DHCP guest layer 2 extension

Hi all,
I have just installed a standalone 4402 V5.2.178.0 with 14 APs. For the moment, I just want to create a guest LAN using the same layer 2 core network.
I have a dedicated firewall with DHCP and internet access in a dedicated VLAN. I want to use this DHCP for my guest users. First, when I create a guest interface, I don't know the difference between a guest interface or not?
The physical interfaces of the controller are in LAG mode; from my core switch I have a trunk with the AP-MANAGER VLAN allowed and the dedicated guest internet VLAN.
How can I force clients on the guest WLAN to reach the firewall DHCP?
Thank you

Ah, ok. I was involved in some similar setups for some big customers and it worked just fine. As long as the ACEs see each other over a broadcast medium (needed because heartbeats are broadcasted) in a dedicated VLAN (needed to prevent anything interfering with the communication) the ACEs don't care if the other one is in the next rack or 100km away.

Similar Messages

  • Data Center Interconnect - Layer 2 Extension using vPC

    Hi, I want, if possible, to try to validate the design to connect 4 Nexus 7010 to permit data center interconnect and layer 2 extension using the same vPC and the same port channel number and only 2 links between them, as shown in the attached ppt.
    Is anybody using a design like that?

    this will work if it is *only* layer2 between the two pairs of N7K. You cannot create a L3 SVI and attempt to route it via the vpc port channel. It won't work.  If you need both L3 and L2, one option will be to use OTV.  Rgds Eng Wee

  • Clients not receiving DHCP on layer 2 Vlan

    I have flexconnect WAPs with local switching and local dhcp server on the switch.
    I have one SSID assigned to a layer 2 vlan.  The wireless clients are unable to receive an ip address on this vlan.  The wired clients are able to receive an ip address on this vlan with no problem.
    The WAP switchport is trunked and all of the layer 3 vlans are working with no problem.
    The layer 2 vlan interface is assigned the DHCP -  ip address pool Vendor_VLan
    Any help would be appreciated.
    Thanks
    LH

    Hi LH,
    Have you configured the SSID with the "Local Switching" feature?
    Also did you do the vlan mapping on this FlexConnect AP for the configured SSID ?
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • E4200v2 Bridge Mode + Guest Access: No DHCP IP's assigned?!

    New E4200v2 on 2.0.37.  In "Bridge Mode - DHCP" (i.e. Access Point not router).  Guest Access is enabled & SSID broadcast.  Dhcp Server is disabled, because my main Sonicwall router is providing that for main LAN 192.168.1.0.
    PROBLEM = Client PC can see "-guest" SSID fine and associate to it, BUT PC does NOT receive a DHCP IP address (i.e. 192.168.33.x) therefore the browser login page never appears and guest access does not work.
    I'm pretty sure that it's all related to DHCP.  I'm assuming that the E4200 is not receiving or sending guest DHCP packets with the client PC.
    I've seen Guest Access work on the older E4200v1's before so I know what it should look like.
    Can anyone suggest any likely reasons why my E4200v2 wouldn't be providing DHCP guest addresses in the 192.168.33.0 subnet?
    I only have 24 hrs until I have to deploy 2 new E4200v2's at a remote site, and after that it's going to be really hard to troubleshoot because I won't be at that site.
    Thanks in advance for any expert advice!

    When you're in bridge mode DHCP server option goes away.  And I don't care if DHCP requests are getting to my Sonicwall b/c that device is not going to assign the Linksys Guest IP's... E4200 must do that, apparently in a totally hidden way.
    In any case, I don't have any more time to waste on E4200v2's so I'm going to try some E4200v1's which I just happen to have handy, thankfully.
    If Bridge Mode + Guest Access works better on the V1's then I'll retreat back to that older more obsolete hardware. 
    I'll report back later.
    (In meantime if anyone else cares to offer their knowledge experience about this, V2 or V1, I'm all ears)
    gv wrote:
    Do guests get an IP address if you enable the DHCP server?
    Do you see guest DHCP requests on your sonicwall?

