Phones not getting IP address via DHCP server on same VLAN

Similar Messages

• Cisco phone not getting ip address

  Hi all , 
  Cisco 2950 switch 
  Phone and dhcp server are in the same default vlan .PC's are getting ip address from dhcp server but not the phone 
  Thanks

  Hi 
  I can see the  mac address has registered  on the switch . And i have tried couple of phones ,  result was same  . 
  Then i did run a packet sniffing using wireshark . 
  I could see  dhcp discover from the phone   and offer from the server  a couple of times . 
  i am attaching the dhcp offer part  from the  wireshark . 
  And i saw one error  also 
  Error part 
      Option: (150) TFTP Server Address
          Length: 11
          TFTP Server Address: 49.48.46.48 (49.48.46.48)
          TFTP Server Address: 46.55.49.46 (46.55.49.46)
          [Expert Info (Error/Protocol): Option length isn't a multiple of 4]
              [Option length isn't a multiple of 4]
              [Severity level: Error]
              [Group: Protocol]
      Option: (255) End
          Option End: 255
  i don't have any idea about the Tftp server address mentioned   above . 

• WinXP SP3 not getting IP from Win2012 DHCP Server

  Hi,
  I have a Windows 2012 DHCP server, and as clients we have mixed OS ie, XP & Win7 
  in Win7 we get proper IP from DHCP but in XP , in DHCP Server Address lease it shows as leased but in xp side they are not getting IP . after 20-40 minutes they are getting that IP 
  Anyone have any solutions for this behavior ?
  Best Regards,
  Shaijith KB

  Hi there,
  Last time when I have this problem is because one end user plug in his own appliance with a active DHCP service and somehow it affects the XP clients (only).
  We found this via these 2 packet monitor tools:
  Microsoft Network Monitor 
  WireShark, previously also known as Ethereal 
  Basically it is to identify the network activity at packet level on the select interface on what exactly going on for the DHCP handshaking.
  Try installing one of them on the client and observe. I am personally more familiar with WireShark though.
  Thanks.
  -- wsn

• Cisco 891 not getting IP address with DHCP with latest IOS

  Hi,
  I have a few Cisco 891 routers that are configured as DHCP clients on the WAN interface.
  For some reason when I boot the router with a late IOS, the router is not receiving an address.
  It works just as expected with the older IOSes.
  Any ideas of what changed?
  This is how the interface is configured:
  interface FastEthernet8
   ip address dhcp
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   duplex auto
   speed auto
   no cdp enable
  This IOS does not work:
  c890-universalk9-mz.154-3.M2.bin
  While these do work:
  c890-universalk9-mz.150-1.M7.bin
  c890-universalk9-mz.151-2.T2.bin
  c890-universalk9-mz.152-1.T1.bin
  Doing a "show ip interface brief" shows that FastEthernet8 is unassigned with the affected IOS.
  With the older IOSes there is an IP address.
  I had to downgrade two routers due to this issue, and did not have  plenty of time to troubleshoot.
  Both of the routers are connected to DSL from the same ISP...
  Anyone seen anything like this  before?

  Add another one to the list.
  I have a MacBookPro3,1 that connects to WIFI no problem. It used to connect to ethernet when I originally bought it, however I've been using WIFI exclusively for the past 2 years.
  Recently I had a need to connect via ethernet and it wouldn't work at home (apple airport router). I next tried connecting via ethernet at a friends house using a linksys WRT54G, no dice either. I have the computer in the lab today (University Network) and I get the same error. 3 different locations, 3 different routers, all same problem. It used to connect to home and university networks ethernet right away.
  IP address assigned is 169.xxx.xxx.xxx - subnet - 255.255.0.0
  no other info. It's showing up as connecting to the network, but unable to communicate with DHCP. It does work if I enter all of the information in manually.
  At first I thought I had messed something up in networking preferences as I tend to play around with things alot. However I did a complete system format, and fresh install of OSX Lion and I still have the same problem, without any of my meddling around to confuse things.
  What gives?

