if anyone can help me with this issue

Hi Tom
Thank you for the support. The phone is now getting the IP from the DHCP on its own VLAN (vlan2 ) according to your configuration. However i need to configure the auto voice VLAN based on OUI feature which is in SG200 switch.
The problem is, the switch not allowed me to configure auto voice vlan feature when the port connected to IP phone is in ACCESS mode (it has to be a trunk). I know according to cisco catlyst guidelines this is totally incorrect bcz they say "Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed"
I think its not valid for Small business switches . Anyway, when i make the said port TRUNK it works (by assigning 1U & 2T- automatically).But the phone does not get an IP address from my DHCP server then.
Can you help me with this if I am missing some configuration. Thank you once again

Wierd DHCP Issue

Hello All,
I facing a very wierd DHCP issue and would like to know your thoughts on it.
I have my wired clients on vlan 1 and wireless cleints(eap-peap) on VLAN 2.
We are facing an issue where multiple wired clients who were on access port vlan 1 are receiving IP address from wireless subnet(vlan2) -their DHCP server was the WLC virtual gateway IP address(1.1.1.1). This is causing an outage to few wired clients.
The WLC trunk does not have vlan 1 allowed on its ports and all APs are in local mode and all on access vlan.
I'm not entirely sure whats causing this, but only way I think this is possible is that 'A Client' laptop has his network connections bridged - his wired nic on VLAN 1 and wireless NIC on vlan 2, acting like a WGB, which is causing new wired clients(vlan1) DHCP broadcast request forwared through the bidge mode laptop to AP--> WLC. Do you think this is possible??
Havent been able to identify which client is causing this issue yet.
Has anyone faced a similar issue and anyway to block this through WLC/ACS policy?
Thanks
Jino

Hi,
Might we consider to make use of network monitor to take a look at the traffics for the 1.1.1.1 address?
How to use Network Monitor to capture network traffic
Download link here:
Microsoft Network Monitor 3.4
Best regards
Michael Shao
TechNet Community Support

Very weird dhcp issue

We've started 're-vlanning' our main location here, breaking up depts
into their own vlans.
All seems ok so far, aside from a real doozy.
For the IT vlan, we have one address that will not talk to our web
content mgmt appliance. It's the 2nd address in our assignable pool,
and it doesn't matter if it's dhcp or statically assigned, that address
will not talk to that device.
That is the *only* device that cannot be reached from this particular
address in our dept vlan, every other one works fine.
Any ideas on this?
Stevo

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> and it doesn't matter if it's dhcp or statically assigned, that
> address
So.... the title of this thread should actually be 'Very weird non-DHCP
issue', since your own testing confirms this has nothing to do with DHCP?
If you do a LAN trace on this machine as well as your web content
management appliance do you see packets on either side? Both sides? If
not on both sides but you do on the source (workstation) side see
packets going out, then get LAN traces after each network device
(switch, router, firewall, etc.) to see when the packets disappear.
Feel free to post the LAN traces somewhere with descriptions of IPs,
ports, and what you should be seeing, if you want to post them somewhere
for review.
Good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJP4jFPAAoJEF+XTK08PnB55aMP/3Rg9u6LX6jFCXGYuex/oXdS
NZ/liqfCgjyIcykWWeKGgdtm2I7JZOcFiG8YW2le55mcltvCL1VJW +1VGng4kZER
0f4hjfyQ3CcQ6HIU3RM6VL5U2Pblb80MsEQe0qo0xgtPXipmjs i7Q0xIv9p0wT7A
7JMkfgM9tfuI5Yro+BDLfSIkFWicKuKs1sKpNugKalPuyyRrzW IiznoalIKFshon
a40ETLJVZmngBYfqfeZL9nPNsFlveFNXrDkdbl2WbaprsHtNnA NwZfVUIlc5kOCT
MknY0GXof4/tk149OVCCLgjEzoRtTIZH0BJTHQwW7ANkWUUNYwi49+Mk46V0o awl
oe1aA+NK9gl2bWXWLCtTro4ERSVMvkcI0OffytrfcBsqdCKg/g3QPMjV3kiVEULI
xnSTsqFgOl2qO8qGaL6FJtk39ZBnCwqDPtmoNt93OK4hAhWBuA Xihc+kiQHrwkpO
O04quZu8qQG6A6qwFDr+r+QqarFR3kielfvi7H6o5iLfZn/sDhvijGOAknJVctH8
j8fezki9PMznkcT+of2Oe4T99K9fChN2WFSgUKdlpkYSjbkmjP fdbWloou+WBjCm
7hHwnAbKPPgoN8aPPfw9rG9E+K/0YW2kt4wRu79BEDvF6eMv0UdDPE1qPuw1ttmm
jg2zzMZDkgIG39A0P3u7
=+fCy
-----END PGP SIGNATURE-----

