Re: ip helper - same main interface - other vlan

gpopescu · ‎10-06-2006

Hi,

I have the following design: A 3745 with a gigabit interface is routing between 15 vlans, and is used with dot1q. From 15 vlans the PCs are requesting ip configurations to the dhcp server on the main interface address segment(to a windows 2003 server with a superscope). The gigabit interface is configured with subinterfaces for the 15 vlans with PCs, and with the server's lan on the main interface. On subinterfaces the ip helper address of the dhcp server is configured. The problem is that when the PC's request the address, they don't receive it.

Does anybody have any ideea?

Thank you in advaced.

Gabriel

Edison Ortiz · ‎10-06-2006

Debug time

#debug ip dhcp server events

#debug ip dhcp server packets

and post the result here.

Also, let's see the router config.

Thanks

gpopescu · ‎10-06-2006

I'd tried it but no result. No output for the two debug commands. For the the debug ip dhcp server events, as far as I understand, the output can only be shown if the router is the dhcp server.

amit-singh · ‎10-07-2006

Hi Gabriel,

I do agreee with Rick on this. We have seen this problem related to superscope in most of the cases. Please hardcode the IP on one of the PC and check if you have the IP connectivity, If yes, then delete the superscope and add individual DHCP scope of each and every vlan. This should work fine.

HTH

-amit singh

Edison Ortiz · ‎10-07-2006

You should be able to see DHCP packets even if the router is not acting as DHCP server. The router is forwarding the DHCP packets so it should be able to see it and report it on the debug. See my other reply about your config.

Richard Burts · ‎10-06-2006

Gabriel

When other people have posted similar situations in the past, most of the time the problem turns out to be problems with the superscope. As a test I would suggest eliminating the superscope (at least temporarily) and configuring a scope for a single subnet and trying from that VLAN and see if that works.

There are other possible causes which you can check if testing with a scope for a single VLAN/subnet does not fix the issue:

- there might be a possible error in configuring the helper address. If you post the config we could check that.

- there might be some IP connectivity issue from the other VLANs/subnets to the server. If you hard code an appropriate address in a PC in one of the VLANs/subnets can it reach the server?

- there might be access lists that impact the ability to get the DHCP.

There could be other things. But these are what I would start with. Try my suggestions and let us know what you find.

HTH

Rick

HTH

Rick

gpopescu · ‎10-06-2006

I have configured only one scope for the test pc's subnet (172.20.139.0/24) on the w2003 dhcp server. The ping works from the test pc to the server. Now I'll post the router config:

interface GigabitEthernet2/0

description *** LAN Interface ***

ip address 172.20.0.1 255.255.255.0 secondary

ip address 192.168.2.2 255.255.255.0

no ip redirects

ip directed-broadcast

no ip proxy-arp

ip pim sparse-mode

ip igmp query-interval 100

load-interval 30

negotiation auto

ntp disable

no cdp enable

.....................................

interface GigabitEthernet2/0.1139

description *** VLAN bari ***

encapsulation dot1Q 1139

ip address 172.20.139.1 255.255.255.0

ip helper-address 172.20.0.2

no snmp trap link-status

no cdp enable

The 172.20.0.2 is the dhcp server. The 172.20.139.0/24 is the test pc's network.

I've attached the network diagram(simplified) and the dhcp server config.

royalblues · ‎10-06-2006

Hi

Check if there is any portfast feature available on the HP switches.

Alsi i would advice to use a sniffer program like ethereal and capture the packets on the interface connected to the 3745 & the DHCP server.

HTH

Narayan

Richard Burts · ‎10-07-2006

Gabriel

Thanks for posting additional information. You tell us that the ping from PC to server works and that is important to know. Can you also test a ping from the server to the PC? (I believe it will work but would like to verify that.)

The configuration of helper address looks ok. I note that the subnet/VLAN of the server is configured on the physical interface while the subnet/VLAN of the PC is a VLAN subinterface. I wonder what would happen if you configured the server subnet/VLAN as a VLAN subinterface (marked as the native VLAN). Could you try that?

HTH

Rick

HTH

Rick

Edison Ortiz · ‎10-07-2006

You need to remove L3 information from the physical interface when configuring trunking on Cisco Routers. L3 information will go in the subinterfaces.

For information on how to configure trunking please see

http://www.cisco.com/en/US/tech/tk389/tk390/technologies_tech_note09186a00800949fc.shtml

It talks about ISL trunking but it's basically the same concept as dot1q.

____

Please rate helpful posts.

Thanks

gpopescu · ‎10-09-2006

I removed the L3 info from the main interface, and created a separate vlan for the dhcp server. When looking with the protocol analyzer, I can see that only the discover packet arrives at the server, and the server does not respond. So the ip helper works sience the discover arrives at the server. Also when debug ip udp on the router, I can see the forwarding of the broadcast towards the server (anyway when using debug ip dhcp paket and events I don't get any output).

I put the client in the same vlan with the server and it works to give an ip address form the same segment.

I am going to put the server on another physical interface to see the results. I'll keep you updated.

Thanks!

gabriel

gpopescu · ‎10-09-2006

Hello everybody,

Thank you for your help. Now the problem was solved. I think that this could be published on the Cisco web site: By default the service dhcp is enabled. When you secure your router every tutorial says that you have to disable it, if you don't need a dhcp server runnig on the router, but, no paper says that when you configure the ip helper-address you must have the service dhcp enabled !!! This was the problem and nothing else.

Thanks,

Gabriel

kirkster · ‎10-09-2006

You serious ? I must admit I have not tried this but it seems unbelievable. The box is not acting as DHCP server and just as an IP forwarder so why should the service dhcp make any difference?

I will check that one out in our lab.

Was your superscope OK after all?

Steve

gpopescu · ‎10-09-2006

Hi,

Yes this is true.

The superscope was OK, and I knew it, because the same configuration worked ok in another site, where an HP 5308xl is doing the L3 job and is forwarding the broadcasts to the W2003 dhcp server. (Without the supersope it did not work, because the server must give addresses for networks not in its subnets).

After you'll verify, please put the result here to help other people also. I think this is not documented and can be usefull for everybody.

Gabriel Popescu

weerapatr · ‎10-10-2006

Gabriel Popescu

You correct!! I try to do something like you I found when you use ip helper-address command you must enable dhcp service which is enabled by default.