• Unable to get ip address from DHCP server for Aironet 1130AG Access Point

  I have a network in which DHCP server is enabled. I have read the installation guide also there it is mentioned that 1130G Access point will not have any staic ip assigned to it.So it will automatically get the ip from the DHCP server from the network. I have connected that from the network but it is unable to get the ip address from the same. The same thing i have configured in the netgear it is coming fine. I have seen the sonic wall and used the IPSU tool also from checking the ip address from Mac Address but i am not able to get the same. Please provide me some tips to check where i am wrong in configuration because the first web page also not coming because of the ip address.

  narendra,
  I would suggest that the AP be connected to a laptop or desktop pc that would run a local dhcp server with a small scope setup...plenty of free ones on the web(this pc would obviously not be connected to your currnet network). This way you can watch the dhcp server hand the AP it's address (this can take a few minutes). Once you have the address use it to access the GUI and give the AP a static address (I find it good pratice to give all my autonomous AP's static addresses for ease of troubleshooting)...Hope that helps.

• IP phone not getting IPv6 address

  Hi guys,
  I am having trouble with receiving IPv6 address from my 2811 CME router that has been configured as a DHCPv6. Could you please help me what is wrong with my configuration below? Thank you.
  Router#sh run
  Building configuration...
  Current configuration : 2327 bytes
  ! Last configuration change at 22:52:14 UTC Mon Feb 17 2014
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Router
  boot-start-marker
  boot-end-marker
  no aaa new-model
  dot11 syslog
  ip source-route
  no ip cef
  no ip domain lookup
  ipv6 unicast-routing
  ipv6 cef
  ipv6 dhcp pool VOICE
  address prefix 2001::/64
  vendor-specific 9
    suboption 1 address 2001::1
    suboption 2 ascii "IP-Phone"
  multilink bundle-name authenticated
  voice-card 0
  crypto pki token default removal timeout 0
  license udi pid CISCO2811 sn FHK1213F0HN
  redundancy
  interface FastEthernet0/0
  bandwidth 50
  no ip address
  duplex auto
  speed auto
  interface FastEthernet0/0.10
  encapsulation dot1Q 10
  ipv6 address 2001::1/64
  ipv6 enable
  ipv6 nd other-config-flag
  ipv6 dhcp server VOICE
  interface FastEthernet0/1
  bandwidth 50
  no ip address
  duplex auto
  speed auto
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  tftp-server flash:SCCP41.9-3-1SR2-1S.loads
  tftp-server flash:cnu41.9-3-1ES13.sbn
  tftp-server flash:cvm41sccp.9-3-1ES13.sbn
  tftp-server flash:dsp41.9-3-1ES13.sbn
  tftp-server flash:jar41sccp.9-3-1ES13.sbn
  tftp-server flash:term41.default.loads
  tftp-server flash:apps41.9-3-1ES13.sbn
  tftp-server flash:mk-sccp.jar alias English_United_States/mk-sccp.jar
  tftp-server flash:g3-tones.xml alias United_States/g3-tones.xml
  control-plane
  mgcp profile default
  telephony-service
  protocol mode dual-stack preference ipv6
  max-ephones 5
  max-dn 5
  ip source-address 2001::1
  cnf-file location flash:
  load 7941 SCCP41.9-3-1SR2-1S.loads
  max-conferences 8 gain -6
  transfer-system full-consult
  create cnf-files version-stamp Jan 01 2002 00:00:00
  ephone-dn  1
  number 1000
  ephone-dn  2
  number 2000
  ephone-dn  3
  number 7000
  ephone  1
  device-security-mode none
  mac-address 0017.9406.FD55
  type 7941
  button  1:1
  ephone  2
  device-security-mode none
  mac-address 0016.46F5.F08E
  button  1:2
  ephone  3
  device-security-mode none
  mac-address 0017.941D.BE05
  type 7941
  button  1:3
  line con 0
  logging synchronous
  line aux 0
  line vty 0 4
  login
  transport input all
  scheduler allocate 20000 1000
  end

  Duplicate posts. 
  Go here:  https://supportforums.cisco.com/thread/2267863

• IPad wont get IP address from DHCP Server

  I have an enterprise WPA2 PEAP MSCHAPv2 wireless network. It allows access via 802.1x authentication using Radius (MS IAS Server) with certificates. I can join the network, enter credentials (that I can see work) and get the certificate. The problem is that I don't get an IP address. I get a 169. APIPA address. I tried to use a static IP address and that doesn't work either. I have connected various laptops, iPhones even a Dell Streak to this wireless network without issue. My iPad won't get an IP at all. There are plenty of addresses in the pool.
  The setup is a 3COM WX3008 wireless LAN controller and 9552 access points.
  Any ideas? I went through the articles on wireless settings and none of them help at all. I guess my next step is to wipe the iPad.
  Like I said... EVERYTHING else works, every other device we try is surfing just not the iPad.

