5 Replies Latest reply on Oct 9, 2014 8:58 AM by levi

    Netvanta 1638p  DHCP snooping issue

    davide New Member

      Adtran Netvanta 1638p

      I enabled the DHCP snooping feature in our network domain and the 10.0.94.13 wireless access point was not working anymore.

      What is the right solution?

       

      ip hw-access-list extended DENY-DHCP

        permit udp host 10.0.94.29  any eq bootps

        permit udp host 10.0.94.29  any eq bootpc

        permit ip host 10.0.94.13 any

        deny   udp any  any eq bootps

        deny   udp any  any eq bootpc

        permit ip any  any 

       

      hw-access-map MAP1

      vlans 3

      forward ip DENY-DHCP

        • Re: Netvanta 1638p  DHCP snooping issue
          Employee

          davide - Thanks for posting your question on the forum!

           

          Could you tell me what you mean by the wireless access point was not working anymore?  Also, which port is the wireless access point plugged into? Please post the switchport configuration for it as well. Also, which port is your DHCP server plugged in? Please post the switchport configuration for it as well.

           

          You may find the following thread helpful: How does one block (allow / deny) DHCP traffic on specifc interfaces?

           

          Let us know if you have any questions.

           

          Thanks,

          Noor

            • Re: Netvanta 1638p  DHCP snooping issue
              davide New Member

              The domain controller is on port 0/31 and the CISCO AP1041 on port 0/3.

              The wireless users cannot lease an IP address.

              Here is my config file:

               

               

              !

              !

              ! ADTRAN, Inc. OS version R10.9.4

              ! Boot ROM version R10.3.0.SB

              ! Platform: NetVanta 1638P, part number 1700569F1

              ! Serial number LBADTN1330AA497

              !

              !

              hostname "Netvanta-1638P"

              enable password encrypted 1c17d6b091f3a8886dd56ab626c7076837d1

              !

              clock timezone -6-Central-Time

              clock no-auto-correct-DST

              !

              ip subnet-zero

              ip classless

              ip routing

              host "mail.aerotecheng.org" 66.49.32.186

              host "mx.aerotecheng.org" 174.79.200.12

              host "remote.aerotecheng.org" 174.79.200.13

              host "wireless.aerotecheng.org" 174.79.200.14

              domain-name "atedc.aero.local"

              domain-proxy

              name-server 10.0.94.29

              !

              !

              ip route-cache express

              !

              no auto-config

              !

              event-history on

              no logging forwarding

              no logging email

              !

              service password-encryption

              !

              username "admin" password encrypted "464d541d51fdb8ae0067f7f051e320bf9b29"

              username "dlonigro" password encrypted "2229b429dbe752c0149c7c59c76a551b8c23"

              !

              banner login #

              Unauthorized access to this device is strictly prohibited and if you got inadvertently exit immediately!

              #

              !

              !

              !

              !

              !

              !

              dot11ap access-point-control

               

              dos-protection 4,6,20,40-41,60-61,100

               

              no desktop-auditing dhcp

               

              no network-forensics ip dhcp

              !

              !

              !

              !

              !

              qos dscp-cos 0 8 16 24 32 40 48 56 to 0 1 2 3 4 5 6 7

              ! DSCP to CoS mapping only operates on ports that have 'qos trust cos' applied

              !

              spanning-tree priority 0

              !

              gvrp

              !

              !

              !

              !

              vlan 1

                name "Default"

              !

              vlan 2

                name "pubblic-IP-switch"

              !

              vlan 3

                name "AEROTECH"

              !

              vlan 5

                name "Voice"

              !

              vlan 6

                name "Wireless"

              !

              vlan 7

                name "DataBackup"

              !

              interface loop 1

                ip address  172.16.1.14  255.255.255.255

                no shutdown

              !

              interface eth 0/1

                description Management Interface

                ip address  172.16.1.15  255.255.255.0

                no awcp

                shutdown

              !

              !

              interface gigabit-switchport 0/1

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/2

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/3

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/4

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/5

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/6

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/7

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/8

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/9

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/10

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/11

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/12

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/13

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/14

                no shutdown

                switchport access vlan 3

                qos trust cos

              !

              interface gigabit-switchport 0/15

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/16

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/17

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/18

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/19

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/20

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/21

                no shutdown

                switchport access vlan 3

                qos trust cos

              !

              interface gigabit-switchport 0/22

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/23

                speed 1000

                no shutdown

                switchport access vlan 3

                qos trust cos

              !

              interface gigabit-switchport 0/24

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/25

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/26

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/27

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/28

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/29

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/30

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/31

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/32

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/33

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/34

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/35

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/36

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/37

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/38

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/39

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/40

                no shutdown

                switchport access vlan 3

              !

              interface gigabit-switchport 0/41

                no shutdown

              !

              interface gigabit-switchport 0/42

                no shutdown

              !

              interface gigabit-switchport 0/43

                no shutdown

              !

              interface gigabit-switchport 0/44

                no shutdown

              !

              interface gigabit-switchport 0/45

                no shutdown

                switchport access vlan 2

              !

              interface gigabit-switchport 0/46

                no shutdown

                switchport access vlan 2

              !

              interface gigabit-switchport 0/47

                no shutdown

                switchport access vlan 2

              !

              interface gigabit-switchport 0/48

                no shutdown

                switchport access vlan 2

              !

              !

              interface xgigabit-switchport 1/1

                no shutdown

                switchport mode trunk

                switchport trunk allowed vlan 1-7

                speed auto

                no lldp send-and-receive

              !

              interface xgigabit-switchport 1/2

                no shutdown

                switchport mode access

                speed 1000

              !

              !

              !

              interface vlan 1

                ip address  10.0.92.14  255.255.255.0

                ip route-cache express

                no shutdown

              !

              interface vlan 2

                no ip address

                ip route-cache express

                shutdown

              !

              interface vlan 3

                ip address  10.0.94.14  255.255.255.0

                ip route-cache express

                no shutdown

              !

              !

              !

              !

              !

              ip hw-access-list extended DENY-DHCP

                permit udp host 10.0.94.29  any eq bootps  

                permit udp host 10.0.94.29  any eq bootpc  

                deny   udp any  any eq bootps  

                deny   udp any  any eq bootpc  

                permit ip any  any   

              !

              !

              !

              ip route 0.0.0.0 0.0.0.0 10.0.94.1

              ip route 10.0.94.0 255.255.255.0 10.0.94.1

              ip route 172.16.1.10 255.255.255.255 10.0.94.10

              ip route 172.16.1.17 255.255.255.255 10.0.94.17

              !

              no tftp server

              no tftp server overwrite

              no http server

              http secure-server

              no snmp agent

              no ip ftp server

              ip ftp server default-filesystem flash

              no ip scp server

              no ip sntp server

              !

              !

              !

              !

              !

              !

              !

              !

              line con 0

                login

                password encrypted 1e1583c47be78c1e476c10ca32c391e0d94a

              !

              line telnet 0 4

                login

                password encrypted 151ef24f7d0a9f593caa0a333f0d2e5fc846

                shutdown

              line ssh 0 4

                login local-userlist

                no shutdown

              !

              sntp server us.pool.ntp.org

              !

              !

              !

              end

                • Re: Netvanta 1638p  DHCP snooping issue
                  Employee

                  davide - Your configuration for filtering DHCP traffic looks correct. Would you be able to obtain a packet capture off a port mirror on the port that the AP is connected to? This would probably give us the best picture as to whether DHCP broadcasts are being sent and received using that port.

                   

                  Please do not hesitate to let us know if you have any questions.

                   

                  Thanks,

                  Noor
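
As an aid to reading such a capture, the following added example (not part of the thread and not ADTRAN code) models the DENY-DHCP list from the first post with first-match semantics and runs constructed DHCP packets through it. It assumes the port after the destination is the destination port, that bootps/bootpc are UDP 67/68, and that a deny match means the packet is dropped; the 10.0.94.200 host and all packets are constructed.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68}  # DHCP server / client UDP ports
# Entries copied from the first post's DENY-DHCP list.
ACL_TEXT = """\
permit udp host 10.0.94.29 any eq bootps
permit udp host 10.0.94.29 any eq bootpc
permit ip host 10.0.94.13 any
deny udp any any eq bootps
deny udp any any eq bootpc
permit ip any any
"""

def _addr(tokens):  # consume 'any' (-> None) or 'host A.B.C.D'
    tok = tokens.pop(0)
    return None if tok == "any" else ipaddress.ip_address(tokens.pop(0))

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        action, proto, *t = line.split()
        src, dst = _addr(t), _addr(t)
        # Assumption: a port after the destination is the destination port.
        dport = PORTS[t[1]] if t[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, dport, line))
    return rules

def evaluate(rules, pkt):  # returns (action, entry); first matching entry decides
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for action, proto, r_src, r_dst, r_dport, line in rules:
        if (proto in ("ip", pkt["proto"]) and r_src in (None, src)
                and r_dst in (None, dst) and r_dport in (None, pkt["dport"])):
            return action, line
    return "deny", "(no entry matched)"

# Constructed packets: standard DHCP addressing; 10.0.94.200 is hypothetical.
PACKETS = {
    "client DISCOVER": dict(proto="udp", src="0.0.0.0", dst="255.255.255.255", dport=67),
    "server OFFER": dict(proto="udp", src="10.0.94.29", dst="255.255.255.255", dport=68),
    "rogue OFFER": dict(proto="udp", src="10.0.94.200", dst="255.255.255.255", dport=68),
    "AP web traffic": dict(proto="tcp", src="10.0.94.13", dst="10.0.94.29", dport=443),
}

def verdicts():
    return {n: evaluate(parse_acl(ACL_TEXT), p) for n, p in PACKETS.items()}

if __name__ == "__main__":
    for name, (action, line) in verdicts().items():
        print(f"{name:16} {action:6} <- {line}")
```

In this model a client's DISCOVER (destination port 67) matches `deny udp any any eq bootps` before the final permit, and `permit ip host 10.0.94.13 any` does not cover it because the client's source address is 0.0.0.0, not the AP's. A port-mirror capture on 0/3 would show whether the switch behaves the same way.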

              • Re: Netvanta 1638p  DHCP snooping issue
                levi Employee

                davide:

                 

                Do you still have further questions on this post?  Please, do not hesitate to reply.

                 

                Levi

                  • Re: Netvanta 1638p  DHCP snooping issue
                    levi Employee

                    davide:

                     

                    I went ahead and flagged "Assumed Answered" on this post to make it more visible and help other members of the community find solutions more easily. If you feel like there is a better answer, feel free to come back to this post and select it with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                     

                    Thanks,

                     

                    Levi