DHCP relay issues - WLC4400 series

Similar Messages

• NAC.OOB.L2.Real IP GW.dhcp-relay issue.

  Hello.
  I have CAM (manager) which is configured as L2 OOB real-ip gateway. central deployment.
  ethernet 0 (trusted) is L3. (ip add x.x.x.x)
  ethernet 1 (untrusted) is .1q and several authentication vlans (a,b,c,d) are connected to it.
  of cause managed subnets are configured for auth vlans on eth1.
  Manager is configured as dhcp-relay.
  Is it ok that manager changes dhcp packets to the dhcp server so that it's ethernet 0 ip address (x.x.x.x) becomes the source address of the requests to the dhcp server?
  how can dhcp server recognize auth vlan a from auth vlan b if all packets have the single source (x.x.x.x)???
  Where could be my mistake?
  Regards

  Hello varnavsky!
  You have to configure vlan mapping (at the CAM) for all authentication vlan! After the authentication and posture validation, the NAC client won't give a new IP address, so the client has to have an IP address from the proper access vlan. When you configure these vlan mappings CAS always acquire an IP address from the proper range.
  By(e) Miki

• SGE2000 DHCP Relay Issue

  I am looking for some help with DHCP Relay on a SGE2000 switch.
  I have configured two VLANs on the switch, VLAN2 (192.168.10.x/24) and VLAN3 (192.168.9.x/24). I have the switch in Layer 3 mode. I have configured the DHCP relay server of 192.168.10.4 and the DHCP Interfaces as VLAN3. All of the IP Static Routes were generated by the switch.
  If I put a client computer on a port that is Untagged VLAN 3 and try to get a DHCP address from the server on an Untagged VLAN 2 port I never get a response back.
  I have done some packet captures and here is what I have found:
  I see the DHCP broadcast on the client computer
  I see the DHCP Request on the DHCP server coming from the IP assiged to the switch on VLAN 3 (192.168.9.254)
  I see the DHCP server respond with a DHCP Offer
  The DHCP offer never gets to the client computer
  I can't seem to get a DHCP address to any system not on the same VLAN as the DHCP server. Option 82 is disable and I did try enabling it, which made no difference.
  Any help would be great.
  Thanks,
  Phil

  Hi phil,
  Have you created a static route on the DHCP server that points back to the 192.168.9.0/24 network.
  The gateway for that network,  from the DHCP relay servers perspective,  is the VLAN2 IP address of the SGE2000 switch.
  i would think that if you tried to ping the VLAN3 switch  IP address from the DHCP server now,  you will not get a reply.
  When you create a static or persistant route in the DHCP server,   you then should be able to ping VLAN3 IP address of the switch.
  regards Dave

• 3000 series and Multiple DHCP scopes (DHCP-relay)

  I need to send different DHCP options to users; however, I need to put certain groups in different subnets. Is it possible to setup the concentrator to relay for addresses from different scopes?

  - Configuration
  - System
  - IP Routing
  - DHCP Relay
  a. Enable 'Enabled' checkbox
  b. Select Forward to
  c. Address == 192.168.10.8 255.255.255.0
  - Address Management
  - Assignment
  a. Enable 'Use DHCP'
  - User Management
  - Groups
  - Select 'groupA'
  - Modify Group
  - Click General tab
  - Enter 'DHCP Network Scope' x.x.x.x
  - Select 'groupA'
  - Remove Address Pool
  Now I get the following error:
  118 02/08/2005 13:29:00.720 SEV=3 DHCPDBG/39 RPT=34
  DHCP discover timeout: no response from polled servers (xid 3821297335)
  I can ping the server, and it is serving up this scope to other devices (just not from the concentrator)

• ASA 5512-X - VPN & local clients DHCP relaying (DHCP Proxy vs. DHCP Relay conflict)

