OS X server, DHCP Server and random blocked IPs

Similar Messages

• Disable dhcp proxy for PPP VPN (outside DHCP server + NPS)

  Hi,
  Our VPN setup is to authenticate / authorize via RADIUS to a Microsoft NPS server / Active Directory and use our internal DHCP server to receive its information. We are running a Cisco 2811, with firmware release k9 15.1- 4.M5.
  However, we have been having some issues with our setup for a dial-in VPN. We managed to get almost everything working.
  The user can dial in and authenticate and it even builds the proper PPTP tunnel. However, the client machine when it sends out a DHCP requests seems to get forced to proxy through the Cisco router. Thus what the DHCP server sees is a encoded MAC address from the cisco all the time and sees the client as being the cisco router not the VPN client/user. This is rather frustrating, as in Active directory DNS tables it will show up as the router having x number of different IP addresses and the end client doesn't show up at all.
  I have tried utilizing a bunch of different configuration options to test, all with the same outcome.
  Utilizing "ip helper-address <dhcp server>", didn't work to forward correct. Thent trying to turn of all DHCP services, with the global command of "no service dhcp", didn't change any result. Neither did setting a global command of "ip dhcp-server <dhcp server>".
  What i am trying to acchive is that the cisco does NOT mess with the dhcp request and just allows it to pass through.
  Anyone have any idea?
  Here are the parts of the current configuration in respect to this:
  no service dhcp
  aaa new-model
  aaa authentication login CONSOLE local
  aaa authentication ppp default group radius local
  aaa authorization network default if-authenticated
  aaa session-id common
  no ip domain lookup
  ip domain name <domain>
  ip name-server xxx.xxx.xxx.xxx
  ip dhcp-server xxx.xxx.xxx.xxx
  vpdn enable
  vpdn-group 1
  ! Default PPTP VPDN group
  accept-dialin
    protocol pptp
    virtual-template 1
  interface Virtual-Template1
  ip unnumbered FastEthernet0/1    <-Internal Interface
  no ip proxy-arp
  ip nat inside
  no ip virtual-reassembly in
  peer default ip address dhcp
  ppp encrypt mppe auto required
  ppp authentication pap chap ms-chap ms-chap-v2
  radius-server host xxx.xxx.xxx.xxx
  radius-server key <private key>
  And the problem that i am seeing when running a debug on dhcp:
  *Jan 15 09:01:46.558: DHCP: proxy allocate request
  *Jan 15 09:01:46.558: DHCP: new entry. add to queue, interface Virtual-Access5
  *Jan 15 09:01:46.558: DHCP: Client socket is opened
  *Jan 15 09:01:46.558: DHCP: SDiscover attempt # 1 for entry:
  *Jan 15 09:01:46.558: DHCP: SDiscover: sending 284 byte length DHCP packet
  *Jan 15 09:01:46.558: DHCP: SDiscover 284 bytes
  *Jan 15 09:01:46.562: DHCP: XID MATCH in dhcpc_for_us()
  *Jan 15 09:01:46.990: DHCP: Received a BOOTREP pkt
  *Jan 15 09:01:46.990: DHCP: offer received from <DHCP SERVER>
  *Jan 15 09:01:46.990: DHCP: SRequest attempt # 1 for entry:
  *Jan 15 09:01:46.990: DHCP: SRequest- Server ID option: <DHCP SERVER>
  *Jan 15 09:01:46.990: DHCP: SRequest- Requested IP addr option: 192.168.10.100
  *Jan 15 09:01:46.990: DHCP: SRequest: 296 bytes
  *Jan 15 09:01:46.990: DHCP: SRequest: 296 bytes
  *Jan 15 09:01:46.994: DHCP: XID MATCH in dhcpc_for_us()
  *Jan 15 09:01:46.994: DHCP: Received a BOOTREP pkt
  *Jan 15 09:01:46.994: DHCP: Sending notification of ASSIGNMENT:
  *Jan 15 09:01:46.994:   Address 0.0.0.0 mask 0.0.0.0
  *Jan 15 09:01:46.994: DHCP Proxy Client Pooling: ***Allocated IP address: 192.168.10.100
  *Jan 15 09:01:46.994: DHCP: look up prim DNS for Vi5 from lease good ret: <DNS server 1>
  *Jan 15 09:01:46.998: DHCP: look up prim NBNS for Vi5 from lease any ret: fail
  *Jan 15 09:01:46.998: DHCP: look up sec DNS for Vi5 from lease good ret: <DHCP Server>
  *Jan 15 09:01:46.998: DHCP: look up sec NBNS for Vi5 from lease any ret: fail
  *Jan 15 09:01:47.018: DHCP: look up prim DNS for Vi5 from lease good ret: <DNS server 1>
  *Jan 15 09:01:47.018: DHCP: look up sec DNS for Vi5 from lease good ret: <DHCP Server>
  *Jan 15 09:01:47.038: DHCP: look up prim DNS for Vi5 from lease good ret: <DNS server 1>
  *Jan 15 09:01:47.038: DHCP: look up sec DNS for Vi5 from lease good ret: <DHCP Server>
  *Jan 15 09:01:56.826: DHCP: Interface Virtual-Access5 going down. Releasing: 192.168.10.100
  *Jan 15 09:01:56.826: DHCP: start holddown for 192.168.10.100
  *Jan 15 09:01:56.826: DHCP: Holddown and T1 remain 1792 sec
  As one can see even with the configuration to turn of any proxy or dhcp, the cisco router still try's to interject and proxy the request, aka:
  DHCP: proxy allocate request
  If anyone has any idea, please let me know
  Thanks
  S.