  I see what you are trying to say but in this case its just not true. There is a problem with the iPad. Moving away from the most secure wireless technology or changing my "router" isn't a reasonable solution. We are using a current production model enterprise wireless LAN controller with lightweight access points. Its running its latest code. Its not the Free After Rebate model from the local B&M.
  Again, when everything BUT the iPad works (iPod/iPhone/laptops of varying OS & vendor are all good) its not the routers fault. While downgrading my network may work it is not a reasonable solution to a problem with only the iPad.
  Of course I don't like hearing it. I am here to hopefully find someone else with the same issue or get some tips that lead to a solution so the next google searcher will land on a solution.

• DHCP via Hyper-V VM, Server2012r2 Hyper-V host, clients not getting IP address

  You have to authorize a dhcp server as Britv8 says. That's the only way it'll start dishing out leases. That's standard for Windows DHCP server in an AD Domain.
  Also there's 0 reason to mention Hyper-V here. The whole point of virtualization is to do hardware level abstraction.

  I recently encountered this. Setup:
  Initial setup of the system was at a different location from its final destination, with different network equipment (switches) between the two. No teaming is involved, however.
  Set up the system at its final destination, with DHCP via a Hyper-V VM (Server2012r2), Server2012r2 Hyper-V host, physical clients on the lan were not getting IP address.
  The physical server box has a 4-port Intel Gigabit ethernet card.
  I moved the setup (Hyper-V Virtual Switch manager) so that the interface for the DHCP server VM was isntead using one of two built-in Broadcom adapters.
  While this topic seemed promising,
  http://community.spiceworks.com/topic/251317-hyper-v-vm-not-leasing-ip-s-dhcp
  unfortunately, "fiddling about" was not what I was looking for as possible solution.
  My notes for the resolution:
  Hyper-V system running...
  This topic first appeared in the Spiceworks Community

• AP gets always a new IP address from DHCP server

  Hello,
  When an access points doesn't find a controller it gets always a new IP address from DHCP server.
  Does anyone know, why?
  thanks

  Hi,
  From what I know this is to do with DHCP option 60 and 43.Normally when APs request for IP address, DHCP Server also returns the management IP Address of WLC if the VCI matches.
  If the VCI sent by the AP does not match with the one configured under DHCP for that particulart AP type, the DHCP will never return the WLC IP and hence AP can not find the controller.And the AP keeps sending DHCP Req and sometimes end up getting two IP addresses!
  So may be you can check VCI on DHCP server for that AP model.
  Let me know.
  Cheers

• How get the RVS4000's DHCP server to assign another IP address other than its own as the default gateway to its DHCP clients?

  Hi,
  I have a RVS4000 router with DHCP enabled and in router mode. 
  The LAN is 192.168.2.x.  The RVS4000 static IP address is 192.168.2.8
  The router is not the RVS4000 and is at 192.168.2.1
  The RVS4000 dhcp is assigning it's clients a default gateway of 192.168.2.8 instead of what I want 192.168.2.1.
  How can I get the RVS4000's DHCP server to assign another IP address other than its own as the default gateway to its DHCP clients?
  Thanks

  Hi Gail, you cannot do this. The router, as the DHCP server will only assign a default gateway of what IP interface the DHCP server runs on. If you have the default IP, the gateway is 192.168.1.1. If you create a second vlan, by default it would be 192.168.2.1.
  There are not configuration options for the built-in DHCP server. If you'd like to expand this functionality, you would need an external dhcp server.
  -Tom
  Please mark answered for helpful posts

• APs not getting IP addresses on Server 2008r2

  Has anyone seen this?  We had about 30 APs drop off the network after a controller upgrade and had to be manually assigned an address.  We found that the APs are DHCP and have a reservation in the excluded range of the scope.  In the new version of DHCP in Server 2008r2, even with a reservation in an excluded range, DHCP will not issue those addresses to clients.  Deleting the reservation and letting the AP find a valid address in the range didn't work either.