  Hey all,
  I have ASA-5512-X serving as general firewall/router. It also serves as AnyConnect SSL VPN gateway (webvpn).
  It has ~10 VLANs connected over 1 trunk port. One of the VLANs has DHCP server that shall serve all the VLANs (192.168.16.2).
  I'm trying to have the ASA relay DHCP requests from all VLANs to the DHCP server and to also serve VPN clients.
  However, according to bug https://tools.cisco.com/bugsearch/bug/CSCsd22469 both DHCP Proxy (webvpn) and DHCP Relay (local interfaces) can't be enabled at the same time.
  As VPN clients connect to the same VLANs as local users (eg. VLAN 2 - 192.168.2.0/24) I want to have the very same DHCP server serving both, otherwise it's gonna become a mess.
  Note: if I configure DHCP Relay functionality and disable DHCP Proxy - local clients are served fine. If I configure DHCP Proxy (webvpn) and disable DHCP Relay VPN clients are served fine. I therefore consider setup to be correct, just the ASA limitation won't allow me to make it serve both.
  Can DHCP Relay also serve VPN clients (no DHCP Proxy enabled)? did I miss something?
  Thanks!

  Hi,
  The only workaround for this issue is to configure the ASA itself to act as DHCP server for vpn clients. You also have the flexibility of using local pool and AAA server. Why exactly do you want to use the same DHCP server for both?
  AM

• DHCP Relay Cisco SG500X

  Hi, 
  I've create 2 vlan in a cisco SG500X-24 and a DHCP server on vlan 2. I just want to dhcp server assign ip to devices on vlan 3. I've configured the vlan and dhcp server relay commands.
  ip dhcp relay address 192.168.1.11
  ip dhcp relay enable
  ip dhcp information option
  interface vlan 2                                      
   ip address 192.168.1.250 255.255.255.0
  interface vlan 3
   ip address 192.168.51.254 255.255.255.0
   ip dhcp relay enable
  The dhcp server gets the request from pc, and sends a new address, but the offer packet not comes to device. With Wireshark a see like offer dhcp packet can't jump to vlan 3.
  It's the first time a work with SMB series, and this never happens with catalyst. I'm turning crazy.
  Anyone can help me? Thank you in advances.
  Victor.

  Hi,
  Yes, also I configured ip dhcp relay on intefaces.
  Yesterday I found the trouble. I was using the tftpd32 dhcp server, and I tested with a Windows DHCP server and everything works like a champ. I didn't know what have do, and i turned crazy, so I began to change every element on solution, finally the DHCP server that it was the key.
  Thank you so much for your answer.
  KR!

• WRVS4400Nv2 DHCP Relay on 2nd VLAN

  Hi,
  Here's what I'm trying to figure out:
  My network is set up such that I have a Wireless Network in VLAN 1, which is the primary network that we use.  The subnet is 10.5.1.x.
  My goal is to set up a completely isolated Guest Wireless Network, however it would work best.  What I am trying to do now is I created a seperate VLAN (VLAN 2, IP range 10.5.2.x) and turned on DHCP on the WRVS4400N.  However, in the Guest Network, it is always picking up a 10.5.1.x IP which is handed out by the DHCP server (10.5.1.5, Win 2003) and still routing all of the traffic to/from our private network.
  Here's What I have set:
  Wireless>Security Settings>Guest Network (SSID 2)
  Wireless Isolation (between SSID w/o VLAN): Enabled
  Wireless Isolation (within SSID): Enabled
  Setup>LAN>VLAN 1
  Router IP 10.5.1.1, WLAN IP 10.5.1.3
  DHCP Relay for 10.5.1.5
  Setup>LAN>VLAN 2
  Router IP 10.5.2.1
  DHCP Enabled for 10.5.2.x subnet
  DHCP Relay option is grayed out (not sure why)
  Setup>Advanced Routing
  Inter-VLAN Routing: Disabled
  Any way to solve this would be fine.  I just do not want traffic routing through our internal network.  Ideally, if I could get the Windows server to hand out 10.5.2.x addresses, that would be perfect, but I'm not sure how to configure it for such. 
  If anyone has any ideas, that'd be great- thanks!
  Matt