  Hello Stephen.
  How is this behaviour in 7.5? It's weird because in the individual interfaces you might change the value, but it doesn't get accepted. So it still seems that it's a global setting... but then: why showing this item to be changed on each interface?
  Kind regards,
  Flavio.

• Snow Leopard Server dhcp assigns IP to clients, but sometimes that IP is blocked from reaching network

  I have a problem that is driving me batty.
  I have a Mac Mini Server acting as a gateway to the Internet. The cable modem is connected to the built in Ethernet, and the local net is configured with a USB Ethernet. I am running  DHCP on the local network, and all of the clients get IP's from the server with no problem. Sometimes an random IP appears to get blocked from accessing the network (can get the file servers on the local net, and cannot reach the Internet.) We can manually assign a different IP, and it might start working, but it might not. We just keep picking until we find one that works. Rebooting the server will fix the problem as well.
  I see no indication of a problem in any of the logs on the server.
  This setup has worked with no problem in the past, but I must have done something to the configuration as some point.
  Any help will be appreciated!
  Mark.

  The proper way to set up your system is to set up the server's DNS as your primary DNS, entering into it all of your local devices and support, and use your ISP's DNS as forwarding DNS's. For help in doing this follow Mr. Hoffman's instructions.
  Use your ISP's modem in bridge mode to provide you with a static IP. Use the server's DHCP system to provide all internal addresses, otherwise you won't have dynamically updated DNS information at the server level.
  User your airport extreme as an AP. Set it up to use an internal static address as it's WAN address and shut down it's DHCP server allowing anything connected to it to receive it's IP address from the server. If you can't do that, then set up the Airport to provide DHCP with a reduced subset of addresses for only wireless devices. Let the server's DHCP provide all wire-based equipment addresses.
  Turn off the wireless on the mac mini server and run wired from your ISP's modem. Before you do, however, you need to enter a static address into the TCP/IP section, including mask and gateway. This will avoid VPN and other service issues caused by having it turned on and receiving a DHCP address (at server can not, by nature, be a DHCP device).
  To do remote desktop from the internet, you would connect through the WAN address provided to the server by your ISP, but you will need to open the firewall ports on the server. If you have the money, and want to most protection, you should invest in a firewall box like a SonicWall and insert this between your modem and the rest of your system. The SonicWall will provide faster, tighter attack protection and allows you to tie external service access down as tight as you want.
  Hope this helps.