  Where are your APs?  Are they directly connected to your 2106, or are they connected to a switch like normal?
  Assuming connected to a switch, the WLC config is irrelevant to an AP getting an IP address.  Whatever vlan your APs are in, they'll do a broadcast dhcp request and you'll need an ip helper-address or something to get it to your dhcp server..............
  So do you see any kind of dhcp request make it to your server?
  If this is directly connected APs, then perhaps someone else on the forum can share thier experience with this?
  -Wesley Terry

• AP not getting ip address assigned.

  Hi all,
  I have a problem with my AIR-AP1041N-E-K9, i do not seem to get an ip-address assigned after a reset to factory defaults.
  I do see the AP with CDP:
  Device-ID: ap
  Advertisement version: 2
  Platform: cisco AIR-AP1041N-E-K9
  Capabilities: TransBridge IGMP
  Interface: gi5, Port ID (outgoing port): GigabitEthernet0
  Holdtime: 163
  Version: Cisco IOS Software, C1040 Software (C1140-K9W7-M), Version 12.4(25d)JA1, RELEASE SOFTWARE (fc1)
  Technical Support:
  http://www.cisco.com/techsupport
  Copyright
  Duplex: full
  Power drawn: 15000 milliwatts
  SysObjectID: 0.0
  Addresses:
            unknown addres
  So that should mean that layer 2 connectivity is fine.
  I have the AP connected to a cisco SG300 switch,and assigned  switchport trunk allowed vlan's: 1,3,4,8.
  Can someone help me?
  Regards,
  Menno
  Message was edited by: Menno Hogenbirk
  I also noticed that when i connect to the AP via console-cable, i can see the AP boot up in the console session, but then i do not get a login prompt, but it seems like the AP is responding; if i shutdown the interconnecting link between the switch and the AP, i do see log messages appearing in the console-connection.
  I have tried to debug on the Switch, but i need a password, so i can debug, which i do not have.,

  Hi, thanks for your reply,
  I'm should be getting my ip via DHCP(as i believed that this is the way that the AP searches for an ip, when it has no config yet). The DHCP-server is configured on a cisco 871 router that is connected to the switch, as i found no option to configure it on my switch, which is in layer 3 mode. The DHCP-pool is assigned to the vlan(native) 1 address-range(in this case 192.168.0.x/24). I also have configured a range for my workstations, and here i do get Ip-addresses assigned.
  The AP does not connect to a Wireless controller. Also i have checked my inter-vlan routing on my switch, and i have connectivity to all vlans, so i believe my AP should have connectivity to the DHCP-server configured on the router.
  Ping-test from switch shows no issues:
  Swouter#ping 192.168.0.1
  Pinging 192.168.0.1 with 18 bytes of data:
  18 bytes from 192.168.0.1: icmp_seq=1. time=0 ms
  18 bytes from 192.168.0.1: icmp_seq=2. time=0 ms
  18 bytes from 192.168.0.1: icmp_seq=3. time=0 ms
  18 bytes from 192.168.0.1: icmp_seq=4. time=0 ms
  ----192.168.0.1 PING Statistics----
  4 packets transmitted, 4 packets received, 0% packet loss
  round-trip (ms) min/avg/max = 0/0/0
  Message was edited by: Menno Hogenbirk
  Problem has been resolved.

• Router connected to cable modem by Ethernet port cannot get IP address from DHCP.