  • DMZ Anchor WLC setup for Wireless Guest Access

    I have the following setup.
    A DMZ WLC 4402 connected to firewall DMZ interface in 10.10.73.0/24 network.
    An Inside WLC 2106 connected to firewall Inside interface in 10.10.71.0/24 network.
    Both WLCs are running the same 4.2.176 code.
    DMZ WLC is anchor to itself and Inside WLC select the DMZ WLC as the anchor point.
    I have setup EoIP between DMZ and Inside WLCs successfully with both the control and data path both show as UP status. >> "show mobility anchor"
    The main issue: Clients cannot obtain IP addresses after connected to Guest SSID.
    1. Inside WLC, the guest WLAN ingress is 802.11b/g radio and egress port is set to management interface (EoIP) of type WLAN.
    What is the DMZ WLC setting? Is the ingress set to "802.11b/g" which does not make sense because the ingress is EoIP from Inside WLC?
    Or I still set as 802.11b/g? Same config as Inside WLC? I read from other threads suggested by Terry that the config must be the same for both WLCs.
    In the Inside WLC, I saw a lot of pdu encapsulation errors for broadcast packets which is ffff.ffff.ffff xxxx which I think is the DHCP request from the connected Wireless clients not making it through the EoIP tunnel. I have set a static ip for the Wireless client but the packets cannot route through the EoIP tunnel to the far end.
    2. DHCP server is provided by DMZ WLC with the scope 10.10.76.0/24. In the Inside WLC, which DHCP server IP address to set to? DMZ WLC mgmt ip address? DMZ WLC, the DHCP server is also set to DMZ WLC mgmt ip?
    3. Layer 2 authentication. I read that DMZ WLC is supposed to be the DHCP server, Layer 2 or 3 authentication for Wireless Clients. However, it seems like Inside WLC is required to configure the Layer 2 authentication parameters and the DMZ WLC is set to providing the DHCP service?
    4. Lastly, anyone has done DMZ WLC sending the Wireless clients traffic to Bluecoat proxy server before hitting the Internet?
    Thanks.

    One of the biggest things is to make sure the wlan is configured exactly the same. The DMZ WLC ingress is the management and also is the egress port. You can create a dynamic interface on the DMZ WLC, but this way makes thing easier. The DMZ WLC should provide the dhcp, so the dhcp scope of course will be on the same subnet as the management of the DMZ WLC. The DHCP Server will be the ip address of the management interface of the DMZ WLC. The authentication also has to be configured exactly the same on the inside wlc and the DMZ wlc. Since you are pushing clients through the tunnel to the DMZ WLC, that is where clients will need to get their ip address, since that DMZ WLC has a network interface to the guest network. I haven't had luck when a proxy is involved, but I know there was a post a while ago on how to setup the proxy to allow the wlc to bypass the users initial dns resolution.

  • FabricPath & Layer-3 VPNs (VRF) between 2 Data Centres

    Hi there,
    I'm looking at deploying FabricPath for layer-2 extension between 2 Data Centres.
    We also have the requirement for providing layer-3 services between the 2 DC, as in Layer-3 VPN (MPLS VPN).
    The alternative technology was MPLS, with full blown Layer-3 VPN, and Layer-2 VPNs through AToM or VPLS.
    My question is, how can we provide VRF support over FabricPath?? Can we use 2 routers with VRF lite configuration in each DC, then dot1q on the trunk through the Fabric Path? Or just VRF Lite on the layer-3 terminating routers, with a specific VLAN for interconnecting the different VRFs?
    Thanks,

    Fabricpath is L2; not related to the L3 technology you want to use; if VRF are in use you can just use VLANs which is described in your first scenario : "use 2 routers with VRF lite configuration in each DC, then dot1q on the trunk through the Fabric Path"

  • WS-C2960-24PC-L VS. WS-C2960-24PC-S : capabilities.

    Good afternoon
    We are presently looking to standardize our infrastructure to use Cisco Catalyst switches, exclusively.
    We presently have 1 3560, and a WS-C2960-24PC-L.  These switches feed a stack of netgear switches (which we want to get rid of).
    Our reason for doing so, is to bring Avaya POE IP Phones into the company to replace the digital hand sets (which are not POE).
    We currently have 8 Avaya POE phones, which are all patched into the WS-C2960-24PC-L (for POE and Voice VLAN propagation).
    I have found a good deal on a set of WS-C2960-24PC-S switches, but am concerned about the LAN Base model versus the LAN Lite Model.
    The network setup is simple: two VLANs (data, voice), three /24 networks (routed by the 3560, directly connected).  
    Is there any difference, between the two models, that would prevent me from achieving my desired outcome?
    Thanks in advance.