• ASA as DHCP server for WLC2106 and LAP

  Hi,
  First off i aplolgize for asking something that seems to have been asked before but i am getting conflicting answers and wanted someone to give a definitive answer.
  Setup:
       ASA5505  ---------------- WS-C3750G -----------------WLC2106  -------------------------------AIR-LAP1131
  (DHCP SERVER)           (simple config)          (dhcp proxy disabled)           (is requesting dhcp from ASA)
  ASA5505 - ASA 8.2(1)
  WLC2106 - 7.0.98.0 (tried 6.0.99.4 as well)
  AIR-LAP1131 - 12.4(23c)JA
  Problem:
  The ASA5505 is giving addresses to multiple devices, i tested it with the AP plugged directly into the ASA and it worked great.  The problem is that the WLC2106 seems to be altering the DHCP requests somehow and thus making the ASA5505 not respond to them.  The AP gets an ip address and associates to the WLC if plugged into the 3750, or the ASA directly.  Just not when plugged into the WLC2106 ports.
  Research:
  https://supportforums.cisco.com/message/1268269#1268269
  https://supportforums.cisco.com/message/3037259#3037259
  https://supportforums.cisco.com/message/1302468#1302468
  https://supportforums.cisco.com/message/926529#926529
  I have read quite a few posts with people basically saying you cannot use the ASA as the DHCP server with the WLC because of how the WLC relays the requests.  BUT: (this is important)  There are some documents that say with WLC version 4.2 and above you have the option of turning off dhcp proxy mode to enable bridging mode thus elminating the probem and all DHCP requests get forwarded without modification.  Please see here for suggested solution to this issue:
  http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080af5d13.shtml#topic2
  *Interoperability issues can exist between a controller with DHCP proxy enabled and devices acting as both a firewall and DHCP server. This is most likely due to the firewall component of the device as firewalls generally do not respond to proxy requests. To work around this issue, disable DHCP proxy on the controller.
  Help please:
  I have tried this but maybe im missing something.  I have tried with proxy enabled and disabled.  Can anyone verify this is supposed to work for me please?  I input "config dhcp proxy disable" and verified proxy is now disabled.  Yet i do not see any responces from my DHCP server to my AP's requests when going through the WLC.  It works fine when plugging the AP into the ASA or 3750.  DHCP server is working.  Is the above suggested work around not a valid solution?  Did i miss something?  Do i need specific software versions on my devices?  Is this a bug in my software versions?
  Any help is greatly appreciated.  Let me know if anyone has questions.  Thanks,
  Kyle

  I do not see any debug output on the ASA5505 when the AP is connected through the WLC.  Debug output from WLC2106 below:
  (Cisco Controller) >show debug
  MAC debugging .............................. disabled
  Debug Flags Enabled:
    dhcp packet enabled.
  (Cisco Controller) >
  (Cisco Controller) >
  (Cisco Controller) >show dhcp proxy
  DHCP Proxy Behaviour: disabled bootp-broadcast disabled
  (Cisco Controller) >
  (Cisco Controller) >*DHCP Socket Task: Nov 16 10:56:39.931: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
  *DHCP Socket Task: Nov 16 10:56:39.932: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
  *DHCP Socket Task: Nov 16 10:56:39.932: 00:1d:a1:ed:c8:d4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
  *DHCP Socket Task: Nov 16 10:56:39.932: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126b (4715), secs: 0, flags: 80
  *DHCP Socket Task: Nov 16 10:56:39.932: 00:1d:a1:ed:c8:d4 DHCP   chaddr: 00:1d:a1:ed:c8:d4
  *DHCP Socket Task: Nov 16 10:56:39.933: 00:1d:a1:ed:c8:d4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
  *DHCP Socket Task: Nov 16 10:56:39.933: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
  *DHCP Socket Task: Nov 16 10:56:39.933: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated' (0)
  *DHCP Socket Task: Nov 16 10:56:42.939: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
  *DHCP Socket Task: Nov 16 10:56:42.940: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
  *DHCP Socket Task: Nov 16 10:56:42.940: 00:1d:a1:ed:c8:d4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
  *DHCP Socket Task: Nov 16 10:56:42.940: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126b (4715), secs: 0, flags: 80
  *DHCP Socket Task: Nov 16 10:56:42.940: 00:1d:a1:ed:c8:d4 DHCP   chaddr: 00:1d:a1:ed:c8:d4
  *DHCP Socket Task: Nov 16 10:56:42.941: 00:1d:a1:ed:c8:d4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
  *DHCP Socket Task: Nov 16 10:56:42.941: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
  *DHCP Socket Task: Nov 16 10:56:42.941: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated' (0)
  *DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
  *DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
  *DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
  *DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126b (4715), secs: 0, flags: 80
  *DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP   chaddr: 00:1d:a1:ed:c8:d4
  *DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
  *DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
  *DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated' (0)
  *DHCP Socket Task: Nov 16 10:57:05.034: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
  *DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
  *DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
  *DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126c (4716), secs: 0, flags: 80
  *DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP   chaddr: 00:1d:a1:ed:c8:d4
  *DHCP Socket Task: Nov 16 10:57:05.036: 00:1d:a1:ed:c8:d4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
  *DHCP Socket Task: Nov 16 10:57:05.036: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
  *DHCP Socket Task: Nov 16 10:57:05.036: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated'
  It keeps seeing the Discover messages but never gets any responce from the ASA.  What does that message mean "dropping REQUEST from STA with invalid mobility state 'Unassociated'" ?  I know the STA is the AP but why is it dropping the request?
  Here is the debug output from the ASA:
  ASA5505lab#  show debug
  debug dhcpd packet enabled at level 128
  debug dhcpd event enabled at level 128
  ASA5505lab#
  DHCPD: checking for expired leases.
  DHCPD: checking for expired leases.
  DHCPD: checking for expired leases.
  DHCPD: checking for expired leases.
  DHCPD: checking for expired leases.
  DHCPD: checking for expired leases.
  (IT NEVER SEE'S ANY MESSAGES OR SHOWS ME ANY BLOCKED REQUESTS OR ANYTHING)
  (Now if i move the AP to the PoE ports directly on the ASA5505 you will see the AP get an IP)
  DHCPD: Server msg received, fip=ANY, fport=0 on inside interface
  DHCPD: DHCPDISCOVER received from client 0100.1da1.edc8.d4 on interface inside.
  DHCPD: Sending DHCPOFFER to client 0100.1da1.edc8.d4 (192.168.143.4).
  DHCPD: Total # of raw options copied to outgoing DHCP message is 0.
  DHCPD: broadcasting BOOTREPLY to client 001d.a1ed.c8d4.
  DHCPD: Server msg received, fip=ANY, fport=0 on inside interface
  DHCPD: DHCPREQUEST received from client 0100.1da1.edc8.d4.
  DHCPD: Sending DHCPACK to client 0100.1da1.edc8.d4 (192.168.143.4).
  DHCPD: Total # of raw options copied to outgoing DHCP message is 0.
  DHCPD: broadcasting BOOTREPLY to client 001d.a1ed.c8d4.
  ASA5505lab#
  ASA5505lab# show dhcpd binding
  IP address       Hardware address        Lease expiration        Type
    192.168.143.4    0100.1da1.edc8.d4            3581 seconds    Automatic
    192.168.143.5  0063.6973.636f.2d30.           1911 seconds    Automatic
                   3031.662e.3965.6234.
                   2e35.3034.302d.566c.
                   31
  ASA5505lab#
  ASA5505lab#
  So the ASA5505 is working when the AP is plugged directly into the ASA or a 3750 on the same network.  Only when connected through the WLC i do not see any messages on the ASA.  Is there something else i need setup on the WLC2106 besides turning off dhcp proxy?
  Thanks,

