Solved

Cisco WAN Sub-Interface DHCP not getting address

Posted on 2011-03-07
Last Modified: 2012-05-11
Hi everyone, just a quick question, or re-affirming my belief.

I have a dynamic IP from my ISP; I get a few from them, but all dynamic. I run NAT behind my router. I have everything working perfectly on my FA0/1, which is a physical interface, and all my internal ones, including my VLANs on FA0/0, work great.

But since I'm trying to establish another public IP from my cable modem (dynamic, of course) on a sub-interface of my OUTSIDE one, which is FA0/1, it will not get an IP. Please review below and let me know if my FA0/1.80 is configured correctly, because I can't get it to get a DHCP address from my ISP.

I'm using a Cisco 2651XM router.

ROUTER3A-EXCHANGE#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up      
FastEthernet0/0.5          172.17.17.20    YES NVRAM  up                    up      
FastEthernet0/0.20         172.25.146.6    YES NVRAM  up                    up      
FastEthernet0/0.26         192.168.9.1     YES NVRAM  up                    up      
FastEthernet0/1            174.x.x.x   YES DHCP   up                    up      
FastEthernet0/1.80         unassigned      YES unset  up                    up <--------- THIS IS WHERE THE PROBLEM IS


interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
  ip address dhcp client-id FastEthernet0/1
 ip access-group 3 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1.80
 description $FW_OUTSIDE$$ETH-WAN$
 encapsulation dot1Q 2
 ip access-group 3 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no cdp enable
Question by:mxrider_420
 
LVL 1

Author Comment

by:mxrider_420
ID: 35058645
Oh, and sorry, I saw above that I am missing the DHCP client ID. When I add it, look what happens:

ROUTER3A-EXCHANGE(config-subif)#ip address dhcp client-id FastEthernet0/1.80
                                                                         ^
% Invalid input detected at '^' marker.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35058733
Hi,

You need:

interface FastEthernet0/1.80
 description $FW_OUTSIDE$$ETH-WAN$
 ip address DHCP
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35058817
Thanks.

Can you write that in full with what I have above so I can redo the interface via copy-paste?

Also, I don't really WANT a VLAN because there is no switching at this level of my network, but when I create a sub-interface I assume I need to specify one, correct? Above I have VLAN 2; there is no VLAN 2 on my network, not to mention this is my OUTSIDE interface I'm making the sub-interface on.

Please clarify, thanks.

0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35058938
OK, so it should look like this...

interface FastEthernet0/1.80
description $FW_OUTSIDE$$ETH-WAN$
ip address DHCP
encapsulation dot1Q NATIVE
ip access-group 3 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule out
ip virtual-reassembly
no cdp enable
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35059739
OK, so I called the ISP and they don't need to do anything to release a 2nd IP to you. So this is my config below. Take a look and see if you can help me out. It looks like the config is OK, but it is not receiving any IP, even when I reboot my cable modem to try and give me that 2nd IP I so desperately need.

By the way, I changed it to .70 for a fresh start and deleted my other config! :)


interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 encapsulation dot1Q 1 native
 ip address dhcp
 ip access-group 3 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no cdp enable
!

ROUTER3A-EXCHANGE#show ip interface bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up      
FastEthernet0/0.5          172.17.17.20    YES NVRAM  up                    up      
FastEthernet0/0.20         172.25.146.6    YES NVRAM  up                    up      
FastEthernet0/0.26         192.168.9.1     YES NVRAM  up                    up      
FastEthernet0/1            174.5.180.x   YES DHCP   up                    up      
FastEthernet0/1.70         unassigned      YES DHCP   up                    up      <------------------- ?
NVI0                       unassigned      NO  unset  up                    up
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35059770
You need to fine-tune ACL 3:

 ip access-group 3 in

Please provide us "sh access-list 3".
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35059778
On the outside interface, "inspection in" needs to be configured:

https://learningnetwork.cisco.com/thread/13408
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35060397
ROUTER3A-EXCHANGE#sh access-list 3
Standard IP access list 3
    10 permit 192.168.1.57 (8694 matches)
    20 permit any (5615502 matches)


It's a simple rule; this rule is on my actual physical WIC interface too, fa0/1.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35060471
You need:

access-list 130 permit udp any eq bootps any eq bootpc

interface FastEthernet0/1.70
 no  ip access-group 3 in
ip access-group 130 in
 no  ip inspect SDM_LOW out
  ip inspect SDM_LOW in
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35060591
Perfect, thanks, I'll try this now...

What is the SDM low for?
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35060709
Also, with an extended ACL such as the one you have above I cannot do host-based PAM. Are you suggesting I change my standard rule 3 to a 103 extended rule?
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061068
When I do this my entire internet doesn't work. I even added a permit any any to 130.

interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 encapsulation dot1Q 1 native
  ip address dhcp
  ip access-group 130 in
  ip redirects
  ip unreachables
  ip proxy-arp
  ip nat outside
  ip inspect SDM_LOW in
  ip ips sdm_ips_rule out
  ip virtual-reassembly
 no cdp enable
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35061475
OK, please disable FW and ACL:
interface FastEthernet0/1.70
no   ip access-group 130 in
no   ip ips sdm_ips_rule out
no   ip inspect SDM_LOW in
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061516
Keep the VLAN 1 though?

So it should look like this:

interface FastEthernet0/1.70
encapsulation dot1Q 1 native
ip address dhcp
ip redirects
ip unreachables
ip proxy-arp
ip nat outside
ip virtual-reassembly
no cdp enable
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35061541
Yep...

Is it working?
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061567
Did not work. Again, when I add this interface it drops internet to the entire network... :S
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061585
I think I need the FW in there to tell it it's an outside network. But I'm not sure why it will not allow me to access the internet from fa0/1 even if the fa0/1.70 isn't configured correctly...
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35061602
Did you get an IP address from the new ISP or not?
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061623
Yes, they said it's automatic. I'm assuming that a sub-interface acts as a real one. My router has 2 ports: one is physically plugged into the ISP-side modem and the other goes to the inside switch to the network.

Now, having said this, I still can't understand why, when 0/1.70 is configured, the rest drop off even though fa0/1 KEEPS its IP.
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061841
THIS allows me to have the interface FA0/1.70 AND access the internet, but I'm still not getting DHCP from the ISP, yet they STILL claim it should work. Any ideas?

ROUTER3A-EXCHANGE#sh access-list 109
Extended IP access list 109
    10 permit udp any eq 2525 any eq 2525
    20 permit tcp any eq 2525 any eq 2525
    30 permit udp any any (531 matches)
    40 permit tcp any eq smtp any eq smtp
    50 permit udp host 64.59.176.15 eq domain any
    60 permit tcp any any eq ftp
    70 permit tcp any any eq 443
    80 permit tcp any any eq www
    90 permit udp host 64.59.176.13 eq domain any
    100 permit udp host 74.54.82.185 eq ntp any eq ntp
    110 permit ahp any any
    120 permit esp any any
    130 permit udp any any eq isakmp
    140 permit udp any any eq non500-isakmp
    150 permit udp any eq bootps any eq bootps
    160 permit udp any eq bootps any eq bootpc
    170 permit icmp any any echo-reply
    180 permit icmp any any time-exceeded
    190 permit icmp any any unreachable
    200 deny ip 172.17.17.0 0.0.0.255 any
    210 permit ip any any log (3079 matches)

ROUTER3A-EXCHANGE#show ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up      
FastEthernet0/0.5          172.17.17.20    YES NVRAM  up                    up      
FastEthernet0/0.20         172.25.146.6    YES NVRAM  up                    up      
FastEthernet0/0.26         192.168.9.1     YES NVRAM  up                    up      
FastEthernet0/1            174.5.180.x   YES DHCP   up                    up      
FastEthernet0/1.70         unassigned      YES DHCP   up                    up


interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 encapsulation dot1Q 1 native
 ip address dhcp
 ip access-group 109 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no cdp enable
0
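First-match evaluation of the ACLs posted in this thread, as an added example that is not part of the original posts. The function names, the sample packets (documentation addresses) and sequence number 10 for ACL 130 are assumptions; ICMP types and the log keyword are ignored.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68}  # IOS port keywords used below
# Excerpt of ACL 109 from the post (counters dropped; 40-140, 170-190 omitted).
ACL_109 = """
10 permit udp any eq 2525 any eq 2525
20 permit tcp any eq 2525 any eq 2525
30 permit udp any any
150 permit udp any eq bootps any eq bootps
160 permit udp any eq bootps any eq bootpc
200 deny ip 172.17.17.0 0.0.0.255 any
210 permit ip any any log
"""
# ACL 130 from the thread; sequence number 10 is assumed.
ACL_130 = "10 permit udp any eq bootps any eq bootpc"

def ip(a):
    return int(ipaddress.IPv4Address(a))

def _addr(tok):
    # any | host A | A WILDCARD  ->  (address, mask of bits that must match)
    first = tok.pop(0)
    if first == "any":
        return 0, 0
    if first == "host":
        return ip(tok.pop(0)), 0xFFFFFFFF
    return ip(first), ~ip(tok.pop(0)) & 0xFFFFFFFF

def _port(tok):
    # optional "eq PORT" -> port number, or None when no port is given
    if tok[:1] != ["eq"]:
        return None
    name = tok[1]
    del tok[:2]
    return PORTS.get(name) or int(name)

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto = int(tok.pop(0)), tok.pop(0), tok.pop(0)
        entries.append((seq, action, proto, _addr(tok), _port(tok), _addr(tok), _port(tok)))
    return entries

def first_match(entries, proto, src, sport, dst, dport):
    for seq, action, p, (sn, sm), sp, (dn, dm), dp in entries:
        if (p in ("ip", proto) and (ip(src) & sm) == (sn & sm) and (ip(dst) & dm) == (dn & dm)
                and sp in (None, sport) and dp in (None, dport)):
            return seq, action
    return None, "deny"  # implicit deny ends every IOS ACL
```

For a DHCP offer (UDP 67 to 68), `first_match(parse_acl(ACL_109), "udp", "192.0.2.1", 67, "255.255.255.255", 68)` returns `(30, "permit")`: the broad entry 30 accepts it before entries 150 and 160 are reached. With the single-entry ACL 130, anything other than bootps-to-bootpc traffic falls through to the implicit deny.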
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35061906
You need to add:

ip access-list extended 109
 1 permit udp any eq bootpc any bootps
 2 permit udp any eq bootp2 any bootpc
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061952
2 permit udp any eq bootp2 any bootpc
 doesn't work. It gives an error. This is maddening.
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35073417
Anyone?
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35120151
OK... try to disable the firewall:

interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 no  ip access-group 109 in
 no ip inspect SDM_LOW out

Did you get an IP address?

0
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 500 total points
ID: 35120152
OK... try to disable the firewall:

interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 no  ip access-group 109 in
 no ip inspect SDM_LOW out

Did you get an IP address?
0