    WS-C2960-24PC-L means the hardware runs on LAN Base software.  WS-C2960-24PC-S means it's running a cut-down version of the LAN Base software called LAN LITE (aka LAN Cr@p).  You really, really don't want to invest in the latter.  
    Cisco Catalyst 2960 LAN Base switches have several advantages: 
    • Gigabit Ethernet connectivity in 8-, 24-, and 48-port configurations 
    • RPS support and support for a wide range of SFP transceivers 
    • Enhanced security through Layer 2-4 access control lists (ACLs), DHCP Snooping, and more extensive Network Admission Control capabilities such as Web authentication and 802.1x enhancements
    • Additional QoS capabilities: The LAN Base IOS supports policing, class and policy maps, differentiated services code point (DSCP), AutoQoS, and configurable queue weights, buffers, and thresholds 
    • Higher network-level availability with features such as Flex Links and Link State Tracking 
    • Increased number of VLANs (256) and other enhancements such as IPv6 Host, MLD Snooping, LLDP-MED, RSPAN, MVR, DHCP Option 82, and IP SLA (responder)

  • Deploying Cisco Overlay Transport Virtualization (OTV) in Data Center Networks

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to plan, design, and implement Cisco Overlay Transport Virtualization (OTV) in your Data Center Network with Cisco experts Anees Mohamed Abdulla and Pranav Doshi.
    Anees Mohamed Abdulla is a network consulting engineer for Cisco Advanced Services, where he has been delivering plan, design, and implementation services for enterprise-class data center networks with leading technologies such as vPC, FabricPath, and OTV. He has 10 years of experience in the enterprise data center networking area and has carried various roles within Cisco such as LAN switching content engineer and LAN switching TAC engineer. He holds a bachelor's degree in electronics and communications and has a CCIE certification 18764 in routing and switching. 
    Pranav Doshi is a network consulting engineer for Cisco Advanced Services, where he has been delivering plan, design, and implementation services for enterprise-class data center networks with leading technologies such as vPC, FabricPath, and OTV. Pranav has experience in the enterprise data center networking area and has carried various roles within Cisco such as LAN switching TAC engineer and now network consulting engineer. He holds a bachelor's degree in electronics and communications and a master's degree in electrical engineering from the University of Southern California.
    Remember to use the rating system to let Anees and Pranav know if you have received an adequate response.  
    Because of the volume expected during this event, Anees and Pranav might not be able to answer each question. Remember that you can continue the conversation on the Data Center, sub-community forum shortly after the event. This event lasts through August 23, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hi Dennis,
    All those Layer 2 extension technologies require STP to be extended between Data Centers if you need to have multiple paths between Data Centers. OTV does not extend STP; rather, it has its own mechanism (AED election) to avoid loops when multiple paths are enabled. It means any STP control plane issue, we don't carry to the other Data Center.
    OTV natively suppresses Unknown Unicast Flooding across the OTV overlay. Unknown unicast flooding is a painful problem in a layer 2 network and difficult to troubleshoot to identify the root cause if you don't have a proper network monitoring tool.
    It has ARP optimization which eliminates flooding ARP packets across Data Centers by responding locally with cached ARP messages. One of the common issues I have seen in Data Centers is some server or device in the network sending continuous ARP packets which hit the Control plane in the Aggregation layer, which in turn causes network connectivity issues.
    The above three points prove the Layer 2 domain isolation between data centers. If you have redundant Data Centers with Layer 2 extended without OTV, the above explained layer 2 issue which happens in one Data Center carries the same failure to the second data center, which creates the question of what is the point of having two different Data Centers if we cannot isolate the failure domain.
    OTV natively supports HSRP localization with a few command lines. This is a very important requirement in building an Active/Active Data Center.
    Even though your question is related to L2TP, OTV deserves the comparison with VPLS and those comparisons will also be applicable for L2TP. The below link explains in detail...
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white_paper_c11-574984.html
    Thanks,
    Anees.