• I want to block DHCP Server

  Hi i want to block on an ap where wlan clients are connected, dhcp server from the clients. bc the clients are getting the ip from my dhcp server. but when he also starts an dhcp server i ahve two server in my wlan. so i want to block dhcp ports on my ap.
  i have tried it:
  i made an port filter: port 67 and 68 (bootp server and client) then i places the filter on RADIO recive site. but then the client doenst get an ip. so i tried it only with port 67 or 68 it also doesnt work.
  hope anybody can help me with this issue.
  regards Bernhard

  DHCP client requests are sent from DHCP client (68) to server's DHCP server port (67). Server replies using port 67 to client's port 68. All above are UDP obviously. So to block rogue DHCP servers put an input ACL 'deny any eq 68 any' to AP radio interface and this should work. Also remember that DHCP client for initial message exchanges uses 0.0.0.0 as src IP and 255.255.255.255 as dest IP so do not replace 'any' with your IP subnets. Hope this helps.

• Windows DHCP Server and Linux DHCP Relay Agent

  We are trying to organize a VLAN (say VLAN 1) for guests who must be assigned IP addresses from a DHCP server in a different VLAN (VLAN 2). This DHCP server is configured with two scopes - 172.16.0.0/24 (for VLAN 2) and 172.16.4.0/24 (for the Guests
  VLAN 1). The DHCP server successfully distributes addresses to clients in its VLAN (it has the IP address 172.16.0.2). For the clients in the other VLAN a DHCP Relay Agent has been setup on the router. It is DHCRELAY running on Linux (CentOS) which has
  been configured to accept the DHCPDISCOVER broadcasts coming on the VLAN1 interface of the router and forward these to the DHCP server. The IP address of the VLAN1 interface of the router is 172.16.4.254 and on the VLAN2 interface - 172.16.0.254
  The problem is that the DHCP server won't respond with a DHCPOFFER message to the relay agent. I have traced the frames on the router and on the DHCP server. They arrive on the DHCP server with the correct GIADDR of the relay agent. According to all documentation,
  if a scope has been configured on the DHCP server and it receives a unicast message with the GIADDR set by a relay agent that matches one of the configured scopes, the DHCP server must send a unicast DHCPOFFER to the relay agent. But it doesn't.
  Here is what Wireshark reports (ignore the Destination port unreachable messages, the DHCP service was stopped at the time Wireshark was running)
  When the service is running, there are just DHCPDISCOVERs - no OFFER. You can see that the server has the two scopes configured:
  The relay agent seems to work normally - it forwards the DHCPDISCOVERs to the server continuously (tried many times with ipconfig /renew on the client).
  I read many posts about this problem. Some users had other services running on the DHCP server that used the DHCP port, but I don't have such an issue (you see that when the service is stopped, an ICMP port unreachable is sent which is correct). Others however
  did not find a solution. Am I missing something? Is there something specific when using the DHCRELAY agent from DHCPD? Can I turn on some verbose logging to track this down? Thanks in advance.