  Yes...here's an answer I got from Cisco's Engineering support:
  The issue you reported is a know issue.
  Engineering and development are aware of this issue, and have provided  the following information:
  PROBLEM DESCRIPTION:
  If the WRVS4400N is configured with multiple VLANs, and these VLANs are  mapped to different SSID, the user cannot use an external DHCP server to  provide IP scopes for these VLANs.
  Hosts connected to both SSID will obtain IP address from native DHCP  server only.
  The workaround for this is to use the embedded DHCP server for all VLANs  defined on the WRVS4400N.
  Note: This is not considered a bug but rather a product limitation. The  developer has confirmed the WRVS4400N is functioning as designed.
  Regarding a fix:
  Due to wireless and trunk switch port using different chip set, it is  not possible to provide a fix for this issue.
  In future product, Engineering & Dev teams will strive to use the  same chip set (same vendor). 
  This functionality has been targeted for next new Product.  No fix will  be made on the current hardware. 
  Note: If this feature/function is mission critical to your deployment,  and you would like to recover the cost of the WRVS4400N, please forward  the serial number and a copy of the proof of purchase, and we will  gladly provide a refund.
  Best regards,
  Alex Delano

• PXE with IP Helpers/DHCP Relay

  I'm a Sysadmin and I have a question about what is best practice in regards to PXE servers. We are currently using DHCP Options for PXE clients (options 66,67). This works for most clients but is not the recommended method from either of the vendors we have used (Microsoft or Symantec). They recommend using IP Helpers / DHCP relay to forward the DHCP discover request to the PXE servers so that the PXE server is getting the actual request. This is more of an issue now with UEFI-based machines where the boot file would be different based on if the client is UEFI.
  My Network team is against using IP Helpers and thinks it can cause issues. This doesn't seem to make much sense to me, as from what I understand, all that happens is both the DHCP server and the PXE servers get the DHCP discover and respond with their relevant info. Can someone clarify what, if any, issues there are using multiple IP helpers/DHCP relay with PXE Servers like SCCM & Altiris? Is this not standard practice?

  It's very common to use DHCP relays (IP helpers) in order to centralize DHCP infrastructure. Larger organizations will frequently use this approach in order to avoid having to manually edit DHCP configurations at the router or switch level. Having a few servers with a central DHCP configuration for all segments is a good management proposition.
  In most environments, there isn't a problem with doing this, but it is a major architectural consideration and not something you just turn on without consideration. This is largely because DHCP works on a broadcast principle. The clients are going to broadcast for the first DHCP server that answers with an acceptable offer, which they will take. If you have a mixture of local DHCP servers and relays, the local servers will respond faster and may not provide the configuration you want to deploy... at best. At worst, you will have a mix of acceptable responses and a lot of potential for conflicting addresses. On any network segment where you're using DHCP relays, the local server needs to be disabled.
  It might be worthwhile going back to your network team and asking what sorts of "issues" that they feel the implementation of DHCP relays would cause. There may be something unique to your environment that makes them reluctant to pursue this approach.

• Sonicwall DHCP relay not working

  I recently set up a new vlan and am trying to get the dhcp server on the existing vlan to issue IPs.  I have no trouble getting dhcp working with the sonicwall as the server, but I can't get it to pass it along to the actual server.  I've set up the IP of the server as a trusted DHCP relay host but I don't see anything in the logs for the relay for the test host on the vlan. I tagged the port the server is connected to for the new vlan so I'm lost as to why it isn't working. DNS also isn't working using that server for the lookup.  I am able to ping it by IP though. I'm sure it's something simple I'm missing but vlans are new to me so I'm still learning.
  This topic first appeared in the Spiceworks Community

  I recently set up a new vlan and am trying to get the dhcp server on the existing vlan to issue IPs.  I have no trouble getting dhcp working with the sonicwall as the server, but I can't get it to pass it along to the actual server.  I've set up the IP of the server as a trusted DHCP relay host but I don't see anything in the logs for the relay for the test host on the vlan. I tagged the port the server is connected to for the new vlan so I'm lost as to why it isn't working. DNS also isn't working using that server for the lookup.  I am able to ping it by IP though. I'm sure it's something simple I'm missing but vlans are new to me so I'm still learning.
  This topic first appeared in the Spiceworks Community