  • How to fix Personal Hotspot

    Hey all,
    If like many people you're having problems connecting to Personal Hotspot (especially from an iPad) read up!
    I was getting really frustrated with connecting my iPad to my 4S via Personal Hotspot. After a fresh boot of the phone it would work as expected but if the connection was terminated (say by switching hotspot off and on) or after the two hadn't been connected for a while it got into this state where I could see and connect to the hotspot but it would drop a few seconds later then try again over and over.
    After a lot of experimenting I finally figured out that there seems to be a pretty serious bug in the hotspot's DHCP server. AP discovery and WPA authentication work great but in this weird state the iPhone will not give the connecting device an IP. The only solution to fix the DHCP server is to reboot the phone.
    To avoid having to constantly reboot the phone, you need to give the connecting device a static IP address. This gets around the DHCP issue.
    For the less technically inclined, here's how to do that with an iPad:
    - Reboot your phone and connect to the hotspot as usual and ensure the connection works
    - On the iPad go to Settings - WiFi and tap the arrow to the right of your iPhone's name
    - Write down all the values you see under the DHCP tab
    - Tap the Static tab
    - Enter in the same values you just wrote down
    - Hit "WiFi Networks" at the top to go back
    The iPad will now reconnect using the same settings as DHCP would have given it, but without relying on the broken DHCP server. Subsequent connections will use this same information too. This is also faster than having the iPad wait for DHCP to respond so it's not a bad idea even if yours usually works.
    Optional extra: Instead of using whatever DNS values the DHCP server (and by extension your mobile data ISP) gives you, use OpenDNS IP's instead. This will speed up YouTube due to their partnership with Google and prevent your ISP from tracking your web usage via DNS interception. To do this enter the following into the DNS field under the Static tab: 208.67.222.222,208.67.220.220 (note the comma)
    Cheers,
    Graham

    I found this happened to my iPad 1 and nothing seemed to resolve the problem... But I found a way around this quite easy: 1. Turn on personal hotspot on your iPhone or whatever phone you may have that has this feature. 2. Turn on Bluetooth on your phone and your iPad. 3. Search devices on your iPad and find your phone through the Bluetooth feature. 4. Now connect the 2 devices and your phone will start to flash "personal hotspot connection"
    Your iPad in fact does not even need a personal hotspot icon anymore to connect to your phone, it's all done through Bluetooth anyway. The only downside is that you will not be able to connect the 2 devices via wifi, which you could do after the 5.1.1 update, but at least you can still tether your 2 devices and enjoy internet on your iPad without needing a 3G sim version of iPad. Hope this helped

  • Data Centre Interconnection - firewall and load balancer deployment

    Hi all,
    I've read lots of Cisco docs/white papers on DCI - Layer 2 extension between DCs, but as yet I cannot find any decent information on how best to deploy firewalls and load balancers in such a design. I've seen refs to FHRP isolation on Nexus 7k (and possible 6k if you use DCI block) but nothing on the services elements.
    The services element seems to be a complete minefield here:
    - active/standby across sites, or deploy resilient pairs in each site?
    - how to align optimal traffic flows inbound and outbound (RHI, SNAT, etc.)
    - best practice suggestions ideally.
    Cisco DCI docs seem to always gloss over the fact that most customers would have to deal with firewalls and load balancers here, and simply refer to 'coming soon' for that info.
    If anyone has any good suggestions/links to docs explaining detailed implementation info, it would be much appreciated
    Thanks
    Phil

    You might want to check out this new product called ITD.
    Simple and faster solution:
    ITD provides :
    ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
    No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
    Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
    Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
    IP-stickiness
    Resilient (like resilient ECMP)
    VIP based L4 load-balancing
    NAT (available for EFT/PoC). Allows non-DSR deployments.
    Weighted load-balancing
    Load-balances to large number of devices/servers
    ACL along with redirection and load balancing simultaneously.
    Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
    Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
    Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
    The servers/appliances don’t have to be directly connected to N7k
    Monitoring the health of servers/appliances.
    N + M redundancy.
    Automatic failure handling of servers/appliances.
    VRF support, vPC support, VDC support
    Supported on both Nexus 7000 and Nexus 7700 series.
    Supports both IPv4 and IPv6
    N5k / N6k support : coming soon
    Blog
    At a glance
    ITD config guide
    Email Query or feedback:[email protected]

