
Cisco 1760-v DHCP?

Status
Not open for further replies.

reili

Technical User
Jun 27, 2002
We are about to set up a Cisco 1760-v as a DHCP server.
The problem is that it is not giving out IP addresses.
Do you have to enable DHCP?
If so, how?
!
ip dhcp excluded-address 172.16.200.1 172.16.200.127
!
ip dhcp pool LocalPool
network 172.16.200.0 255.255.255.0
default-router 172.16.200.1
dns-server 153.259.173.190 153.259.173.191
domain-name domain.com
!



Reili
Need IP!
 
You probably want to post your whole config. Did you put the ip nat inside/outside command on the interfaces?
 
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname host
!
logging buffered 100000 debugging
enable secret 1234
!
ip subnet-zero
ip classless
no ip finger
no ip source-route
no ip domain-lookup
no logging console

logging buffered 100000 debugging

interface serial0/0
description Link
ip address 192.22.124.1 255.255.255.248
ignore-dcd
no keepalive
hold-queue 150 out
hold-queue 2 in
ip nat outside
ip access-group 199 in
no cdp enable
no shutdown

interface FastEthernet0/0
description Local
ip address 172.16.200.1 255.255.255.0
ip nat inside
ip access-group 198 in
no shutdown
!
ip dhcp excluded-address 172.16.200.1 172.16.200.127
!
ip dhcp pool Local
network 172.16.200.0 255.255.255.0
default-router 172.16.200.1
dns-server 153.259.173.190 153.259.173.191
domain-name domain.com
netbios-node-type b-node
lease 30
!
ip route 0.0.0.0 0.0.0.0 192.22.124.2
!
ip nat inside source list 155 interface Serial0/0 overload
!
no ip http server
!
access-list 123 remark ACL_VTY_LOGGING
access-list 123 permit ip 172.16.200.0 0.0.0.255 any log
!
access-list 155 remark ACL_PAT
access-list 155 permit ip 172.16.200.0 0.0.0.255 any
!
access-list 198 remark ACL_INTERNAL_FILTER
access-list 198 deny ip any 0.0.0.255 255.255.255.0
access-list 198 permit ip any any
!
access-list 199 remark ACL_EXTERNAL_FILTER
access-list 199 deny ip 0.0.0.255 255.255.255.0 any
access-list 199 deny ip 172.16.200.0 0.0.0.255 any
access-list 199 permit tcp any host 192.22.124.1 established
access-list 199 permit udp any eq domain host 192.22.124.1
access-list 199 permit icmp any host 192.22.124.1 echo-reply
access-list 199 permit icmp any host 192.22.124.1 time-exceeded
access-list 199 permit icmp any host 192.22.124.1 unreachable
access-list 199 deny ip any any log
!
line vty 0 4
access-class 123 in
password 123456
login
!
end
 
I found the fault.
Too much filter.
When I removed
ip access-group 199 in
and
ip access-group 198 in
It worked.

 
Hi reili,

If you removed these two statements: ip access-group 199 in; ip access-group 198 in, how can you maintain the security you did before the changes?
 
I would leave the access-group 199 applied to your Serial interface inbound, but I think you messed up on your ACL 198.

access-list 198 remark ACL_INTERNAL_FILTER
access-list 198 deny ip any 0.0.0.255 255.255.255.0
access-list 198 permit ip any any

That is going to filter anything that has a 255 in the 4th octet. From your configs it looks like your FastEthernet0/0 is using the IP block 172.16.200.1/24, which means its broadcast IP is 172.16.200.255.
When a machine boots up and requests an IP address from the DHCP server, it sends out a broadcast on the wire. The broadcast will be to the 172.16.200.255 address. Then, once it reaches the interface, that is filtered and the DHCP server in the router doesn't receive the request. Remember that inbound ACLs are ALWAYS processed as soon as a packet enters an interface. So that is why it wasn't working until you removed that ACL. Just for future reference.

Let me know if this helps.

Burke
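
Added example, not part of the original thread: a small Python model of first-match ACL evaluation with Cisco wildcard masks, run against ACL 198 as posted. A DHCPDISCOVER is sent from 0.0.0.0 port 68 to 255.255.255.255 port 67, so it also has 255 in the fourth octet; the extra "permit udp any eq bootpc any eq bootps" entry and the sample packets are assumptions made for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wild_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "ignore this bit", a 0 bit means "must match".
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")  # the IOS keyword "any"

# ACL 198 as posted in the thread (applied inbound on FastEthernet0/0).
# Entry layout: (action, protocol, source, source port, destination, destination port)
ACL_198 = [
    ("deny", "ip", ANY, None, ("0.0.0.255", "255.255.255.0"), None),
    ("permit", "ip", ANY, None, ANY, None),
]

# Assumed fix: "access-list 198 permit udp any eq bootpc any eq bootps" ahead of the deny.
ACL_198_FIXED = [("permit", "udp", ANY, 68, ANY, 67)] + ACL_198

def evaluate(acl, pkt):
    """Return the action of the first matching entry; every IOS ACL ends in an implicit deny."""
    for action, proto, (src, swc), sport, (dst, dwc), dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not wild_match(pkt["src"], src, swc) or not wild_match(pkt["dst"], dst, dwc):
            continue
        if sport is not None and pkt["sport"] != sport:
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        return action
    return "deny"

# Constructed sample packets arriving on the LAN interface.
PACKETS = {
    "dhcp_discover": dict(proto="udp", src="0.0.0.0", sport=68, dst="255.255.255.255", dport=67),
    "web_request": dict(proto="tcp", src="172.16.200.130", sport=40000, dst="198.51.100.10", dport=80),
    "remote_broadcast": dict(proto="udp", src="172.16.200.130", sport=137, dst="10.1.2.255", dport=137),
}

def compare():
    # Map each packet name to (action under posted ACL, action under assumed fix).
    return {n: (evaluate(ACL_198, p), evaluate(ACL_198_FIXED, p)) for n, p in PACKETS.items()}

if __name__ == "__main__":
    for name, (posted, fixed) in compare().items():
        print(f"{name:17} posted={posted:6} fixed={fixed}")
```

With the extra entry the DHCP request is permitted while traffic to other x.x.x.255 destinations is still denied, so the filter can stay on the interface.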

 