• SG300 won't insert option82 during DHCP relay

  Hey guys, anyone having trouble getting an SG300 series switch to insert option82 information? I have DHCP relay working successfully between two VLANs, however, I would like to identify where the client is connected in order to set their routing preferences optimally.
  switch-20-0#show ip dhcp relay DHCP relay is EnabledOption 82 is EnabledMaximum number of supported VLANs without IP Address is 256Number of DHCP Relays enabled on VLANs without IP Address is 1DHCP relay is not configured on any port.DHCP relay is enabled on Vlans: 20Active: 20Inactive: Servers: 192.168.0.2
         I have to missing something simple. Any help, or even "hey did you try" type answers very much appreciated!

  http://www.cloudshark.org/captures/f1dbc2e0e9a6
  I had already done this at some point, but I tried again this morning after a cup of coffee. At some point this started working!
  Now I just need Dnsmasq to recognize this info!

• Windows DHCP Server and Linux DHCP Relay Agent

  We are trying to organize a VLAN (say VLAN 1) for guests who must be assigned IP addresses from a DHCP server in a different VLAN (VLAN 2). This DHCP server is configured with two scopes - 172.16.0.0/24 (for VLAN 2) and 172.16.4.0/24 (for the Guests
  VLAN 1). The DHCP server successfully distributes addresses to clients in its VLAN (it has the IP address 172.16.0.2). For the clients in the other VLAN a DHCP Relay Agent has been setup on the router. It is DHCRELAY running on Linux (CentOS) which has
  been configured to accept the DHCPDISCOVER broadcasts coming on the VLAN1 interface of the router and forward these to the DHCP server. The IP address of the VLAN1 interface of the router is 172.16.4.254 and on the VLAN2 interface - 172.16.0.254
  The problem is that the DHCP server won't respond with a DHCPOFFER message to the relay agent. I have traced the frames on the router and on the DHCP server. They arrive on the DHCP server with the correct GIADDR of the relay agent. According to all documentation,
  if a scope has been configured on the DHCP server and it receives a unicast message with the GIADDR set by a relay agent that matches one of the configured scopes, the DHCP server must send a unicast DHCPOFFER to the relay agent. But it doesn't.
  Here is what Wireshark reports (ignore the Destination port unreachable messages, the DHCP service was stopped at the time Wireshark was running)
  When the service is running, there are just DHCPDISCOVERs - no OFFER. You can see that the server has the two scopes configured:
  The relay agent seems to work normally - it forwards the DHCPDISCOVERs to the server continuously (tried many times with ipconfig /renew on the client).
  I read many posts about this problem. Some users had other services running on the DHCP server that used the DHCP port, but I don't have such an issue (you see that when the service is stopped, an ICMP port unreachable is sent which is correct). Others however
  did not find a solution. Am I missing something? Is there something specific when using the DHCRELAY agent from DHCPD? Can I turn on some verbose logging to track this down? Thanks in advance.

  WIth DHCP, there is really nothing to configure. If the Relay Agent/IP Helper is pointing to it, and the VLAN subnet exactly matches the scope subnet, then it should just work.
  What I've seen in the VLAN config is either a static route back to the subnet the DHCP server itself is sitting on is not configured or incorrectly configured, or there are ports blocked (need UDP, too, since that's what DHCP uses to pass the OFFER), and
  other necessary ports are opened, then it should just work.
  Sometimes NIC teaming on the DHCP server will cause it. Not sure. Microsoft doesn't support teaming prior to Windwos 2012, but it doesn't mean that it doesn't work. Don't get me wrong, teaming works nicely, but they just don't support it because they never
  certified the drivers, that's all.
  The issues I've seen with DHCP relays and VLANs in the forums are usually based on misconfigs in the VLAN or ports blocked. Sometimes we'll refer to call Microsoft Support for specific, hands-on assistance. And searching the threads, from what
  I've found that if they did call support, they've never posted back what the problem was based on or the resolution. I can post a couple of them for you to read through, but there were never any response with the actual resolution.
  If you like, you also have the option to contact Microsoft Support. Here's a list of phone numbers if you choose this option:
  http://support.microsoft.com/contactus/
  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
  This post is provided AS-IS with no warranties or guarantees and confers no rights.