  • Archiso in vbox, depmod after every reboot

    Hello Archers,
    I have a question that I have not been able to solve on my own. I build my own iso with archiso. A little while back I decided to replace vbox for qemu. Now I want to use vbox, installed it and it is working, but every time I start the iso through vbox, I have to run depmod first, then restart the systemd-modules-load, log out of X, log back in and there I have all the vbox modules (vboxguest etc.) working.
    I thought depmod.service was static, but I created a systemd service file for it, no success.
    The guest-utils/modules, extensions and guest-iso packages are installed
    Vbox is started through a very standard 'xdg' desktop file, '/etc/xdg/virtualbox.desktop'
    [Desktop Entry]
    Type=Application
    Encoding=UTF-8
    Version=1.0
    Name=vboxclient
    Name[C]=vboxclient
    Comment[C]=VirtualBox User Session Services
    Comment=VirtualBox User Session Services
    Comment[it]=Servizi di sessione utente di VirtualBox
    Comment[pl]=Usługi sesji użytkownika VirtualBox
    Exec=/usr/bin/VBoxClient-all
    X-GNOME-Autostart-enabled=true
    X-KDE-autostart-after=panel
    And /etc/modules-load.d/virtualbox.conf
    vboxguest
    vboxvideo
    vboxsf
    No systemd service file and no 'VboxClient-all' in xinitrc.
    This has worked since I first built this ISO, over a year ago.
    Am I overlooking something, or is this way not possible anymore?
    These I tried, none solved it:
    depmod.service I got from https://github.com/lucasdemarchi/system … od.service.
    # This file is part of systemd.
    # systemd is free software; you can redistribute it and/or modify it
    # under the terms of the GNU General Public License as published by
    # the Free Software Foundation; either version 2 of the License, or
    # (at your option) any later version.
    [Unit]
    Description=Updating Module Dependencies
    DefaultDependencies=no
    Before=sysinit.target systemd-modules-load.service vboxservice.service
    After=remount-rootfs.service
    Requires=remount-rootfs.service
    [Service]
    ExecStart=/usr/bin/depmod -a
    Type=oneshot
    vboxservice.service
    [Unit]
    Description=VirtualBox Guest Service
    ConditionVirtualization=oracle
    After=depmod.service
    [Service]
    ExecStartPre=/usr/bin/modprobe vboxguest
    ExecStartPre=/usr/bin/modprobe vboxvideo
    ExecStartPre=/usr/bin/modprobe vboxsf
    ExecStart=/usr/bin/VBoxService -f
    [Install]
    WantedBy=multi-user.target
    xinitrc
    VBoxClient-all

    I'm having the same problem; looking through this forum I found another thread that I think is related.
    See 'http://discussions.apple.com/thread.jspa?threadID=1426843&tstart=0'
    Extract of what I believe is the solution. Please note that I have not yet had the chance to test this.
    "Hi I was having the same problem & just worked it out. Maybe this will work for you - If you open your harddrive window, you should see <name> Time Capsule on the left under Shared. Do you also have Macintosh-######### & If you click on it is it trying to connect or failed connection? This was my clue. It sees Time capsule as a Shared Disk.
    Go into System Preferences, then Sharing - If the Computer Name is blank - type in the <name> that was before the word Time Capsule. You may also need to turn file sharing ON if its not. Now go up to the Time Machine logo in the Menu Bar & Start Back Up.
    By the way you might try hard wiring the Time Capsule w/ ethernet cables & turning off Airport the first time you back up. I've been on Tech Support with my TC 4+ hours between last night & today & this one I got myself.
    Hope that helps. If it works pass it on."

  • Does CSR 1000v support HA feature & how?