  I have an ethernet cable on Fa0/0 connecting my 1841 router to my cable modem. The issue is that the router cannot obtain an IP address via DHCP when I have the "ACL-OUTSIDE-IN" ACL applied inbound on the Fa0/0 interface. I tried to allow all BOOTP and BOOTPS traffic in my ACL, but still no luck. I really don't want to run the router without a simple ACL firewall and connect it to the internet. When I take off the ACL off of Fa0/0, the router is able to get an IP address via DHCP.
  Router#sh run
  Building configuration...
  Current configuration : 10736 bytes
  ! Last configuration change at 18:14:42 MST Fri Nov 16 2012 by matt.chan
  version 12.4
  service nagle
  service timestamps debug datetime msec localtime show-timezone year
  service timestamps log datetime msec localtime show-timezone year
  service password-encryption
  hostname Router
  boot-start-marker
  boot system flash:c1841-advipservicesk9-mz.124-25f.bin
  boot-end-marker
  logging count
  logging userinfo
  logging buffered 1048576 informational
  enable secret 5 <removed>
  aaa new-model
  aaa authentication login AUTH-LOCAL local-case
  aaa session-id unique
  memory-size iomem 25
  clock timezone MST -7
  ip cef
  ip nbar pdlm flash:directconnect.pdlm
  ip nbar pdlm flash:citrix.pdlm
  ip nbar pdlm flash:bittorrent.pdlm
  ip nbar custom steam destination udp range 27000 27030
  ip nbar custom rdp destination tcp range 3389 3391 55402
  ip domain lookup source-interface FastEthernet0/0
  ip name-server 8.8.8.8
  ip inspect name fa0/0_inspect_ou icmp router-traffic timeout 10
  ip inspect name fa0/0_inspect_ou ftp timeout 300
  ip inspect name fa0/0_inspect_ou udp router-traffic timeout 120
  ip inspect name fa0/0_inspect_ou tcp router-traffic timeout 300
  login block-for 60 attempts 4 within 60
  login quiet-mode access-class ACL-ACCESS-QUIET
  password encryption aes
  crypto pki trustpoint TP-self-signed-1755372391
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1755372391
  revocation-check none
  rsakeypair TP-self-signed-1755372391
  crypto pki certificate chain TP-self-signed-1755372391
  certificate self-signed 01
    3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31373535 33373233 3931301E 170D3132 31313137 30313130
    35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37353533
    37323339 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100D53F 9EB5B123 3103A4D5 82E786F7 F91C2DE5 9E409A22 80AF78F6 812F624A
    89FE9103 73C4AAAB 13FF880D F628607D 6888AC49 18BEDD77 778F0DB1 F9A796E9
    E92717CD 6DD19450 5066620A 91278C33 E38349EA 92B8C671 80761609 0AC46E6F
    2C8C6BCF ABC7E1F7 A64BD28C C85477FE B23F8A7C 555ECDF9 CE461B8D 6C017370
    0ED70203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
    551D1104 0B300982 074E5543 4C455553 301F0603 551D2304 18301680 146CA2E0
    936C651F E2ED4DCD D7025FF3 2AB029E0 95301D06 03551D0E 04160414 6CA2E093
    6C651FE2 ED4DCDD7 025FF32A B029E095 300D0609 2A864886 F70D0101 04050003
    8181004A AFA4D07C 1424DE0E EF3F17F2 BB1EA63B CB17C13D 1AEA31A1 BAB6AF77
    DB6EA8A2 2117DCD1 5530A18C 3618D568 CC7EF520 E039ACBD DA906352 BB7E51BD
    0954490C B2AB30C2 FBBE4738 C214BE1C CB63FFEA BAFC46E0 3DC419EE 714B9ABD
    144A21E3 3E54C103 FF47FAF1 412FE5C4 59ACD1FE FD72356B C8DC04C3 E2EDF275 45954C
    quit
  username <removed secret 5 <removed>
  ip ssh maxstartups 10
  ip ssh time-out 60
  ip ssh authentication-retries 2
  ip ssh port 2226 rotary 1
  ip ssh version 2
  class-map match-all Zuri-YouTube-Class
  match access-group name NAT-Pool-Zuri-WLAN
  match protocol http host "*youtube.com*"
  policy-map PMAP-QOS-VTI-IN
    description QOS FOR TU0
  class class-default
    shape peak 1512000
  policy-map PMAP-QOS-VTI-OUT
    description QOS FOR TU0
  class class-default
    shape peak 512000
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 5
  lifetime 43200
  crypto isakmp key 6 <removed> address <removed>
  crypto isakmp invalid-spi-recovery
  crypto isakmp keepalive 10 5 periodic
  crypto ipsec transform-set EDGE-TS ah-sha-hmac esp-aes 256
  crypto ipsec profile EDGE
  set security-association lifetime kilobytes 256000
  set transform-set EDGE-TS
  set pfs group5
  interface Loopback0
  no ip address
  interface Tunnel0
  description "VTI Link"
  bandwidth 4000
  ip address 172.20.0.2 255.255.255.0
  ip mtu 1400
  ip nbar protocol-discovery
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1360