  WIth DHCP, there is really nothing to configure. If the Relay Agent/IP Helper is pointing to it, and the VLAN subnet exactly matches the scope subnet, then it should just work.
  What I've seen in the VLAN config is either a static route back to the subnet the DHCP server itself is sitting on is not configured or incorrectly configured, or there are ports blocked (need UDP, too, since that's what DHCP uses to pass the OFFER), and
  other necessary ports are opened, then it should just work.
  Sometimes NIC teaming on the DHCP server will cause it. Not sure. Microsoft doesn't support teaming prior to Windwos 2012, but it doesn't mean that it doesn't work. Don't get me wrong, teaming works nicely, but they just don't support it because they never
  certified the drivers, that's all.
  The issues I've seen with DHCP relays and VLANs in the forums are usually based on misconfigs in the VLAN or ports blocked. Sometimes we'll refer to call Microsoft Support for specific, hands-on assistance. And searching the threads, from what
  I've found that if they did call support, they've never posted back what the problem was based on or the resolution. I can post a couple of them for you to read through, but there were never any response with the actual resolution.
  If you like, you also have the option to contact Microsoft Support. Here's a list of phone numbers if you choose this option:
  http://support.microsoft.com/contactus/
  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
  This post is provided AS-IS with no warranties or guarantees and confers no rights.

• 1941w - Need help with IP address assigning, and relay wireless to a DHCP server.

  Hope someone can point me in the right direction -
  Basically have a Win08 R2 DHCP server, and a 1941w router.
  I've got the internet, got the lan clients getting DHCP ok (with ip helper-address set on the 0/0 internal interface).
  Also have the SSID, and wireless clients can connect - but no IPs are being handed out, also not sure if I understand or did the bridging correctly or assigned IPs to the vlan or bvi1 correctly.
  for ex:
  DHCP server IP:
  10.10.2.4
  Router Ethernet internal interface 0/0 IP:
  10.10.2.1
  with helper-address 10.10.2.4 (lan clients are resolving IPs correctly from the DHCP server)
  Vlan1 IP address:
  10.10.3.1
  Does this interface need the helper-address as well? (10.10.2.4)?
  wlan-ap 0 IP address:
  unnumbered
  interface BVI1 IP address (static):
  10.10.2.2
  am i totally off? not even sure if i have the vlan bridged to the 0/0 adapter or not correctly - but as I said, i can get a wireless client to connect with the SSID.
  would appreciate any advice/pointers, thanks

