Transparent Firewalls and DHCP on a 5510 ASA

I have a 5510 ASA running 8.2 configured in transparent mode and I am trying to allow devices on the inside network to acquire an IP address from a DHCP server on the outside.  I've seen several articles that indicate an ACL is necessary to permit outgoing traffic on port 68 and incoming traffic on port 67.  That actually works and the inside device gets an IP address.  The problem is that no other outbound traffic is allowed from the inside device.  The ACL put in place to permit DHCP, because of its implicit deny at the end of the ACL, denies all other traffic.  DHCP is now the ONLY thing allowed out.  What am I doing wrong here?

In a default configuration the difference in security levels between the inside and outside interfaces would allow the DHCP requests out, and the UDP xlate entry created for the outgoing packet would allow the DHCP reply back in.  It would just work, but you would have very little control of packet flows, static NAT, or logging.
Once you start applying ACL's to interfaces, you have to explicitly allow everything you want.  All of my firewall interfaces have inbound ACLs, and some also have outbound, so. E.g. subnets where I want to fairly permissive outbound get something like:
access-list DMZ-INGRESS extended permit ip any object-group LOCAL-NAT0
access-list DMZ-INGRESS extended deny ip any object-group RFC-5735-SPECIAL log
access-list DMZ-INGRESS extended deny ip any object-group ALL-MCAST log
access-list DMZ-INGRESS extended permit ip any any
Since I happen to be running in routed mode rather than transparent, I have to configure DHCP relay instead of something like "permit udp any any".  I won't include the object groups unless someone asks.
-- Jim Leinweber, WI State Lab of Hygiene

Similar Messages

  • Transparent ASA5505 and dhcp relay

    Team,
    I have another asa5505 configured transparently but i noticed that it does not pass dhcp by default how can i enable this feature firewall ip 10.200.200.50/24 dhcp server 10.200.200.1/24 also def gateway.

    add a line for dhcp to your access-list:
    access-list ACL-CLIENTS permit udp any eq bootpc any eq bootps
    access-list ACL-SERVER permit udp any eq bootps any eq bootpc
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Cisco ASA 5505 and DHCP Client Problems

    Hi, i have a problem. I've connected my ASA appliance to an ADSL modem, and i dont get an DHCP address on the outside interface (e0/0). I use the asa-722-19.bin firmware.
    I turned on the debugging for the DHCP client and could see that the ASA device was sending out broadcasts but a reply never came. Instead I connected the device to my internal network where the ASA got an address instantly.
    I read somewhere that if I was to use ?ip address dhcp client-id fastethernet 0″, then I got an address from the ISP.
    I tried looking for a similar command on the ASA5505 but I couldn?t find anything. I did however find a page on the Cisco site confirming my suspicions. It said some ISP?s require the client-id field of the DHCPDISCOVER request to be filled.
    I've also read that this issue has beed fixed since a few weeks, now they have released version 7.2(2).22 where you can define ?dhcp-client client-id interface outside? in global configuration mode. Im running 7.2(2).19 and i cannot find any command like that in my appaiance. How do i fix my problem ? Or how do i get about recieving the 7.2(2).22 firmware update.
    Regards !
    Leif

    Hi again! I thought I should share the solution that worked for me. I use software version 7.2(2) on this device. ASDM 5.2(2). In ASDM open configuration / Interfaces. Click in outside (my case 0/0) and press Edit. Then open the tab Advanced and set the correct Active Mac address. Fore some reason its empty by default and the ISP/modem don't like that. You will find the correct MAC address under the help menu / "About ASA". Im sure there is some another way to do this but this is a simple "how-to" that works with Swedens biggest ISP and their standard DSL modem.
    When I used a Linksys DSL modem in bridge mode without the MAC address set I got an inside IP adress (192.168.x.x) from the modem to the ASA. After setting the MAC address I just had to do a renew and got the outside address right away. /Bjorn
    (future users searchwords: no ip from isp, ASA 5505 and cable modem).