VRF and DHCP issue

VRF and DHCP issue
We have a 6500 ( 12.2 (33) SXH5 ) that has a VRF running for our guest network. On this 6500 resides the DHCP pool with a range defined for our guest network. We have a stack of 3750's (12.2 (46) SE) connected to the 6500 with a L3 connection. The 3750's have a local guest VLAN with its gateway defined in a VLAN interface. This VLAN on the 3750 has an IP helper address pointing to an IP within the VRF on the 6500. When debugging DHCP on the 6500, a request is received and sent back out. The client never receives this request.
If a static IP is applied, the client is able to communicate anywhere within the VRF successfully (including pinging the IP within the helper-address. As many posts have pointed out - there is no VRF <name> under the ip dhcp pool <name> within the 6500. I am just wondering if anyone else has run into this and what their solution was.
Thanks.

Hi,
I have tested the dhcp server and vrf on Cisco 3640 and it is working without VRF under the ip dhcp pool. Please ensure that you have configured routing for the dhcp-relay agent(VLAN facing dhcp client on 3750 in your case).

4500X L3 MEC + VRF + DHCP issue

Good morning -
I have a pair of 6513 in a VS40 (VSS quad sup) connected via L3 MEC to a VSS pair of 4500X. Active to Active and Standby to Standby connected in a L3 MEC port-channel that is also a vnet trunk:
(Core)
interface Port-channel5
description Distribution Uplink
no switchport
vnet trunk
ip dhcp snooping limit rate 100
ip address 172.20.68.1 255.255.255.252
ip ospf message-digest-key 1 md5 XXX
spanning-tree guard root
(4500 Distribution)
interface Port-channel1
description Core Uplink
vnet trunk
ip arp inspection trust
ip address 172.20.68.2 255.255.255.252
ip ospf message-digest-key 1 md5 XXX
The interfaces are all using LACP mode Active inside the channels
On the 4500 we have a global routing table and a vrf. Both have helper addresses pointing to the DHCP server which is extranet service behind the 6513 Core.
interface Vlan2301
description Global Routing Table
ip address 172.19.68.1 255.255.255.0
ip helper-address 10.4.16.222
interface Vlan2512
description VRF
vrf forwarding RED
ip address 10.217.5.1 255.255.255.0
ip helper-address 10.4.16.222
DHCP for the Global Routing Table subnet works. DHCP for the VRF does not.
What is interesting is if we shut down the link that is connected to the standby 4500 (Te2/1/1) DHCP starts to work for the VRF.
Using <debug ip dhcp server packet detail> at the 4500 here is what I am seeing.
When both links are up and DHCP is failing for the VRF:
Mar 10 20:02:02.419: DHCPD: BOOTREQUEST from 0100.1a6b.3a56.13 forwarded to 10.4.16.222.
Mar 10 20:02:10.473: DHCPD: Reload workspace interface Vlan2512 tableid 3.
Mar 10 20:02:10.473: DHCPD: tableid for 10.217.5.1 on Vlan2512 is 3
Mar 10 20:02:10.474: DHCPD: client's VPN is RED.
Mar 10 20:02:10.474: DHCPD: using received relay info.
When I shut the Te2/1/1 link down in the L3 MEC at the 4500 DHCP starts to work for the VRF RED:
Mar 10 20:04:41.354: DHCPD: BOOTREQUEST from 0100.1a6b.3a56.13 forwarded to 10.4.16.222.
Mar 10 20:04:41.369: DHCPD: Reload workspace interface Port-channel1.2002 tableid 3.
Mar 10 20:04:41.369: DHCPD: tableid for 172.20.68.2 on Port-channel1.2002 is 3
Mar 10 20:04:41.369: DHCPD: client's VPN is .
Mar 10 20:04:41.369: DHCPD: forwarding BOOTREPLY to client 001a.6b3a.5613.
Mar 10 20:04:41.369: DHCPD: no option 125
Mar 10 20:04:41.369: DHCPD: broadcasting BOOTREPLY to client 001a.6b3a.5613.
Mar 10 20:04:41.369: DHCPD: no option 125
Mar 10 20:04:44.808: DHCPD: Reload workspace interface Vlan2512 tableid 3.
Mar 10 20:04:44.808: DHCPD: tableid for 10.217.5.1 on Vlan2512 is 3
Mar 10 20:04:44.808: DHCPD: client's VPN is RED.
It is like there is a bug that is treating the L3 MEC as a L2 MEC when both links are present; or the VNET trunk is not being processed correctly.
Has anyone else used a L3 MEC with a VRF and a DHCP helper with success? Is this a bug?
03.05.01.E is the code we are running on the 4500X-32(SPF+)
This is also with TAC but I thought I would share with the community in case anyone else has a similar environment or if Cisco experts want to comment.

