Switch apparently using DHCP against my wishes in VLAN

AdaptiveGroup

Junior Member
Jul 17, 2014
6
0
0
Hello there,

I've found a problem in my work network, and I was hoping anyone knows what can be done to solve it. I'm not a network management expert, nor do I know why everything is set the way it is; it was like this before I had to take charge of it recently.

Switch: Cisco SG300-52
Routers: Mikrotik RB1200

[network diagram image: w8wdjc.jpg]

Each modem has 7 IPs assigned by the ISP, and uses DHCP to deliver them. The thing is, 6 out of each 7 router interfaces get their IPs correctly, but the seventh one never gets a DHCP lease. I checked with the ISP and the missing IPs are all assigned to the SG300 MAC address, which leads me to believe that in each VLAN, the switch must be using DHCP to get its IP.

Why is this happening? The switch is set to layer 2, so I can't set each interface to use Static IPs (that kind of options are available when using the "layer 3 switch" mode). I imagined a Layer 2 Switch wouldn't emit DHCP Requests.

Any help is appreciated, thank you very much.
 

Carson Dyle

Diamond Member
Jul 2, 2012
8,173
524
126
What exactly are you trying to do?

To me, the routers look like they're on the "wrong side" of the switch. Does the diagram show that you have 7 switch ports from each router connected to 7 switch ports on the switch? Why?
 

AdaptiveGroup

Junior Member
Jul 17, 2014
6
0
0
... nor do I know why everything is set the way it is; it was like this before I had to take charge of it recently ...

So... the "why is it the way it is" eludes my grasp. I'd assume a single one of those routers could manage all 3 modems and the VLANs instead of "a switch and 3 routers". Maybe they upgraded from small, personal routers with lesser capabilities and didn't bother to change the design?

Functionally speaking, each VLAN has a modem and 7 hosts (router interfaces) that should each get an IP from the modem using DHCP. This way, each router has 7 public IPs to use, and the whole company has 21 public IPs total. The "inner" side of the structure is working perfectly, load is balanced accordingly, traffic goes in and out of the different router interfaces as it's supposed to do.

What I'm trying to do is to find out and fix whatever is happening with the seventh IP of each modem, the one the routers are not getting. The system right now is working perfectly, but with only 18 of the 21 IPs.

Thanks!
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Bet dollars to donuts you have:

ip address dhcp

in the vlan interfaces.

This will make the switch pull an IP address in each vlan configured that way. Remove the DHCP IP and either use a static or since it is the net, don't assign one at all.

Post a sanitized config.

Also post:
(going from memory)
show ip address
show dhcp statistics

--edit--

and yes, the design doesn't make a whole lot of sense. Those Mikrotiks should support multiple IPs on a single port, making the switch pointless and unneeded.
 

AdaptiveGroup

Junior Member
Jul 17, 2014
6
0
0
Code:
vlan database
vlan 2-4 
exit
interface vlan 1
<static IP> 
exit
interface vlan 1
no ip address dhcp 
exit
<hostname>
logging buffered debugging 
<username / password>
no snmp-server server
clock timezone " " -3
ip telnet server
interface eth2
switchport trunk native vlan 2 
exit
interface gigabitethernet3
switchport trunk native vlan 2 
exit
interface gigabitethernet4
switchport trunk native vlan 2 
exit
interface gigabitethernet5
switchport trunk native vlan 2 
exit
interface gigabitethernet6
switchport trunk native vlan 2 
exit
interface gigabitethernet7
switchport trunk native vlan 2 
exit
interface gigabitethernet8
switchport trunk native vlan 2 
exit
interface gigabitethernet9
switchport trunk native vlan 2 
exit
interface gigabitethernet10
switchport trunk native vlan 3 
exit
interface gigabitethernet11
switchport trunk native vlan 3 
exit
interface gigabitethernet12
switchport trunk native vlan 3 
exit
interface gigabitethernet13
switchport trunk native vlan 3 
exit
interface gigabitethernet14
switchport trunk native vlan 3 
exit
interface gigabitethernet15
switchport trunk native vlan 3 
exit
interface gigabitethernet16
switchport trunk native vlan 3 
exit
interface gigabitethernet17
switchport trunk native vlan 3 
exit
interface gigabitethernet18
switchport trunk native vlan 4 
exit
interface gigabitethernet19
switchport trunk native vlan 4 
exit
interface gigabitethernet20
switchport trunk native vlan 4 
exit
interface gigabitethernet21
switchport trunk native vlan 4 
exit
interface gigabitethernet22
switchport trunk native vlan 4 
exit
interface gigabitethernet23
switchport trunk native vlan 4 
exit
interface gigabitethernet24
switchport trunk native vlan 4 
exit
interface gigabitethernet25
switchport trunk native vlan 4 
exit

IP Address returns an empty list for all VLAN interfaces but the first one (which has a static IP assigned). I couldn't manage to bring up DHCP statistics, maybe it's only available if the switch is in Layer 3 mode? Couldn't find it in the manual either.

I suppose that assigning different static IPs to each VLAN interface would solve my problem, right? Static IP definition removes DHCP configuration according to the manual. I've just tried it and my switch stopped responding through telnet/http after entering "ip address <unused static> <mask>". It's still working though, I'm just unable to configure anything. In a couple of hours, when people go home, I'll restart it and try to fix this once and for all.

Thanks!
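An added example, not from the thread, Cisco or MikroTik: a small Python check that reads a config dump in the form posted above and reports, for every declared VLAN, whether its interface is set to a static address, to DHCP, explicitly to no DHCP, or left at the firmware default, which is the "ip address dhcp in the vlan interfaces" question imagoon raised earlier. The sample config is constructed; its "interface vlan 3" stanza is an assumption so that every outcome appears.

```python
import re
# Constructed sample in the SG300 running-config style posted in this thread, not the
# poster's config; the 'interface vlan 3' stanza is an assumption so every outcome appears.
SAMPLE_CONFIG = """\
vlan database
vlan 2-4
exit
interface vlan 1
ip address 192.168.1.199 255.255.255.0
no ip address dhcp
exit
interface vlan 3
ip address dhcp
exit
"""

def parse_stanzas(config):
    """Collect the lines of every 'interface ...' stanza, keyed by interface name."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "exit":
            current = None
        elif current:
            stanzas.setdefault(current, []).append(line)
    return stanzas

def declared_vlans(config):
    """VLAN ids from 'vlan 2-4' / 'vlan 5,7' lines, plus the default VLAN 1."""
    ids = {1}
    for m in re.finditer(r"^vlan ([\d,-]+)$", config, re.M):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ids)

def vlan_ip_state(config):
    """Per VLAN interface: 'static', 'dhcp', 'no-dhcp' or 'default' (no stanza, firmware
    default decides). On a VLAN facing an ISP modem only 'static' or 'no-dhcp' rules out the switch."""
    stanzas, state = parse_stanzas(config), {}
    for vid in declared_vlans(config):
        lines = stanzas.get(f"vlan {vid}", [])
        state[vid] = ("static" if any(re.match(r"ip address \d", l) for l in lines)
                      else "dhcp" if "ip address dhcp" in lines
                      else "no-dhcp" if "no ip address dhcp" in lines
                      else "default")
    return state
print(vlan_ip_state(SAMPLE_CONFIG))  # {1: 'static', 2: 'default', 3: 'dhcp', 4: 'default'}
```

Run it against a real "show running-config" dump instead of the sample; a VLAN reported as "default" is the one to confirm on the switch itself with "show ip address" (the command imagoon suggested), since the dump alone does not say what the default is.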
 

Carson Dyle

Diamond Member
Jul 2, 2012
8,173
524
126
Just curious... What will that extra IP address in each VLAN buy you? Are these public IP addresses needed for services made available behind the routers, or are they just part of a shared pool used for NATing client PCs?
 

AdaptiveGroup

Junior Member
Jul 17, 2014
6
0
0
For one, "the company is paying for 21 public IPs, whilst only having 18 available" immediately suggests that something is wrong with the IT department. "Everything should work 100% correctly" is a nice methodology to follow and endorse. Functionality-wise, they are just part of a shared pool.
 

Carson Dyle

Diamond Member
Jul 2, 2012
8,173
524
126
For one, "the company is paying for 21 public IPs, whilst only having 18 available" immediately suggests that something is wrong with the IT department. "Everything should work 100% correctly" is a nice methodology to follow and endorse. Functionality-wise, they are just part of a shared pool.

Ok. Then I have to ask: By that philosophy, if you think the configuration you posted in the OP doesn't make sense, why don't you start there and reconfigure the network? Even if that means bringing in someone from outside who better knows what they're doing.

Could the switch be doing some kind of DHCP pass-through, with the routers actually getting those public IP addresses through DHCP?

How many clients are there behind each of those routers?
 

AdaptiveGroup

Junior Member
Jul 17, 2014
6
0
0
Of course, I'm already pushing to change it in the next "big maintenance", but I can't just come in one day and shut down everything for a while. In the meantime (and until I'm approved to change the whole configuration), I want to have everything working as it should. I'm using it as a learning experience, and have no issues with bringing in an expert from outside if that's what is needed, probably not the guy who was here before me though. I'll see when the time comes.

The routers ARE getting their public addresses through DHCP. Each VLAN has a DHCP server (the modem); each router interface just asks for an IP and it's given one if available; they could be connected to 7 different modems for all they know. 10-15 clients behind each router.

I checked with the ISP and one IP address of each modem is assigned to the switch's MAC, so it's not relaying or anything, just annoying me.

EDIT: I'll emphasize this, it's primarily a learning experience for me. I'm new to networking. You are encouraged to point out whatever you find wrong with the configuration, it's not my work and I intend to rebuild it asap because it's clearly not ok. All your suggestions will help me build a better, more solid network.
 

Carson Dyle

Diamond Member
Jul 2, 2012
8,173
524
126
Wait. Aren't there only 6 usable host IP addresses in a subnet of 8? The first address is the address of the subnet itself and the last is the broadcast address.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Well #1 the switchport mode trunk native vlan x is likely wrong. I would suspect
switchport mode access
switchport access vlan x

is what you want. And Carson has a good point. What is the netmask for the ISP-provided ranges? If it is 3 groups of 8, i.e. 255.255.255.248, you can only have 6 out of the 8. One is the network, the other is the broadcast.
 

AdaptiveGroup

Junior Member
Jul 17, 2014
6
0
0
Isn't subnetting L3? The switch is L2 -> doesn't care about IPs, the VLANs only limit the broadcast domains, each VLAN on its own -> that's why broadcast DHCP Requests are only answered by one modem at a time, and all requests from each router are answered by the same modem.

Public IPs assigned through DHCP by the modems will likely belong to different subnets of the ISP, but that's really outside of my scope, and I doubt they use something like 255.255.255.248/3.

Or maybe I'm extremely confused. I will read before further commenting.

EDIT: "Will likely belong" is accurate. Checked against the IP addresses, they are in the form of A.B.X.Y/24 (A/B constant, X/Y vary), only a few belong to the same subnet.

EDIT2: Should switchport modes affect whether the switch uses DHCP (if so, how?) or was it just a comment on the configuration? Having read Cisco's specification about switchport, it would seem that the trunk mode is indeed unnecessary in the current configuration, as each switchport only has traffic belonging to a specific VLAN.

EDIT3: Hey, what about setting "no interface ip dhcp" and e.g. "ip address 192.168.1.20X 255.255.255.0" in each VLAN X (2, 3 or 4) interface? Well, apparently a bad idea, I can't set any static IP without the switch management interface crashing (set in, let's say, 192.169.1.199 - VLAN 1). The switch continues to work correctly but I can no longer access it through HTTP nor Telnet. I don't detect it either using an IP scanner (previous static address marked as dead). I'll step back and try to understand the problem better. My only lead is "the ISP say those IP addresses are assigned to the switch's MAC".
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Isn't subnetting L3? The switch is L2 -> doesn't care about IPs, the VLANs only limit the broadcast domains, each VLAN on its own -> that's why broadcast DHCP Requests are only answered by one modem at a time, and all requests from each router are answered by the same modem.

Public IPs assigned through DHCP by the modems will likely belong to different subnets of the ISP, but that's really outside of my scope, and I doubt they use something like 255.255.255.248/3.

Or maybe I'm extremely confused. I will read before further commenting.

EDIT: "Will likely belong" is accurate. Checked against the IP addresses, they are in the form of A.B.X.Y/24 (A/B constant, X/Y vary), only a few belong to the same subnet.

EDIT2: Should switchport modes affect whether the switch uses DHCP (if so, how?) or was it just a comment on the configuration? Having read Cisco's specification about switchport, it would seem that the trunk mode is indeed unnecessary in the current configuration, as each switchport only has traffic belonging to a specific VLAN.

EDIT3: Hey, what about setting "no interface ip dhcp" and e.g. "ip address 192.168.1.20X 255.255.255.0" in each VLAN X (2, 3 or 4) interface? Well, apparently a bad idea, I can't set any static IP without the switch management interface crashing (set in, let's say, 192.169.1.199 - VLAN 1). The switch continues to work correctly but I can no longer access it through HTTP nor Telnet. I don't detect it either using an IP scanner (previous static address marked as dead). I'll step back and try to understand the problem better. My only lead is "the ISP say those IP addresses are assigned to the switch's MAC".

Most ISPs limit you via an IP group, mostly so you can't "steal" other ones. That may not be true in this case but it was an idea. DHCP is a combo L2 / L3.

From your config however I suspect that something else is actually grabbing the IP and the switch's MAC is just "collateral damage" in the sense that they just found it in a port scan or whatever. I am pretty sure that switch doesn't do anything with DHCP during boot up and your config doesn't suggest that it does either.

edit: The routers actually show IP / 255.255.255.0 on the interfaces?

EDIT2: no it should because you used native vlan statements. This dumps any untagged frames (which in your case is likely everything) into that VLAN. I personally would change that config because... quite frankly it is poor.

edit3: if you set IPs you need to make sure they are not on the same network as the telnet IP or it will take over and then produce a "no route to host" type issue.

So how exactly is their DHCP configured? It is pretty atypical, except in the case of a single static, to use DHCP. I would imagine they would need to be using MAC reservations. Also just plugging a static entry into the router *should* work barring any ISP "magic" going on in the background.

If they are using DHCP reservations, the only way the switch MAC would get an IP is if someone registered as a reserved MAC:IP entry.
 

skillyho

Golden Member
Nov 6, 2005
1,337
0
76
Hope you've made some progress with this...if not a few questions for you.

Your company is paying for 21 public IPs from your ISP, and you've been tasked with finding out why you don't "have them all"... Is that correct? Have you considered just putting a router between your ISP/modems and your LAN and creating a dynamic pool or static entries for NAT to your LAN? Or do you want to do overload?

Also, why the multiple dedicated trunked ports from your switch? Why not just trunk a single port with multiple allowed VLANs to subinterfaces on your router and do your dot1q encapsulation over that trunked link? Keep in mind that VLANs do equal broadcast domains, but broadcast domains also equal new subnetwork ranges. You cannot have a broadcast domain on a VLAN broadcasting to another subnet or it's not actually another VLAN... see what I mean? Each VLAN should have its own unique subnetwork range.

Blah blah ip helper to proper dhcp server per vlan, blah blah. I'm just rambling now I guess...

I'm really at a loss as to why your network is setup the way it is in your diagram and I'm just trying to get a better understanding of why it's setup this way.
 