    Does CSR 1000v support HA feature?
    I noticed that the redundancy command is supported in configuration mode, but neither sso/ha mode can be configured,
    Router(config-red)#?
    Redundancy configuration commands:
      default   Set a command to its defaults
      exit      Exit from redundancy configuration mode
      main-cpu  Enter main-cpu mode
      mode      redundancy mode for this chassis
      no        Negate a command or set its defaults
      timer     Select a timer to configure
    Router(config-red)#mode ?
      none  no redundancy
    Router#show platform 
    Chassis type: CSR1000V            
    Slot      Type                State                 Insert time (ago) 
    R0        CSR1000V            ok, active            00:18:57      
    F0        CSR1000V            ok, active            00:18:57      
    Is it possible to enable HA feature in csr1000v?
    I noticed that at startup, R1 was inserted, but not online, and was in disabled state.

    Alan,
    HA provided across a network segment within AWS is not a simple solution due to the restrictions that they place on the L2 segments.  As an example, here is Amazon's suggestion for NAT HA:
    http://aws.amazon.com/articles/2781451301784570
    With that said, we're working on documenting a solution that will work around some of the restrictions through overlaid connections.  At a high level, one way that you can do this is with a couple of CSR1000Vs connected via a GRE tunnel over their Amazon segment.  You then would have to setup BFD and configure an EEM script to watch for a peer down event.  This script would then have to modify the AWS VPC Routing table (the VPC gateway) so that the hosts use the appropriate CSR as an exit point.  The unfortunate piece is that from the CSR1000V we cannot call the AWS API directly so this requires use of a second EEM script to SSH to a helper VM and execute the AWS VPC commands.  Hopefully within the next couple of weeks we will have a configuration guide to step through the individual components, as there are many moving parts.  At a high level this solution was presented in the Cisco Live session BRKARC-2023 around slides 35-40 (Session PDF) are some of the network diagrams and an example of the EEM script.  
    With that said, another solution that you might consider is Cisco InterCloud:
    http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/InterCloud/InterCloud/Cirrus_2.html
    This allows for a secure Layer 2 extension from your data center into the public cloud which could remove some complexity in dealing with the AWS infrastructure.  This solution is not one that would be for the one off, single CSR type deployment, however if you are looking at scale it could be a good alternative.  
    As for TAC support with the Advanced License, this is the hourly paid model that we have within Amazon.  Support for this type of licensing is currently only offered through the support forum, however we are looking at other options that could allow direct TAC engagement on a case by case basis rather than a term license.  Depending on where you are at with regards to your deployment it may be appropriate to engage your Cisco Account Team to help determine which solution is best for you.  I can help track them down if you want to send me a private message.
    -Nick

  • ASA ESP Packet discard messages

    Dear All,
    we have a L2L tunnel between ASA 8.2.5 to Cisco Router. Recently we see tunnel is going down and shows messages in ASA about ESP packet discard. Below is the message.
    %ASA-7-710006: ESP request discarded from x.x.x.x to outside_int:x.x.x
    At the same time from router the tunnel shows up but ASA not. We see CSCso50226 which matches exactly with our issue.
    As a workaround we were resetting tunnel from router. It comes up and runs for a week.
    Please someone look into this and help.
    Regards,
    Ravi

    Hi Ravi,
    8.4 is great, don't let the NAT change scare you off too much, and 8.2 was really buggy.
    I guess this raises further questions: if your tunnel goes down once a week, is it the same length of time? And does this relate to the timings set on either end in the configuration?
    When the tunnel goes down, is it at a quiet time? And have you tried using a test ping/rtr/sla to keep the tunnel up?
    The site below identifies the syslog messages and yours makes me think something's not right. Do you have the sysoptions enabled or are you using ACLs to limit who can connect to the appliance as a vpn peer? If you have ACLs, have you included IP 50?
    http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html
    710006
    Error Message    %ASA-7-710006: protocol request discarded from source_address to
    interface_name:dest_address
    Explanation This message appears when the adaptive security appliance does not have an IP server that services the IP protocol request; for example, the adaptive security appliance receives IP packets that are not TCP or UDP, and the adaptive security appliance cannot service the request.
    Recommended Action In networks that use broadcasting services such as DHCP, RIP or NetBIOS extensively, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.
    Best Regards
    Ju
    http://helpamunky.wordpress.com/

  • IOS VPN access from handheld devices

    hi
    Has someone here configured VPN access from handheld devices on a router?
    Really, I don't know where to start!