  • Transparent wsa and https traffic

    folks
    i've deploying a S300V in transparent mode and using wccp
    i have a single policy allowing http and https
    http works fine but https doesn't
    i can see both sets of requests go out through my outer firewalls but the https handshake doesn't get past the client hello
    the VM is being used on a guest wifi network so clients won't be authenticated, won't have a common root certificate and i don't want to decrypt traffic
    tac are telling me i need to enable the https proxy but i can't as clients won't have the root certificate required
    do i need to use https proxy?
    thanks to anyone taking the time to reply

    Ken,
    If I dont to decrypt HTTPS but still want the traffic to be inspected for URL and web reputation, do I need to upload a root certificate still? I would have assume not as I do not want to decrypt HTTPS but the GUI doesn't allow me to enal HTTPS Proxy without uploading a certificate; basically I cannot "Enable HTTPS Proxy" and submit without a cert.
    Basically what I just want to do is just pass through the HTTPS traffic to be check against the Access policies that the HTTP is being checked against.
    Is this viable? If so can you let me know how I can achieve the above?
    Thanks

  • I want to use Back to my mac. When I try to turn it on, it says "Back to My Mac may be slow because more than one device on your network is providing network services.   Turn off NAT and DHCP on one of the devices and try again." How do I fix this?

    Not sure if I am doing this right. This is my first time in the support community.
    I imagine what I put in my heading was supposed to go in here.
    I want to use Back to my mac. When I try to turn it on, it says "Back to my mac may be slow because more than one device on your network is providing network services. Turn off NAT and DHCP on one of the devices and try again. See the documentation that came with your device for information about turning off network services"
    Does anyone know how I do this? I contacted my ISP (Telus in Canada) and they did not know anything (not that they usually do).

    Why do ISPs insist upon making things so difficult for their customers?
    If you cannot get them to understand that you would prefer to use your own router over their piece of cheap junk, perhaps the information in the following will be useful:
    http://keithbalomben.wordpress.com/2012/03/29/telus-actiontec-v1000h-hacks-and-i nformation/
    Scroll down to DHCP Settings
    You will need to log in with proper "technician" credentials. They are provided in the above link as
    Username: tech
    Password: t3lu5tv
    ... but these may or may not work. Try it, and if you cannot get anywhere at least now you know what to ask Telus to do in return for your business.

  • Transparent Tunneling and Local Lan Access via VPN Client

    Remote users using Cisco VPN 4.2 connect successfully to a Cisco Pix 515 (ver. 6.3). The client is configured to allow Transparent Tunneling and Local Lan access, but once connected to the Pix, these two options are disabled. What configuration changes are required on the Pix to enable these options? Any assistance will be greatly appreciated.
    Mike Bowyer

    Hi Mike,
    "Transparent Tunneling" and "Local Lan Access" are two different things. "Transparent Tunneling" is dealing with establishing an IPSec Tunnel even if a NAT device is between your client and the VPN-Headend-Device. "Local LAN Access" is dealing with access to devices in the LAN your VPN-Client-Device is connected to.
    What do you mean exactly with "disabled once the connection is made" ?
    You can check the local LAN Access by having a look at the Route-Table of the VPN-Client:
    Right Click the yellow VPN-lock Icon in System-Tray while the VPN-Connection is active and select "Statistics ...". Have a look at the second register page "route details".
    Are any local LAN routes displayed when your are connected ?
    And - always remember two important restrictions the Online Help of the VPN-Client is mentioning:
    1: This feature works only on one NIC card, the same NIC card as the tunnel.
    2: While connected, you cannot print or browse the local LAN by name; when disconnected, you can print and browse by name.
    Carsten
    PS: Removing Split Tunnel won't enable local LAN access as all traffic would be sent into the IPSec tunnel.

  • Does java has "Transparent" look and feel?????

    I want to know whether there is a transparent look and feel developed for java,
    if it is there please post an link to download the API
    Thank you very much..

    As far as I know, NO.
    There is a way to do this, using robot to get desktop image and draw it using paint object when you render your component, but, performance is not good.