Hi,
I have tested the dhcp server and vrf on Cisco 3640 and it is working without VRF under the ip dhcp pool. Please ensure that you have configured routing for the dhcp-relay agent(VLAN facing dhcp client on 3750 in your case).

Ip dhcp snooping on vlan

hi
i have following configuration in my switch
ALS1(config)# ip dhcp snooping
ALS1(config)# interface range fastethernet 0/7 - 12
ALS1(config-if-range)# ip dhcp snooping trust
ALS1(config-if-range)# exit
ALS1(config)# interface range fastethernet 0/15 - 24
ALS1(config-if-range)# ip dhcp snooping limit rate 20
ALS1(config-if-range)# exit
ALS1(config)# ip dhcp snooping vlan 100,200
my question is why do we have to configure dhcp snooping on vlan if we already configured on port??
Thanks
vish

I think it just gives you more flexibility ie. you may want to enable DHCP snooping but only for some vlans.
If you are asking why you need to enable it globally and then per vlan when you could just enable it per vlan I agree with what you are saying.
There are a number of other commands etc. that follow this line ie. enable it globally and then per vlan or per interface etc.
I suspect it may be to do with enabling it globally sets up certain things needed on a system wide and not a per vlan or per interface basis but I have wondered that myself sometimes :-)
Jon

6500 DHCP ISSUE

Hello All,
I am having an issue do DHCP from the 6500, and was hoping someone cant help. So, I tried to setup DHCP from the FWSM to the clients and this worked fine with giving out the IP, however the gateway for devices on the inside is supposed to be the 6500, not the FWSM, which is why the clinets wouldn't get out to the internet. Do I need to set up DHCP relay on the FWSM or does anyone know the way I can setup DHCP on the 6500 to give out IP's to the clients. Again just to reiterate, when I setup DHCP on the FWSM the clinets get the IP's but do not get out to the internet and when I setup DHCP on the 6500 the clients do not get an IP. Also I know tghis is a dhcp issue becasue when I assign a static address on the network the clients get out fine. Thanks in advance for the help!
6500 Config
ip dhcp pool TEST
   network 1.1.1.0 255.255.255.0
   default-router 1.1.1.1
   dns-server x.x.x.x y.y.y.y
FWSM Config
FWSM/TEST# show run
interface Vlan3
nameif outside9
bridge-group 1
security-level 0
interface Vlan203
nameif inside9
bridge-group 1
security-level 100
interface BVI1
ip address 1.1.1.4 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
access-list INSIDE1_IN extended permit ip any any
global (outside1) 1 x.x.x.x
nat (inside1) 1 1.1.1.0 255.255.255.0
access-group INSIDE1_IN in interface inside1
route outside1 0.0.0.0 0.0.0.0 1.1.1.1 1
FWSM/TEST#

Hello Alain,
Thanks for your quick response. I attached a Diagram of the layout. Just to let you know this is an FWSM with many virtual contexts and most including this one that are Transparent. I understand that I need an access-list on both ends to specifiy so the FWSM opens it, I am just having issue because the FWSM sees this as unsual traffic and the access-list needs to be on-point to work. Thank you for the response and I'll look forward to hearing back from you.

