DHCP Relay prob

Status
Not open for further replies.

keithja

MIS
Sep 12, 2003
88
US
Hi,

I am trying to configure a DHCP helper address on a 3750 and am having some problems that I hope someone can help me with.

I have a Windows DHCP server (I'd prefer not using the 3750 to serve DHCP) on VLAN1 segment with addr scope of 10.199.135.0/24.

The DHCP server is attached to a workgroup switch on port fa0/2.
The workgroup switch is attached to the core switch from port Gi0/1 to port Gi3/0/20
Also attached to the core switch at port Gi5/0/12, is a test client.

The core switch is a stack of 3750s, and the workgroup switch is a 3560. All are running 12.2.52.

I am creating a separate VLAN (199) with scope of 10.199.199.128/26

I would like to be able to use the same DHCP server for both scopes.

Refer to the config captures below for the pertinent ports. But basically I created the VLAN on the core switch, in the appropriate scope, and set the VLAN interface address to .129, and set up a helper address on the VLAN interface pointing to our DHCP server on VLAN 1.

I then created the appropriate DHCP scope on our DHCP server.

Next I created a test port set to access vlan 199, on the core switch. Since I haven't done helper addresses before I wanted to keep it as straight-forward as possible.

I then plugged a client, configured to obtain a dhcp address, into the port and waited with anticipation. And waited, and waited, and eventually timed out: no IP address.

I am able to ping 10.199.199.129 from the DHCP server - so I know I'm good there.

When I do a packet capture using cisco span, whether I capture at the ingress of the test client port, ingress/egress of vlan199, or ingress/egress of the DHCP server port, I see 4 DHCP request packets - all set with all of the IP slots to 0.0.0.0, and nothing set in the relay slot, and no replies from the server.


I am sure I'm overlooking something dumb, but I just can't spot it.

Can anyone give me a hand on this?

thanks for your help.

======================================
DHCP Server Address 10.199.135.27/24

DHCP scope:
10.199.199.129-10.199.199.190 /26

exclude:
10.199.199.129-10.199.199.134

.................................
Host Port Core Switch

Building configuration...

Current configuration : 91 bytes
!
description TestHost
interface GigabitEthernet5/0/12
switchport access vlan 199
spanning-tree portfast
end

.................................

VLAN core switch

Building configuration...

Current configuration : 98 bytes
!
interface Vlan199
ip address 10.199.199.129 255.255.255.192
ip helper-address 10.199.135.27
end
.................................

Core Switch port to WkGrp Switch
Building configuration...

Current configuration : 162 bytes
!
interface GigabitEthernet3/0/20
description Telcom1
switchport trunk encapsulation dot1q
switchport mode trunk
priority-queue out
mls qos trust dscp
end

.................................

WkGrp Switch port to Core Switch

Building configuration...

Current configuration : 138 bytes
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
priority-queue out
mls qos trust dscp
end

.................................

DHCP Server to WkGrp switch

Building configuration...

Current configuration : 98 bytes
!
interface FastEthernet0/2
description DHCPserv
switchport mode access
spanning-tree portfast
end
 
so you're saying that your packet capture lists 0.0.0.0 for relay agent address?? you don't have any dhcp snooping enabled or anything?? have you tried capturing on the dhcp server itself?? you have double-checked your scope details including whether or not the scope is activated??

 
"so you're saying that your packet capture lists 0.0.0.0 for relay agent address?? "
Correct

"you don't have any dhcp snooping enabled or anything"
No

"have you tried capturing on the dhcp server itself?? "
I captured at the core port to the WG switch to which the DHCP server was attached and got the results listed above. I have not tried capturing at the wkgrp Fa0/2 interface, or using a net tap between the switch and dhcp server but if you think that may give a clue, I can give it a try.

"you have double-checked your scope details including whether or not the scope is activated?? "
yes

thanks for your help
 
make sure your test host is really plugged into 5/0/12...no relay agent ip says that the host is in a different port and that port is a member of a different VLAN than 199 with no helper-address configured...

 
I'll recheck tomorrow - I'm about 95% sure now, but I'll recheck

thx
 
ok, I was able to check remotely by checking the mac addr table and the test host is definitely connected to gi5/0/15.

thx
 
anyone have any new ideas on this? (BTW the above message has a typo - it should read that it is definitely connected to gi5/0/12 - which has now been physically confirmed as well)
 
I may be barking up the wrong tree here, who knows......

On your client set up the line "Switchport mode access" is missing - may not mean anything....

 
additional info:

As UncleRico suggested, I stuck in an NTAP between the WkGrp Switch and the DHCP Server and did a capture that way.

When I took a look at the capture, I do see DHCP packets with the relay agent correctly set - WOOHOO (not sure why I didn't see that on the span at interface from core to wkgrp switch unless it was because it was trunked the whole way through up until the point it actually tried to hit the DHCP server port on the wkgrp switch)

What I don't see in that capture, is a reply back from the DHCP server either to .129, or .129's mac addr.

I have verified the DHCP scope is active. Can anyone think of anything else? Do I need to switch over to the DHCP forum at this point?

thx for your help.
 
Did you disable service dhcp on that layer 3 switch? I believe it needs to be enabled for dhcp relay to function.
Code:
service dhcp
 
(PS - I did force it to switch mode access just to cover all the bases, but got the same results)
thx
 
baddos, I thought I had checked that before but I didn't see it in a sh run so I reentered it.

I am still not getting an address. I did notice, however, that - looking at the packet capture from the ntap between the dhcp server and switch - immediately after the DHCP request packet arrives, the DHCP server issues an ICMP Unreachable packet specifying from 10.199.135.27(dhcp server) to 10.199.199.129 (GW for VLAN 199). Type:Destination Unreachable. Code:port unreachable (It was port 67 to 67).

which still makes it look like it can't talk to the DHCP server service on core switch...

thx

 
what version of windows is running on the server?? is the windows firewall disabled??

 
ok, Here is the rough sequence of the packets I see:

Client sends dhcp address request packet with all 0's on all dhcp ip fields, and its mac in the client hw addr slot

A packet leaves the wkgrp switch port to the DHCP server a few microseconds later.
It is a dhcp req packet with all dhcp ip slots set to 0 except the relay agent slot which is set to 10.199.199.129 - which is the gw addr for vlan 199 on the core switch.
Its destination addr is 10.199.135.29/mac-of-dhcp-srvr and
its source addr the GW for vlan199/mac-of-vlan1-on-core

Then - still looking at the ntap between dhcp srvr and wkgrp sw:

dhcp server sends out an arp broadcast request asking for the mac addr of the vlan1 core switch.

An arp reply is received from 'Idontknowwhere' supplying the core vlan1 mac

Then DHCP server sends a packet to 10.199.199.129 (vlan199 GW) to core sw vlan1 mac saying the port isn't reachable.

does this make sense to anyone?


for grins I tried doing a service dhcp on the wkgrp switch, but got the same results.

thx
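
Added example, not part of the original posts: a Python decoder for the fixed BOOTP header of a captured UDP port 67 payload, reading the relay agent (giaddr) field this thread keeps coming back to and matching it against the two scopes named above. The sample packets, MAC address and transaction ID are constructed, and the function names are hypothetical.

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header (RFC 2131): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr (16 bytes).
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)


def parse_bootp(payload):
    """Decode the fixed header from a UDP port 67/68 payload."""
    if len(payload) < BOOTP_LEN:
        raise ValueError("payload shorter than the fixed BOOTP header")
    (op, _htype, hlen, hops, _xid, _secs, _flags, ciaddr, _yiaddr,
     _siaddr, giaddr, chaddr) = struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN])
    return {
        "op": op,
        "hops": hops,
        "ciaddr": ipaddress.IPv4Address(ciaddr),
        "giaddr": ipaddress.IPv4Address(giaddr),
        "chaddr": chaddr[:min(hlen, 16)].hex(":"),
    }


def classify(payload, scopes):
    """Say where on the path a request was captured and which scope fits."""
    pkt = parse_bootp(payload)
    gi = pkt["giaddr"]
    if pkt["op"] != 1:
        return "not a client request (op != BOOTREQUEST)"
    if gi.is_unspecified:
        return "giaddr 0.0.0.0: client-side broadcast, not yet relayed"
    for scope in scopes:
        if gi in ipaddress.ip_network(scope):
            return f"relayed by {gi}: server should use scope {scope}"
    return f"relayed by {gi}: no configured scope contains it"


def sample_request(giaddr, hops):
    """Constructed BOOTREQUEST header; the MAC and xid are made-up values."""
    mac = bytes.fromhex("020000aabbcc").ljust(16, b"\x00")
    zero = bytes(4)
    return struct.pack(BOOTP_FMT, 1, 1, 6, hops, 0x1234ABCD, 0, 0x8000,
                       zero, zero, zero,
                       ipaddress.IPv4Address(giaddr).packed, mac)


SCOPES = ["10.199.135.0/24", "10.199.199.128/26"]  # scopes named in the thread

if __name__ == "__main__":
    for gi, hops in (("0.0.0.0", 0), ("10.199.199.129", 1)):
        print(classify(sample_request(gi, hops), SCOPES))
```

A DHCP server picks the scope from a non-zero giaddr, so a capture that shows the relayed request arriving with the right giaddr and no offer leaving points at the server side rather than the switch path.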
 
ps unclerico,

It is running on Win2kSP4. I know... This is kind of a secondary dhcp server for us that runs a couple of minor scopes for us via multihoming.

If I can get this all worked out, I'll eventually move all of these small ones over to our main DHCP server using helpers.

Call this a dry run for that.

No firewall.
 
yeah, this sounds like a dhcp server issue not a network issue. try moving the scope over to one of your other DHCP servers and re-point the helper to it and see what happens. heck, even download tftpd32 and run the dhcp service on a windows xp laptop (in an isolated network of course) to verify.

 
yup - that was it. I moved the scope to our main dhcp server and reset the helper and bango - slicker than snot.

Or, it was because our main dhcp server was connected directly to the core switch rather than through a wkgrp switch like the other one?

Maybe later I will try moving the secondary dhcp to the core, turning off the scope on the main dhcp server, turning the one on the secondary back on, and seeing if it acquires.

If it does, then why? what was the problem? I'll let you know how it turns out.

Meanwhile, THANKS for everyone's help!! I can't believe I beat my head against a networking issue for so long when it might have just been an outdated dhcp, or some other dhcp problem.
 
Nope, Definitely the DHCP server. I moved it to the core switch and did the test described above, and it still failed. Reactivated the scope on our main DHCP and it was hunky-dory!

Thanks again for your help
 