• DHCP lease issue for PPPoA sessions when using external DHCP server

  We used to use the Cisco 7206VXR's DHCP server to hand out leases, and when we lost several hundred customers on a link, the router was able to get them up and connected with an IP address within minutes.
  We switched over to using an external DHCP server so we could have more control over some extended DHCP options, as well as to aggregate all our DHCP traffic. Now, if we lose 100 DSL customers all at once, it takes 90 minutes for them to come up again. They come in a few at at time, until all 100 are back.
  We see waves of RADIUS auth's in our RADIUS log (RADIUS has always been handled externally, so nothing changed there), and continuous streams of DHCP requests come in and DHCP offers go out. What seems to be happening is that a whole bunch of modems auth with RADIUS, request IP addresses, but for whatever reason, timeout when they don't all get their lease, drop the connection, and retry the whole process all over again. We purchased a dedicated DHCP server, thinking that was the bottleneck, but performance is about identical.
  Here's our config:
  interface Virtual-Template1
  ip unnumbered Loopback11
  ip helper-address a.b.c.d
  peer default ip address dhcp
  ppp authentication pap
  ppp ipcp dns a.b.c.d e.f.g.h
  ppp ipcp unique-address
  My questions are:
  - is there any performance issue with using an external DHCP server and PPPoA
  - is there anything in our config that would cause such delays
  Frank

  GP:
  No, the DHCP server is not across a WAN link; there is only a 10/100 switch in between the router and the DHCP server. There are no dropped packets on the interface.
  I ended up opening a case with TAC about this issue. While I had the helper address configured in the template, TAC recommeneded that I specify the actual DHCP server with the command "ip dhcp-server x.x.x.x". This eliminates the DHCPBROADCAST (which I've verified). Perhaps the DHCP relay portion of the Cisco router is performed serially, instead of in parallel. By that, I mean, the next DHCPBROADCAST won't go out until there is the response for the first DHCPBROADCAST.
  I'll know in a few days when we test again.
  Frank

• Internet DHCP/DNS issues with WRT1900ac

  I've had a WRT1900ac now for about 2 weeks and the problems seem to be escalating.  Need help.  And yes, I've already read dozens of threads about these issues and nothing seems to be working.
  Most of the problems seem to be centered around this DHCP/DNS issue that so many have been reporting.
  First, the symptoms:
  Galaxy S4 phones when connected via wifi have some apps that don't update (facebook and google play)
  Some computers (both Win 7) will connect to the network just fine, both wired and wireless - but won't be able to get to the internet
  I've spent the last 2-3 days of my life reading forums and trying all sorts of things to get this to work properly (like my old router) and I'm still stuck.  Some things I've tried:
  Firmware is up-to-date (latest version: 1.1.8.164461)
  Manually assigned static DNS in router config settings (connectivity -> local network) to various combinations including the router address, 8.8.8.8, 8.8.4.4, 75.75.75.75, 75.75.76.76 (I have comcast), OpenDNS addresses, etc.  I read that the router address is not needed, so I stopped including it.
  I manually assigned IPs and DNS on the Galaxy S4 phones and that seemed to work... but also seems unnecessary.
  I've reserved DHCP addresses on the computers in question, that didn't seem to work, I also manually set DNS on one of the comupters (can't on the other... long story/not my computer) and that worked for a while and then stopped working.
  The only way to get one of the computers on the internet now is to turn on the guest network (even though the computer is hard wired to the router), connect, and then the wired network works.  No clue why this is, but my guess is that it needs the guest network for DNS, then it fails back over to the wired network.  Once that happens, I can actually turn off the wifi on the computer and everything works great... until I reboot.  Key point: I can't change any settings on that box other than entering in SSID/passphrase info for the wireless connection.  I can connect to the regular (non-Guest) wifi just fine - I just can't ever get to the internet.
  I've tried massaging DHCP settings on the router until I'm blue in the face - Static DNS, reserving DHCP addresses, hell I even put one of the computers in the DMZ to see if that would work and it still can't connect to the internet (it's worth noting that with my old router, Linksys WRT310N, the setup was literally plug-and-play - no hassle with any of this).
  I've tried countless router reboots, factory resets, turning off my modem and router for 2+ minutes, and nothing is working.
  I even read somewhere that if you modify your DHCP settings at all that the WRT1900ac stops doing DNS properly and breaks, so I even tried several "hard" factory resets and used all the default DHCP/DNS settings.  And it worked... for a few hours.
  Seriously, I'm at my wit's end.  I'm out a lot of money on this thing and it's been one headache after another.  Please help.