Assign DHCP Pools to VLAN on SG500

Hello,
I want to use the internal DHCP Server of a SG500-Stack (Layer3-Mode) to assign addresses to several VLANs.
I was able to create several Pools, but I didn't find any option to assign these pools to VLANs or Ports.
For Example:
Addresses from Pool 192.168.0.0/24 are assigned to VLAN10
Addresses from Pool 10.0.0.0/24 are assigned to VLAN20
Addresses from Pool 10.128.128.0/24 are assigned to VLAN30
Is this possible with a SG500?
If it is, please give me a hint where I can set this up as I didn't find anything about this.
Thanks in advance,
Christoph

This is an example to create Vlan and DHCP per vlan and how to assign the port to vlan
but before please change the mode of the router to layer 3 and ensure you have the latest firmware
1. Create a vlan
#configure terminal
#vlan database
#vlan 10
#vlan 20
#vlan 30
#exit
2. Create interface of the Vlan's
#interface vlan 10
#ip address 192.168.0.254 255.255.255.0
#interface vlan 20
#ip address 10.0.0.254 255.255.255.0
#interface vlan 30
#ip address 10.128.128.254 255.255.255.0
#exit
3. Enable DHCP server on vlan's in this example the range is from 100 to 200 hosts
#address low 192.168.0.100 high 192.168.0.200 /24
#address low 10.0.0.100 high 10.0.0.200 /24
#address low 10.128.128.100 high 10.128.128.200 /24
#exit
4. Assign the port to Vlan 10 and 20 and 30 in my example I assign port 1 to vlan 10 , port 2 to vlan 20 and port 3 to vlan 30
#interface gigabitethernet 1/1
#switchport mode access
#switchport access vlan 10
#exit
#interface gigabitethernet 1/2
#switchport mode access
#switchport access vlan 20
#exit
#interface gigabitethernet 1/3
#switchport mode access
#switchport access vlan 30
#exit
So now connect pc with on port 1,2,3 to make a test
Please lets me know and please rate the post and mark answered to help other customers
Thanks
Mehdi

DHCP issue on Cisco IOS router

Hi experts,
I recently got complaints that some clients can't get IP address through the DHCP server configured on a Cisco IOS router. I turned on debugging on DHCP events and packets and I see the following logs.
Mar 22 15:33:41: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:33:41: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:33:41: DHCPD: Seeing if there is an internally specified pool class:
Mar 22 15:33:41:   DHCPD: htype 1 chaddr 001b.63f2.468c
Mar 22 15:33:41:   DHCPD: remote id 020a0000cf6050011000000a
Mar 22 15:33:41:   DHCPD: circuit id 00000000
Mar 22 15:34:02: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:34:02: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:34:02: DHCPD: Seeing if there is an internally specified pool class:
Mar 22 15:34:02:   DHCPD: htype 1 chaddr 001b.63f2.468c
Mar 22 15:34:02:   DHCPD: remote id 020a0000cf6050011000000a
Mar 22 15:34:02:   DHCPD: circuit id 00000000
Then it will repeat and repeat for this MAC. Any reason why the router is not assigning an IP to it? It actually happens to some other MACs as well... They are from different vendors and located on different switches... I can't really find a pattern for this problem... The DHCP pool hasn't run out and it still has available IPs in it.
Thanks

