From: Huan Pham (Huan.Pham@peopletelecom.com.au)
Date: Thu Aug 28 2008 - 23:26:59 ART
Hi Jack,
For this type of problem, you need to do "debug ip packets detail" to
see what's going on. Your DHCP clients do not get an IP assigned, because
their requests are blocked by your ACL.
Look at the debug output below (on the switch):
01:47:19: IP: s=0.0.0.0 (Vlan30), d=255.255.255.255, len 604, rcvd 1
01:47:19: UDP src=68, dst=67
01:47:19: IP: tableid=0, s=10.53.8.1 (local), d=10.53.8.201 (Vlan30),
routed via RIB
The DHCP requests are sent as broadcast messages from 0.0.0.0 (as
clients do not know their IP originally), with UDP source port 68 and UDP
destination port 67. They are denied, because the source IP (0.0.0.0) does
not belong to your LAN subnets.
You need to "permit ip any any" instead of "permit ip 10.53.8.0
0.0.0.255 any", or if you want to go more specific, you can do "permit
udp any eq bootpc any eq bootps" as David suggested.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
David Prall
Sent: Friday, 29 August 2008 1:35 AM
To: 'Jack Tsai'; 'omar parihuana'
Cc: 'Cisco certification'
Subject: RE: DHCP is not working 3560G
permit udp any eq bootpc any eq bootps
-- http://dcp.dcptech.com

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Jack Tsai
> Sent: Thursday, August 28, 2008 11:14 AM
> To: omar parihuana
> Cc: Cisco certification
> Subject: Re: DHCP is not working 3560G
>
> What about using "out" instead of "in" on the interface Vlan30?
>
> Jack
>
> omar parihuana wrote:
> > Hi Group,
> >
> > I've configured a Switch 3560G with 3 SVIs in order to do VLAN routing:
> >
> > !
> > interface Vlan10
> > description VLAN 10
> > ip address 10.53.0.253 255.255.255.0
> > !
> > interface Vlan20
> > description VLAN 20
> > ip address 10.53.5.1 255.255.255.0
> > !
> > interface Vlan30
> > description VLAN 30
> > ip address 10.53.8.1 255.255.255.0
> > !
> > ip route 0.0.0.0 0.0.0.0 10.53.0.1
> > !
> >
> > After that I've configured a DHCP pool in order to assign IP addresses
> > only to VLAN 30; the conf is:
> >
> > !
> > !
> > ip dhcp excluded-address 10.53.8.1 10.53.8.199
> > ip dhcp pool DCHP
> > network 10.53.8.0 255.255.255.0
> > default-router 10.53.8.1
> > dns-server 200.41.96.24 200.41.96.26
> > !
> >
> > After that, hosts in VLAN 30 are assigned an IP address correctly and the
> > inter-VLAN routing is working fine, but as I need VLAN 30 to only reach
> > external networks (Internet) and not the other networks (VLAN 10 and VLAN 20),
> > I've created an access-list:
> > !
> > ip access-list extended BLOCKING-VLAN
> > permit ip 10.53.8.0 0.0.0.255 host 10.53.0.1
> > deny ip 10.53.8.0 0.0.0.255 10.53.0.0 0.0.0.255 log
> > deny ip 10.53.8.0 0.0.0.255 10.53.5.0 0.0.0.255 log
> > permit ip 10.53.8.0 0.0.0.255 any
> > !
> >
> > !
> > interface Vlan30
> > description VLAN 30
> > ip address 10.53.8.1 255.255.255.0
> > ip access-group BLOCKING-VLAN in
> > !
> >
> > The first sentence in the ACL is necessary to reach the default gateway in
> > VLAN 10 (see default route above). Apparently all is working well: the hosts
> > in VLAN 30 don't reach the servers in VLAN 10 and VLAN 20, but DHCP IS NOT
> > WORKING! No IP address is assigned to hosts. After checking the debugs, I
> > noticed that when the access-list is applied to Int VLAN30 the switch is not
> > aware of the DHCP request. DHCPD: DHCPDISCOVER is never received by the
> > switch. But when I removed the access-list then DHCP was working well, so
> > how should I configure the access-list in order to allow DHCP in VLAN 30
> > while the hosts in VLAN 30 don't communicate with the other VLANs? Or maybe
> > change the DHCP configuration, but how?
> >
> > Rgds.
>
> Blogs and organic groups at http://www.ccie.net
>
> ______________________________________________________________
> _________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
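The ACL behaviour Huan and David describe, replayed in code. This is an added example, not something posted in the thread: a small first-match ACL evaluator (with the implicit deny an IOS ACL ends in) is run over constructed packets that mirror the debug line above, against omar's BLOCKING-VLAN list as posted, against the same list with David's `permit udp any eq bootpc any eq bootps` added, and against Huan's alternative of ending the list with `permit ip any any`. The server address 10.53.0.10 and the non-VLAN-30 source 192.168.1.1 are assumptions chosen for the illustration; the other addresses come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORTS = {"bootps": 67, "bootpc": 68}   # the two port keywords used in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp" or "tcp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None
    dport: Optional[int] = None


def _addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (IOS wildcard mask)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)   # wildcard -> netmask
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2


def _port(t, i):
    """Parse an optional 'eq <port|keyword>' qualifier."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORTS[p] if p in PORTS else int(p)), i + 2
    return None, i


def parse_ace(line):
    """Parse one extended-ACL entry; a trailing 'log' keyword is ignored."""
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Ace(t[0], t[1], src, dst, sport, dport)


def matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in ace.src
            and ipaddress.IPv4Address(pkt.dst) in ace.dst
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))


def evaluate(acl, pkt):
    """First matching entry decides; nothing matched means the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny (implicit)"


# BLOCKING-VLAN as posted (without the 'ip access-list extended' header line).
ORIGINAL = [parse_ace(l) for l in (
    "permit ip 10.53.8.0 0.0.0.255 host 10.53.0.1",
    "deny ip 10.53.8.0 0.0.0.255 10.53.0.0 0.0.0.255 log",
    "deny ip 10.53.8.0 0.0.0.255 10.53.5.0 0.0.0.255 log",
    "permit ip 10.53.8.0 0.0.0.255 any",
)]
# David's entry, placed first; any position before the implicit deny would do
# here, since none of the deny entries matches a 0.0.0.0 source.
FIXED = [parse_ace("permit udp any eq bootpc any eq bootps")] + ORIGINAL
# Huan's alternative: replace the final permit with 'permit ip any any'.
BROAD = ORIGINAL[:3] + [parse_ace("permit ip any any")]

# Constructed packets, not captured traffic. DISCOVER mirrors the debug line
# "s=0.0.0.0 ... d=255.255.255.255 ... UDP src=68, dst=67".
DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)
TO_VLAN10_SERVER = Packet("10.53.8.201", "10.53.0.10", "tcp", 40000, 80)   # 10.53.0.10 assumed
TO_GATEWAY = Packet("10.53.8.201", "10.53.0.1", "tcp", 40000, 443)
TO_INTERNET = Packet("10.53.8.201", "200.41.96.24", "udp", 40000, 53)
SPOOFED = Packet("192.168.1.1", "200.41.96.24", "tcp", 40000, 80)          # source assumed, not in VLAN 30


def verdicts(acl):
    """Map each constructed packet name to the ACL's decision for it."""
    pkts = {"DISCOVER": DISCOVER, "TO_VLAN10_SERVER": TO_VLAN10_SERVER,
            "TO_GATEWAY": TO_GATEWAY, "TO_INTERNET": TO_INTERNET, "SPOOFED": SPOOFED}
    return {name: evaluate(acl, p) for name, p in pkts.items()}


if __name__ == "__main__":
    for label, acl in (("ORIGINAL", ORIGINAL), ("FIXED", FIXED), ("BROAD", BROAD)):
        print(label, verdicts(acl))
```

Running it shows the DISCOVER falling through to the implicit deny of the posted list, being permitted by the list with David's entry, and the VLAN 10 / VLAN 20 blocking and the gateway exception still behaving as before. It also shows why the narrow UDP entry is the better of the two suggested fixes from a security point of view: `permit ip any any` at the end of an inbound ACL also admits packets whose source is not in 10.53.8.0/24 (the SPOOFED packet), which the original list and the list with the bootpc/bootps entry both drop.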
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:33 ART