vmagan
asked on
Unable to access the DHCP when computer is on a different VLAN - Cisco Switch
I have a PC on VLAN 20. I have configured the ip-helper command on the interface on the Cisco switch, but the PC is not reaching the DHCP server, which is 10.10.10.6. What should I be using as a gateway for the additional VLANs? The PC doesn't get online even with static info of the following:
IP address: 10.10.20.100/24
Gateway: 10.10.20.250 or 10.10.20.1
DNS: 10.10.10.6
DHCP: 10.10.10.6
VLAN 20: 10.10.20.250/24
Please see configs below:
#sho run int vlan 20
Building configuration...
Current configuration : 93 bytes
!
interface Vlan20
ip address 10.10.20.250 255.255.255.0
ip helper-address 10.10.10.6
end
#sho vlan
VLAN Name Status Ports
---- -------------------------- ------ --------- -------------------------- -----
1 default active
10 DESKTOPS active Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5, Fa1/0/6, Fa1/0/7, Fa1/0/8, Fa1/0/9, Fa1/0/10, Fa1/0/11, Fa1/0/12, Fa1/0/13, Fa1/0/14, Fa1/0/15, Fa1/0/16, Fa1/0/21, Fa1/0/22, Fa1/0/23, Fa1/0/24
Fa1/0/25, Fa1/0/26, Fa1/0/27, Fa1/0/28, Fa1/0/29, Fa1/0/30, Fa1/0/31, Fa1/0/32, Fa1/0/33, Fa1/0/34, Fa1/0/35, Fa1/0/36, Fa1/0/37, Fa1/0/38, Fa1/0/39, Fa1/0/40, Fa1/0/41, Fa1/0/42, Fa1/0/43
Fa1/0/44, Fa1/0/45, Fa1/0/46, Fa1/0/47, Fa1/0/48, Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
20 GUEST-VLAN active Fa1/0/18, Fa1/0/19, Fa1/0/20
30 WIRELESS active
40 SERVERS active
#sho int trunk
Port Mode Encapsulation Status Native vlan
Fa1/0/17 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa1/0/17 1-4094
Port Vlans allowed and active in management domain
Fa1/0/17 1,10,20,30,40
Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/17 1,10,20,30,40
#sho ip int br
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan10 10.10.10.250 YES NVRAM up up
Vlan20 10.10.20.250 YES manual up up
Vlan30 10.10.30.250 YES manual up up
Vlan40 10.10.40.250 YES manual up up
Let me know if there is anything you guys might need.
Thanks
DHCP-server-scope-settings.PNG
ASKER
Gave the PC static 10.10.20.100/24, gateway 10.10.20.250. Cannot ping the VLAN 20 interface or 10.10.10.250, which is the native VLAN. Cannot ping 10.10.10.6 (DHCP server).
When on the switch I can ping 10.10.20.250 (VLAN 20); I cannot ping the PC from the switch.
#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 4 subnets
C 10.10.10.0 is directly connected, Vlan10
C 10.10.20.0 is directly connected, Vlan20
C 10.10.30.0 is directly connected, Vlan30
C 10.10.40.0 is directly connected, Vlan40
I have a Cisco ASA also connected to the switch.
Check that the Windows Firewall is switched off on the workstation - this can be configured to block ICMP which is misleading when troubleshooting with the ping and tracert tools. Also, validate that you can ping the workstation's own IP address. This should rule out any issue with the workstation itself.
If the ping test from the workstation to its default gateway still fails, run the following from the Command Prompt and see whether the IP and MAC address of the switch is listed:
arp -a
Similarly, from the switch run the following command to check whether the IP and MAC address of the workstation is listed:
show arp
Which port on the switch are you connecting the client to?
Can you show us the config for that port?
ASKER
The PC is connected to port 17. See below:
#sho run int fa 1/0/17
Building configuration...
Current configuration : 148 bytes
!
interface FastEthernet1/0/17
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
speed 100
end
This is the problem. Port 17 is a trunk port. The workstation needs to be connected to ports 18, 19, or 20.
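Why the PC on port 17 could not reach the VLAN 20 interface, shown as an added example that is not part of the thread: once "switchport mode trunk" is set, "switchport access vlan 20" has no effect and untagged frames from the PC land in the native VLAN, which the "sho int trunk" output above lists as 1. The Fa1/0/18 stanza is a hypothetical access-port configuration for comparison, and treating every non-trunk port as an access port is an assumption.

```python
import re

# Constructed input: the switchport lines of the port-17 stanza from the thread,
# plus a hypothetical access-port stanza (the real Fa1/0/18 config is not posted).
RUNNING_CONFIG = """\
interface FastEthernet1/0/17
 switchport access vlan 20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet1/0/18
 switchport access vlan 20
 switchport mode access
!
"""

def parse_interfaces(config):
    """Split a running-config excerpt into {interface name: [stanza lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("!", "end", ""):
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def untagged_vlan(lines):
    """Return (mode, VLAN in which untagged frames from an end host land)."""
    text = "\n".join(lines)
    def value(key):
        m = re.search(rf"^switchport {key} vlan (\d+)$", text, re.M)
        return int(m.group(1)) if m else 1  # VLAN 1 is the default for both
    if "switchport mode trunk" in lines:
        # Trunk mode ignores the access VLAN; untagged frames use the native VLAN.
        return "trunk", value("trunk native")
    return "access", value("access")  # assumption: non-trunk means access

def audit(config):
    """Map each trunking port to (configured access VLAN, actual untagged VLAN)."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode, vlan = untagged_vlan(lines)
        m = re.search(r"^switchport access vlan (\d+)$", "\n".join(lines), re.M)
        if mode == "trunk" and m:
            findings[name] = (int(m.group(1)), vlan)
    return findings
```

For the port-17 stanza the audit reports access VLAN 20 configured but untagged traffic in VLAN 1, whose interface (Vlan1) is administratively down with no address in the "sho ip int br" output.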
ASKER
Firewall on the PC is turned off.
arp -a on the PC shows only the switch int VLAN 20 10.10.20.250, but the MAC is all 0's and shows as invalid.
The PC is not being displayed in sho arp.
#sho arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.2 60 c0c1.c016.6040 ARPA Vlan10
Internet 10.10.10.1 81 001e.bed0.f0b0 ARPA Vlan10
Internet 10.10.10.6 0 eec8.cf3f.5363 ARPA Vlan10
Internet 10.10.10.125 4 0090.a99d.ceb9 ARPA Vlan10
Internet 10.10.10.138 149 001d.4fe3.5ae1 ARPA Vlan10
Internet 10.10.10.137 89 1cab.a761.361b ARPA Vlan10
Internet 10.10.10.130 14 fcc2.de20.1f33 ARPA Vlan10
Internet 10.10.10.131 17 0004.f22a.508c ARPA Vlan10
Internet 10.10.10.128 0 5ca3.9d36.36ec ARPA Vlan10
Internet 10.10.10.132 127 0090.a99d.ceb9 ARPA Vlan10
Internet 10.10.10.150 0 c81f.66b1.6696 ARPA Vlan10
Internet 10.10.40.250 - 0012.43b6.9ac2 ARPA Vlan40
Internet 10.10.30.250 - 0012.43b6.9ac4 ARPA Vlan30
Internet 10.10.20.250 - 0012.43b6.9ac3 ARPA Vlan20
Internet 10.10.10.250 - 0012.43b6.9ac1 ARPA Vlan10
ASKER
I just made it a trunk. I will put on port 18 now and post back right away. Stay tuned.
ASKER
Still no go. What should I assign as the gateway for that machine? 10.10.20.250 or 10.10.10.1 (firewall and gateway for all other PCs that are on the main VLAN, which is VLAN 10)?
ASKER
sho run int vlan 20
Building configuration...
Current configuration : 93 bytes
!
interface Vlan20
ip address 10.10.20.250 255.255.255.0
ip helper-address 10.10.10.6
end
ASKER
I believe the issue is on my ASA.
Take a look at my routing table. The additional networks are not there.
Gateway of last resort is x.x.x.x to network 0.0.0.0
C 10.10.10.0 255.255.255.0 is directly connected, inside
C x.x.x.x 255.255.255.248 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside
Please post the configuration for port 18 (where the workstation is now connected).
The gateway for the workstation has to be an IP address in its own range, so 10.10.20.250.
ASKER
What cmd is needed to add here?
conf t
route inside 10.10.20.0 255.255.255.0 10.10.10.1 ?
10.10.10.1 is the firewall.
When I try to add that I get the following message:
***Invalid next hop address, it belongs to one of our interfaces
First of all, you need to make sure you can ping from workstation to default gateway address (VLAN120 SVI) and vice versa. We can then look at the ASA.
The cleanest solution is to connect the Cisco ASA to your LAN via a trunked port rather than an access port on VLAN10 as is the case now. Like that you can have inside IP addresses on the Cisco ASA of 10.10.10.1 (VLAN10) and 10.10.20.1 (VLAN20). Workstations on VLAN20 would use 10.10.20.1 as their default gateway (the Cisco ASA) to be uniform with VLAN10.
The alternative is to set up static routes on your LAN switch and Cisco ASA to route traffic to / from VLAN20 (not nice!)
ASKER
Gave the PC the following:
10.10.20.110/24
Gateway: 10.10.20.250
I can ping the gateway, and from the switch I can ping the PC.
Now let's check the ASA.
ASKER
I want to create static routes. Only a few, so it shouldn't be that bad.
ASKER
Setting up the ASA port as a trunk now. What is the next step?
ASKER
Whenever I try to turn the ASA port into a trunk port I lose internet connection. The below is what I was attempting.
Port where the ASA firewall is connected:
sho run int fa 1/0/48
Building configuration...
Current configuration : 175 bytes
!
interface FastEthernet1/0/48
description Cisco ASA
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
speed 100
end
Just seen your latest post where you have decided to set up a trunk port rather than static routes. This is the preferred option.
Regarding your configuration of port FastEthernet1/0/48, you need to remove the line:
switchport access vlan 10
Add:
switchport trunk allowed vlan 10,20
switchport trunk native vlan [xxx]
You also need to define the port on the Cisco ASA side as a trunk port and specify the two VLANs (10, 20) and their addresses (10.10.10.1, 10.10.20.1).
ASKER
OK, thanks.
What is the cmd that I should be putting in the ASA?
It depends on the specific configuration of your Cisco ASA. If you post the configuration I can get back to you as I am going offline in a few minutes. In the interim you can try the static routing solution that I posted earlier.
Remove any sensitive information from your configuration before posting.
I'm sure I just said that... :-)
Also post the complete config from your switch (without passwords, etc).
ASKER
This route was added to get internet access on that VLAN:
nat (inside,outside) after-auto source dynamic any interface
The only issue remaining is that I cannot ping 10.10.10.6 (DHCP server) from any other VLAN.
What do I need to add to be able to ping that server?
ASKER
OK, so I changed the .6 DHCP gateway to 10.10.10.250 and I can now get a DHCP address and get online. Thanks for the help, guys.
Step 1:
Ensure that the workstation is connected to VLAN20 (that is, connected to switch port 18, 19 or 20).
Step 2:
Apply the static TCP/IP details (as per your question) to the workstation on VLAN20 and validate whether you can ping the default gateway (10.10.20.250) from that workstation. If you cannot, try to ping it from the switch instead. If neither of these works, revalidate the configuration of VLAN20.
Step 3:
Try to ping from the workstation on VLAN20 to a workstation / server on a different VLAN but on the same switch ideally. If this does not work, validate your IP routing. Run a show ip route and check the output (post if required). Is the switch whose configuration you have shown doing the IP routing or is a different switch / router responsible?
I hope this is helpful.
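Why changing the DHCP server's gateway resolved the thread, shown as an added example that is not part of the original posts: a longest-prefix-match lookup over the two routing tables posted above, tracing where the server's reply to the relay address 10.10.20.250 (the Vlan20 interface carrying the helper address) is sent. The server's original gateway of 10.10.10.1 is an assumption, based on the asker describing it as the gateway for the VLAN 10 hosts.

```python
import ipaddress

# Routing tables as posted in the thread. "outside" stands for the ASA's
# default route, whose next hop is masked as x.x.x.x on the page.
TABLES = {
    "switch": {"10.10.10.0/24": "Vlan10", "10.10.20.0/24": "Vlan20",
               "10.10.30.0/24": "Vlan30", "10.10.40.0/24": "Vlan40"},
    "asa": {"10.10.10.0/24": "inside", "0.0.0.0/0": "outside"},
}
# Which device answers for each candidate gateway address on VLAN 10.
GATEWAYS = {"10.10.10.250": "switch", "10.10.10.1": "asa"}

def lookup(device, dst):
    """Longest-prefix match: return (network, egress interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in TABLES[device].items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def reply_path(server_gw, dst):
    """Trace an off-link reply from the DHCP server through its gateway.

    Returns (device, egress interface, delivered). The reply is delivered
    only when the gateway has a connected route for dst; matching the
    default route sends it away from the internal VLANs.
    """
    device = GATEWAYS[server_gw]
    route = lookup(device, dst)
    if route is None:
        return (device, None, False)
    net, iface = route
    return (device, iface, net.prefixlen > 0)

if __name__ == "__main__":
    relay = "10.10.20.250"  # address the relayed request carries as its source
    for gw in ("10.10.10.1", "10.10.10.250"):
        print(gw, reply_path(gw, relay))
```

The same lookup explains the failed pings to 10.10.10.6 from the other VLANs: the request arrives through the switch, but the reply follows the server's own gateway.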