Hi Alain, thanks for quick reply. The followings contain the output that you required. I hided the prefix of the IP with a.b.c. Thanks!
interface FastEthernet1/0.10
description : DHCP for EXHIBITION VLAN
encapsulation dot1Q 10
ip address a.b.c.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
end
r#sh ip dhcp pool
Pool EXHIBIT :
Utilization mark (high/low)    : 100 / 0
Subnet size (first/next)       : 0 / 0
Total addresses                : 126
Leased addresses               : 47
Pending event                  : none
1 subnet is currently in the pool :
Current index        IP address range                    Leased addresses
a.b.c.118        a.b.c.1      - a.b.c.126     47
#sh run | in/be dhcp
no ip dhcp use vrf connected
ip dhcp excluded-address a.b.c.1 a.b.c.11
ip dhcp excluded-address a.b.c.126
ip dhcp excluded-address a.b.c.100 a.b.c.101
ip dhcp excluded-address a.b.c.51
ip dhcp pool EXHIBIT
   network a.b.c.0 255.255.255.128
   default-router a.b.c.1
   dns-server 207.172.3.8 207.172.3.9
   domain-name xyz.com
#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
a.b.c.19        0168.7f74.6260.9b       Mar 23 2011 01:56 PM    Automatic
a.b.c.52        0100.4854.897d.17       Mar 23 2011 12:53 PM    Automatic
a.b.c.56        0100.4063.e7b5.b2       Mar 23 2011 03:33 PM    Automatic
a.b.c.57        0100.1b63.f246.8c       Mar 23 2011 03:34 PM    Automatic
a.b.c.68        015c.5948.0b97.d6       Mar 22 2011 05:59 PM    Automatic
a.b.c.69        0168.7f74.626d.67       Mar 23 2011 07:07 AM    Automatic
a.b.c.70        0198.fc11.5027.1d       Mar 22 2011 07:04 PM    Automatic
a.b.c.71        01dc.2b61.04ba.af       Mar 22 2011 10:26 PM    Automatic
a.b.c.72        017c.c537.58e6.64       Mar 22 2011 08:37 PM    Automatic
a.b.c.73        017c.6d62.3303.57       Mar 23 2011 03:54 AM    Automatic
a.b.c.74        0124.ab81.cda4.68       Mar 23 2011 05:01 AM    Automatic
a.b.c.75        0100.1e52.8f11.a5       Mar 23 2011 02:47 PM    Automatic
a.b.c.76        0100.264a.5fc8.e3       Mar 23 2011 07:13 AM    Automatic
a.b.c.77        017c.6d62.38cd.40       Mar 23 2011 02:06 PM    Automatic
a.b.c.78        0100.1d4f.f647.79       Mar 23 2011 02:37 PM    Automatic
a.b.c.79        0100.26b0.8637.3d       Mar 23 2011 01:16 PM    Automatic
a.b.c.81        0130.694b.e9de.82       Mar 23 2011 03:19 PM    Automatic
a.b.c.82        0100.21e9.6864.80       Mar 23 2011 12:04 PM    Automatic
a.b.c.83        0124.ab81.63e6.b5       Mar 23 2011 09:38 AM    Automatic
a.b.c.84        0100.16b6.0455.c2       Mar 23 2011 09:42 AM    Automatic
a.b.c.85        0100.1302.4c96.9e       Mar 23 2011 09:49 AM    Automatic
a.b.c.86        0140.a6d9.741c.e0       Mar 23 2011 12:12 PM    Automatic
a.b.c.87        0100.264a.b8e9.50       Mar 23 2011 10:16 AM    Automatic
a.b.c.88        0140.a6d9.4911.67       Mar 23 2011 03:19 PM    Automatic
a.b.c.89        013c.7437.1e32.96       Mar 23 2011 10:27 AM    Automatic
a.b.c.90        01d8.3062.689c.4b       Mar 23 2011 11:55 AM    Automatic
a.b.c.91        0158.946b.4df8.bc       Mar 23 2011 10:49 AM    Automatic
a.b.c.92        0100.2215.7368.26       Mar 23 2011 10:23 AM    Automatic
a.b.c.93        0100.23df.76ea.90       Mar 23 2011 02:33 PM    Automatic
a.b.c.94        0124.ab81.708d.83       Mar 23 2011 03:58 PM    Automatic
a.b.c.95        0100.1cb3.163d.5a       Mar 23 2011 03:13 PM    Automatic
a.b.c.96        01cc.08e0.2aeb.96       Mar 23 2011 01:27 PM    Automatic
a.b.c.97        0188.c663.d0d0.55       Mar 23 2011 01:57 PM    Automatic
a.b.c.98        0100.1b77.08bb.89       Mar 23 2011 01:15 PM    Automatic
a.b.c.99        0100.1ec2.47d7.19       Mar 23 2011 12:43 PM    Automatic
a.b.c.102       0100.1310.8e74.78       Mar 23 2011 12:41 PM    Automatic
a.b.c.103       0100.24d6.58b0.82       Mar 23 2011 01:44 PM    Automatic
a.b.c.104       0100.2608.7df2.68       Mar 23 2011 03:23 PM    Automatic
a.b.c.106       01c8.bcc8.1a86.41       Mar 23 2011 03:56 PM    Automatic
a.b.c.107       01a4.6706.1e54.94       Mar 23 2011 04:08 PM    Automatic
a.b.c.108       017c.c537.46ac.0e       Mar 23 2011 02:41 PM    Automatic
a.b.c.111       0100.037f.0ea2.19       Mar 23 2011 02:47 PM    Automatic
a.b.c.112       01d8.3062.75c5.9c       Mar 23 2011 03:33 PM    Automatic
a.b.c.113       0021.9116.449e          Mar 23 2011 03:36 PM    Automatic
a.b.c.114       0100.1ff3.46d9.a9       Mar 23 2011 03:40 PM    Automatic
a.b.c.116       0104.1e64.4a0d.a3       Mar 23 2011 04:21 PM    Automatic
a.b.c.117       0190.27e4.4ae8.94       Mar 23 2011 04:24 PM    Automatic
Thanks!