  of course - here is the router config:
  =======================================================
  Using 5591 out of 262136 bytes
  version 15.1
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname router
  boot-start-marker
  boot-end-marker
  security authentication failure rate 3 log
  security passwords min-length 6
  logging buffered 51200
  logging console critical
  enable secret 5 $1$JWwK$.04.NFg7tQ82UTy68/hyv.
  no aaa new-model
  service-module wlan-ap 0 bootimage autonomous
  no ipv6 cef
  no ip source-route
  ip cef
  no ip bootp server
  ip name-server 10.10.2.4
  multilink bundle-name authenticated
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-975501586
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-975501586
  revocation-check none
  rsakeypair TP-self-signed-975501586
  crypto pki certificate chain TP-self-signed-975501586
  certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
  license udi pid CISCO1941W-A/K9 sn FTX155085QG
  hw-module ism 0
  ip tcp synwait-time 10
  ip ssh time-out 60
  ip ssh authentication-retries 2
  interface Embedded-Service-Engine0/0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  shutdown
  interface GigabitEthernet0/0
  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
  ip address 10.10.2.1 255.255.255.0
  ip helper-address 10.10.2.4
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  no mop enabled
  interface wlan-ap0
  description Service module interface to manage the embedded AP
  ip unnumbered GigabitEthernet0/0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  arp timeout 0
  no mop enabled
  no mop sysid
  interface GigabitEthernet0/1
  description $ES_WAN$$FW_OUTSIDE$
  ip address dhcp client-id GigabitEthernet0/1
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  no mop enabled
  interface Wlan-GigabitEthernet0/0
  description Internal switch interface connecting to the embedded AP
  no ip address
  interface Vlan1
  ip address 10.10.3.1 255.255.255.0
  ip helper-address 10.10.2.4
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip nat inside source list 1 interface GigabitEthernet0/1 overload
  logging trap debugging
  access-list 1 remark INSIDE_IF=GigabitEthernet0/0
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 10.10.2.0 0.0.0.255
  no cdp run
  control-plane
  line con 0
  login local
  transport output telnet
  line aux 0
  login local
  transport output telnet
  line 2
  no activation-character
  no exec
  transport preferred none
  transport input all
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  stopbits 1
  line 67
  no activation-character
  no exec
  transport preferred none
  transport input all
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  line vty 0 4
  privilege level 15
  login local
  transport input telnet ssh
  line vty 5 15
  privilege level 15
  login local
  transport input telnet ssh
  scheduler allocate 20000 1000
  end
  =======================================================
  and the ap config:
  =======================================================
  Using 2067 out of 32768 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname ap
  enable secret 5 $1$xKDT$GdLGeA6h.H9LKL9l3dPmj.
  no aaa new-model
  dot11 syslog
  dot11 ssid WIFI1
     vlan 1
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 044B1E030D2D43632A
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption vlan 1 mode ciphers aes-ccm
  broadcast-key vlan 1 change 30
  ssid WIFI1
  antenna gain 0
  station-role root
  interface Dot11Radio0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  bridge-group 2 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  encryption vlan 1 mode ciphers aes-ccm
  broadcast-key vlan 1 change 30
  ssid WIFI1
  antenna gain 0
  dfs band 3 block
  channel dfs
  station-role root
  interface Dot11Radio1.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  bridge-group 2 spanning-disabled
  interface GigabitEthernet0
  description  the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
  no ip address
  no ip route-cache
  interface GigabitEthernet0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 10.10.2.2 255.255.255.0
  no ip route-cache
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  bridge 1 route ip
  line con 0
  no activation-character
  line vty 0 4
  login local
  end
  ============================================

• How share ADSL Internet connection to all machines without RRAS but using Windows Server DHCP and DNS

  Hello!
  I have this scenario on my small network with 10 PCs (connecting from outside to inside my network):
  1) Modem with ADSL connection
  2) Wireless Router with public IP on WAN interface 
  3) Switch 
  4) Server 2012 with DC/DHCP/DNS (with 2 NICs) and others servers/desktops machines 
  I want to share internet to servers and desktops.
  I was able to share internet by 2 methods searching on google, but I am not satisfied with them:
  First method - Using the Wireless Router and its DHCP Server
  I turned on the DHCP inside the Wireless Router. All machines will get an IP and be able to go to Internet, but I don’t have the ability to control the DHCP and DNS in the router
  how I would like to have, because the server DHCP and DNS must be turned off on Windows Server.
  Second method - Using the Windows Server RRAS NAT, DHCP and DNS server
  I have 2 NICs on the server:
  NIC1 - CONNECTED TO SWITCH
  IP: 192.168.1.1
  MSK: 255.255.255.0
  GTW:192.168.1.1
  DNS:192.168.1.1
  NIC2 - CONNECTED TO WIRELESS ROUTER
  (the LAN IP of the wireless router is 172.16.0.1)
  IP: 172.16.0.2
  MSK: 255.255.0.0
  GTW: 172.16.0.1
  DNS: 172.16.0.1
  After installing and setting the RRAS with NAT at the Server, the internet began to work on all machines but at some times the internet stop to load some
  random webpages, and if you hit a couple of times the F5 button, the webpage open sometimes, but very, very slow.
  I saw other people in foruns saying that RRAS is not very good, and could cause weird things at internet connection, so, now I think the internet is horrible
  because of RRAS. After notice that internet is bad I tested it connecting a cable direct to the lan ports of the Wireless Router, and the internet works fast and perfect.
  What is the best thing to do in my case to maintain Windows Server DHCP and DNS turned on and Internet be shared without loss of quality?
  Thank you!

