Configuring dhcp on cisco 3750

I've been trying to configure a simple dhcp setup with the following topology:

Cisco3750[Port:1] dhcp server 192.168.2.100 Cisco3750[Port:3-5] dhcp clients

I am using tethereal on the dhcp server 192.168.2.100 interface to look for dhcp requests and the proceeding dhcp traffic. This is not working! I connected one of the clients to the dhcp server back-2-back to verify that dhcp works. Am I missing something? I want this to be really simple! Can anyone help, please?

Here is my cisco3750 running config:

Current configuration : 2208 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$iC8.$yNpSaeY3mfGX16BA7mS5d/
enable password qlogic
!
no aaa new-model
switch 1 provision ws-c3750g-24ts
vtp mode transparent
ip subnet-zero
!
ip dhcp snooping vlan 2
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
 name vlan-dhcp
!
!
interface GigabitEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/3
 switchport access vlan 2
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/4
 switchport access vlan 2
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/5
 switchport access vlan 2
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 172.17.141.150 255.255.254.0
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Vlan2
 ip address 192.168.2.150 255.255.255.0
 ip helper-address 192.168.2.100
!
ip default-gateway 172.17.140.1
no ip classless
no ip route static inter-vrf
no ip http server
!
!
!
control-plane
!
!
line con 0
line vty 0 4
 password qlogic
 login
line vty 5 15
 password qlogic
 login
!
!
end

Switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/6, Gi1/0/7, Gi1/0/8
                                                Gi1/0/9, Gi1/0/10, Gi1/0/11
                                                Gi1/0/12, Gi1/0/13, Gi1/0/14
                                                Gi1/0/15, Gi1/0/16, Gi1/0/17
                                                Gi1/0/18, Gi1/0/19, Gi1/0/20
                                                Gi1/0/21, Gi1/0/22, Gi1/0/23
                                                Gi1/0/24, Gi1/0/25, Gi1/0/26
                                                Gi1/0/27, Gi1/0/28
2    vlan-dhcp                        active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1003 trcrf 101003     4472  1005   3276   -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trbrf 101005     4472  -      -      15       ibm  -        0      0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7       7       off

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Switch#show ip dhcp snoop
Switch DHCP snooping is disabled
DHCP snooping is configured on following VLANs:
2
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                Trusted Rate limit (pps)
------------------------ ------- ----------------
GigabitEthernet1/0/1     yes     unlimited
GigabitEthernet1/0/2     yes     unlimited
GigabitEthernet1/0/3     yes     unlimited
GigabitEthernet1/0/4     yes     unlimited
GigabitEthernet1/0/5     yes     unlimited

Reply to
Asif

Why do you have an IP-helper on VLAN 2? While I would think this wouldn't hinder anything, I would definitely remove that first, especially since the switch sees those frames before anything else.....

Reply to
Trendkill

------------------------------------------------------------------------------

At first I did a shutdown cmd on the default vlan 1 and simply connected the dhcp server and the clients. I did not configure the helper-address though. Then I decided that I want an isolated subnet, in which I want to perform dhcp operations. All this is for testing network boot, by the way. So now I have the vlan #2 (192.168.2.x). By the way, when I looked at the cisco docs and used the ip helper-address cmd, the directions were to configure the helper-address per vlan. I tried to do the helper-address per interface connected to the clients and this is unsupported by the cisco f/w I have, 12.2(25)SEB4.

Reply to
Asif

------------------------------------------------------------------------------

Ip-helper is only needed for subnets that do not have a directly connected dhcp server. Additionally, you are saying your dhcp server is .100, and your ip-helper says .150. I would either make that match, or get rid of it, especially since these clients are on the same vlan. Let me know how you fare and we can move to the next phase of looking at your issue.

Reply to
Trendkill

------------------------------------------------------------------------------

As I already mentioned, in my previous simple configuration, I simply connected the dhcp server to port 1 and clients to ports 3 through 5. I did not do anything else. This did not work. So then I found out about helper-address and proceeded to perform the current configuration. If you look once more, the helper-address is set to 192.168.2.100 and the vlan 2 ip address is set to 192.168.2.150. And I repeat my dhcp server ip address is 192.168.2.100. Here is a copy of the above snippet for your convenience:
Reply to
Asif

------------------------------------------------------------------------------

I'm sorry, the helper address does match. Regardless, you shouldn't need it on the same vlan as the dhcp server, so I'd still try to remove and test. Additionally, does your show ip int brief show all ports as up/active as needed?

Reply to
Trendkill

------------------------------------------------------------------------------

Ok, I saw your latest post. Can you ping the dhcp server from the switch? What happens when you do an extended ping (and choose a source interface of the VLAN 2 IP address)? If ping is successful, can you try to set one of the clients to a hard coded IP and do the same test? Can you ping between the static IPed client and the dhcp server? Does show mac-address-table show macs for the clients when they first connect as they should?

Reply to
Trendkill

------------------------------------------------------------------------------

Did several of these from the switch and it works:

Switch#ping 192.168.2.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.100, timeout is 2 seconds:
!!!!!

On the dhcp client system:

# ping 192.168.2.100
192.168.2.100 is alive

As I understand, broadcast pkts to 255.255.255.255 are not allowed to propagate across the switch ports by default and my guess is that this is the problem I am facing with the dhcp operation. But then I thought that the ip helper-address was meant to address this issue. But you are saying that the helper-address is used for subnet to subnet traffic flow in particular for dhcp. Anyway, I do appreciate your help so far. All the checks you suggested work so far. I tried the dhcp boot and it still fails. I have not changed anything yet.

Reply to
Asif

------------------------------------------------------------------------------

dhcp server: Internet Systems Consortium DHCP Server V3.0.4b2

Cisco 3750 VERSION (reformatted):
Switch = 1
Ports = 28
Model = WS-C3750G-24TS
SW Version = 12.2(25)SEB4
SW Image = C3750-IPSERVICES-M

Back2Back: If you look in my earlier posts, you'll see that I've confirmed that it works. Anyway, I reconfirmed again, and back2back works.

Got rid of the ip dhcp snooping, and it still does not work! I am running out of ideas here.

Reply to
Asif

VLAN 2 contains a DHCP server and several client computers. The layer 3 switch (Cisco 3750) does not have to do anything for DHCP to work. Remove the IP helper configuration completely. There is no doubt that IP helper forwards DHCP requests from a VLAN to another VLAN containing a DHCP server when the DHCP server and DHCP clients are on different broadcast domains, such as the case when they are separated by a router.

Quote from Cisco documentation: DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network.

Based on your below posted configuration, enter the following:

no ip dhcp snooping vlan 2
no ip helper-address 192.168.2.100

Test that without the IP helper-address. If it works, add DHCP snooping back in but do not use IP helper-address if the DHCP server is within the same VLAN on that switch as the DHCP clients.

Reply to
Scott Perry
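
An added example, not part of any post in this thread: a small offline audit of an IOS-style configuration for the three conditions visible in the posted config and `show` output (snooping listed for a VLAN but disabled globally, `ip dhcp snooping trust` on client-facing ports, which turns off the filtering the Cisco quote describes, and a helper-address pointing at a server on the SVI's own subnet). The function names and the `server_ports` parameter are hypothetical, and the sample config is a constructed excerpt modelled on the one above.

```python
import ipaddress
import re

# Constructed excerpt modelled on the configuration posted in this thread.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 2
!
interface GigabitEthernet1/0/1
 switchport access vlan 2
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/3
 switchport access vlan 2
 ip dhcp snooping trust
!
interface Vlan2
 ip address 192.168.2.150 255.255.255.0
 ip helper-address 192.168.2.100
"""

def parse_interfaces(config):
    """Map each interface name to its list of sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit(config, server_ports):
    """Return findings; server_ports (hypothetical) lists ports with a real DHCP server."""
    findings = []
    top = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    if any(l.startswith("ip dhcp snooping vlan ") for l in top) and "ip dhcp snooping" not in top:
        findings.append("global: snooping has VLANs configured but is not enabled")
    for name, cmds in parse_interfaces(config).items():
        if "ip dhcp snooping trust" in cmds and name not in server_ports:
            findings.append(f"{name}: client-facing port is trusted")
        text = "\n".join(cmds)
        addr = re.search(r"^ip address (\d\S*) (\d\S*)$", text, re.M)
        if addr:
            net = ipaddress.ip_interface(f"{addr[1]}/{addr[2]}").network
            for helper in re.findall(r"^ip helper-address (\d\S*)$", text, re.M):
                if ipaddress.ip_address(helper) in net:
                    findings.append(f"{name}: helper-address {helper} is on the local subnet")
    return findings
```

Calling `audit(SAMPLE_CONFIG, {"GigabitEthernet1/0/1"})` returns one finding per condition; a config with global snooping enabled, trust only on the server port and no local helper-address returns an empty list.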


------------------------------------------------------------------------------

Ok got rid of ip helper-address and dhcp snooping. It works. But interestingly it takes a long time. Here is an example dhcp session on a Sun SPARC at the OBP ok prompt:

ok load net:dhcp,192.168.2.100,hello
Boot device: /pci@1f,700000/network@2:dhcp,192.168.2.100,hello  File and args: -v
1000 Mbps FDX Link up
Timeout waiting for BOOTP/DHCP reply. Retrying ...
Timeout waiting for BOOTP/DHCP reply. Retrying ...
Timeout waiting for BOOTP/DHCP reply. Retrying ...

Server IP address: 192.168.2.100
Client IP address: 192.168.2.130
Router IP address: 192.168.2.1
Subnet Mask : 255.255.255.0
ok

Reply to
Asif

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.