802.1X dyanmic VLAN assignment DHCP issue (Vista client)

I am labbing dynamic VLAN assignment and have run into a small problem. The switchport is succesfully changing to the new VLAN, but my test PC seems to get an IP address in the native data VLAN before being moved to the new dynamic assigned VLAN. So when the switch changes the VLAN the PC keeps its old IP address and nothing talks any more.
Is this a Vista issue? I thought all of these problems were just issues in XP? Do I need to tweak any interface dot1x timers?
(Cat3750 with 12.2.55 / ACS5.1. Everything else is running fine by the way.)

if i do a show run on the switchport the config hasnt changed, but i dont expect it to, as its not a permanent config change that you would want to be saved by a different admin user saving the config. You can see the debug report it is changing the VLAN:
Apr 19 09:22:56.263: %AUTHMGR-5-START: Starting 'dot1x' for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
Apr 19 09:22:58.604: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/19, changed state to up
Apr 19 09:22:59.560: %DOT1X-5-SUCCESS: Authentication successful for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID
Apr 19 09:22:59.568: %AUTHMGR-5-VLANASSIGN: VLAN 12 assigned to Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
Apr 19 09:22:59.585: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan12, changed state to up
Apr 19 09:23:00.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/19, changed state to up
Apr 19 09:23:00.315: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
as well as checking with the show int switchport command and it is in v12 which is the dynamically assigned vlan
DHCP server is the cat3750 for all local VLANs

Heads Up: Private VLAN Sticky-ARP DHCP Issues

Here is the scenario:
Private VLANs are configured on a 6500 Sup720 with SVIs routing for the PVLANs.
DHCP Snooping and IP ARP Inspection are also configured for the PVLAN subnets.
A DHCP Server is offering 3 day leases.
A laptop connects to the network and receives a 3-day lease. The user leaves the office and returns 4 days later. The DHCP server offers a new lease with a different IP address. Furthermore, the previous IP address leased to the laptop has been handed out in a new lease to another host. Both systems receive their DHCP lease but have no network connectivity.
The problem occurs because, by default, PVLAN SVIs use Sticky-ARP and never age out their ARP cache. Since the laptop has a different IP address to MAC address mapping than recorded in the Sticky-ARP cache, a violation occurs and the switch prevents the new IP address from populating the ARP table on the switch.
Sticky-ARP is a security feature that prevents one system from stealing another systems IP address.
Log messages show the following:
%IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry
The 6500 PVLAN configuration guide Restrictions and Guidlines section suggests that Sticky-ARP is fundamental to Private-VLANs, and the only work-around for this problem is to create manual arp entries for the new IP address. This is clearly not a viable workaround for this scenario.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979
However, the 6500 Command Reference shows that Sticky ARP can be disabled, but makes no reference to PVLANs
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/i1.htm#wp1091738
There appears to be two sensible solutions to this problem:
1) Disable Stick-ARP on the 6500 for the PVLANs. Since DHCP Snooping and IP ARP Inspection are configured, sticky-arp can be disabled without relaxing network security. This is assuming the 6500 will accept the command and will not break the existing PVLAN functionality.
2) Extend the DHCP lease longer, to 45 or 90 days perhaps. This will catch most transient activity and keep the IP address to MAC address relationships the same, wherever possible. The downside here is that DHCP address pools could collect stale entires that would take the lease time to flush, thus reducing the overall available IPs in the pool.
Has anyone else run into this problem? If so, what was your solution? Did you attempt either option above? I am planning on using solution #1 above, but I wanted to ping the NetPro community with this as I am sure we are not the first customer to run into this. Or are we??
Regards,
Brad