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 7 12090011003E5A0C0F186E752220211B4A
  keepalive 10 5
  tunnel source FastEthernet0/0
  tunnel destination <removed>
  tunnel mode ipsec ipv4
  tunnel path-mtu-discovery
  tunnel protection ipsec profile EDGE
  service-policy output PMAP-QOS-VTI-OUT
  hold-queue 75 out
  interface FastEthernet0/0
  description "Link to ISP"
  bandwidth 4000
  ip address dhcp
  ip access-group ACL-OUTSIDE-IN in
  no ip proxy-arp
  ip nbar protocol-discovery
  ip nat outside
  ip inspect fa0/0_inspect_ou out
  ip virtual-reassembly
  ip ospf cost 1
  duplex auto
  speed auto
  no keepalive
  no cdp enable
  interface FastEthernet0/1
  description "Link to LAN"
  ip address 172.16.0.1 255.255.255.248
  ip access-group ACL-INSIDE-IN in
  no ip proxy-arp
  ip nbar protocol-discovery
  ip nat inside
  ip virtual-reassembly
  ip ospf cost 1
  ip ospf priority 255
  duplex auto
  speed auto
  no keepalive
  router ospf 1
  log-adjacency-changes
  redistribute static subnets
  passive-interface default
  no passive-interface Tunnel0
  network 172.20.0.0 0.0.0.3 area 0
  ip forward-protocol nd
  ip route 10.0.0.0 255.0.0.0 Null0 name "Class A Private"
  ip route 172.16.0.0 255.240.0.0 Null0 name "Class B Private"
  ip route 172.17.0.0 255.255.0.0 FastEthernet0/1 172.16.0.2 name "Home WLAN"
  ip route 172.19.73.31 255.255.255.255 Null0
  ip route 172.27.0.0 255.255.0.0 Tunnel0 172.20.0.1 name "IPsec GRE Tunnel"
  ip route 192.168.0.0 255.255.0.0 Null0 name "Class C Private"
  ip route 192.168.0.0 255.255.255.0 Tunnel0 172.20.0.1 name "VLAN 70"
  ip route 192.168.100.1 255.255.255.255 FastEthernet0/0 70.162.0.1 permanent name "CABLE MODEM MANAGEMENT"
  ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp 253
  ip dns server
  no ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip nat translation tcp-timeout 300
  ip nat translation udp-timeout 120
  ip nat translation max-entries 2048
  ip nat inside source list ACL-NAT-172.16.0.0/29 interface FastEthernet0/0 overload
  ip nat inside source list ACL-NAT-MANAGEMENT interface FastEthernet0/0 overload
  ip nat inside source static tcp 172.16.0.4 22 interface FastEthernet0/0 2227
  ip nat inside source static tcp 172.16.0.5 3389 interface FastEthernet0/0 3391
  ip nat inside source static tcp 172.16.0.3 3389 interface FastEthernet0/0 3390
  ip nat inside source static tcp 172.16.0.4 80 interface FastEthernet0/0 8084
  ip access-list standard ACL-ACCESS-QUIET
  permit 216.161.180.16
  permit 172.16.0.0 0.1.255.255
  permit 172.27.0.0 0.0.127.255
  permit 172.20.0.0 0.0.0.3
  ip access-list standard ACL-NAT-172.16.0.0/29
  permit 172.16.0.0 0.0.0.7
  ip access-list standard ACL-NAT-172.17.0.0/24
  permit 172.17.0.0 0.0.0.255
  ip access-list standard ACL-NAT-172.17.1.0/24
  permit 172.17.1.0 0.0.0.255
  ip access-list standard ACL-SNMP
  permit 172.16.0.4
  ip access-list extended ACL-CRY-MAP
  ip access-list extended ACL-INSIDE-IN
  deny   ip host 172.16.0.2 172.27.0.0 0.0.127.255
  deny   ip host 172.16.0.2 172.20.0.0 0.0.0.3
  permit ip 172.17.0.0 0.0.0.255 any
  permit ip 172.16.0.0 0.0.0.7 any
  permit ip 172.17.1.0 0.0.0.255 any
  ip access-list extended ACL-NAT-MANAGEMENT
  permit tcp host 172.27.10.11 eq 3389 host 72.166.77.196
  ip access-list extended ACL-OUTSIDE-IN
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  permit tcp any any range 3390 3391
  permit udp any any eq bootpc
  permit udp any any eq bootps
  permit tcp any any range 2226 2228
  permit tcp any any range 8081 8084
  permit icmp any any echo
  permit icmp any any net-unreachable
  permit icmp any any host-unreachable
  permit icmp any any port-unreachable
  permit icmp any any parameter-problem
  permit icmp any any packet-too-big
  permit icmp any any administratively-prohibited
  permit icmp any any source-quench
  permit icmp any any ttl-exceeded
  deny   icmp any any
  deny   ip any any
  ip access-list log-update threshold 10
  logging history informational
  logging trap debugging
  logging 172.17.228.17
  logging 172.17.228.10
  control-plane
  line con 0
  exec-timeout 15 0
  privilege level 15
  logging synchronous
  login authentication AUTH-LOCAL
  line aux 0
  login authentication AUTH-LOCAL
  line vty 0 4
  exec-timeout 60 0
  privilege level 15
  logging synchronous
  login authentication AUTH-LOCAL
  rotary 1
  transport input ssh
  scheduler allocate 20000 1000
  ntp clock-period 17178311
  ntp source FastEthernet0/0
  ntp server 148.167.132.201
  end