    You must select one of the following modes of operation when you enable the PIX Firewall as an Easy VPN Remote device:
    Client mode: In this mode, VPN connections are initiated by traffic, so resources are only used on demand. In client mode, the PIX Firewall applies Network Address Translation (NAT) to all IP addresses of clients connected to the inside (higher security) interface of the PIX Firewall. To use this mode, you must also enable the DHCP server on the inside interface, as described in "Using the PIX Firewall DHCP Server."
    Network extension mode: In this mode, VPN connections are kept open even when not required for transmitting traffic. This option does not apply NAT to any IP addresses of clients on the inside (higher security) interface of the PIX Firewall.
    In network extension mode, the IP addresses of clients on the inside interface are received without change at the Easy VPN Server. If these addresses are registered with the Network Information Center (NIC), they may be forwarded to the public Internet without further processing. Otherwise, they may be translated by the Easy VPN Server or forwarded to a private network without translation.
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72d.html

  • IPad 2 constantly drops WiFi connection when tethered to iPhone via Hotspot

    I have a wifi only iPad 2 that I tether to my iPhone 4 via the personal hotspot. The iPhone and the iPad are constantly being separated throughout the day and my problem is that when the iPad gets back in range of the iPhone hotspot it won't reconnect at all! In fact the iPad no longer sees the iPhone as a wifi option in the network list even though the iPhone hotspot is running just fine (other devices can still see and connect to the iPhone hotspot)
    I have to turn off the iPhone hotspot, wait 2 seconds and then turn it back on. Then the iPad sees the hotspot again and connects.
    Also if I turn the auto lock off on the iPad so that it never locks, then it will reconnect to the iPhone hotspot just fine. But the problem with turning auto lock off is that the screen has to stay on all day!
    There is obviously something wrong that is happening when the iPad locks. It drops the wifi connection and then does not reconnect when I turn the screen back on.
    Is there anything I can do to make sure the iPad reconnects to the hotspot whenever I get back in range without having to keep it on all the time?
    Message was edited by: dawgma

    I found this post on another thread and tried it for tethering my iPad 2 to my iPhone 4 and so far it's worked great. Good luck!!
    jlchatelain
    Re: iphone 4s - HOTSPOT - WILL NOT STAY CONNECTED
    Mar 13, 2012 1:20 PM (in response to coalxman)
    I have been having that problem for 6 months and my IT guy finally found a solution by mining the web. I don't know the source of the answer to give credit but it works !
    Text of blog posting below:
    It does, thanks! I was getting really frustrated with connecting my iPad to my 4S via Personal Hotspot. After a fresh boot of the phone it would work as expected but if the connection was terminated (say by switching hotspot off and on) or after the two hadn't been connected for a while it got into this state where I could see and connect to the hotspot but it would drop a few seconds later then try again over and over.
    After a lot of experimenting I finally figured out that there seems to be a pretty serious bug in the hotspot's DHCP server. AP discovery and WPA authentication work great but in this weird state the iPhone will not give the connecting device an IP. The only solution to fix the DHCP server is to reboot the phone.
    That being the case, grasshoppertrekker's advice is bang on - you need to give the connecting device a static IP address. This gets around the DHCP issue.
    For the less technically inclined, here's how to do that with an iPad:
    - Reboot your phone and connect to the hotspot as usual and ensure the connection works
    - On the iPad go to Settings - WiFi and tap the arrow to the right of your iPhone's name
    - Write down all the values you see under the DHCP tab
    - Tap the Static tab (or Manual)
    - Enter in the same values you just wrote down
    - Hit "WiFi Networks" at the top to go back
    The iPad will now reconnect using the same settings as DHCP would have given it, but without relying on the broken DHCP server.
    Optional extra: Instead of using whatever DNS values the DHCP server (and by extension your mobile data ISP) gives you, use OpenDNS IP's instead. This will speed up YouTube due to their partnership with Google and prevent your ISP from tracking your web usage via DNS interception. To do this enter the following into the DNS field under the Static tab: 208.67.222.222,208.67.220.220 (note the comma)