Excellent question.
Sticky-ARP is NOT intended to be a pain-in-the-butt that should disabled right away, rather, it is a security mechanism that prevents a system from stealing an active IP address on the subnet and causing a lot of problems. Sticky-ARP works best on subnets that have all static IP addressing where there is no expectation that a host would frequently change its IP address.
Yes, I would recommend keeping Sticky-ARP on subnets with all static IP addresses.
In DHCP subnets with no static IP addressing, DHCP Snooping and IP ARP Inspection provide the same security coverage that Sticky-ARP does, they prevent a system from claiming an illegitimate IP and MAC address. Furthermore, in DHCP subnets, it is reasonable to expect that a host would change its IP address from time to time when its lease expires.
Sticky-ARP does not provide any addtional securtity benefits when DHCP Snooping and IP ARP Inspection are active and it only causes problems when a lease expires.
When Cisco made Stick-ARP the default behavior for Private VLANs, they certain did not have DHCP in mind.
In Summary, it should be known as a Best Practice that when using Private VLANs on user segments with DHCP that DHCP Snooping and IP ARP Inspection should be enabled and Sticky-ARP be disabled.
Brad

RV220W second vlan DHCP issue

Hi all,
I have a Cisco RV220W router (firmware version 1.0.4.17).
I would like to have two separate networks with the following specifications:
Netwrork1: address range for the network is 192.168.0.1-254. All devices should be able to reach eachother within this network and connect to the internet either on LAN or through Wifi. From this network I should also be able to reach the device management page of the router. Also the devices should get the ip addresses throgh DHCP.
Network2: address range for the network is 192.168.5.1-254. All devices within this network should not be able to reach the devices in network1. All devices on this network should reach the internet through Wifi only. Device management page should not be available on this network.
I have configured the router as shown in the attached screenshots but the problem is that in Network2, devices get IPs from the 192.168.0.1-254 range and not from the 192.168.5.1-254 range. Also there is no internet on these either.
Any help would be greatly appreciated.

Good morning
Thanks for using our forum
Hi mate, my name is Johnnatan and I am part of the Small business Support community. To add to Tom´s post you could “Isolate”, your networks enabling this feature, and disabling the Broadcast SSID of your Network1.
I hope you find this answer useful, *Please mark the question as Answered or rate the answer so other will know when an answer has been found.
Greetings,
Johnnatan Rodriguez Miranda.
Cisco network support engineer.

2100 wireless LAN controller intermittant DHCP issue does not respond to clients

Hi everyone,
I have been struggling with a difficult problem for some time now:
The cisco 2100 wlan controller I have is configured with a dhcp scope in the same ip address range as its WLAN. The configuration works and on a good day I have up to 200 clients connecting with out issue. In the web interface they display as associated and authenticated
On a bad day I find I will begin seeing about 50-80% of all new devices that attempt to join the WLAN show up as associated but not authenticated. These clients end up self assigning themselves a 169.254.0.0/16 (APIPA) address
When my controller / WLAN enters into this state: if clients leave the WLAN they typically fail to get back on and successfully authenticate. By the end of a day around 80-90% of all devices are essentially without Internet access due to this issue.
Rebooting the controller and or APs typically makes no difference or makes things worse – although sometimes it appears to resolve the issue. The same holds for disabling the entire wlan for about 10 minutes and then re enabling it.
Im using 1130 cisco aironet APs with the controller. I have checked extensively for interference and congestion – I think I have congestion – some APs typically host 40 to 90 devices. However as mentioned on a good day the wlan will host 200 devices all day without any issue and some APs will host 50 to 70 devices without major issue.
I can provide more specifics if anyone should need – eg firmware, IP addresses, exact model numbers etc.
Please let me know if anyone has seen something like this before ?
I believe the 2100 is rated to handle up to 350 devices and its recommended not to load a 1130 AP with more than 25 devices ??
Regards
Matthew

Hi Amijad, Hi George:
Thank you both for your time in considering my situation.
I will think about implementing an independant DHCP server; im really wondering if the equipment is just overloaded
- What software versoin the WLC uses?
Product Version.................................. 6.0.199.4
RTOS Version..................................... 6.0.199.4
Bootloader Version............................... 4.0.191.0
Emergency Image Version.......................... 6.0.199.4
PID: AIR-WLC2106-K9, VID: V05
- What ports of the WLC are connected to the neighbor swtich? one or more?
2 ports connect to the neighbor switch on separate vlans
- port 1 is vlan 0 and hosts the management and ap-management IPs for the wlan controller
- port 2 is vlan 1 and hosts the wlan
- the controller has one dhcp scope defined on port 2 for the WLAN
- What is the security of your WLAN?
WPA+WPA2
AES
PSK
- Do you have "DHCP required" enabled on the WLAN?
yes DHCP required is enabled in the WLAN
please let me know if you have any additional advice.
regards
Matthew

DHCP issue in VLAN

Similar Messages

Maybe you are looking for