  I think for most people its a bad idea to hold out that hope, lol. It seems like a great piece of hardware but if you really need a router and don't want to have to 'play' with it, its probably not a good choice. I have an EA6900 that I am very happy with but it has the same restrictions as far as DNS and I really hate the idea that I am forced to use the smartwifi portal. I would really like for them to give me a choice of the old gui or the new one and let ME decide. Lots of routers to choose from out there now and new ones seem to be coming out all the time so do some reading and see if something suits you better. Good luck!

• Setting up a DHCP relay agent

  Hello,
  I'm trying to setup a relay agent for an XP client to obtain configuration through 2 routers on a VM LAB
  I have 3 Segments/subnets 1,2 and 3
  the topology is the following:
  1- server 2008 R2 AD DS DC on subnet 1 (192.168.1.0) and a DHCP server with 2 scopes
  Internal 192.168.1.0 (subnet1)
  external 192.168.3.0 (subnet 3)
  2- server 2008 R2 with RRAS installed
  Interface 1 pointing to the internal subnet1 192.168.1.0
  Interface 2 pointing to subnet2 192.168.2.0
  3- server 2003 with RRAS installed
  Interface 1 pointing to subnet2 192.168.2.0
  Interface 2 pointing to subnet3 192.168.3.0
  relay agent installed on Interface 2
  (servers/Routers 2 and 3 running RIP v2)
  4-  XP client on subnet3 (192.168.3.0) and the client trying to obtain config.
  The XP client is unable to contact the DHCP to obtain config.
  server 2003 relay agent receiving requests with no replies.
  How do i get this to work?

  Hi,
  First, let’s see how DHCP relay agent works:
  1. The DHCP client broadcasts a DHCPDISCOVER packet.
  2. The DHCP relay agent on the client’s subnet forwards the DHCPDISCOVER message to the DHCP server by using unicast.
  3. The DHCP server uses unicast to send a DHCPOFFER message to the DHCP relay agent.
  4. The DHCP relay agent broadcasts the DHCPOFFER packet to the DHCP client’s subnet.
  5. The DHCP client broadcasts a DHCPREQUEST packet.
  6. The DHCP relay agent on the client’s subnet forwards the DHCPREQUEST message to the DHCP server by using unicast.
  7. The DHCP server uses unicast to send a DHCPACK message to the DHCP relay agent.
  8. The DHCP relay agent broadcasts the DHCPACK to the DHCP client’s subnet.
  We can see in the second step, DHCP relay agent send unicast to DHCP server after receiving DHCP request. So confirm unicast communication between DHCP server
  and DHCP relay agent works fine. At least ping should be working. You can use the following commend to add the route entry.
  Add a static IP route
  http://technet.microsoft.com/en-us/library/cc757323(v=ws.10).aspx
  The result should be based on your test. If it doesn’t work it just indicates that we cannot configure another DHCP relay agent behind a relay agent.
  Hope this helps.

• DHCP Relay forwarded to Secondary when Scope is not available in Primaray

  Two ip helper-addresses (let suppose DHCPServer1 and DHCPServer2) are defined on each of the branch router, and customer want to divide the load of DHCP request on two different DHCP Servers. The propose solution by customer is to disable some scope from one DHCP Server (DHCPServer1) and define the similar scope in second DHCP Server (DHCPServer2). Does the DHCP Relay request would be forwarded to secondary server (DHCPServer2), if the scope is disabled on first DHCP Server (DHCPServer1)?

  The DHCP request is forwarded to all the addresses defined with the ip helper-address command.
  So if you have 2 ip helper-addresses then the DHCP request is sent to both at the same time by the router. First one to respond is usually the one accepted by the client.
  Jon