Solved

Cisco 3560g IP HELPER problems with DHCP and second VLAN

Posted on 2006-06-06
Last Modified: 2010-05-18
I am having a problem with getting a second DHCP range from a Win2k server through a Cisco switch.  I have created a second VLAN and when I try to get an IP through it I get the range from VLAN1.  I am trying to create a second subnet to increase the number of IPs I have.  Currently I have a class C 192.168.100.x and I would like to add 192.168.200.x.

On my DHCP server (192.168.100.5) I have created a second scope 192.168.200.x and on the switch I have created a second VLAN.  The IP helper is set to 192.168.100.5.

When I try to get an IP I get a 192.168.100.x IP, not 192.168.200.x.

Here is my router config... thanks in advance!

version 12.2
service config
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname CMT3560_Server_Room
!
enable secret 5 $1$D3rC$mYqVJa9nbjoOi3hKvU58r.
!
ip subnet-zero
!
ip dhcp-server 192.168.100.5
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface GigabitEthernet0/29
!
interface GigabitEthernet0/30
!
interface GigabitEthernet0/31
!
interface GigabitEthernet0/32
!
interface GigabitEthernet0/33
!
interface GigabitEthernet0/34
!
interface GigabitEthernet0/35
!
interface GigabitEthernet0/36
 no switchport
 no ip address
 no ip route-cache
!
interface GigabitEthernet0/37
!
interface GigabitEthernet0/38
!
interface GigabitEthernet0/39
!
interface GigabitEthernet0/40
!
interface GigabitEthernet0/41
 no switchport
 no ip address
 no ip route-cache
!
interface GigabitEthernet0/42
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/49
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
 ip address 192.168.100.201 255.255.255.0
 no ip route-cache
!
interface Vlan2
 ip address 192.168.200.201 255.255.255.0
 ip helper-address 192.168.100.5
 no ip route-cache
!
ip classless
ip http server
!
snmp-server community public RO
snmp-server enable traps tty
!
control-plane
!
!
0
Comment
Question by:lgropper
14 Comments
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 16848190
NO ip dhcp-server 192.168.100.5...this is most likely your problem...you're telling the switch/router to run DHCP.

The IP helper command is used to point to a Windows server, hosting DHCP for multiple scopes.
Set up a scope for both subnets...and
I think it should look something like this..


!
interface Vlan1
 ip address 192.168.100.201 255.255.255.0
 ip helper-address 192.168.100.5
 no ip route-cache
!
interface Vlan2
 ip address 192.168.200.201 255.255.255.0
 ip helper-address 192.168.100.5
 no ip route-cache

Remember that your DHCP server should be allowed to see VLAN2, via a trunk port...can't remember....
The point of a VLAN is to segregate networks, not just expand class.
0
 

Author Comment

by:lgropper
ID: 16848358
I have removed the DHCP server and changed the VLANs to how you have it above.  It is still unable to grab an IP from 192.168.100.5.  Scope is all set up correctly.

I have a second NIC which I configured to 192.168.200.x and plugged that into the VLAN and got an IP.  So it has to be some issue with the helper...


Any other ideas you think?

Thanks,
0
 
LVL 5

Expert Comment

by:onlinerack
ID: 16848766
Hello lgropper,
Try this.... I think it is failing because the DHCP uses UDP to forward the packets; however, I do not see UDP forwarded in your configs, so they die on the router side.
Try this in the global config and not the interface:

ip forward-protocol udp 3001

I think 3001 is the port needed to relay the packets.... If it does not work, remove it and leave it like
ip forward-protocol udp
If this works then you know where the problem is..... Do not leave it with no port specification as it could flood your network with UDP broadcasts :)
Let me know if this helps.
Thanks,
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 16854511
I believe that you need to turn IP routing on with the switch.   In config mode, enter "ip routing".  This enables the switch to pass packets between the vlan interfaces.  After it is turned on, the dhcp scope for 192.168.200.x should point to 192.168.200.201 as the "router" or default gateway.  The server will also need a static route (or default route if one doesn't exist on the network already) pointing to 192.168.100.5  (static route on win2x server would be:  route add 192.168.200.0 mask 255.255.255.0 192.168.100.5 ).

After this gets DHCP working, be sure to add the lines:
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
to the config to prevent master browser issues.  By default the ip helper will forward all UDP broadcasts to the specified host.  This is bad for Windows workstations/servers as they default to UDP broadcasts for some lookups as well as determining master browsers for network enumeration.

Hope that helps.


0
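The relay behaviour this thread depends on, as an added example that is not part of the thread or of any vendor's code: a simplified Python model of how `ip helper-address` stamps the ingress SVI address into the BOOTP `giaddr` field and how a DHCP server uses that field (RFC 2131) to choose a scope. The packet, MAC address and function names are constructed for illustration; the IP addresses are the ones posted above.

```python
import ipaddress
import struct

# Scopes and server address as described in the thread; everything else is constructed.
SCOPES = [ipaddress.ip_network("192.168.100.0/24"),
          ipaddress.ip_network("192.168.200.0/24")]
SERVER_IP = ipaddress.ip_address("192.168.100.5")
HOPS_OFFSET = 3      # op, htype, hlen, then hops
GIADDR_OFFSET = 24   # fixed BOOTP header: giaddr follows ciaddr/yiaddr/siaddr


def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed DHCPDISCOVER as a client broadcasts it (giaddr 0.0.0.0)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), bytes(4),
                         mac, bytes(64), bytes(128))
    # magic cookie, option 53 (message type) = 1 (DISCOVER), end option
    return header + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"


def relay(packet: bytes, svi_ip: str) -> bytes:
    """Model of the relay on the ingress SVI: stamp giaddr, bump hops."""
    pkt = bytearray(packet)
    if pkt[GIADDR_OFFSET:GIADDR_OFFSET + 4] == bytes(4):
        # Only the first relay fills giaddr; later relays leave it alone.
        pkt[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.ip_address(svi_ip).packed
    pkt[HOPS_OFFSET] += 1
    return bytes(pkt)


def select_scope(packet: bytes):
    """Server side: a non-zero giaddr picks the scope, else the server's own subnet."""
    giaddr = ipaddress.ip_address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    key = giaddr if int(giaddr) != 0 else SERVER_IP
    return next((scope for scope in SCOPES if key in scope), None)


def demo():
    discover = build_discover(bytes.fromhex("020000000001"), 0x1234ABCD)
    unrelayed = select_scope(discover)                          # broadcast seen directly
    relayed = select_scope(relay(discover, "192.168.200.201"))  # via interface Vlan2
    return str(unrelayed), str(relayed)


if __name__ == "__main__":
    print(demo())
```

A DISCOVER that reaches the server with `giaddr` still 0.0.0.0 is answered from the scope of the server's own subnet, whatever VLAN the client was meant to be in.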
 

Author Comment

by:lgropper
ID: 16886385
Sorenson,

Thanks! All is working now except there is a strange problem with shares and printers... I am unable to connect to any printers or shares in the new subnet from vlan1, but if I am in vlan 2 I can connect to shares in vlan1 and vlan2.

It's only the one way!

Any ideas?
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 16886438
Sounds like a routing issue..
With the clients / servers, what are you using for the default gateway on vlan1 ? what on vlan2?
on the switch, do a "show ip route" and send it as well.

thanks!
0
 

Author Comment

by:lgropper
ID: 16886474
The gateway on vlan one is a firewall 192.168.100.71 which has a static route to the Cisco switch, and vlan2's gateway is the Cisco switch 192.168.150.201.  (I'm using 192.168.150.x/24 rather than 192.168.200.x/24 as stated above)

here is the show ip route

CMT3560_Server_Room#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.100.71 to network 0.0.0.0

C    192.168.150.0/24 is directly connected, Vlan2
C    192.168.100.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 192.168.100.71

Chad
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 16886539
What type of firewall is it?
On a test workstation with shares, change the default gateway to be the Cisco switch, and test.  A lot of firewalls do not permit ICMP redirects, as they see them as spoof attempts (packet goes in and out same interface), so they do not play well as routers...

Or if you cannot add a gateway to a test workstation/server, add the route manually:   on Windows:  route add 192.168.150.0 mask 255.255.255.0 192.168.100.201
and then test to and from that machine...
-s
0
 

Author Comment

by:lgropper
ID: 16886564
I tried with my laptop.  I am on vlan1 and I set my default gateway to 192.168.100.201 (Cisco switch) and I try to connect to a share at 192.168.150.64 without luck.  I am able to ping it and all but just can't connect.

It's a Nortel Contivity 1100, but if the firewall was blocking it, wouldn't it not let me connect to a share from vlan2 to vlan 1?


chad
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 16886606
If you change your gateway, the firewall should be out of the picture.

Try telnet to 192.168.150.64 139 and see if it answers (it won't display anything, but the telnet session will not close right away, enters should bring cursor down a line)....

any software firewalls on laptop of 192.168.150.64?

how are you trying to connect to the share and what type of error do you get back?
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 16886614
software firewall on laptop or 192.168.150.64 <-- sorry, typo on original
0
 

Author Comment

by:lgropper
ID: 16886680
My god... I've been banging my head over this for a few days... it was the Windows firewall, totally forgot about it.

What ports do I have to open to allow the shares and printing rather than turning it completely off?
0
 
LVL 10

Accepted Solution

by:
Sorenson earned 2000 total points
ID: 16886732
Open the Windows firewall, check the exceptions tab, and check file and print sharing.. I think TCP 139 and 445, and UDP 137 and 138... might need 135 TCP/UDP as well.

0
 

Author Comment

by:lgropper
ID: 16886744
Sorenson,

you are awesome... thanks for all the help!!! and fast replies!!
0