  Hi,
  please deploy according to this network topology. please turn off DHCP from router and use internal NAT function to share internet. Detailed configurations:
  Router part:
  LAN address: 192.168.1.1/24
  DHCP part:
  scope name : site name
  address pool: 192.168.1.3-192.168.1.254
  scope options:
  router:192.168.1.1
  DNS server:192.168.1.2
  DNS part:
  configure a forwarder to point to the public DNS address such as 8.8.8.8
  with these settings, you can maintain Windows Server DHCP and DNS turned on and Internet be shared via hardware router.
  Regards,
  Mike
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Can I use DHCP snooping and IOS DHCP server on the same switch stack

  Hello,
  I am shortly going to be deploying a Cisco CallManager solution for a customer whose network comprises stacks of Catalyst 3850 switches.
  There is no separate core/server farm switch so the CallManager servers, voice gateways and IP phones will all plug into the same stack and be in the same VLAN (not my choice!).
  For security we want to enable DHCP snooping and were planning on using the IOS DHCP server on the Catalyst switch stack.
  Will this work? - when I enable DHCP snooping in networks with separate access layer switches I set the uplinks to the core as trusted links.
  I am not sure whether DHCP snooping will work in this case. Do I need to set the VLAN interface on the switch as trusted, is this even possible?
  Unfortunately I do not have access to a layer 3 switch to test this at the moment.
  Thanks

  Nope.  That's the issue.
  They'll sync on a third device acting as a hotspot, but the device sending a signal is not "on" the network it creates so the airport is all by itself on that network.  At least that is what it looks like to me.  Anyone have another take on it?  Seems pretty silly that an iPad can put out a wifi signal, an Airport Express can receive a wifi signal, and yet there is no simple way to get them to communicate under this particular condition.

• Can you use the Airport Express A1264 as an AP and a DHCP server at the same time?

  Can you use the Airport Express A1264 as an Access Point and a DHCP server at the same time?
  I would like to use it as a DHCP server and AP at the same time in my LAN (no internet, just local machines through a few switches). I was lead to belive this could be the case from a few networking friends that haven't been friendly enough to help me out setting it up.

  I need it to act as a dLink/Cisco/Linksys/etc basic wifi router, in the fact that you can access it via wifi, and it will spit out DHCP addresses (192.168.1.xxx) to everything wired downstream of it.
  I want to simultaniously provide a Wifi connection and a LAN connection at the same time
  Thanks,
  BRad

• AEBS and Lion Server DHCP

  Hi All!
  I have a scenario I want some input on.
  1 Mac Mini Lion Server 10.7.2
  1 TC 2nd Gen
  x iPads
  x iPhones
  2 Lion clients
  I want to use the Lion Server for all collaboration services, and use Profile Manager to provide central management of iOS and Lion clients, and I want to use network accounts on the server.
  All is set up and working well, mail, ical, wiki, addressbook, VPN servers, profile manager settings, apart from one thing. how do I best push DNS server settings to the client to point to the server?
  In the TC there are no way to set what DNS server is served to clients. That would solve my case in an instant. Now all clients get the ISPs DNS servers, or pass-through of whatever DNS server is set up on the TC.
  I have 2 possible solutions:
  1. Set up TC to only provide 1 DHCP address reserved for the server, and then use DHCP on the Lion Server for the internal clients. This will work as it has been tested by other users here on this forum.
  2. Set the DNS server on the TC to point to the local Lion Server. I actually just came up with this idéa as I was typing.... maybe that is the answer? The inernal clients get the internal server as DNS and the server uses forwarders or roothints.
  What do you think? If you have this combo, TC/AEBS and Lion Server, how did you solve it?
  /Hasse

  Hi All!
  I actually found the solution myself. Soluton 2 does the trick brilliantly! I can't imagine why I didn't think of this before. I have searched this forum for a solution too, but this just was too easy . The Lion Server advanced admin guide didn't mention this either, even in the chapter about AEBS coexistance.
  /Hasse

• Communication between the DNS/DHCP Manager and OES Server

  No communication between the DNS/DHCP Manager Console and OES server (status,start,stop)
  The screenshot shows the tab "DHCP (OES Linux)" in the DNS / DHCP Manager console
  in the bottom of the image it shows the state of the DHCP servers.
  allDHCP.JPG
  The dhcp service is started on all these servers
  You can see that the status is known only for four servers.
  The button "start/stop DHCP service" works fine on this servers and
  the dhcp service can be canceled and also restarted
  But the status of the "dhcp service" is not recognized for all the other DHCP servers
  and so we can not start or stop dhcp service on these servers.
  All servers were installed at different times (last three years) with OES11 and
  are upgraded to OES11SP2 with all patches.
  The server keto (DHCP_keto) is a new installation OES11SP2 few days ago.
  All OES servers were set up identically from me. LDAP, LUM, DMS, DHCP works fine.
  Which service on the OES server is responsible for
  communication (status indicator) between the DNS/DHCP Manager and the OES serve?
  How the status query is performed by the DNS/DHCP Manager?
  How can I test the communication to the server on the client (console)?
  Which configurationfiles I should be compare on the server?
  Thanks in advance
  Gernot

  gernot,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://www.novell.com/support and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Forums Team
  http://forums.novell.com