  Hi Matt,
  Try adding below line
  ip access-list extended ACL-OUTSIDE-IN
  permit udp any eq bootpc any eq bootps
  Regards
  Najaf
  Please rate when applicable or helpful !!!

• Guest users not getting IP address

  I am setting up Cisco wireless along with ISE 1.3 for guest wireless.  The client is going to use the self-registration portal for guest wireless users.  I followed this Cisco doc to configure the self-registration portal:
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118742-configure-ise-00.html
  I tested this in my home lab and everything works fine.  However, at the client users are not getting IP addresses from the DHCP server.  This is the same DHCP server that is used for corporate wireless and if you connect that SSID, you get an IP address.  I have looked what I configured at home and the client and everything looks the same.  In the back of my mind, I feel something is missing, but I can't figure out what it is.  
  Edit: Not sure if this makes a difference or not, but they are using a Nexus 5K for their core switch and it hosts the SVI for this network.  
  Let me know what information you need and I will post it.
  TIA,
  Dan

  Hello,
  Some verifications below :
  Did you verify if DHCP Proxy is enabled in wlc's wlan interface ? Case DHCP proxy is disabled, did you verify if the ip helper address is enabled in Nexus SVI ?
  DHCP Scope is enabled in the DHCP Server or is enabled in the WLC ?
  Verify if Trunk in the switch is enabled correctly passing all VLANs to WLANs ?
  Verify if ACL to redirect configured in the WLC is allowing DHCP Server and DHCP Client to client receive IP Address and ports 8443 to Cisco ISE and DNS to resolve some address and get access to ISE Portal ?
  The scenario is Local Switching or Central Switching ?
  Regards

• Cisco Flex Connect and users can not get IP Address by WAN

  Hello my name is Ivan
  I have a wlc 5508 with license base to 50 aps, i use a deployment flex connect. I already registered all my access points, I use web authentication to authenticate users guest, and the service dhcp is in the central site.
  My issue is the users in each remote site, can not get an ip address by dhcp from the central site, they can authenticate in the guest ssid, but any users can not get an ip.
  The request is passing by the wan in this way
  Central Site DHCP - Router WAN - Remote Site - Users with notebooks. I use flex connect central deployment (all the traffic consulting to the wlc) .
  perhaps i should use local deploy? The wlc is in the central site.
  Can you help me to resolving this issue please? , perhaps any advice?
  Regards
  Ivan.

  Thanks Osita
  If I configure Central Authentication and  I configure central switching I need to create a dynamic interafce for each remote site and each dynamic interface associated with a different VLAN ID, because I can not associate a single interface dynamic to the same  VLAN ID, but in my case the client remote in each remote site have the same network segment with the same VLAN ID with the same SSID for guests. My goal is to configure web authentication with the local DHCP server at each remote site, will this work?.Each remote site have its own server dhcp.
  If I configure authentication central authentication with central switching with web authenticacion as I set in my scenario?
  My issues are the interfaces dynamics, because I have the same network to the customer guest with the same ID VLan in each remote site
  Regards