Archive for the ‘dhcp’ tag
We're an Avaya voice shop (for now if I have my way) and have Avaya systems of various sizes and shapes all around the Enterprise. I was at one of our remote locations a few weeks back and helped the guys there replace a non-PoE switch so they could get the old power injector panel out of their rack. When we moved stuff around, the phones didn't come back and had the dreaded DHCP Ack Error. Read the rest of this entry »
More study notes. Correct if wrong, though I hope I get some of it right since I already since I'm an R&S guy. :$
- switchport mode access: This config makes the port an access port that carries the primary and voice VLAN traffic
- switchport mode trunk: This config akes the port a trunk unconditionally, but it will still send DTP messages
- switchport nonegotiate: This config keeps the port from sending DTP messages.
- switchport mode dynamic auto: If the port receives DTP messages, it will become a trunk. If not, it will be an access port.
- switchport mode dynamic desirable: The port actively sends DTP messages trying to become a trunk. This is the default configuration on a Cisco switch.
Cisco IP Phone Boot Process
- Phone connects to an Ethernet switch and gets power if needed
- Switch tells the phone the correct voice VLAN through CDP
- Phone sends DHCP request for its voice VLAN
- DHCP offer includes the TFTP server from which to download the config
- Phone downloads the config from the TFTP server
- Phone contacts the call processing server as dictated in the config file
DHCP Settings on a Cisco Router or L3 Switch
R1(config)#ip dhcp pool MYPOOL
R1(dhcp-config)#network 192.168.0.0 255.255.255.0
R1(dhcp-config)#option 150 ip 192.168.0.20 <– Tells the phone to download the config from this TFTP server
R1(config)#ip dhcp excluded-address 192.168.0.1 192.168.0.100 <– Don't use these IPs when handing out DHCP
Why should you use NTP for a CME setup?
- Phones display correct time
- Voicemails have the correct time
- CDRs are timestamped accurately
- Router logs are timestamped accurately
- Time-based access worked predictably
R1(config)#ntp server 184.108.40.206
R1(config)#clock timezone MYTZ -5 <– Sets the timezone to a zone called MYTZ that's 5 hours behind UTC
Here’s a handy list of ACL entries to allow your devices to speak routing protocols, availability protocols, and some other stuff. We’ll assume you have ACL 101 applied to your Ethernet inbound; your Ethernet has an IP of 192.168.0.1.
- BGP : Runs on TCP/179 between the neighbors
access-list 101 permit tcp any host 192.168.0.1 eq 179
- EIGRP : Runs on its own protocol number from the source interface IP to the multicast address of 220.127.116.11
access-list 101 permit eigrp any host 18.104.22.168
- OSPF : Runs on its own protocol number from the source interface IP to the multicast address of 22.214.171.124; also talks to 126.96.36.199 for DR/BDR routers
access-list 101 permit ospf any host 188.8.131.52
access-list 101 permit ospf any host 184.108.40.206
- HSRP : Runs on UDP/1985 from the source interface IP to the multicast address of 220.127.116.11. I’ve seen in the past that it runs on UDP/1985, but I didn’t find any evidence of that in a quick Google for it. Can someone verify?
access-list 101 permit udp any host 18.104.22.168 eq 1985
- HSRP version 2 : Runs on UDP/1985 from the source interface IP to the multicast address of 22.214.171.124.
access-list 101 permit udp any host 126.96.36.199 eq 1985
- RIP : Runs on UDP/520 from the source interface IP to the multicast address of 188.8.131.52
access-list 101 permit udp any host 184.108.40.206 eq 520
- VRRP : Runs on its own protocol number from the source interface IP to the multicast address of 220.127.116.11
access-list 101 permit 112 any host 18.104.22.168
- VRRP-E : This is a Foundary thing according to readers, and runs on UDP/8888 from the source interface IP to the multicast address of 22.214.171.124
access-list 101 permit 112 any host 126.96.36.199 eq 8888
- GLBP : Runs on UDP from the source interface IP to the multicast address of 188.8.131.52
access-list 101 permit udp any host 184.108.40.206
- DHCPD (or bootps) : Runs on UDP/67 from 0.0.0.0 (since the client doesn’t have an address yet) to 255.255.255.255 (the broadcast).
access-list 101 permit udp any host 255.255.255.255 eq 67
If anyone else has one to add, do so in the comments.
Let’s keep going with our example setup on the ASA 5505 and set up DHCP on this guy. You can set it up to either forward (relay) DHCP requests to a DHCP server somewhere or have it be the DHCP server. Let’s do it.
To set up DHCP forwarding, you have to configure where the DHCP server is and then enable the relaying on the proper interfaces. Let’s say we have a DHCP server on the inside interface at 192.168.14.11 and we want it to serve IPs to the guests network. Setting up the DHCP server is beyond the scope here, so you’ll have to look elsewhere on how to set that up.
dhcprelay server 192.168.14.11 inside
dhcprelay enable guests
Another piece of cake, right?
Setting up the 5505 to be the DHCP server requires a few more lines, but, again, it’s easy. In the simplest setup, you only have to define your DHCP scopes and enable it on an interface. Let’s set up a DHCP scope for the inside interface of 192.168.14.101 – 120.
dhcpd address 192.168.14.101-120 inside
dhcpd enable inside
You probably want to serve a DNS server to the DHCP clients as well. You have two options — you can provide your own DNS server or have the 5505 serve the DNS servers it got from the upstream provider (like your cable modem provider) via DHCP. To serve out your DNS server at 192.168.14.12, just do this.
dhcpd dns 192.168.14.12
Serving the same DNS servers that the firewall got from the provider via DHCP is a little weird. Who puts underscores in commands? Assuming your outside interface is toward your ISP, just do this.
dhcpd auto_config outside
There’s the basics, but you can do all sorts of stuff with it. Change the lease time. Set the default search domain. Set a WINS server. Notice one thing, though; there’s no way to configure a default gateway. The ASA 5505 (and the rest of the 5500 series) only serve their own IPs as the default gateway, so be aware.