DMZ and DHCP ????

Hi all: We have set up a DMZ off of our BM39 server. The only purpose of the DMZ is to allow a few clients relatively unencumbered internet access. We have had lots of problems with our BM proxy interfering with secure Citrix implemented by some partners we work with (hospitals).

We also have visiting review staff from drug companies, as we do many drug studies. These visitors often need internet access, and up to this point I have been placing them on our internal subnet. But I am rethinking this and am considering moving our visitors to the DMZ instead.

To do this I want to set up a DHCP server on our BM server (done) to serve up addresses for the DMZ. However, during testing the clients are not seeing the DHCP server. I suspect this is a filtering issue. I currently only have one set of filters for the DMZ, which allows all traffic from the public interface to the DMZ and back.

I am assuming the DHCP server needs a filter to allow traffic, but I have no idea what that would look like. Can you help me out? Thanks, Chris.

OK, got this working using Craig's filter book; glad to have purchased it.
(In reply to Chris <cmosentine@N0_$pam.vrapc.com>, 9/21/2009 at 11:05 AM, message <4AB75DE5.CE15.0032.0@N0_$pam.vrapc.com>.)
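As an added example (not from the thread, and not the BorderManager filter syntax the poster found in Craig's book), the following Python models what a DHCP lease looks like on the DMZ leg and why a filter written for "the DMZ subnet to the public side and back" misses it: the client sends from 0.0.0.0 to 255.255.255.255 before it has an address, and the replies come from the firewall's own DMZ address rather than from the public side. The 10.0.0.0/24 DMZ, the server address 10.0.0.1 and the stateless rule semantics are constructed.

```python
"""DHCP flows on a firewall's DMZ interface, checked against a stateless filter.

Added example, not from the thread and not BorderManager syntax. It builds the
client's DHCPDISCOVER as it crosses the wire, parses the fields a filter sees,
derives the UDP flows of a lease and reports which ones a rule set drops.
The 10.0.0.0/24 DMZ and the server address 10.0.0.1 are constructed.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

SERVER_PORT, CLIENT_PORT = 67, 68
MAGIC = b"\x63\x82\x53\x63"              # RFC 2132 magic cookie
BOOTP = "!BBBBIHH4s4s4s4s16s64s128s"     # 236-byte fixed BOOTP header
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def build_dhcp(op, msgtype, xid, mac, yiaddr="0.0.0.0", broadcast=True):
    """Minimal DHCP datagram carrying only option 53 (message type). op=1 is a
    client request, op=2 a server reply; the broadcast flag asks the server to
    answer to 255.255.255.255 because the client cannot yet receive unicast."""
    flags = 0x8000 if broadcast else 0
    zero4 = b"\0" * 4
    hdr = struct.pack(BOOTP, op, 1, 6, 0, xid, 0, flags,
                      zero4, IPv4Address(yiaddr).packed, zero4, zero4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msgtype, 255])


def parse_dhcp(raw):
    """The header fields and message type a capture on the DMZ leg would show."""
    f = struct.unpack(BOOTP, raw[:236])
    if raw[236:240] != MAGIC:
        raise ValueError("no DHCP magic cookie")
    msgtype, i = None, 240
    while i < len(raw) and raw[i] != 255:        # 255 ends the option list
        if raw[i] == 0:                           # pad option has no length
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        if code == 53:
            msgtype = raw[i + 2]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "broadcast": bool(f[6] & 0x8000),
            "chaddr": f[11][:f[2]].hex(":"), "yiaddr": str(IPv4Address(f[8])),
            "msgtype": MSG_NAMES.get(msgtype, msgtype)}


@dataclass(frozen=True)
class Flow:
    name: str
    direction: str   # "in": arrives on the DMZ interface; "out": the server sends it
    src: str
    sport: int
    dst: str
    dport: int


def lease_flows(server_ip, offered_ip, broadcast_reply=True):
    """Initial lease (RFC 2131 s4.1): the client has no address, so it sends
    from 0.0.0.0 to the limited broadcast; replies go to 255.255.255.255 when
    the broadcast flag is set, otherwise straight to the offered address."""
    reply_dst = "255.255.255.255" if broadcast_reply else offered_ip
    return [Flow("DISCOVER", "in", "0.0.0.0", CLIENT_PORT, "255.255.255.255", SERVER_PORT),
            Flow("OFFER", "out", server_ip, SERVER_PORT, reply_dst, CLIENT_PORT),
            Flow("REQUEST", "in", "0.0.0.0", CLIENT_PORT, "255.255.255.255", SERVER_PORT),
            Flow("ACK", "out", server_ip, SERVER_PORT, reply_dst, CLIENT_PORT)]


def renewal_flows(server_ip, client_ip):
    """At T1 the client renews by unicast from the address it holds."""
    return [Flow("RENEW", "in", client_ip, CLIENT_PORT, server_ip, SERVER_PORT),
            Flow("RENEW-ACK", "out", server_ip, SERVER_PORT, client_ip, CLIENT_PORT)]


@dataclass(frozen=True)
class Rule:
    """Stateless allow rule on the DMZ interface; dport None matches any port."""
    direction: str
    src_net: str
    dst_net: str
    dport: Optional[int] = None


def permitted(rule, flow):
    return (rule.direction == flow.direction
            and ip_address(flow.src) in ip_network(rule.src_net)
            and ip_address(flow.dst) in ip_network(rule.dst_net)
            and rule.dport in (None, flow.dport))


def blocked(rules, flows):
    """Names of flows no rule admits, i.e. the exceptions still missing."""
    return [f.name for f in flows if not any(permitted(r, f) for r in rules)]


DMZ_NET, SERVER_IP = "10.0.0.0/24", "10.0.0.1"
# The poster's filter, modelled on the DMZ leg: anything the DMZ subnet sends
# toward the public side, and anything addressed back to the DMZ subnet.
EXISTING_RULES = [Rule("in", DMZ_NET, "0.0.0.0/0"), Rule("out", "0.0.0.0/0", DMZ_NET)]
# What DHCP additionally needs: requests from the still-unaddressed client to the
# broadcast address, unicast renewals to the server, and replies from the server.
DHCP_RULES = [Rule("in", "0.0.0.0/32", "255.255.255.255/32", SERVER_PORT),
              Rule("in", DMZ_NET, SERVER_IP + "/32", SERVER_PORT),
              Rule("out", SERVER_IP + "/32", "0.0.0.0/0", CLIENT_PORT)]

if __name__ == "__main__":
    lease = lease_flows(SERVER_IP, "10.0.0.50")
    print("dropped by the existing filter:", blocked(EXISTING_RULES, lease))
    print("dropped after adding DHCP rules:", blocked(EXISTING_RULES + DHCP_RULES, lease))
```

Note that with the subnet-based rules alone only the broadcast legs fail; a server that answers by unicast would appear to work until a client renews after a filter change, which is why the rules above key on 0.0.0.0 and on the server's own address rather than on the subnet.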

Similar Messages

  • Guest anchor WLAN and DHCP

    Hi,
    I am trying to set up a guest WLAN using a local controller and a controller in my DMZ using the mobility-anchor configuration.
    Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
    Local Controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest" - assigned it to the management interface.
    Have tried the following with regards to DHCP on this WLAN:
         Set it to "override" and specified the DMZ controller's management interface
         Set DHCP to "assignment required" and specified the DMZ controller's management interface as the DHCP server for the local controller's management interface
         Left DHCP server blank on the local controller's management interface
    Setup the DMZ controller as the mobility anchor for the "guest" WLAN
    DMZ controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest"
    Created a dynamic interface called "guest" associated to the "guest" WLAN
    Setup mobility anchor for the "guest" interface, mobility-anchor = local controller
    Created an internal DHCP server scope and enabled it
    Have tried the following with regards to DHCP on the "guest" WLAN:
         Set DHCP to "assignment required" and specified the IP address of the controller's management interface as the DHCP server on the "guest" dynamic interface
         Set DHCP to "assignment required" and specified the IP address of the controller's "guest" dynamic interface as the DHCP server on the "guest" dynamic interface
         Set DHCP to "override" and specified the DMZ controller's management interface IP
         Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
    After all this, my client still cannot get an IP address via DHCP. I verified the client is associating to the AP.
    Any help would be appreciated.
    Thanks
    Lee

    On the DMZ controller, what is the output of "debug client <mac address of the client>"? You may also want to capture "debug mobility handoff enable" from both WLCs.
    For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC. One thing of note: the WLAN config on both the DMZ and internal must match exactly with the exception of the linked interface, otherwise you will not anchor.
    While running the debug, "show dhcp proxy"; for the WLC to be the DHCP server, proxy needs to be enabled.

  • Need help with ASA 5512 and SQL port between DMZ and inside

    Hello everyone,
    Inside is on gigabitEthernet0/1 ip 192.9.200.254
    I have a dmz on gigabitEthernet2 ip 192.168.100.254
    I need to pass port 443 from outside to dmz ip 192.168.100.80 and open port 1433 from 192.168.100.80 to the inside network. 
    I believe this will work for port 443:
    object network dmz
    subnet 192.168.100.0 255.255.255.0
    object network webserver
    host 192.168.100.80
    object network webserver
    nat (dmz,outside) static interface service tcp 443 443
    access-list Outside_access_in extended permit tcp any object webserver eq 443
    access-group Outside_access_in in interface Outside
    However... how would I open only port 1433 from dmz to inside?
    At the bottom of this message is my config if it helps.
    Thanks,
    John Clausen
    Config:
    : Saved
    ASA Version 9.1(2) 
    hostname ciscoasa-gcs
    domain-name router.local
    enable password f4yhsdf.4sadf977 encrypted
    passwd f4yhsdf.4sadf977 encrypted
    names
    ip local pool vpnpool 192.168.201.10-192.168.201.50
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 123.222.222.212 255.255.255.224 
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.9.200.254 255.255.255.0 
    interface GigabitEthernet0/2
     nameif dmz
     security-level 100
     ip address 192.168.100.254 255.255.255.0 
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    ftp mode passive
    dns server-group DefaultDNS
     domain-name router.local
    object network inside-subnet
     subnet 192.9.200.0 255.255.255.0
    object network netmotion
     host 192.9.200.6
    object network inside-network
     subnet 192.9.200.0 255.255.255.0
    object network vpnpool
     subnet 192.168.201.0 255.255.255.192
    object network NETWORK_OBJ_192.168.201.0_26
     subnet 192.168.201.0 255.255.255.192
    object network NETWORK_OBJ_192.9.200.0_24
     subnet 192.9.200.0 255.255.255.0
    access-list outside_access_in extended permit icmp any4 any4 log disable 
    access-list Outside_access_in extended permit udp any object netmotion eq 5020 
    access-list split standard permit 192.9.200.0 255.255.255.0 
    access-list VPNT_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0 
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static inside-network inside-network destination static vpnpool vpnpool
    nat (inside,outside) source static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24 destination static NETWORK_OBJ_192.168.201.0_26 NETWORK_OBJ_192.168.201.0_26 no-proxy-arp route-lookup
    object network netmotion
     nat (inside,outside) static interface service udp 5020 5020 
    nat (inside,outside) after-auto source dynamic any interface
    access-group Outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 123.222.222.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.9.200.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 192.9.200.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption aes128-sha1 3des-sha1
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2 regex "Windows NT"
     anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 regex "Intel Mac OS X"
     anyconnect enable
     tunnel-group-list enable
    group-policy SSLVPN internal
    group-policy SSLVPN attributes
     dns-server value 192.9.200.13
     vpn-tunnel-protocol ssl-client 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split
     default-domain value router.local
    group-policy VPNT internal
    group-policy VPNT attributes
     dns-server value 192.9.200.13
     vpn-tunnel-protocol ikev1 l2tp-ipsec 
     split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPNT_splitTunnelAcl
     default-domain value router.local
    username grimesvpn password 7.wersfhyt encrypted
    username grimesvpn attributes
     service-type remote-access
    tunnel-group SSLVPN type remote-access
    tunnel-group SSLVPN general-attributes
     address-pool vpnpool
     default-group-policy SSLVPN
    tunnel-group SSLVPN webvpn-attributes
     group-alias SSLVPN enable
    tunnel-group VPNT type remote-access
    tunnel-group VPNT general-attributes
     address-pool vpnpool
     default-group-policy VPNT
    tunnel-group VPNT ipsec-attributes
     ikev1 pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect netbios 
      inspect tftp 
      inspect ip-options 
      inspect icmp 
    service-policy global_policy global
    prompt hostname context 
    no call-home reporting anonymous
    Cryptochecksum:36271b5a1b9382621e14c3aa635e2fbb
    : end

    Hi Vibor. Apologies if my comment was misunderstood. What I meant to say was that the security level of the dmz interface should probably be less than 100,
    and therefore traffic could be controlled between DMZ and inside networks.
    As for the security level on the DMZ interface... that command is correct. :-)
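    Added example (Python, not Cisco tooling and not from the thread) that encodes the point of the reply: in the posted config dmz and inside both sit at security-level 100 and there is no same-security-traffic command, so no ACL can open just 1433; the fix is to lower dmz and bind an inbound ACL to it. The script parses the interface and access-group lines quoted from the config above and classifies each interface pair before and after that change. The ACL name dmz_access_in and its entries are constructed.

```python
"""Classify traffic between ASA interfaces by the default security-level policy.

Added example for the thread above, not Cisco tooling. Higher-to-lower
security traffic is allowed unless an inbound ACL is bound to the source
interface, lower-to-higher is denied unless such an ACL permits it, and equal
levels are denied unless "same-security-traffic permit inter-interface" is set.
The first excerpt quotes the poster's config; the second applies the reply's
advice (dmz below 100) with a constructed ACL named dmz_access_in.
"""
import re
from itertools import permutations

IFACE_BLOCK = re.compile(r"^interface \S+\n((?:[ \t].*\n?)+)", re.M)


def parse_asa(text):
    """Return ({nameif: level}, {nameif: inbound ACL name}, same_security_flag)."""
    levels = {}
    for m in IFACE_BLOCK.finditer(text):
        body = m.group(1)
        name = re.search(r"^\s*nameif (\S+)", body, re.M)
        level = re.search(r"^\s*security-level (\d+)", body, re.M)
        if name and level:                     # unnamed/shutdown ports carry no policy
            levels[name.group(1)] = int(level.group(1))
    acl_on = {iface: acl for acl, iface in
              re.findall(r"^access-group (\S+) in interface (\S+)", text, re.M)}
    same_sec = bool(re.search(r"^same-security-traffic permit inter-interface", text, re.M))
    return levels, acl_on, same_sec


def classify(levels, acl_on, same_sec):
    """Map every (source, destination) interface pair to how the ASA treats it."""
    result = {}
    for src, dst in permutations(levels, 2):
        acl = acl_on.get(src)
        if levels[src] == levels[dst] and not same_sec:
            result[(src, dst)] = "denied: equal security levels, no same-security-traffic"
        elif acl:                              # an inbound ACL decides, implicit deny at its end
            result[(src, dst)] = f"controlled by ACL {acl}"
        elif levels[src] < levels[dst]:
            result[(src, dst)] = "denied by default: bind an inbound ACL to " + src
        else:
            result[(src, dst)] = "open by default: no ACL on " + src
    return result


def audit(text):
    return classify(*parse_asa(text))


# Interface and access-group lines quoted from the thread's running config.
THREAD_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 123.222.222.212 255.255.255.224
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.9.200.254 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 100
 ip address 192.168.100.254 255.255.255.0
access-group Outside_access_in in interface outside
"""

# Constructed fix: put dmz below inside and bind an inbound ACL that admits only
# SQL (1433) from the web server to the inside subnet, nothing else inward, and
# leaves the DMZ's path to the outside open.
FIXED_CONFIG = THREAD_CONFIG.replace(
    " nameif dmz\n security-level 100", " nameif dmz\n security-level 50") + """\
access-list dmz_access_in extended permit tcp host 192.168.100.80 192.9.200.0 255.255.255.0 eq 1433
access-list dmz_access_in extended deny ip any 192.9.200.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", THREAD_CONFIG), ("after the fix", FIXED_CONFIG)):
        print(label)
        for pair, verdict in sorted(audit(cfg).items()):
            print(f"  {pair[0]:>8} -> {pair[1]:<8} {verdict}")
```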

  • I want to use Back to my mac. When I try to turn it on, it says "Back to My Mac may be slow because more than one device on your network is providing network services.   Turn off NAT and DHCP on one of the devices and try again." How do I fix this?

    Not sure if I am doing this right. This is my first time in the support community.
    I imagine what I put in my heading was supposed to go in here.
    I want to use Back to my mac. When I try to turn it on, it says "Back to my mac may be slow because more than one device on your network is providing network services. Turn off NAT and DHCP on one of the devices and try again. See the documentation that came with your device for information about turning off network services"
    Does anyone know how I do this? I contacted my ISP (Telus in Canada) and they did not know anything (not that they usually do).

    Why do ISPs insist upon making things so difficult for their customers?
    If you cannot get them to understand that you would prefer to use your own router over their piece of cheap junk, perhaps the information in the following will be useful:
    http://keithbalomben.wordpress.com/2012/03/29/telus-actiontec-v1000h-hacks-and-information/
    Scroll down to DHCP Settings
    You will need to log in with proper "technician" credentials. They are provided in the above link as
    Username: tech
    Password: t3lu5tv
    ... but these may or may not work. Try it, and if you cannot get anywhere at least now you know what to ask Telus to do in return for your business.

  • Solaris 10 zone configuration with sysidcfg and dhcp and hostname

    Hi
    Excuse me if I look like a n00b... it's probably because I'm a n00b.
    I've been struggling in the dark for more than 2 days now and I'm wondering if I'm thinking about this all wrong...
    I have stand-alone server where I need to run zones. I want to create zones and automagically configure them at boot (read: by running a script). So here's what I need...
    A zone
    starting from unconfigured state
    whose hostname is not the same as the zone name
    using corporate DHCP to get its IP address
    with DNS config coming from the DHCP server
    registering its address the DNS
    with a preconfigured root password
    (I don't own the corporate DHCP or DNS servers, I can't put my own DHCP or DNS servers on the network.)
    I would like to create the zone, throw some config at it, then boot the zone and walk away. I am using zones with exclusive-IP. I can construct the zones and manually configure them once they're started to have DHCP, my own name, registered IP address with DNS and everything else I have specified above. But I don't want to do it manually...
    Sysidcfg seems to do some of what I want but not entirely.
    In sysidcfg I can set the root_password, the primary interface using DHCP, and the DNS server. I can't set a hostname in sysidcfg AND configure it for DHCP. So the hostname is not what I want it to be after the zone is started and ready to go. The DHCP server is providing the DNS configuration, but Solaris does not seem to honour it; I'll ignore that for the moment.
    I have tried various combinations of using sysidcfg, /etc/nodename, /etc/hostname.+interface+ and /etc/dhcp.+interface+ but I can't find any combination that actually works.
    I can write to the zonestorage/etc/nodename to set the nodename, that works. But it does not match the DHCP address, so I get prompted for a new name service because it can't find a DNS entry for the name.
    I can write to the zonestorage/etc/hostname.+interface+ and /etc/dhcp.+interface+ (to get the system to register its name with the DNS server after getting its DHCP address) but then I get a system with no root password and no DNS configuration, even though they are set in the sysidcfg file.
    I can write a script that gets part of the way using sysidcfg and /etc/... files, then boots the zone and then runs a bunch of voodoo via zlogin commands to fix all the stuff that couldn't be done 'properly', but that's not a 'boot and walk away' environment. I can write a script that uses sysidcfg and hacks around with other files in /etc (like nsswitch.conf, resolv.conf), but that just feels like a dirty hack to fix something that wasn't done properly in the first place.
    So where am I going wrong and how do I do it right (within the constraints defined)? Why can't I configure, boot and walk away?
    Thanks

    Thanks abrante
    Thanks for your response!
    I don't think the config is messed up after the installation. I think the installation is fine, it's just not what I want :-)
    I'm trying to decouple the zonename from the system name and get DNS registrations working. After installation, a DHCP client can get its hostname from DNS but I'm trying to do it the other way around. I want the DHCP client specify its own hostname, get an address from the DHCP server and then register its hostname with DNS. If the system gets its name from DNS/DHCP then I have to configure those to provide the system name and I don't own the DHCP/DNS infrastructure. These zones are for a development/QA environment, so we create and reconfigure these frequently. Hence the need to specify the system name within the zone and register that name in the DNS.
    I have tried fiddling with the PARAM_REQUEST_LIST but it does not seem to be working as I expect. :-$ Removing 12 did not help with setting the hostname from the system. DNS does not have a registered name for this system anyway, so even if it tried to get a name for this system, it would get nothing.
    I also do want the DHCP to change the DNS server and domain name, but this does not happen even though my dhcpagent includes 6 and 15 in the PARAM_REQUEST_LIST. I still have to set them in the sysidcfg file because it is always ignored in Solaris (S10u8 with 10_Recommended 30-Jul-2010).
    As stated, I know I can hack around with the system after it has booted. But I'm trying to configure the system before it starts and let it take care of itself and not have to touch it. Frankly I'm surprised that the sysidcfg does not allow you to set a hostname name when you are using DHCP, that the default DHCP configuration does not register the system name with the DNS server, and the DNS config from the DHCP response is ignored. Even a sys-unconfiged system requires DNS configuration during initial boot, when I know that the DHCP response contains DNS information.
    FYI: Windows systems using DHCP work as expected in this respect by default, i.e. set system name, use DHCP --> system gets address from corporate DHCP, DNS settings are set from DHCP information, DNS registration is made for system name.
    I'm working around this at the moment... I call my zone by the system name I want, I hardcode the DNS settings in the sysidcfg file and I create the hostname.+nic+ and dhcp.+nic+ files in the zone storage to get the system to register its name with DNS, then boot.
    Edited by: cydonian on Aug 19, 2010 7:45 PM

  • No traffic from Outside1 (Security level 100) attached Networks to DMZ and Viceversa

    I have an ASA5510; I configured an Outside, 1 DMZ and 2 interfaces with security level 100 (Outside1 and Inside). I can ping and have fluid traffic between the DMZ and Inside interface, but don't have any kind of traffic between the DMZ and Outside1. I wrote the same configuration for both 100 Security Level interfaces. Also I have connected a Cisco 892 router to Outside1. When I attached a computer instead of the 892, traffic between Outside1 and DMZ was fluid. I need to have fluid traffic between networks connected to the 892.
    Can someone help me? Here are the 2 configs:
    ASA5510:
    : Saved
    ASA Version 8.2(1)
    hostname ASAFCHFW
    domain-name a.b.c
    enable password 6Jfo5anznhoG00fM encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
     nameif Outside
     security-level 0
     ip address x.y.z.162 255.255.255.248
    interface Ethernet0/1
     nameif Outside1
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    interface Ethernet0/2
     nameif DMZ
     security-level 10
     ip address 172.16.31.1 255.255.255.0
    interface Ethernet0/3
     nameif Inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
     domain-name farmaciachavez.com.bo
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq domain
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq https
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000
    access-list Inside extended permit ip any any
    access-list Inside extended permit icmp any any
    access-list 100 extended permit tcp any host x.y.z.163 eq smtp
    access-list 100 extended permit udp any host x.y.z.163 eq domain
    access-list 100 extended permit tcp any host x.y.z.163 eq https
    access-list 100 extended permit tcp any host x.y.z.163 eq www
    access-list 100 extended permit tcp any host x.y.z.163 eq 3000
    access-list 100 extended permit tcp any host x.y.z.163 eq 1000
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu Outside 1500
    mtu Outside1 1500
    mtu DMZ 1500
    mtu Inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit host 192.168.0.22 Outside
    icmp permit 192.168.0.0 255.255.255.0 Outside1
    icmp permit 192.168.2.0 255.255.255.0 Outside1
    icmp permit 172.16.31.0 255.255.255.0 Outside1
    icmp permit 192.168.2.0 255.255.255.0 DMZ
    icmp permit 192.168.2.0 255.255.255.0 Inside
    icmp permit 192.168.0.0 255.255.255.0 Inside
    icmp permit 172.16.31.0 255.255.255.0 Inside
    asdm image disk0:/asdm-647.bin
    asdm history enable
    arp timeout 14400
    global (Outside) 101 interface
    nat (Outside1) 101 0.0.0.0 0.0.0.0
    nat (DMZ) 101 0.0.0.0 0.0.0.0
    nat (Inside) 101 0.0.0.0 0.0.0.0
    static (DMZ,Outside) x.y.z.163 172.16.31.0 netmask 255.255.255.255
    static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
    static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
    static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    static (Outside1,Inside) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
    static (DMZ,Outside1) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
    static (Outside1,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
    static (Outside1,Inside) 172.1.2.0 172.1.2.0 netmask 255.255.255.0
    static (Outside1,Inside) 172.1.3.0 172.1.3.0 netmask 255.255.255.0
    static (Outside1,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
    static (Outside1,DMZ) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
    access-group dmz_in in interface DMZ
    route Outside 0.0.0.0 0.0.0.0 x.y.z.161 20
    route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1
    route Outside1 172.1.2.0 255.255.255.0 192.168.2.2 1
    route Outside1 172.1.3.0 255.255.255.0 192.168.2.2 1
    route Outside1 192.1.0.0 255.255.192.0 192.168.2.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.0.0 255.255.255.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.0.0 255.255.255.0 Inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7441424d1fcf87c3eb837b569e84aa9e
    : end
    Cisco 892:
    Current configuration : 3296 bytes
    ! Last configuration change at 01:15:13 UTC Tue Apr 29 2014 by eguerra
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname RouterHQFCH
    boot-start-marker
    boot-end-marker
    enable secret 4 
    no aaa new-model
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-1580540949
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1580540949
     revocation-check none
     rsakeypair TP-self-signed-1580540949
    crypto pki certificate chain TP-self-signed-1580540949
    license udi pid C892FSP-K9 sn FTX180484TB
    username servicios privilege 15 password 7 
    username eguerra privilege 15 password 7 
    interface GigabitEthernet0
     no ip address
    interface GigabitEthernet1
     switchport access vlan 2
     no ip address
    interface GigabitEthernet2
     no ip address
    interface GigabitEthernet3
     no ip address
    interface GigabitEthernet4
     no ip address
    interface GigabitEthernet5
     no ip address
    interface GigabitEthernet6
     no ip address
    interface GigabitEthernet7
     no ip address
    interface GigabitEthernet8
     ip address 172.1.1.1 255.255.255.0
     duplex auto
     speed auto
    interface GigabitEthernet9
     ip address 172.1.2.1 255.255.255.0
     duplex auto
     speed auto
    interface Vlan1
     ip address 192.168.2.2 255.255.255.0
    interface Vlan2
     ip address 192.168.100.200 255.255.255.0
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip route 172.16.31.0 255.255.255.0 192.168.2.1
    ip route 192.168.0.0 255.255.255.0 192.168.2.1
    control-plane
    line con 0
     password 7 
     login
     no modem enable
    line aux 0
    line vty 0 4
     password 7 
     login local
     transport input all
    scheduler allocate 20000 1000
    end
    Thanks in advance

    Maybe I did not understand what you are trying to accomplish. What I mentioned was to make your ACL configuration better, meaning more secure. Changing the security level just helps to understand that you are not coming from a site that does not require ACLs, thus from lower to higher security interfaces you need to place ACLs; then there is a whole other world regarding NAT/PAT that involves same-security interfaces, which sometimes confuses customers, so I also wanted to avoid that for you.
    To enforce security between interfaces you need to know what protocols and ports are being used by the servers that reside behind the higher-security interface, so you only open what is needed and block the rest to that higher-security interface.

  • Default Host (DMZ) and Port Mapping together

    Hi all,
    I have the G5 set as a default host for all my web services through the Airport Extreme.
    In the Airport Extreme's Port Mapping tab, a user is not prevented from using the port mapping tab even when the Default host is set. I want to serve video through another port not on the G5.
    Does this mean I can set up port mapping for ports I do not want to go to the default host? (my G5 in this case)
    I asked this on the airport forum and never got an answer, maybe you G5 folks might know. (Or maybe there is a setting that will redirect from the G5.)
    Thanks in advance,
    Jamy

    I figured it out. I can't have a DMZ and separately port mapping on the Airport.

  • DNS and DHCP Roles

    Hi
    Does Snow Leopard have DNS & DHCP services in it? How do I make those roles run and configure them?
    And how do I make a server a domain controller ("silly Windows history in my mind")?

    does Snow Leopard have DNS & DHCP services in it?
    You mean Snow Leopard Server, right? In which case, yes.
    how to make those roles run and configure them?
    Click a checkbox or two in Server Admin (and add your domain/network-specific data, of course).
    and how to make a server a domain controller ("silly Windows history in my mind")
    Do you intend to make a Windows domain controller? If so, you can't. Mac OS X Server includes a Samba server which can handle parts of a Windows directory system, but it can't emulate a full Windows Active Directory server, which has way more elements.
    On the other hand, if you just mean to create a directory server for your network then, just like the DNS and DHCP server response above, you click a couple of checkboxes in Server Admin and add your directory-specific data via Workgroup Manager (one of the bundled Server apps).

  • What are the endpoints attributes collected by NAC Profiler through SNMP and DHCP?

    Hi Everyone,
    Please help on this.
    I want to know what endpoint attributes are collected by NAC Profiler to discover and profile the endpoints through the SNMP protocol and the DHCP protocol.
    Also, if anybody can explain a simple use case on this.
    Please guide me on this.
    Thanks in advance.
    Thanks,
    Abuzar.

    Hi,
    SNMP
    =====
    NetMap queries network devices via SNMP for:
    System information
    Interface information
    Bridge information
    802.1X information (PAE MIB)
    Routing/IP information
    CDP MIB Information
    This information is used to build and maintain a model of the network topology and for endpoint discovery.
    NetMap uses SNMP Get, GetNext and GetBulk (when available) requests to query the SNMP agents running on the network infrastructure devices to gather specific Management Information Base (MIB) objects about their status based on device type (Layer 2 or Layer 3).
    In addition to polling each network device for all MIB data at a regular interval, NetMap may also be commanded to poll port-specific information when the NAC Profiler system is notified that an endpoint has joined or left the network via SNMP traps sent by devices at the network edge, typically switches.
    Upon receipt and verification of a link state (link up, link down) or MAC notification trap, NetTrap will notify the NAC Profiler Server that a change has occurred on the network edge (endpoint joined or left a network port). If the trapping device is in the NAC Profiler configuration, the NetMap component module assigned to poll the device that sent the trap will be commanded by the Server module to initiate a poll of the device's port information to determine the change to the endpoint topology that resulted in the trap being sent by the network device.
    The information gathered by NetMap is processed by the Server accordingly to update the network topology, noting the endpoint joining or leaving a port. Note that NetMap SNMP polling of network devices resulting from a trap is localized to the port specified in the trap. This is unlike the regular polling that occurs at the frequency specified for each device type (L2 and L3), which gathers all SNMP information from the device used by the NAC Profiler system.
    DHCP:
    =====
    The NetWatch module listens for traffic including DHCP traffic.
    The module will collect all the DHCP information from the traffic collected, like MAC address, IP address, DHCP Vendor Class Identifier in the DHCP request, host name in the DHCP request, requested options in the DHCP request (option 55) and the full list of DHCP options supported by the DHCP client as specified in the DHCP request.
    All the endpoint data can then be used to map endpoints to profiles.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
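    The DHCP half of that answer in code, as an added example that is not part of Tiago's reply and not NAC Profiler's own code: a parser that pulls from a client DISCOVER/REQUEST exactly the attributes he lists (hardware address, host name, vendor class identifier, the option 55 parameter request list and the full set of options present), plus the giaddr and the option 82 circuit-id that a relay may have stamped on the packet. The sample packet is constructed inside the block (the MAC, the host name "MikroTik", the relay address and the circuit-id are made up for the test), and fingerprint() just joins the option 55 list, which is the field most DHCP fingerprint databases key on.

```python
"""Pull the endpoint attributes NetWatch collects from a client DHCP packet.
Added example with a constructed sample packet; not NAC Profiler code."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOST_NAME, OPT_MSG_TYPE, OPT_PARAM_REQ = 12, 53, 55
OPT_VENDOR_CLASS, OPT_CLIENT_ID, OPT_RELAY_INFO = 60, 61, 82
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}


@dataclass
class DhcpEndpointAttrs:
    message_type: str
    chaddr: str                  # client hardware address, Cisco dotted form
    giaddr: str                  # relay agent address, 0.0.0.0 if not relayed
    host_name: Optional[str]     # option 12
    vendor_class: Optional[str]  # option 60
    client_id: Optional[str]     # option 61 as hex
    param_request: List[int]     # option 55, in the order the client sent it
    circuit_id: Optional[str]    # option 82 sub-option 1, if a relay added it
    options_present: List[int]   # every option code the client included

    def fingerprint(self) -> str:
        """Option-55 ordering is what DHCP fingerprint databases key on."""
        return ",".join(str(o) for o in self.param_request)


def parse_options(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk TLV options. PAD (0) has no length byte; END (255) terminates."""
    opts, i = [], 0
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option %d" % code)
        length = payload[i + 1]
        opts.append((code, payload[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def parse_dhcp(packet: bytes) -> DhcpEndpointAttrs:
    """Fixed BOOTP header is 236 bytes, then the magic cookie, then options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (short or bad magic cookie)")
    op, _htype, hlen = struct.unpack("!BBB", packet[:3])
    if op != 1:
        raise ValueError("only BOOTREQUEST (client to server) is profiled")
    h = packet[28:28 + hlen].hex()
    chaddr = "%s.%s.%s" % (h[0:4], h[4:8], h[8:12]) if hlen == 6 else h
    opts = parse_options(packet[240:])
    by_code = dict(opts)
    circuit_id = None
    # RFC 3046 reserves sub-option codes 0 and 255, so the TLV walker is reusable here.
    for sub, val in parse_options(by_code.get(OPT_RELAY_INFO, b"")):
        if sub == 1:
            circuit_id = val.decode("ascii", "replace")
    mtype = by_code.get(OPT_MSG_TYPE, b"\x00")[0]
    text = lambda code: by_code[code].decode("ascii", "replace") if code in by_code else None
    return DhcpEndpointAttrs(
        message_type=MSG_TYPES.get(mtype, "UNKNOWN(%d)" % mtype),
        chaddr=chaddr,
        giaddr=socket.inet_ntoa(packet[24:28]),
        host_name=text(OPT_HOST_NAME),
        vendor_class=text(OPT_VENDOR_CLASS),
        client_id=by_code[OPT_CLIENT_ID].hex() if OPT_CLIENT_ID in by_code else None,
        param_request=list(by_code.get(OPT_PARAM_REQ, b"")),
        circuit_id=circuit_id,
        options_present=[c for c, _ in opts],
    )


def build_discover(mac: bytes, host_name: str, param_req: bytes, giaddr: str = "0.0.0.0",
                   circuit_id: Optional[str] = None, xid: int = 0x303751ED) -> bytes:
    """Constructed DISCOVER as a relay would forward it (giaddr set, option 82 appended)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)   # op htype hlen hops xid secs flags
    hdr += socket.inet_aton("0.0.0.0") * 3 + socket.inet_aton(giaddr)  # ciaddr yiaddr siaddr giaddr
    hdr += mac.ljust(16, b"\x00") + b"\x00" * (64 + 128)            # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 1])
    opts += bytes([OPT_PARAM_REQ, len(param_req)]) + param_req
    opts += bytes([OPT_CLIENT_ID, 7, 1]) + mac                     # type 1 = Ethernet
    opts += bytes([OPT_HOST_NAME, len(host_name)]) + host_name.encode()
    if circuit_id:
        sub = bytes([1, len(circuit_id)]) + circuit_id.encode()
        opts += bytes([OPT_RELAY_INFO, len(sub)]) + sub
    return hdr + MAGIC_COOKIE + opts + b"\xff"


# Constructed sample (made-up MAC, host name, relay address and circuit-id).
SAMPLE = build_discover(bytes.fromhex("000c42706e7c"), "MikroTik", bytes([1, 121, 3, 33, 6, 42]),
                        giaddr="100.64.0.1", circuit_id="CHORUS100000453")
```

    To use it on live traffic, feed parse_dhcp() the UDP payload of packets to port 67 from a SPAN/mirror session; a client that fails the magic-cookie check is simply not DHCP and should be skipped rather than profiled.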

  • DMZ and open ports

    Hi all!
    This is my first post on this forum. I've been tinkering around with honeypots and set one up on my home network. A tutorial I was following mentioned putting it in the DMZ. So I did. When I was at work I conducted an nmap scan of my home router. SO MANY OPEN PORTS! Of course, setting up a DMZ this is to be expected. HH being HH, only the honeypot is in it, but I'm a little worried: even though I have only put the honeypot in the DMZ, are all the opened ports open to the rest of my network? As I understand it I am wrong, but I am concerned and just want to double check! Also when I turned off the DMZ and did another scan I found port 4567 to be open. A quick search flagged up a few results. Many people seem to say ignore it but others have said it's possible for it to be a back door. If I type in my public ip:4567 I get faced with a login page! I have heard that BT install a backdoor on their routers for the NSA and GCHQ; normally I'd fob such things off but would be interested to know what is going on with that open port!
    Thanks in advance guys!

    When you have anchor/foreign, the web auth traffic always goes to the anchor, so with CWA, the traffic from the anchor to the ISE will need to be permitted. Go through the following link; this may be of help:
    https://supportforums.cisco.com/docs/DOC-26442

  • How to synchronize between DHCP binding table and DHCP snooping table ?

    I cleared the DHCP snooping table with the command "clear ip dhcp snooping binding", and the PC can't communicate with others any more. So how to synchronize between the DHCP binding table and the DHCP snooping table?
    dhcp-test#sh ip dhcp bind
    IP address Client-ID/ Lease expiration Type
    Hardware address
    99.1.65.32 0100.1125.353c.25 Mar 02 1993 01:05 AM Automatic
    99.1.65.33 0100.1438.059f.85 Mar 02 1993 12:01 AM Automatic
    dhcp-test#sh ip dhcp snooping binding
    MacAddress IpAddress Lease(sec) Type VLAN Interface
    Total number of bindings: 0
    thanks!

    ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
    Add binding entries to the DHCP snooping binding database. The vlan-id range is from 1 to 4904. The seconds range is from 1 to 4294967295.
    Enter the above command for each entry that you add
    To delete the database agent or binding file, use the no ip dhcp snooping database interface configuration command. To reset the timeout or delay values, use the ip dhcp snooping database timeout seconds or the ip dhcp snooping database write-delay seconds global configuration command. To renew the database, use the renew ip dhcp snooping database privileged EXEC command.
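    Typing that command once per lease is error-prone on anything but a tiny table, so here is an added example (mine, not Cisco's and not from the thread) that parses the two outputs pasted in the question, together with a constructed "show mac address-table" to supply the VLAN and port that "show ip dhcp binding" does not print, and emits one "ip dhcp snooping binding ... expiry" line per lease the snooping table is missing, with the expiry set to the remaining lease time. The Client-ID column becomes a MAC by stripping the leading 01 (the Ethernet hardware type) that IOS prints in front of the address. The MAC table contents, VLAN 10, the port names and the pinned "now" (the switch clock in the post is still in 1993) are assumptions; review the generated lines before pasting them, and remember that the database agent from the answer is what keeps the table across a reload.

```python
"""Reconcile DHCP server leases ('show ip dhcp binding') with the DHCP
snooping binding table and emit the static 'ip dhcp snooping binding'
commands for leases the snooping table lacks. Added example, not Cisco code."""
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

LEASE_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<cid>[0-9a-fA-F.]+)\s+"
    r"(?P<exp>\w{3} \d{2} \d{4} \d{2}:\d{2} [AP]M)\s+(?P<type>\w+)\s*$")
SNOOP_RE = re.compile(
    r"^(?P<mac>[0-9a-fA-F:.]{14,17})\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+"
    r"(?P<vlan>\d+)\s+(?P<intf>\S+)")
MACTBL_RE = re.compile(r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-fA-F.]{14})\s+\S+\s+(?P<port>\S+)")


def norm_mac(s: str) -> str:
    """Any MAC spelling (aa:bb:.., aabb.ccdd.eeff) to lowercase Cisco dotted form."""
    h = re.sub(r"[^0-9a-fA-F]", "", s).lower()
    if len(h) != 12:
        raise ValueError("bad MAC %r" % s)
    return "%s.%s.%s" % (h[:4], h[4:8], h[8:])


def client_id_to_mac(cid: str) -> str:
    """IOS prints the DHCP client-id as hex; '01' + MAC is the Ethernet form."""
    h = re.sub(r"[^0-9a-fA-F]", "", cid).lower()
    if len(h) == 14 and h.startswith("01"):
        return norm_mac(h[2:])
    if len(h) == 12:
        return norm_mac(h)
    raise ValueError("client-id %r is not an Ethernet address" % cid)


def parse_dhcp_bindings(text: str) -> List[Tuple[str, str, datetime]]:
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            exp = datetime.strptime(m["exp"], "%b %d %Y %I:%M %p")
            leases.append((client_id_to_mac(m["cid"]), m["ip"], exp))
    return leases


def parse_snooping_bindings(text: str) -> Set[Tuple[str, str]]:
    have = set()
    for line in text.splitlines():
        m = SNOOP_RE.match(line.strip())
        if m:
            have.add((norm_mac(m["mac"]), m["ip"]))
    return have


def parse_mac_table(text: str) -> Dict[str, Tuple[int, str]]:
    table = {}
    for line in text.splitlines():
        m = MACTBL_RE.match(line)
        if m:
            table[norm_mac(m["mac"])] = (int(m["vlan"]), m["port"])
    return table


def long_ifname(short: str) -> str:
    return re.sub(r"^Gi(?=\d)", "GigabitEthernet", re.sub(r"^Fa(?=\d)", "FastEthernet", short))


def reconcile(leases, have, mactable, now: datetime) -> List[str]:
    """One command per lease missing from the snooping table; expiry is the
    remaining lease time, clamped to the command's 1..4294967295 range."""
    cmds = []
    for mac, ip, exp in leases:
        if (mac, ip) in have:
            continue
        if mac not in mactable:
            cmds.append("! %s %s: not in MAC address table, binding not placed" % (mac, ip))
            continue
        vlan, port = mactable[mac]
        expiry = max(1, min(4294967295, int((exp - now).total_seconds())))
        cmds.append("ip dhcp snooping binding %s vlan %d %s interface %s expiry %d"
                    % (mac, vlan, ip, long_ifname(port), expiry))
    return cmds


# Constructed samples: the lease lines mirror the post; the MAC table is made up.
DHCP_BINDING_OUT = """IP address Client-ID/ Lease expiration Type
Hardware address
99.1.65.32 0100.1125.353c.25 Mar 02 1993 01:05 AM Automatic
99.1.65.33 0100.1438.059f.85 Mar 02 1993 12:01 AM Automatic"""
SNOOPING_EMPTY = """MacAddress IpAddress Lease(sec) Type VLAN Interface
Total number of bindings: 0"""
MAC_TABLE_OUT = """Vlan    Mac Address       Type        Ports
  10    0011.2535.3c25    DYNAMIC     Gi1/0/5
  10    0014.3805.9f85    DYNAMIC     Gi1/0/6"""
NOW = datetime(1993, 3, 2, 0, 0)  # pinned because the switch clock in the post is unset


def missing_binding_commands(snooping_out: str = SNOOPING_EMPTY) -> List[str]:
    return reconcile(parse_dhcp_bindings(DHCP_BINDING_OUT),
                     parse_snooping_bindings(snooping_out),
                     parse_mac_table(MAC_TABLE_OUT), NOW)
```

    Run missing_binding_commands() against the real outputs and paste the result in config mode; entries whose MAC is not on the switch yet get a commented line instead of a binding, since a binding on the wrong port would be silently wrong rather than helpful.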

  • IPoE BNG and DHCP on the ASR9K

    Hi,
    can some one tell me if this is possible.
    I have a bundle Interface -using ambiguous VLANS:
    interface Bundle-Ether100.1
    vrf customers_1
    ipv4 unnumbered lo2
    ipv4 point-to-point
    arp learning disable
    service-policy type control subscriber UFB_DHCP
    ipsubscriber ipv4 l2-connected
      initiator dhcp
    encapsulation ambiguous dot1q any second-dot1q any
    I have two loopback interfaces:
    interface lo2
    vrf customers_1
    ipv4 address 100.64.0.1 255.255.128.0
    interface lo3
    vrf customers_1
    ipv4 address 200.200.200.1 255.255.254.0
    I am authenticating users using option82 remote-id, and DHCP for address allocation.  I want to use RADIUS to send back attributes, to set the users template, and, somehow set the dhcp giaddr so that the user gets an address from the correct pool.
    ie. put the user into this template:
    dynamic-template
    type ipsubscriber CUSTOMER
      vrf customers_1
      ipv4 unnumbered Loopback3
    and have them then given an address in the lo3 (200.200.200.0) range. No matter what I do the DHCP giaddr remains the address of the Bundle interface.
    I have tried all sorts of radius attributes:
    Cisco-AVPair = 'subscriber:service-name=CUSTOMER'
    Cisco-AVPair = 'subscriber:command=activate-service'
    I have tried:
    Cisco-AVPair= 'ipv4:ip-unnumbers=Loopback3'
    Cisco-AVPair= 'subscriber:classname=lo192'  - and creating a dhcp class to set giaddr
    I get a "aaa_type invalid attribute, flags 0x21"
    I am at a bit of loss, and am not sure if what I am wanting to do is even possible.
    though if I set the template statically via an onboard policy things seem to work, and my user gets an address from the correct loopback.
    any help would be appreciated.
    ta.

    Alexander,
    thanks for your reply,
    If I use
    Cisco-AVPair = 'subscriber:sa=UFB_CUSTOMER'  -> sets dynamic template
    Cisco-AVPair += 'ipv4:ipv4-unnumbered=Loopback3' -> sets ipv4 loopback
    I get the following from the RADIUS debug (showing template and loopback understood by RADIUS):
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]: Radius packet decryption complete with rc = 0
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS: Received from id 195 202.74.33.109:1812, Access-Accept, len 121
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS:   Vendor-Specific    [26]    34             
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS:  authenticator F2 4D D3 E7 B1 E8 90 D3 - F8 77 F1 1C 28 36 E9 6C
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS:   Vendor-Specific    [26]    41             
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS:  Reply-Message       [18]    26      User authenticated - UBA
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: pack_length = 121 radius_len = 121
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: rad_nas_reply_to_client: Received response from id : 195,packet type 2
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Total len = 121, Radius len = 121
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: filter not found
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Decoding the attribute: Vendor-Specific, aaa_type invalid attribute, flags 0x21
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Decoding the attribute: Vendor-Specific, aaa_type invalid attribute, flags 0x21
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: This is sub-string of the Loopback interface name
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Loopback attribute value: Loopback3
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Decoding the attribute: Reply-Message, aaa_type reply-message, flags 0x100
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Reply-Message fragments, 24
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: , total 24 bytes
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: RADIUS: parsing sevice 'UFB_CUSTOMER' (len 12)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: (rad_nas_reply_to_client) Successfully decoded the response No error: PASS
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: (rad_nas_reply_to_client) Successfully stored the preferred server info
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]: Freeing server group transaction_id (B1000047)
    output from show subscriber running:
    Subscriber Label: 0xff
    % No such configuration item(s)
    dynamic-template
    type ipsubscriber UFB_CUSTOMER
      vrf customers_1
    The subscriber shows up as a session:
    RP/0/RSP0/CPU0:tpisp-cr02-h#show subscriber session all
    Thu Nov 28 13:38:05.389 UTC
    Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
           ID - Idle, DN - Disconnecting, ED - End
    Type         Interface                State     Subscriber IP Addr / Prefix                             
                                                    LNS Address (Vrf)                             
    IP:DHCP      BE100.1.ip71             AC        100.64.0.98 (customers_1) 
    However..
    the IP address range is from the loopback 2 address (this is the loopback bound to the unbundled BNG interface).
    My understanding is that the giaddr address should have been changed to the ip address of lo3, which is the loopback specified in the RADIUS attribute.
    dhcp debug: (this is the dhcp debug that follows directly after the RADIUS debug)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.484 : dhcpd[1080]: DHCPD PACKET: TP1225: Process packet event, client mode: PROXY
    RP/0/RSP0/CPU0:Nov 28 13:33:11.484 : dhcpd[1080]: DHCPD PROXY: TP1955: FSM called for chaddr 000c.4270.6e7c with event DPM_SUCCESS state INIT_DPM_WAIT
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD PROXY: TP1917: Process client request called for chaddr 000c.4270.6e7c
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD PACKET: TP1883: Giaddr not present, Set giaddr 100.64.0.1, chaddr 000c.4270.6e7c
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD PACKET: TP571: L3 packet TX unicast to dest 202.74.33.108, port 67, source 100.64.0.1, vrf 0x60000003 (1610612739), tbl 0xe0000012 (3758096402)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: ---------- IPv4 DHCPD --- dhcpd_iox_l3_unicast_packet -------
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: VRF name (id): customers_1 (0x60000003)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: L3 src: 100.64.0.1
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: L3 dst: 202.74.33.108
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: L3 dst port: 67
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: L3 input Intf: Bundle-Ether100.1
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Output Intf: Null
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: FROM: L3
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: NETWORK_ORDER
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Info
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan EtherType 1: 0x8100
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Priority 1: 0 (0x0)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Format 1: 0 (0x0)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan ID 1: 101 (0x65)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan EtherType 2: 0x8100
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Priority 2: 0 (0x0)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Format 2: 0 (0x0)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan ID 2: 23 (0x17)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666:
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: op:     BOOTREQUEST
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: chaddr: 000c.4270.6e7c
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: xid:    0x303751ed
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: flags:  0x8000 (broadcast)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: ciaddr: 0.0.0.0
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: yiaddr: 0.0.0.0
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: siaddr: 0.0.0.0
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: giaddr: 100.64.0.1
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: cookie: 0x63825363
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: MESSAGE_TYPE: DISCOVER
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: PARAMETER_REQUEST data: "0x01-79-03-21-06-2a"
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: CLIENT_IDENTIFIER data: "0x01-00-0c-42-70-6e-7c"
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: HOST_NAME data: "MikroTik"
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: RELAY_INFORMATION
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: RELAY_INFORMATION: CIRCUIT_ID: 0x01-0f-43-48-4f-52-55-53-31-30-30-30-30-30-34-35-33
    I tried changing the dynamic template to service rather than ipsubscriber, this did not make a difference.  You make a reference to DHCP classname.  I have defined a DHCP class, however do not know how to match or force the use of a particular class by using a RADIUS attribute.
    Thanks,
    Mike

  • WLAN and DHCP with WLC controller

    Hi,
    I have a question about how DHCP works for wifi clients.
    On the WLAN edit I've seen that my option are:
    1) DHCP override-> i insert the dhcp server address here
    2) without DHCP override -> the WLAN will use the DHCP server configured under the management interface
    Based upon this information: why can I configure a DHCP server also on other interfaces and not only on the "management" interface?
    If I configure 2 DHCP servers on a "user interface" (without the "override" option in the WLAN), will my clients use these DHCP servers or the DHCP server on the "management" interface?
    Many thanks in advance
    Luigi

    from the on-line help it seems different ;-/
    =====
    DHCP Server (Override)
    When selected, you can enter the IP address of your DHCP server. This is a required field for some WLAN configurations. There are three valid configurations:
    DHCP Server Override ON, a valid DHCP Server IP address, and DHCP Address Assignment Required: Requires all WLAN clients to obtain an IP address from the DHCP Server.
    DHCP Server Override ON, a valid DHCP Server IP address, and DHCP Address Assignment Not Required: Allows all WLAN clients to obtain an IP address from the DHCP Server or use a static IP address.
    DHCP Server Override OFF: Forces all WLAN clients to use the DHCP setting in the Management Interface, not the static address.
    ===========
    It seems that I can use an external DHCP server, putting the address:
    - in the box that appears when I flag the "override" option
    - or in the management interface
    I think the documentation is not so clear.
    many thanks
    Luigi

  • WET200 and DHCP

    Hi there,
    I noticed a few discussions about Cisco wireless bridges not being able to pass DHCP requests from clients.
    In my case I have a WET200 successfully associated with a Deliberant DLB2700 access point. When client computers are configured with static IP addresses they can browse the network, connect to e-mail etc. Problem starts when a computer will try to obtain the IP address via DHCP while connected to the wireless bridge. It simply doesn't work.
    Is there a newer firmware or a secret setting which will allow me to make it work? I have quite a few of these WET200 units ...
    Thanks in advance for any suggestions.

    Hi Mr 2,
    Please check the following link;
    1.  http://support.deliberant.com/forums/p/1069/4889.aspx#4889  does this sound familiar ?
    But my thoughts are, at this stage, that it sure looks like there is a question hanging over the Deliberant model number you mentioned, at least that is what the Deliberant forum might be suggesting.
    2. But does a WET200 in place of the deliberant result in DHCP requests being dropped?
    (Since you have multiple WET200s, it would be interesting to pursue this approach for diagnostic reasons and to confirm this in your mind.)
    But,  if you can't do step 2 above, and  are adventurous, maybe you can capture the DHCP server interaction.
    I'm guessing your network may look like the following, excuse the rough network diagram;
    PC---WET200~~~~~~~~~deliberant-------managed switch------------router
                                            |        |               |
                                           HUB   mirror port         |------DHCP Server
    Beg, borrow or steal a 'HUB' (they are hard to find these days), NOT a switch.
    Or as an alternative, if connected to a managed switch, mirror the Ethernet switch port that leads to  the deliberant AP to a PC running ethereal.
    Using ethereal or a similar application, just check out the state of ARP and DHCP packets that egress in and out of the switch port that is connected to the Deliberant AP. (I'm guessing ARP is working, otherwise you would not be getting anywhere from behind the WET200.)
    But if you wish to post an ethereal trace, it would be fun to quickly check it out.
    If you do this please don't capture megabytes, try to capture just a bit before and after a DHCP request.
    The other option is to just keep doing what you are doing and statically define IP addresses.
    regards Dave

  • Why all packets dropped with %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs error msg for arp inspected vlans for DMZ and Backup

    Hi,
    We have got a Cisco 3750 switch where only the following line was configured:
    ip arp inspection vlan 6,100
    And on those VLANs no ARP inspection trust was configured. DMZ and backup servers were connected on that switch. The switch got restarted within 5 minutes for the power outage, and when the switch came online it was denying all the packets coming through VLAN 100 and 6, although it was allowing packets before the power outage.
    It took me 30 minutes to find out that ARP inspection was enabled, which might cause the issue, but I am still unsure why it would block all packets for VLAN 100 & 6. After taking out the command 'ip arp inspection vlan 6,100' all started working fine.
    What is the reason the switch had this issue? Is there any resolution for this? thanks
    FYI: The error messages-
    0:48:32: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.182/14:48:32 AEST Sun Feb 28 1993])
    00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/3, vlan 6.([000c.2915.1abe/220.233.31.184/0000.0000.0000/220.233.31.177/14:48:32 AEST Sun Feb 28 1993])
    00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.178/14:48:33 AEST Sun Feb 28 1993])
    00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.184/14:48:33 AEST Sun Feb 28 1993])
    Regards,
    Arman

    Code version:
    System image file is "flash:c3750-ipservicesk9-mz.122-50.SE3/c3750-ipservicesk9-mz.122-50.SE3.bin"
    I don’t have any etherchannel running from the switch. It is connected to vmware machines which are on DMZ.
    rgds,
    arman
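    The bracketed fields in those messages are the sender MAC, sender IP, target MAC, target IP and timestamp of the ARP that DAI refused, and the DHCP_SNOOPING_DENY mnemonic names the check that failed: on an untrusted port, DAI looks the ARP's sender MAC/IP pair up in the DHCP snooping binding table. Below is an added example (not Cisco code and not from the thread) that parses the four log lines above, tallies denials per port, classifies each one against a snooping binding table and a trusted-port set, and builds an "arp access-list" plus "ip arp inspection filter" for hosts the operator has separately verified as static. The binding table, the trusted set, the verified MAC-to-IP map and the ACL name DMZ-STATIC are assumptions; only verified pairs are permitted, because whitelisting every denied sender would whitelist a spoofer too.

```python
"""Parse %SW_DAI-4-DHCP_SNOOPING_DENY messages, summarise them per port,
explain each denial against the DHCP snooping binding table, and build an
ARP ACL for hosts verified to be static. Added example, not Cisco code."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple

DAI_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) "
    r"on (?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<ts>[^\]]+)\]\)")


class DaiDenial(NamedTuple):
    count: int
    kind: str   # Req or Res
    intf: str
    vlan: int
    smac: str   # ARP sender hardware address
    sip: str    # ARP sender protocol address
    tmac: str   # target hardware address (all zeros in a request)
    tip: str
    ts: str


def parse_dai_log(text: str) -> List[DaiDenial]:
    out = []
    for line in text.splitlines():
        m = DAI_RE.search(line)
        if m:
            out.append(DaiDenial(int(m["count"]), m["kind"], m["intf"], int(m["vlan"]),
                                 m["smac"], m["sip"], m["tmac"], m["tip"], m["ts"]))
    return out


def denials_per_port(denials: List[DaiDenial]) -> Dict[str, int]:
    c = Counter()
    for d in denials:
        c[d.intf] += d.count
    return dict(c)


def explain(denials: List[DaiDenial], bindings: Set[Tuple[int, str, str]],
            trusted: Set[str]) -> List[Tuple[DaiDenial, str]]:
    """bindings: DHCP snooping table as {(vlan, mac, ip)}; trusted: ports with
    'ip arp inspection trust'. DAI validates the sender MAC/IP of an ARP seen on
    an untrusted port against that table, so a miss is the expected reason."""
    result = []
    for d in denials:
        if d.intf in trusted:
            reason = "unexpected: port is DAI-trusted, its ARPs should not be inspected"
        elif (d.vlan, d.smac, d.sip) in bindings:
            reason = "unexpected: a snooping binding exists for the sender"
        else:
            reason = "no DHCP snooping binding for %s/%s on vlan %d" % (d.smac, d.sip, d.vlan)
        result.append((d, reason))
    return result


def arp_acl_for_static_hosts(denials: List[DaiDenial], verified: Dict[str, str],
                             name: str = "DMZ-STATIC") -> List[str]:
    """Only pairs the operator has confirmed (verified: mac -> ip) are permitted;
    permitting every denied sender would also permit a spoofer."""
    lines = ["arp access-list %s" % name]
    seen = set()
    for d in denials:
        pair = (d.smac, d.sip)
        if verified.get(d.smac) == d.sip and pair not in seen:
            seen.add(pair)
            lines.append(" permit ip host %s mac host %s" % (d.sip, d.smac))
    vlans = sorted({d.vlan for d in denials})
    lines.append("ip arp inspection filter %s vlan %s" % (name, ",".join(map(str, vlans))))
    return lines


# The four messages from the post, embedded as the sample input.
SAMPLE_LOG = """\
0:48:32: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.182/14:48:32 AEST Sun Feb 28 1993])
00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/3, vlan 6.([000c.2915.1abe/220.233.31.184/0000.0000.0000/220.233.31.177/14:48:32 AEST Sun Feb 28 1993])
00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.178/14:48:33 AEST Sun Feb 28 1993])
00:48:33: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/1, vlan 6.([001e.0b5f.3a8c/220.233.31.177/0000.0000.0000/220.233.31.184/14:48:33 AEST Sun Feb 28 1993])
"""

if __name__ == "__main__":
    denials = parse_dai_log(SAMPLE_LOG)
    print(denials_per_port(denials))
    for d, why in explain(denials, bindings=set(), trusted=set()):
        print(d.intf, d.smac, d.sip, "->", why)
```

    Feeding it a syslog export rather than four lines gives a per-port count that separates a server that simply has no lease (the same sender denied over and over) from a host cycling through addresses; the ARP ACL is the right fix for the former, and "ip arp inspection trust" belongs only on ports that lead to infrastructure you control.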
