Switches, Hubs, and Modems

DHCP request problem with VLAN/ACL

SOLVED
ProTest
Advisor

DHCP request problem with VLAN/ACL

I have a 5406 which I want to use in combination with VLANs. Windows network.

Port 1 is connected to a Cisco router with address 4.4.0.1/19. This router is configured to relay the subnets to the switch. Tagged to VLAN8, untagged for VLAN0

Port 2 is connected to a DHCP server, 4.4.0.20 with several scopes. One of them is VLAN8, 4.4.8.1-100/24 GW 4.4.8.251

Port 3 is an XP client, untagged to VLAN8

The switch itself has the following settings
MSTP,
ip routing
VLAN 8
ip address 4.4.8.251/24
ip helper-address 4.4.0.40/24
ACL allow access to VLAN0 (default vlan)


If I configure the client with static IP, like 4.4.8.34/24 GW 4.4.8.251, then I have access to the switch, DHCP server and router (and WAN).
If I use DHCP I get a "DHCP server unreachable", why?
23 REPLIES
Mohieddin Kharnoub
Honored Contributor
Solution

Re: DHCP request problem with VLAN/ACL

Hi

The "ip helper-address 4.4.0.40/24" under vlan8 should be "ip helper-address 4.4.0.20/24" which is the DHCP server.

Be sure that the ACL allows clients to get to the DHCP server.

Don't forget to assign points for any posts.

Good Luck !!!
Science for Everyone
ProTest
Advisor

Re: DHCP request problem with VLAN/ACL

ip helper-address has been corrected but no positive results.

I've added the reduced config file of the core switch. Ignore the trunks, the problem also shows on the main switch.

Matt Hobbs
Honored Contributor

Re: DHCP request problem with VLAN/ACL

If you haven't tried this already, remove the ACL entries on the VLANs. When you get back to this, it's generally recommended to only assign ACLs 'in'.

In your post you mention the XP client is on Port 3 (A3?) untagged in VLAN8. The configuration shows A3 is untagged in VLAN1.
ProTest
Advisor

Re: DHCP request problem with VLAN/ACL

The problems remain with and without ACLs in/out.

Some sources say that MSTP is not the best protocol to be used. RSTP should be used, because this is quicker.
Is this right?
Mohieddin Kharnoub
Honored Contributor

Re: DHCP request problem with VLAN/ACL

I have a solution for you.

Change the Scope on the DHCP server for Vlan8 which is : 4.4.8.1-100/24 GW 4.4.8.251, change the Gateway to 4.4.0.1 (the cisco router), in this case you need to add a static route on Cisco router for Vlan8 to point to Vlan1 ip address: ip route 4.4.8.0 0.0.0.255 4.4.0.40

Your problem is not in the ACL, since assigning static addresses is OK.

Good Luck !!!
Science for Everyone
Mohieddin Kharnoub
Honored Contributor

Re: DHCP request problem with VLAN/ACL

By the way

In the configuration:
interface A1
name "CLIENT"
exit

Change A1 to A3.

:)
Science for Everyone
Matt Hobbs
Honored Contributor

Re: DHCP request problem with VLAN/ACL

I'm not sure how the suggestion to change the scope on the DHCP server would help. Doesn't make sense to me.

What DHCP server are you using?
ProTest
Advisor

Re: DHCP request problem with VLAN/ACL

W2K3 DHCP server

Changing the GW of the DHCP server scope won't work since the switch itself takes care of the routing between VLANs.
The Cisco router relays all subnet traffic to subnet 0 (VLAN1).
Matt Hobbs
Honored Contributor

Re: DHCP request problem with VLAN/ACL

Is A3 meant to be untagged in VLAN8? Currently it isn't.

To start with you should verify that you can assign DHCP addresses in the same VLAN as your DHCP server (VLAN1). If it is unable to do this, you know the problem is with the DHCP server configuration.
ProTest
Advisor

Re: DHCP request problem with VLAN/ACL

DHCP is working perfectly within the VLAN1 setup. This is the base setup prior to vlan migration

A3 (Client) is untagged.

Is there a way to debug or view the DHCP request as it happens?
Matt Hobbs
Honored Contributor

Re: DHCP request problem with VLAN/ACL

I would install ethereal/wireshark on both the DHCP server and the client, start a packet capture in promiscuous mode and type in 'bootp' as the filter.
ProTest
Advisor

Re: DHCP request problem with VLAN/ACL

Same client systems:

VLAN1, untagged gives
0.0.0.0 255.255.255.255 DHCP Discover
4.4.0.20 DHCP Offer
0.0.0.0 DHCP request
4.4.0.20 DHCP ack

VLAN8, untagged/tagged gives, with or without ACLs
0.0.0.0 255.255.255.255 DHCP discover (4x)

In other words, the packet does not reach the DHCP server at all as soon as VLAN8 is used.
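For reading such a 'bootp' capture on the server side, this added example (not code from the thread) shows what a relayed DISCOVER should look like: the relay bumps hops and writes its VLAN interface address into giaddr, and with Option 82 enabled it appends a relay-agent option. The MAC and xid are constructed, 4.4.8.251 is the VLAN8 address from the first post, and encoding "Remote ID : ip" as sub-option 2 carrying that address is an assumption.

```python
import socket
import struct

MAGIC = bytes.fromhex("63825363")  # DHCP magic cookie (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed client DISCOVER: hops 0, giaddr 0.0.0.0, broadcast flag set."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                      bytes(4), bytes(4), bytes(4), bytes(4), mac, b"", b"")
    return hdr + MAGIC + bytes([53, 1, 1, 255])  # option 53 = DISCOVER, then End

def relay(pkt: bytes, vlan_ip: str, option82: bool = True) -> bytes:
    """Relay-agent rewrite before unicasting to the helper address: bump hops,
    fill giaddr if still zero, optionally append Option 82 (remote ID = IP)."""
    out = bytearray(pkt)
    out[3] += 1
    if out[24:28] == bytes(4):
        out[24:28] = socket.inet_aton(vlan_ip)
    if option82 and out[-1] == 255:  # assumes End is the final byte, as built above
        out[-1:] = bytes([82, 6, 2, 4]) + socket.inet_aton(vlan_ip) + b"\xff"
    return bytes(out)

def parse(pkt: bytes) -> dict:
    """Pull out the fields worth checking in a 'bootp' capture."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    info = {"hops": pkt[3], "giaddr": socket.inet_ntoa(pkt[24:28]),
            "type": None, "option82": False}
    i = 240
    while i < len(pkt) and pkt[i] != 255:  # walk TLV options until End
        if pkt[i] == 0:  # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        code, value = pkt[i], pkt[i + 2:i + 2 + pkt[i + 1]]
        if code == 53 and len(value) == 1:
            info["type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 82:
            info["option82"] = True
        i += 2 + len(value)
    return info

if __name__ == "__main__":
    client = build_discover(bytes.fromhex("020000000001"), 0x1234)  # constructed MAC
    print("on VLAN8 segment:", parse(client))
    print("at DHCP server:  ", parse(relay(client, "4.4.8.251")))
```

A DISCOVER that shows up at the server with giaddr 0.0.0.0 was not relayed; one that never shows up at all, as in the VLAN8 capture above, points at the path before or inside the relay rather than at the scope.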
Matt Hobbs
Honored Contributor

Re: DHCP request problem with VLAN/ACL

Few more ideas...

It should be enabled by default, but try:

ProCurve(config)# dhcp-relay

Otherwise try rebooting the switch.

Does the DHCP server have its default gateway set to 4.4.0.40?

If still no luck, can you attach a screenshot of your scopes?
Mohieddin Kharnoub
Honored Contributor

Re: DHCP request problem with VLAN/ACL

It doesn't look like A3 is untagged to vlan8 in the config you posted; it's untagged to Vlan1.

vlan 1
name "DEFAULT_VLAN"
untagged A1-A3
ip address 4.4.0.40 255.255.224.0
tagged Trk2-Trk4
exit

Clients should have Vlan8 Scope "4.4.8.0/24", so if you just do the following:

- Untag port A3 to Vlan8.
- Connect one PC directly to A3 with DHCP and see what's going on.
- If it doesn't work, assign a static IP to the PC and check it.
- If it works, then you have a problem with the DHCP Scope of the "4.4.8.0/24", check it, because you said the Scope for Vlan1 is ok.

I hope everything will be ok with you.
Regarding my suggestion, I know it's not a kind of solution, but I had it work before, and I did suggest it to be sure that your DHCP is working or not.

I wish to hear good news from you today.



Science for Everyone
ProTest
Advisor

Re: DHCP request problem with VLAN/ACL

I've added an attachment with
* exact config of the DHCP server,
* its IP settings
* routing of the switch
* spanning tree settings of the switch
* config extraction of the switch

DHCP-relay is on, tested your advice except the restart. A restart is normally only required during an STP/RSTP/MSTP switch.

TRK2,3,4 are used to link 2626 switches via dual GBICs.
Matt Hobbs
Honored Contributor

Re: DHCP request problem with VLAN/ACL

That looks about right to me. When testing from VLAN8 to VLAN1, on VLAN1 do you see the DHCP requests coming through to the DHCP server at all? If not then the dhcp-relay simply does not look to be working, in that case a reboot may be required.
ProTest
Advisor

Re: DHCP request problem with VLAN/ACL

The current DHCP relay settings are:

5406zl# sh dhcp-relay
DHCP Relay Agent : Enabled
Option 82 : Enabled
Response validation : Disabled
Option 82 handle policy : append
Remote ID : ip


     Client Requests           Server Responses

Valid      Dropped       Valid      Dropped
---------- ----------    ---------- ----------
9          0             0          0

Is this the best one to be used?
Mohieddin Kharnoub
Honored Contributor

Re: DHCP request problem with VLAN/ACL

Hi

I just finished for one of our clients the same scenario you have.

I have 2 Vlans, routed by 5304, 192.168.1.x and 192.168.2.x
Vlan1 ip: 192.168.1.3 - Vlan2 ip: 192.168.2.3
Router : 192.168.1.1 - DHCP Server 192.168.1.2

DHCP has 2 scopes, first one

Vlan1: 192.168.1.100-250 , DNS: 192.168.1.2, Gateway: 192.168.1.1

Vlan2: 192.168.2.100-250, DNS: 192.168.1.2, Gateway: 192.168.2.3

Vlan2 should be tagged all the way between switches, except to server from the clients to the servers.

Ip helper-address for vlan2: 192.168.1.2

Notice :
- IP default-gateway 4.4.0.40, should be 4.4.0.1 which is the Router in the Scope you mentioned for Vlan1 - anyway you have enabled routing on the switch.

and i have:

SW5304_Main# sh dhcp-relay
DHCP Relay Agent : Enabled
Option 82 : Disabled
Response validation : Disabled
Option 82 handle policy : append
Remote ID : mac

-- Since your clients are connected to A3 I think you are using a switch, so please tag both A3 and the other side to Vlan8,4 and untagged to vlan1.
If A3 is for one client, it should be untagged to Vlan1.

Don't forget to assign points.



Science for Everyone
ProTest
Advisor

Re: DHCP request problem with VLAN/ACL

Thanks for the effort but it did not help.

I've added the full config with all VLANs in it. In the past I removed them to simplify the issue. (see the file)

The fully tagged trunks are connected to 2626 switches.

I will assign points later on.
Matt Hobbs
Honored Contributor

Re: DHCP request problem with VLAN/ACL

This is unrelated to the current issue, but with MSTP you should define workstations as edge-ports:

spanning-tree edge-port

Otherwise every time a PC gets rebooted, it will cause a topology change which can decrease performance on your network. Right now you're seeing a significant amount of topology changes. Also make sure to update the 2600's firmware.

Back to the current issue, have you been able to verify if the DHCP requests are coming through to the DHCP server from different VLANs by running ethereal on it or something?

By the sounds of it they are not; if you haven't done so already, I think now is the time for a reboot of that switch - everything else seems to be right from what I can see.
ProTest
Advisor

Re: DHCP request problem with VLAN/ACL

> spanning-tree edge-port
> Right now you're seeing a significant amount of topology changes.

Thanks for the advice

>Also make sure to update the 2600's firmware.
All switches are at the latest firmware H_08_98 (2626) and K_11_33 (5400)

> Back to the current issue, have you been able to verify if the DHCP requests are coming through to the DHCP server from different VLANs by running ethereal on it or something?

I will reboot all switches this weekend and see what happens next week
ProTest
Advisor

Re: DHCP request problem with VLAN/ACL

The problem has been resolved by reconfiguring MSTP and the network reboot.

The reboot made a hot ipconfig/renew action work, changing edge port to Yes made a cold ipconfig/renew action work as well.

Thanks for the support!
stieven struyf
Frequent Advisor

Re: DHCP request problem with VLAN/ACL

I had exactly the same problem last week on a 5412zl chassis.
DHCP relay didn't work, didn't know why.
Reboot of the switch solved it.