NAC.OOB.L2.Real IP GW.dhcp-relay issue.

Hello.
I have a CAM (manager) which is configured as an L2 OOB real-IP gateway, central deployment.
Ethernet 0 (trusted) is L3 (ip address x.x.x.x).
Ethernet 1 (untrusted) is 802.1q, and several authentication VLANs (a, b, c, d) are connected to it.
Of course, managed subnets are configured for the auth VLANs on eth1.
The manager is configured as a DHCP relay.
Is it OK that the manager changes the DHCP packets to the DHCP server so that its ethernet 0 IP address (x.x.x.x) becomes the source address of the requests to the DHCP server?
How can the DHCP server recognize auth VLAN a from auth VLAN b if all packets have the single source (x.x.x.x)?
Where could my mistake be?
Regards

Hello varnavsky!
You have to configure VLAN mapping (at the CAM) for all authentication VLANs! After authentication and posture validation, the NAC client won't get a new IP address, so the client has to have an IP address from the proper access VLAN. When you configure these VLAN mappings, the CAS always acquires an IP address from the proper range.
By(e) Miki

Similar Messages

  • SGE2000 DHCP Relay Issue

    I am looking for some help with DHCP Relay on a SGE2000 switch.
    I have configured two VLANs on the switch, VLAN2 (192.168.10.x/24) and VLAN3 (192.168.9.x/24). I have the switch in Layer 3 mode. I have configured the DHCP relay server of 192.168.10.4 and the DHCP Interfaces as VLAN3. All of the IP Static Routes were generated by the switch.
    If I put a client computer on a port that is Untagged VLAN 3 and try to get a DHCP address from the server on an Untagged VLAN 2 port I never get a response back.
    I have done some packet captures and here is what I have found:
    I see the DHCP broadcast on the client computer
    I see the DHCP Request on the DHCP server coming from the IP assigned to the switch on VLAN 3 (192.168.9.254)
    I see the DHCP server respond with a DHCP Offer
    The DHCP offer never gets to the client computer
    I can't seem to get a DHCP address to any system not on the same VLAN as the DHCP server. Option 82 is disabled, and I did try enabling it, which made no difference.
    Any help would be great.
    Thanks,
    Phil

    Hi Phil,
    Have you created a static route on the DHCP server that points back to the 192.168.9.0/24 network?
    The gateway for that network, from the DHCP relay server's perspective, is the VLAN2 IP address of the SGE2000 switch.
    I would think that if you tried to ping the VLAN3 switch IP address from the DHCP server now, you will not get a reply.
    When you create a static or persistent route on the DHCP server, you then should be able to ping the VLAN3 IP address of the switch.
    regards Dave

  • DHCP relay issues - WLC4400 series

    Hi all,
    I'm experiencing some strange problems with my WLC 4400 – and hope you guys can give me a hand.
    There is an issue while connecting a WLAN Client to the WLC for the first time. I pinpointed the source of the problem to the dhcp, but I wondering why this happens…
    As stated above – the issue occurs only during the first time registration of a WLAN client with the WLC. If I do another registration right after the failed connection attempt, the session is established and I can start working in my network environment.
    Because we use 802.1x authentication, my first idea was that there is an issue – but the authentication process completes successfully.
    Another debug for the dhcp process showed an issue during the initial registration process. I'll paste an extract of the NOT working connection attempt below (DHCP DISCOVER msg and DHCP OFFER msg passed successfully – I'll focus on the DHCP REQUEST msg):
    ###### Extract one ######
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c dhcpProxy: Received packet: Client 00:21:6a:00:35:9c
                            DHCP Op: BOOTREQUEST(1), IP len: 303, switchport: 29, encap: 0xec03
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c dhcp option len, including the magic cookie = 67
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c dhcp option: received DHCP REQUEST msg
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c dhcp option: skipping option 61, len 7
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c dhcp option: requested ip = 10.64.153.66
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c dhcp option: server id = 1.1.1.1
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c dhcp option: skipping option 12, len 12
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c dhcp option: vendor class id = MSFT 5.0 (len 8)
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c dhcp option: skipping option 55, len 12
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c dhcpParseOptions: options end, len 67, actual 67
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c dhcpProxy: dhcp request, client: 00:21:6a:00:35:9c:
                            dhcp op: 1, port: 29, encap 0xec03, old mscb port number: 29
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c Determing relay for 00:21:6a:00:35:9c
                            dhcpServer: 10.49.143.8, dhcpNetmask: 0.0.0.0,
                            dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0  VLAN: 0
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c Relay settings for 00:21:6a:00:35:9c
                            Local Address: 0.0.0.0, DHCP Server: 10.49.143.8,
                            Gateway Addr: 10.64.153.1, VLAN: 0, port: 29
    Tue Mar  9 09:51:31 2010: 00:21:6a:00:35:9c dhcpProcessPacket return an error,chaddr: 00:21:6a:00:35:9c
    The process stops working after the last line above. The client reports connection successfully, but no IP address was assigned to the client. A second connection attempt was successful (again – I'll focus on the dhcp REQUEST msg – ignoring DISCOVER, OFFER and ACK msg):
                            DHCP Op: BOOTREQUEST(1), IP len: 303, switchport: 29, encap: 0xec03
    Tue Mar  9 09:53:02 2010: 00:21:6a:00:35:9c dhcp option len, including the magic cookie = 67
    Tue Mar  9 09:53:02 2010: 00:21:6a:00:35:9c dhcp option: received DHCP REQUEST msg
    Tue Mar  9 09:53:02 2010: 00:21:6a:00:35:9c dhcp option: skipping option 61, len 7
    Tue Mar  9 09:53:02 2010: 00:21:6a:00:35:9c dhcp option: requested ip = 10.64.153.66
    Tue Mar  9 09:53:02 2010: 00:21:6a:00:35:9c dhcp option: server id = 1.1.1.1
    Tue Mar  9 09:53:02 2010: 00:21:6a:00:35:9c dhcp option: skipping option 12, len 12
    Tue Mar  9 09:53:02 2010: 00:21:6a:00:35:9c dhcp option: vendor class id = MSFT 5.0 (len 8)
    Tue Mar  9 09:53:02 2010: 00:21:6a:00:35:9c dhcp option: skipping option 55, len 12
    Tue Mar  9 09:53:02 2010: 00:21:6a:00:35:9c dhcpParseOptions: options end, len 67, actual 67
    Tue Mar  9 09:53:02 2010: 00:21:6a:00:35:9c dhcpProxy: dhcp request, client: 00:21:6a:00:35:9c:
                            dhcp op: 1, port: 29, encap 0xec03, old mscb port number: 29
    Tue Mar  9 09:53:02 2010: 00:21:6a:00:35:9c Determing relay for 00:21:6a:00:35:9c
                            dhcpServer: 10.49.143.8, dhcpNetmask: 0.0.0.0,
                            dhcpGateway: 0.0.0.0, dhcpRelay: 10.64.153.6  VLAN: 300
    Tue Mar  9 09:53:02 2010: 00:21:6a:00:35:9c Relay settings for 00:21:6a:00:35:9c
                            Local Address: 10.64.153.6, DHCP Server: 10.49.143.8,
    The major difference seems to be in line 16:
    Not Working:
                            dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0  VLAN: 0
    Working:
                            dhcpGateway: 0.0.0.0, dhcpRelay: 10.64.153.6  VLAN: 300
    For me it seems that the WLC is not able to forward this request to the appropriate dhcp server.
    Does anyone of you have an idea, why this happens? And why does this happen only during the first time login of every client? Or am I misinterpreting the debug output?!
    Thx a lot in advance!
    Cheers
    Martin

    Hi,
    thx for your comment so far.
    I did some additional troubleshooting yesterday and I guess I fixed the problem. The management interface was configured with two dhcp server IPs (0.0.0.0 and 1.1.1.1).
    Within the Cisco documentation it is stated that the dhcp relay proxy feature uses a virtual IP 1.1.1.1.
    0.0.0.0    seems to be used for the internal communication.
    When I changed the dhcp address (primary & secondary) to IP 1.1.1.1 the problem was solved. We tested it yesterday evening and this morning.
    My assumption is that the virtual 1.1.1.1 IP is mandatory to match the DHCP responses to the proxy relaying feature. Or the WLC uses the DHCP addresses on the management interface to forward the traffic to the appropriate feature (where 1.1.1.1 triggers the proxy feature and 0.0.0.0 is used to forward the traffic to the internal DHCP service). But this is just guesswork; I do not know the Cisco WLC well enough to provide a valuable explanation.
    Cheers
    Martin

  • NAC OOB VIRTUAL GW PROBLEM

    Hi,
    I am trying to setup a NAC OOB Virtual GW Scenario (attached is the visio schematic of the setup):
    Switch: 3550 (ios 12.2(46) adv ip serv)
    NAC 4130 appliances: v4.1.6 (also tried v4.5)
    Switch configuration of the trunks to the CAS:
    - int f0/23 (connected to CAS e0) -> dot1q trunk with native vlan 999 and allowed vlans 199 (mgt vlan of CAS) and 10 (hosts access vlan)
    - int f0/21 (connected to CAS e1) -> dot1q trunk with native vlan 998 and allowed vlans 100 (hosts authentication vlan)
    - SVIs on switch: 199, 10, 200 (CAM mgt vlan), 99 (dns, dhcp)
    The problem I am facing is that the host once connected to a managed port is able to acquire an ip from the access vlan from the dhcp server but is not redirected to the login page. I tried to follow some hints provided in previous posts but none of them worked for me. I configured the following:
    - Login Page
    - Configured IP based traffic control on the unauthenticated role to permit all traffic (also host based to permit https://192.168.199.1 -> CAS's IP, with trusted DNS my DNS server 192.168.99.1)
    - Managed subnet with unused ip in access vlan (192.168.10.253) and vlan id that of the auth vlan (100)
    - vlan mapping between untrusted vlan 100 and trusted vlan 10
    - tried to access a resolvable website by my dns from the host (as per the suggestion from a previous post for someone who was facing the same prob)
    - also tried to access the CAS's login page from the host, in vain, even though it is accessible from trusted subnets
    Note: I followed the configuration guide of both v4.1.6 and v4.5 and with both versions I was facing the same problem.
    I would be very thankful for any hints to help me solve this issue.
    Questions: When the host is connected to a managed port (assigned to the managed vlan 100) and it is assigned an IP from the access vlan 10, shouldn't I be able to access the managed subnet in case I configured the IP traffic control policy to permit all traffic from untrusted to trusted? Also, shouldn't I be able to resolve a website's IP with "nslookup x.com", since DNS traffic is configured by default and the trusted DNS server 192.168.99.1 is also configured?
    Thanks in advance for any help.

    It turned out that the 3550/3560/3750 are not supported for Central Deployment. The problem is solved.
    Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment
    For Cisco Clean Access (NAC Appliance) in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the Clean Access Server (CAS) are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.
    Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.
    For further details, refer to switch IOS caveat CSCdu27506:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdu27506
    See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB).
    Table 6 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.
    Table 6 Switch Support for CAS Virtual Gateway In-Band/OOB VLAN Mapping Feature
    Cisco Catalyst Switch Model | Virtual Gateway, Central Deployment (both interfaces into same switch) | Virtual Gateway, Edge Deployment (each interface into different switch)
    6000/6500 | Yes | Yes
    4000/4500 | Yes | Yes
    3750/3560 (L3 switch) | Yes with 12.2(25)SEE and higher (1) | Yes
    3550 (L3 switch) | No (1) | Yes
    3750/3560 (L2 switch) | Yes | Yes
    3550 (L2 switch) | Yes | Yes
    2950/2960 | Yes | Yes
    2900XL | No (2) | Yes
    3500XL | Yes | Yes
    28xx NME | Yes with 12.2(25)SEE and higher (1) | Yes
    (1) Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.
    (2) 2900 XL does not support removing VLAN 1 from switch trunks.

  • NAC OOB Logoff feature workaround ?

    Hi,
    We have a NAC OOB, Real-IP Layer 2 setup, and the new option "Logoff Clean Access Agent users from network on their machine logoff or shutdown" does not apply when using OOB mode (which is annoying). Has anybody found a way to make sure that when a user logs off from his PC he's automatically put back into the authentication VLAN? We thought of maybe putting a program in the Windows XP logoff script that would disable/enable the NIC, but it seems a bit tricky...
    I'm sure I'm not the only one who's trying to find a solution for this. Hopefully Cisco will support this feature right from the clean access agent in a future release...
    Thanks.
    Dominic

    for now we are waiting for the feature to become available from Cisco in Q2 or Q3 of 2007.
    And yes, we are using SSO in a Windows XP - Windows 2003 environment.
    Dominic

  • NAC OOB Configuration

    Hi!
    I'm implementing a NAC OOB solution. The CAS and CAM are in the data center on a remote network, and I need to control the VLANs that my users access on my remote sites.
    How do I make them authenticate on the remote CAS? (The CAS is on a remote network.)
    TKX
    Miguel

    Hi,
    Well, it looks like you are starting now, so I would advise to get in touch with the OOB concept and guidelines:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html.
    You have L2/L3 mode.
    You have OOB/InB mode.
    You have Real-Ip/Virtual gateway mode.
    You have 2 main VLANs for the clients: authentication (untrusted) and access (trusted) vlans.
    The goal is to make the client fall into the auth vlan prior to login, and the traffic flow through the CAS so that the CAS can permit/deny the client from passing traffic.
    You have also, nice chalk-talks where you can see VODs explaining the steps for configuring several features/deployments:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Setting up a DHCP relay agent

    Hello,
    I'm trying to set up a relay agent for an XP client to obtain configuration through 2 routers in a VM lab.
    I have 3 Segments/subnets 1,2 and 3
    the topology is the following:
    1- server 2008 R2 AD DS DC on subnet 1 (192.168.1.0) and a DHCP server with 2 scopes
    Internal 192.168.1.0 (subnet1)
    external 192.168.3.0 (subnet 3)
    2- server 2008 R2 with RRAS installed
    Interface 1 pointing to the internal subnet1 192.168.1.0
    Interface 2 pointing to subnet2 192.168.2.0
    3- server 2003 with RRAS installed
    Interface 1 pointing to subnet2 192.168.2.0
    Interface 2 pointing to subnet3 192.168.3.0
    relay agent installed on Interface 2
    (servers/Routers 2 and 3 running RIP v2)
    4-  XP client on subnet3 (192.168.3.0) and the client trying to obtain config.
    The XP client is unable to contact the DHCP to obtain config.
    The server 2003 relay agent is receiving requests but gets no replies.
    How do i get this to work?

    Hi,
    First, let’s see how DHCP relay agent works:
    1. The DHCP client broadcasts a DHCPDISCOVER packet.
    2. The DHCP relay agent on the client’s subnet forwards the DHCPDISCOVER message to the DHCP server by using unicast.
    3. The DHCP server uses unicast to send a DHCPOFFER message to the DHCP relay agent.
    4. The DHCP relay agent broadcasts the DHCPOFFER packet to the DHCP client’s subnet.
    5. The DHCP client broadcasts a DHCPREQUEST packet.
    6. The DHCP relay agent on the client’s subnet forwards the DHCPREQUEST message to the DHCP server by using unicast.
    7. The DHCP server uses unicast to send a DHCPACK message to the DHCP relay agent.
    8. The DHCP relay agent broadcasts the DHCPACK to the DHCP client’s subnet.
    We can see in the second step that the DHCP relay agent sends unicast to the DHCP server after receiving the DHCP request. So confirm that unicast communication between the DHCP server
    and the DHCP relay agent works fine. At least ping should be working. You can use the following command to add the route entry.
    Add a static IP route
    http://technet.microsoft.com/en-us/library/cc757323(v=ws.10).aspx
    The result should be based on your test. If it doesn’t work it just indicates that we cannot configure another DHCP relay agent behind a relay agent.
    Hope this helps.
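    The eight-step exchange above, together with the question in the opening post about how a DHCP server can tell auth VLAN a from auth VLAN b when every relayed request arrives from the same source address, comes down to one field: the relay writes its own address on the client's subnet into giaddr, and the server selects a scope from giaddr, not from the IP source of the unicast. The following Python is an added example of mine, not code from this thread or from Cisco; it builds RFC 2131 messages on the wire format, relays them through a relay object with two helper addresses (the "forwarded to all ip helper-addresses, first answer wins" behaviour described further down the page by Jon), and returns the offer the client would keep. All addresses, VLAN names, MAC and pool sizes are constructed for the demo.

```python
# Added example (not from the thread): minimal DHCP relay/server exchange on the
# RFC 2131 wire format. Shows scope selection by giaddr, not by IP source, and
# fan-out to several helper addresses. All addresses below are made up.
import ipaddress
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC = b"\x63\x82\x53\x63"                # DHCP magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
HOPS_OFF, GIADDR_OFF = 3, 24               # byte offsets inside the header


def _ip(raw):
    return str(ipaddress.IPv4Address(raw))


def build(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", giaddr="0.0.0.0", extra=b""):
    """Serialise one DHCP message; 'extra' holds already-encoded TLV options."""
    hdr = struct.pack(
        BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000,          # flags: broadcast bit set
        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4,
        ipaddress.IPv4Address(giaddr).packed, chaddr.ljust(16, b"\0"),
        b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type]) + extra + b"\xff"


def parse(pkt):
    """Decode the fixed header and the option TLVs into a dict."""
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:  # 255 = end option
        if pkt[i] == 0:                     # pad option has no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": _ip(f[8]),
            "giaddr": _ip(f[10]), "chaddr": f[11][:6], "options": opts}


class Relay:
    """A relay with one IP per client VLAN and an 'ip helper-address' list."""

    def __init__(self, vlan_ips, helpers, uplink_ip):
        self.vlan_ips = vlan_ips      # {vlan: relay's own IP on that VLAN}
        self.helpers = helpers        # DHCP servers to forward to
        self.uplink_ip = uplink_ip    # IP source of the unicast towards them

    def to_servers(self, vlan, pkt):
        m = parse(pkt)
        if m["hops"] >= 16:           # RFC 1542: discard looping requests
            return []
        fwd = bytearray(pkt)          # forward the client's message as-is...
        fwd[HOPS_OFF] = m["hops"] + 1
        if m["giaddr"] == "0.0.0.0":  # ...except that the first relay fills in giaddr
            fwd[GIADDR_OFF:GIADDR_OFF + 4] = ipaddress.IPv4Address(self.vlan_ips[vlan]).packed
        # One copy per helper. The IP source is the uplink for every VLAN, which
        # is exactly why the server must key on giaddr and not on the source.
        return [(self.uplink_ip, h, bytes(fwd)) for h in self.helpers]

    def to_client(self, pkt):
        m = parse(pkt)
        for vlan, ip in self.vlan_ips.items():
            if ip == m["giaddr"]:     # reply came back to one of our VLAN IPs
                return vlan, pkt      # re-broadcast it on that VLAN
        raise ValueError("giaddr %s is not one of this relay's addresses" % m["giaddr"])


class Server:
    """Selects a scope by giaddr (RFC 2131 4.3.1); stays silent when none fits."""

    def __init__(self, ip, scopes):
        self.ip = ip                  # keep the first 10 hosts free for gateways
        self.pools = {ipaddress.ip_network(n): list(ipaddress.ip_network(n).hosts())[10:]
                      for n in scopes}

    def offer(self, src_ip, pkt):
        m = parse(pkt)
        if m["op"] != BOOTREQUEST or m["options"].get(53) != bytes([DHCPDISCOVER]):
            return None
        key = ipaddress.ip_address(m["giaddr"] if m["giaddr"] != "0.0.0.0" else src_ip)
        scope = next((n for n in self.pools if key in n), None)
        if scope is None or not self.pools[scope]:
            return None               # no (enabled) scope for that subnet: no answer
        yiaddr = str(self.pools[scope].pop(0))
        opts = bytes([1, 4]) + scope.netmask.packed                       # option 1: mask
        opts += bytes([54, 4]) + ipaddress.IPv4Address(self.ip).packed   # option 54: server id
        reply = build(BOOTREPLY, m["xid"], m["chaddr"], DHCPOFFER,
                      yiaddr=yiaddr, giaddr=m["giaddr"], extra=opts)
        return m["giaddr"], reply     # unicast back to the relay address in giaddr


def run_exchange(vlan, chaddr=b"\x00\x11\x22\x33\x44\x55", xid=0x1234):
    """DISCOVER from a client on `vlan`, through the relay, back as an OFFER."""
    relay = Relay({"a": "10.10.10.1", "b": "10.10.20.1", "c": "10.10.30.1"},
                  helpers=["192.168.99.10", "192.168.99.11"], uplink_ip="192.168.99.1")
    servers = {"192.168.99.10": Server("192.168.99.10", ["10.10.10.0/24"]),
               "192.168.99.11": Server("192.168.99.11", ["10.10.20.0/24"])}
    discover = build(BOOTREQUEST, xid, chaddr, DHCPDISCOVER)
    offers = []
    for src, dst, fwd in relay.to_servers(vlan, discover):
        reply = servers[dst].offer(src, fwd)
        if reply is not None:
            offers.append(reply)
    if not offers:
        return None                   # nobody serves that subnet: client times out
    _dest, pkt = offers[0]            # first server to answer wins
    out_vlan, pkt = relay.to_client(pkt)
    m = parse(pkt)
    return {"vlan": out_vlan, "yiaddr": m["yiaddr"],
            "server": _ip(m["options"][54]), "answers": len(offers)}


if __name__ == "__main__":
    for v in "abc":
        print(v, run_exchange(v))
```

    Running it shows VLAN a being served from 10.10.10.0/24 by the first helper, VLAN b from 10.10.20.0/24 by the second, and VLAN c getting nothing at all, which is what a client sees when the scope for its giaddr is disabled on every server the relay forwards to. The unicast from relay to server leaves from 192.168.99.1 in every case; that source address is only relevant to routing (the server still needs a route back to the giaddr subnet, as Dave points out in the SGE2000 thread), never to scope selection.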

  • DHCP Relay forwarded to Secondary when Scope is not available in Primary

    Two ip helper-addresses (let's suppose DHCPServer1 and DHCPServer2) are defined on each of the branch routers, and the customer wants to divide the load of DHCP requests between two different DHCP servers. The solution proposed by the customer is to disable some scopes on one DHCP server (DHCPServer1) and define the same scopes on the second DHCP server (DHCPServer2). Would the DHCP relay request be forwarded to the secondary server (DHCPServer2) if the scope is disabled on the first DHCP server (DHCPServer1)?

    The DHCP request is forwarded to all the addresses defined with the ip helper-address command.
    So if you have 2 ip helper-addresses then the DHCP request is sent to both at the same time by the router. First one to respond is usually the one accepted by the client.
    Jon

  • ASA 5512-X - VPN & local clients DHCP relaying (DHCP Proxy vs. DHCP Relay conflict)

    Hey all,
    I have ASA-5512-X serving as general firewall/router. It also serves as AnyConnect SSL VPN gateway (webvpn).
    It has ~10 VLANs connected over 1 trunk port. One of the VLANs has DHCP server that shall serve all the VLANs (192.168.16.2).
    I'm trying to have the ASA relay DHCP requests from all VLANs to the DHCP server and to also serve VPN clients.
    However, according to bug https://tools.cisco.com/bugsearch/bug/CSCsd22469 both DHCP Proxy (webvpn) and DHCP Relay (local interfaces) can't be enabled at the same time.
    As VPN clients connect to the same VLANs as local users (eg. VLAN 2 - 192.168.2.0/24) I want to have the very same DHCP server serving both, otherwise it's gonna become a mess.
    Note: if I configure DHCP Relay functionality and disable DHCP Proxy - local clients are served fine. If I configure DHCP Proxy (webvpn) and disable DHCP Relay VPN clients are served fine. I therefore consider setup to be correct, just the ASA limitation won't allow me to make it serve both.
    Can DHCP Relay also serve VPN clients (no DHCP Proxy enabled)? did I miss something?
    Thanks!

    Hi,
    The only workaround for this issue is to configure the ASA itself to act as DHCP server for vpn clients. You also have the flexibility of using local pool and AAA server. Why exactly do you want to use the same DHCP server for both?
    AM

  • DHCP Relay Cisco SG500X

    Hi, 
    I've created 2 VLANs on a Cisco SG500X-24 and a DHCP server on VLAN 2. I just want the DHCP server to assign IPs to devices on VLAN 3. I've configured the VLANs and the DHCP relay commands.
    ip dhcp relay address 192.168.1.11
    ip dhcp relay enable
    ip dhcp information option
    interface vlan 2                                      
     ip address 192.168.1.250 255.255.255.0
    interface vlan 3
     ip address 192.168.51.254 255.255.255.0
     ip dhcp relay enable
    The DHCP server gets the request from the PC and sends a new address, but the offer packet does not reach the device. With Wireshark I see that the DHCP offer packet can't jump to VLAN 3.
    It's the first time I work with the SMB series, and this never happens with Catalyst. I'm going crazy.
    Anyone can help me? Thank you in advances.
    Victor.

    Hi,
    Yes, I also configured ip dhcp relay on the interfaces.
    Yesterday I found the trouble. I was using the tftpd32 DHCP server; I tested with a Windows DHCP server and everything works like a champ. I didn't know what to do, and I was going crazy, so I began to change every element of the solution, and finally the DHCP server was the key.
    Thank you so much for your answer.
    KR!

  • NAC - OOB - Virtual IP - users lost connecti

    Hi.
    So my problem is the follow:
    I have at my customer a NAC OOB Virtual IP Gateway.
    So, we have many port profiles. Each port profile has its own authentication VLAN and access VLAN, for example:
    TI - auth vlan 585 - access vlan 85
    ENGINEERING - auth vlan 586 - access vlan 86
    And it works very, very fine.
    BUT
    There is a common location called PLATFORM (auth vlan 587, access vlan 87) where, after putting the port profile on each user interface on the switch, within 20 minutes or less the machines that are on this profile (VLANs 587, 87) lose network connectivity, without a bounce.
    I checked and some machines, for no reason, are changed to the authentication VLAN without an SNMP linkdown and even get stuck in the certified device list.
    Other machines remain in the access VLAN but lose all connectivity to the network, without being able to ping the gateway or any other device.
    Another VLAN (for ex: vlan 1) that is not controlled by NAC continues to communicate normally.
    I tried to see any logs on the switch but could not see anything abnormal (yet).
    Other locations with other port profiles work normally.
    The uplinks on these switches and the user interfaces don't have any CRC or errors.
    Could anyone help me? This is causing problems in my account.

    Hi,
    I understand then that the clients are not connecting through local or SSO mode, is that correct?
    I would suggest 3 things so far:
    1. Check the logs on the switches where the CAS's are connected, I had a similar problem where CAS would stop responding and the switches would complain about vlan mismatch or mac flapping, if you notice errors on the switches verify that you have:
    * Vlan mapping enabled correctly
    * Different native VLAN on the switch interface for trusted and untrusted CAS ethx.
    * The correct vlans configured on each port: for untrusted just the authentication (layer 2) vlans, for trusted interface the access vlan (20) and the management vlan.
    2. Enable the management vlan tag on the trusted interface of the CAS and use your CAS management vlan.
    3. On the CAM go to the Clean access server section, manage one of your CAS's, the first window will show the services currently running on the CAS, verify if the SSO service is running, if it's not running, verify the configuration. If it's not allowing you to enable it, verify the time settings on your devices, the AD user and all the other settings needed for this to work.
    Hope this helps,
    Regards,

  • WRVS4400Nv2 DHCP Relay on 2nd VLAN

    Hi,
    Here's what I'm trying to figure out:
    My network is set up such that I have a Wireless Network in VLAN 1, which is the primary network that we use.  The subnet is 10.5.1.x.
    My goal is to set up a completely isolated Guest Wireless Network, however it would work best. What I am trying to do now is I created a separate VLAN (VLAN 2, IP range 10.5.2.x) and turned on DHCP on the WRVS4400N. However, in the Guest Network, it is always picking up a 10.5.1.x IP which is handed out by the DHCP server (10.5.1.5, Win 2003) and still routing all of the traffic to/from our private network.
    Here's What I have set:
    Wireless>Security Settings>Guest Network (SSID 2)
    Wireless Isolation (between SSID w/o VLAN): Enabled
    Wireless Isolation (within SSID): Enabled
    Setup>LAN>VLAN 1
    Router IP 10.5.1.1, WLAN IP 10.5.1.3
    DHCP Relay for 10.5.1.5
    Setup>LAN>VLAN 2
    Router IP 10.5.2.1
    DHCP Enabled for 10.5.2.x subnet
    DHCP Relay option is grayed out (not sure why)
    Setup>Advanced Routing
    Inter-VLAN Routing: Disabled
    Any way to solve this would be fine.  I just do not want traffic routing through our internal network.  Ideally, if I could get the Windows server to hand out 10.5.2.x addresses, that would be perfect, but I'm not sure how to configure it for such. 
    If anyone has any ideas, that'd be great- thanks!
    Matt

    Yes...here's an answer I got from Cisco's Engineering support:
    The issue you reported is a known issue.
    Engineering and development are aware of this issue, and have provided  the following information:
    PROBLEM DESCRIPTION:
    If the WRVS4400N is configured with multiple VLANs, and these VLANs are  mapped to different SSID, the user cannot use an external DHCP server to  provide IP scopes for these VLANs.
    Hosts connected to both SSID will obtain IP address from native DHCP  server only.
    The workaround for this is to use the embedded DHCP server for all VLANs  defined on the WRVS4400N.
    Note: This is not considered a bug but rather a product limitation. The  developer has confirmed the WRVS4400N is functioning as designed.
    Regarding a fix:
    Due to wireless and trunk switch port using different chip set, it is  not possible to provide a fix for this issue.
    In future product, Engineering & Dev teams will strive to use the  same chip set (same vendor). 
    This functionality has been targeted for next new Product.  No fix will  be made on the current hardware. 
    Note: If this feature/function is mission critical to your deployment,  and you would like to recover the cost of the WRVS4400N, please forward  the serial number and a copy of the proof of purchase, and we will  gladly provide a refund.
    Best regards,
    Alex Delano

  • DHCP Relay using Brocade Switches

    Hi
    I have a large project with 3 UCM cluster with unity cluster and UCCX
    The network is a Brocade switch environment.
    The Core is using OSPF and distribution is Layer 2.
    I have configured the Cluster with a dedicated DHCP and TFTP service.
    DHCP relay is not working, but when i configure one of the phones with a static IP address it registers and I have full functionality
    When I connect my server directly to the core, which is not the design, then the DHCP relay works and I get an IP address, but when I traverse the layer 2 then I do not get an address.
    In the same topology I connected a Windows DHCP server on the same vlan as my UCM cluster and change the relay address to point to the windows dhcp the i do get an address.
    In an additional test i configured the same setup on cisco switches then the relay works great.
    If anyone has seen or knows of any bug regarding DHCP relay I would be grateful for info.
    Thanks
    Lance

    Hi Experts,
    i forgot to mention that i was reading an interesting document on Cisco website "network virtualization design guide",  and they clearly mentioned the below:
    """VRF-awareness for DHCP-relay functionality is currently not supported on any Catalyst platform, but it is required only for supporting overlapping IP addresses"""
    So i would like to ask you if you have any workaround to be done in such deployments
    Thank you in advance
    Samer Labaky
    CCIE # 24675

  • Urgent - NAC OOB VG Deployment

    hi all,
    I am in the middle of the design of a NAC OOB Virtual Gateway.
    I have the following doubts regarding the placement of the NAC Server in my existing network.
    I have two core switches (redundancy - HSRP) running VTP and 25 edge switches (VTP clients).
    According to Cisco, we can place the NAC Server either in the core or distribution switches only, not on the edge switches, in an OOB Virtual Gateway deployment.
    But currently my existing core switches do not have copper connectivity, and the customer doesn't want to invest in core switches.
    So I have to forcefully move the NAC server to one of the edge switches with both interfaces (trusted & untrusted) connected to the same edge switch, but Cisco is not recommending doing so in a NAC OOB VG deployment.
    I need to know why we cannot place the NAC server at one of the edge switches (NAC OOB VG deployment); what are the issues behind that?
    One more thing: as my network is running VTP, what are the things to consider during the design of a NAC OOB VG deployment?
    I am attaching the network diagram, please go through that.
    Expecting your valuable suggestions.
    Regards
    Dileep

    Dileep,
    You can put them on the edges, but you have to make sure you extend all the VLANs necessary to that edge. It's just bad design, but I don't see why it won't work.
    Unfortunately you don't have enough details in the map you provided to get a more detailed answer :-)
    HTH,
    Faisal

  • NAC OOB and 6500 in Virtual Switch Mode

    Is there any issue or special care to implement NAC OOB in Central Deploy, VGW, using AD SSO for wired clients where the Core Switch is a pair of 6500 in Virtual Switch Mode?
    The customer uses Radius IAS for authentication. How does it fit with the AD SSO?

    Hi Bruce,
    I am afraid there are some arguments missing in your db command.
    To manually add the OID of  Cat4507R+E to CAM's database here is the  procedure to do this.
    [root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "INSERT INTO supported_switch VALUES ('1.3.6.1.4.1.9.1.1286', '4', 'Cisco Catalyst 4507 R+E')" INSERT 0 1
    psql: warning: extra command-line argument "INSERT" ignored
    psql: warning: extra command-line argument "0" ignored
    psql: warning: extra command-line argument "1" ignored
    INSERT 0 1
    Then to make sure it is there:
    [root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "SELECT * FROM supported_switch" | grep 1286
    The output should be:
    1.3.6.1.4.1.9.1.1286      |     4 | Cisco Catalyst 4507 R+E
    Restart perfigo service on NAC Manager and try to manage the switch  using the model used by the above command.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