• E1200 stops serving DHCP all of a Sudden (affects both wireless and wired)

   Greetings All,
  I have a 2 year E1200 router that has given me very good service uptil now. Now, it appears to suddenly stop serving DHCP at least once daily. This results in a situation where all my devices (3 over wifi, 2 directly wired) suddenly all cannot talk over the local LAN or reach the Internet (WAN).
  This issue started about a week ago when the build I live in had an issue with its network - they won't give a full explanation of what the exact issue was but somehow some media gateways were requesting MAC addresses (ARP?) from every single device in the building constantly. Since then, my E1200 gets into a funk daily, typically at night when it is idle, though I have seen it get into this condition during the day when I am actively connected to a VPN at work.
  My network consists of 3-4 wireless devices, 2 wired devices connecting to the E1200 (wpa2-psk) and the E1200 is connected to a Digital-to-Analog GW that converts fiber input to 100Mb Ethernet. I have the latest firmware on it.
  I realize this is very scant information to begin a hypothesis so any suggestions on whether this is a know problem and if so, how to rectify it? If it is not known, I'm all ears on how to debug it.
  So far, my work around has been to reboot the E1200 and that clears up the issue but clearly that is not a good long term solution.
  Thanks,
  H

  Hi,
  If you have time, you can try to perform a hardware reset on your E1200 then reconfigure it back manually. Since you are running on the latest firmware, there's no need to reflash that. You might still have the same issue if there's really a problem from your gateway.
  If everyone needs to believe in something, I believe I'll have another beer..

• DHCP Server does not work after Exporting and Importing Using Netsh Command

  Hello Friends :
  I had two dhcp servers in windows server 2003 server , I have upgraded one of them to windows server 2008 32 bit and again i installed a windows server 2008 R2 as an additional Domain Controller , the last scenario was like this :
  srv-1 : windows server 2003 + DHCP = working with no problem
  srv-2 : windows server 2003 + DC + DHCP = Worked without problem
  srv-3 : windows server 2008 R2 + DC = worked without any problems
  I exported the DHCP server configuration on the srv-2 using netsh dhcp server export and Imported them to srv-3 using the
  netsh dhcp server import command , the command completed successfully and i can see all of the scopes without any problems and errors , i have authorized the new server without any problem , all scopes are activated without any problem so i
  disabled the srv-2 DHCP service and unauthorized it from active directory , the problem is that the new server semms that does not lease any address to clients !!!
  1- I have authorized it
  2- I used Rogue Checker tool in client computers they see authorized server without any problems
  3- The same tool in workgroup only shows srv-1 as the DHCP server and does not see other DHCP servers
  4- Bindings are OK and DHCP servers only have one NIC installed on them
  What can i do to make sure my srv-3 DHCP server will work on the network ?
  thanks ...
  MIMO

  Are the clients on another network so you need to configure a DHCP relay agent?
  If you load up perfmon on the dhcp server and remove all counters and then add DHCP counters. Do you see any dhcprequests when you reboot your dhcp clients? This will determine if your server actually receives any dhcp requests.
  Have you check event viewer for any warnings or errors?
  And the classic one restarted the dhcp server service (or reboot)?
  Regards Per-Torben Sørensen http://pertorben.wordpress.com/

• Solaris 10 x86 PXE and jumpstart using Linux DHCP server !!

  Hi,
  I am trying to get a my Solaris 10x86 jumpstart rolling.
  I have created the images for the OS, but the only issue I have ahead is using a Linux box as a DHCP server for my X86 box to get the image.
  Is it possible to have a linux host that serves as a dhcp server to jumstart X86 host with Sol 10 x86
  or do I need to have a solaris host that runs DHCP service on it.
  Any advice on this issue.
  Thanks.

  Well, if you don't think the online Documentation helpful, then the better way is reading step-by-step instructions from a book. Get to local bookstore, i.e Barne&Nobles or Border or any big local bookstore, there should be pretty good book for Unix Administrator (Solaris version).
  If you have time and think you can memorize then, read on the spot; otherwise, buy the book for future reference.
  If that's not what you had in mind, then this link of free online book might help : http://www.oreilly.com/catalog/solaris8/chapter/ch04.html
  Normally, oreilly online bookstore offers free books to accredited universities, colleges, and organizations. However, if that option isn't for you, it might even offer free sample chapters that might just suit your needs.
  hoep it helps.
  -van.