Solved

Cisco WAN Sub-Interface DHCP not getting address

Posted on 2011-03-07
Last Modified: 2012-05-11
Hi everyone, just a quick question or re-affirming my belief

I have a dynamic IP from my ISP. I get a few from them but all dynamic. I run NAT behind my router. I have everything working perfectly on my FA0/1, which is a physical interface, and all my internal ones including my VLANs on FA0/0 work great.

But since I'm trying to establish another public IP from my cable modem (dynamic of course) on a sub-interface of my OUTSIDE one, which is FA0/1, it will not get an IP. Please review below and let me know if my FA0/1.80 is configured correctly, because I can't get it to get a DHCP address from my ISP.

I'm using a Cisco 2651XM router.

ROUTER3A-EXCHANGE#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up      
FastEthernet0/0.5          172.17.17.20    YES NVRAM  up                    up      
FastEthernet0/0.20         172.25.146.6    YES NVRAM  up                    up      
FastEthernet0/0.26         192.168.9.1     YES NVRAM  up                    up      
FastEthernet0/1            174.x.x.x   YES DHCP   up                    up      
FastEthernet0/1.80         unassigned      YES unset  up                    up <--------- THIS IS WHERE THE PROBLEM IS


interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id FastEthernet0/1
 ip access-group 3 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1.80
 description $FW_OUTSIDE$$ETH-WAN$
 encapsulation dot1Q 2
 ip access-group 3 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no cdp enable
0
Question by:mxrider_420
25 Comments
 
LVL 1

Author Comment

by:mxrider_420
ID: 35058645
Oh, and sorry, I saw above I am missing the DHCP client-id. When I add it, look what happens:

ROUTER3A-EXCHANGE(config-subif)#ip address dhcp client-id FastEthernet0/1.80
                                                                         ^
% Invalid input detected at '^' marker.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35058733
Hi,

you need:

interface FastEthernet0/1.80
 description $FW_OUTSIDE$$ETH-WAN$
 ip address DHCP
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35058817
Thanks.

Can you write that in full with what I have above so I can redo the interface via copy-paste?

Also, I don't really WANT a VLAN because there is no switching at this level of my network, but when I create a sub-interface I assume I need to specify one, correct? Above I have VLAN 2; there is no VLAN 2 on my network, not to mention this is my OUTSIDE interface I'm making the sub-interface on.

Please clarify, thanks.

0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35058938
OK, so it should look like this...

interface FastEthernet0/1.80
description $FW_OUTSIDE$$ETH-WAN$
ip address DHCP
encapsulation dot1Q NATIVE
ip access-group 3 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule out
ip virtual-reassembly
no cdp enable
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35059739
OK, so I called the ISP and they don't need to do anything to release a 2nd IP to you. So this is my config below. Take a look and see if you can help me out. It looks like the config is OK but it is not receiving any IP, even when I reboot my cable modem to try and give me that 2nd IP I so desperately need.

By the way, I changed it to .70 for a fresh start and deleted my other config! :)


interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 encapsulation dot1Q 1 native
 ip address dhcp
 ip access-group 3 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no cdp enable
!

ROUTER3A-EXCHANGE#show ip interface bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up      
FastEthernet0/0.5          172.17.17.20    YES NVRAM  up                    up      
FastEthernet0/0.20         172.25.146.6    YES NVRAM  up                    up      
FastEthernet0/0.26         192.168.9.1     YES NVRAM  up                    up      
FastEthernet0/1            174.5.180.x   YES DHCP   up                    up      
FastEthernet0/1.70         unassigned      YES DHCP   up                    up      <------------------- ?
NVI0                       unassigned      NO  unset  up                    up
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35059770
You need to fine-tune ACL 3:

 ip access-group 3 in

Please provide us "sh access-list 3"
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35059778
On the outside interface, "inspection in" needs to be configured:

https://learningnetwork.cisco.com/thread/13408
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35060397
ROUTER3A-EXCHANGE#sh access-list 3
Standard IP access list 3
    10 permit 192.168.1.57 (8694 matches)
    20 permit any (5615502 matches)


It's a simple rule. This rule is on my actual physical WIC interface too, fa0/1.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35060471
you need:

access-list 130 permit udp any eq bootps any eq bootpc

interface FastEthernet0/1.70
 no ip access-group 3 in
 ip access-group 130 in
 no ip inspect SDM_LOW out
 ip inspect SDM_LOW in
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35060591
Perfect, thanks, I'll try this now...

What is the SDM low for?
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35060709
Also, with an extended ACL such as the one you have above I cannot do host-based PAM. Are you suggesting I change my standard rule 3 to a 103 extended rule?
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061068
When I do this my entire internet doesn't work. I even added a permit any any to 130.

interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 encapsulation dot1Q 1 native
 ip address dhcp
 ip access-group 130 in
 ip redirects
 ip unreachables
 ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no cdp enable
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35061475
OK, please disable FW and ACL:
interface FastEthernet0/1.70
 no ip access-group 130 in
 no ip ips sdm_ips_rule out
 no ip inspect SDM_LOW in
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061516
Keep the vlan1 though?

So it should look like this: ...

interface FastEthernet0/1.70
encapsulation dot1Q 1 native
ip address dhcp
ip redirects
ip unreachables
ip proxy-arp
ip nat outside
ip virtual-reassembly
no cdp enable
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35061541
Yep...

Is it working?
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061567
Did not work. Again, when I add this interface it drops internet to the entire network... :S
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061585
I think I need the FW in there to tell it it's an outside network, but I'm not sure why it will not allow me to access the internet from fa0/1 even if the fa0/1.70 isn't configured correctly...
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35061602
Did you get an IP address from the new ISP or not?
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061623
Yes, they said it's automatic. Like, I'm assuming that a sub-interface acts as a real one. My router has 2 ports: one is physically plugged into the ISP-side modem and the other goes to the inside switch to the network.

Now having said this, I still can't understand why when 0/1.70 is configured the rest drop off even though fa0/1 KEEPS its IP.
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061841
THIS allows me to have the interface FA0/1.70 AND access the internet, but still not getting DHCP from the ISP, yet they STILL claim it should work. Any ideas?

ROUTER3A-EXCHANGE#sh access-list 109
Extended IP access list 109
    10 permit udp any eq 2525 any eq 2525
    20 permit tcp any eq 2525 any eq 2525
    30 permit udp any any (531 matches)
    40 permit tcp any eq smtp any eq smtp
    50 permit udp host 64.59.176.15 eq domain any
    60 permit tcp any any eq ftp
    70 permit tcp any any eq 443
    80 permit tcp any any eq www
    90 permit udp host 64.59.176.13 eq domain any
    100 permit udp host 74.54.82.185 eq ntp any eq ntp
    110 permit ahp any any
    120 permit esp any any
    130 permit udp any any eq isakmp
    140 permit udp any any eq non500-isakmp
    150 permit udp any eq bootps any eq bootps
    160 permit udp any eq bootps any eq bootpc
    170 permit icmp any any echo-reply
    180 permit icmp any any time-exceeded
    190 permit icmp any any unreachable
    200 deny ip 172.17.17.0 0.0.0.255 any
    210 permit ip any any log (3079 matches)

ROUTER3A-EXCHANGE#show ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up      
FastEthernet0/0.5          172.17.17.20    YES NVRAM  up                    up      
FastEthernet0/0.20         172.25.146.6    YES NVRAM  up                    up      
FastEthernet0/0.26         192.168.9.1     YES NVRAM  up                    up      
FastEthernet0/1            174.5.180.x   YES DHCP   up                    up      
FastEthernet0/1.70         unassigned      YES DHCP   up                    up


interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 encapsulation dot1Q 1 native
 ip address dhcp
 ip access-group 109 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no cdp enable
0
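Added example (not part of the thread and not any poster's code): a small first-match evaluator for the extended ACL entries quoted above, run against a constructed DHCP server reply (UDP source port 67, destination port 68). It shows that in ACL 109 the reply is already permitted by entry 30, `permit udp any any`, before the bootps entries 150 and 160 are reached, and that the single-entry ACL 130 permits the reply but drops other return traffic at the implicit deny. The parser covers only the `any`, `host`, wildcard and `eq` forms used here; the packet addresses and the sequence number 10 for ACL 130 are assumptions.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68}  # IOS port keywords used in the thread

# Entries copied from the thread's ACL 109 (subset, hit counters removed)
ACL_109 = """10 permit udp any eq 2525 any eq 2525
20 permit tcp any eq 2525 any eq 2525
30 permit udp any any
150 permit udp any eq bootps any eq bootps
160 permit udp any eq bootps any eq bootpc
200 deny ip 172.17.17.0 0.0.0.255 any
210 permit ip any any log"""
# The single entry suggested for ACL 130 (sequence number 10 assumed)
ACL_130 = "10 permit udp any eq bootps any eq bootpc"

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume an address spec, return (predicate, remaining tokens)."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        return (lambda ip, h=tok[1]: ip == h), tok[2:]
    net, wild = _ip(tok[0]), _ip(tok[1])  # wildcard bits are "don't care"
    return (lambda ip: (_ip(ip) | wild) == (net | wild)), tok[2:]

def _port(tok):
    """Consume an optional 'eq <port>', return (port or None, remaining)."""
    if tok[:1] == ["eq"]:
        p = tok[1]
        return (int(p) if p.isdigit() else PORTS[p]), tok[2:]
    return None, tok

def first_match(acl, proto, src, sport, dst, dport):
    """Return (sequence, action) of the first entry the packet matches."""
    for line in acl.splitlines():
        seq, action, aproto, *tok = line.split()
        src_ok, tok = _addr(tok)
        want_sport, tok = _port(tok)
        dst_ok, tok = _addr(tok)
        want_dport, tok = _port(tok)  # trailing keywords such as 'log' are ignored
        if (aproto in ("ip", proto) and src_ok(src) and dst_ok(dst)
                and want_sport in (None, sport) and want_dport in (None, dport)):
            return int(seq), action
    return None, "deny"  # implicit deny at the end of every IOS ACL

# Constructed packets: DHCP server reply (UDP 67 -> 68) and web return traffic
OFFER = ("udp", "198.51.100.1", 67, "255.255.255.255", 68)
WEB_REPLY = ("tcp", "198.51.100.80", 80, "203.0.113.10", 40000)
```

Calling `first_match(ACL_109, *OFFER)` and `first_match(ACL_130, *WEB_REPLY)` gives the two cases side by side.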
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35061906
you need to add:

ip access-list extended 109
 1 permit udp any eq bootpc any bootps
 2 permit udp any eq bootp2 any bootpc
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35061952
2 permit udp any eq bootp2 any bootpc
doesn't work. It gives an error. This is maddening.
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 35073417
Anyone?
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35120151
OK... try to disable the firewall:

interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 no ip access-group 109 in
 no ip inspect SDM_LOW out

Did you get an IP address?

0
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 500 total points
ID: 35120152
OK... try to disable the firewall:

interface FastEthernet0/1.70
 description $FW_OUTSIDE$$ETH-WAN$
 no ip access-group 109 in
 no ip inspect SDM_LOW out

Did you get an IP address?
0

Question has a verified solution.