  • Solaris 10 zone configuration with sysidcfg and dhcp and hostname

    Hi
    Excuse me if I look like a n00b... it's probably because I'm a n00b.
    I've been struggling in the dark for more than 2 days now and I'm wondering if I'm thinking about this all wrong...
    I have stand-alone server where I need to run zones. I want to create zones and automagically configure them at boot (read: by running a script). So here's what I need...
    A zone
    starting from unconfigured state
    whose hostname is not the same as the zone name
    using corporate DHCP to get its IP address
    with DNS config coming from the DHCP server
    registering its address the DNS
    with a preconfigured root password
    (I don't own the corporate DHCP or DNS servers, I can't put my own DHCP or DNS servers on the network.)
    I would lke to create the zone, throw some config at it, then boot the zone and walk away. I am using zones with exclusive-IP. I can construct the zones and manually configure them once they're started to have DHCP, my own name, registered IP address with DNS and everything else I have specified above. But I don't want to do it manually...
    Sysidcfg seems to do some of what I want but not entirely.
    In sysidcfg I can set the root_password, the primary interface using DHCP, DNS server. I can't set a hostname in sysidcfg AND use configure it for DHCP. So the hostname is not what I want it to be after the zone is started and ready to go. The DHCP server is providing the DNS configuration, Solaris does not seem to honour it, but i'll ignore that for the moment.
    I have tried various combinations of using sysidcfg, /etc/nodename, /etc/hostname.+interface+ and /etc/dhcp.+interface+ but I can't find any combination that actually works.
    I can write to the zonestorage/etc/nodename to set the nodename, that works. But it does not match the DHCP address, so I get prompted for a new name service because it can't find a DNS entry for the name.
    I can write to the zonestorage/etc/hostname.+interface+ and /etc/dhcp.+interface+ (to get the system to register its name with the DNS server after getting its DHCP address) but then I get a system with no root password and no DNS configuration, even though they are set in the sysidcfg file.
    I can write a script that gets part of the way using sysidcfg and /etc/... files, then boots the zone and then runs a bunch of voodoo via zlogin commands to fix all the stuff that couldn't be done 'properly', but that's not a 'boot and walk away' environment. I can write a script that uses sysidcfg and hacks around with other files in /etc (like nsswitch.conf, resolv.conf), but that just feels likes a dirty hack to fix something that wasn't done properly in the first place.
    So where am I going wrong and how do I do it right (within the constraints defined)? Why can't I configure, boot and walk away?
    Thanks

    Thanks abrante
    Thanks for your response!
    I don't think the config is messed up after the installation. I think the installation is fine, it's just not what I want :-)
    I'm trying to decouple the zonename from the system name and get DNS registrations working. After installation, a DHCP client can get its hostname from DNS but I'm trying to do it the other way around. I want the DHCP client specify its own hostname, get an address from the DHCP server and then register its hostname with DNS. If the system gets its name from DNS/DHCP then I have to configure those to provide the system name and I don't own the DHCP/DNS infrastructure. These zones are for a development/QA environment, so we create and reconfigure these frequently. Hence the need to specify the system name within the zone and register that name in the DNS.
    I have tried fiddling with the PARAM_REQUEST_LIST but it does not seem to be working as I expect. :-$ Removing 12 did not help with setting the hostname from the system. DNS does not have a registered name for this system anyway, so even if it tried to get a name for this system, it would get nothing.
    I also do want the DHCP to change the DNS server and domain name, but this does not happen even though my dhcpagent includes 6 and 15 in the PARAM_REQUEST_LIST. I still have to set them in the sysidcfg file because it is always ignored in Solaris (S10u8 with 10_Recommended 30-Jul-2010)
    As stated, I know I can hack around with the system after it has booted. But I'm trying to configure the system before it starts and let it take care of itself and not have to touch it. Frankly I'm surprised that the sysidcfg does not allow you to set a hostname name when you are using DHCP, that the default DHCP configuration does not register the system name with the DNS server, and the DNS config from the DHCP response is ignored. Even a sys-unconfiged system requires DNS configuration during initial boot, when I know that the DHCP response contains DNS information.
    FYI: Windows systems using DHCP work as expected in this respect by default, i.e. set system name, use DHCP --> system gets address from corporate DHCP, DNS settings are set from DHCP information, DNS registration is made for system name.
    I'm working around this at the moment... I call my zone by the system name I want, I hardcode the DNS settings in the sysidcfg file and I create the hostname.+nic+ and dhcp.+nic+ files in the zone storage to get the system to register its name with DNS, them boot.
    Edited by: cydonian on Aug 19, 2010 7:45 PM

  • About Transparent Tables and Views..

    Greetings SAP Gurus...
    How does one differentiate between Tables, Views (are they the same as table views) and logical views?  What are the differences, if ever?
    Why is it better to create a view rather that create a table?
    Cheers!
    Philips

    Hi Phillips,
    The Different Types of SAP Tables
    What is transparent, cluster and pool table? Where and when we use these tables?
    Transparent Table : Exists with the same structure both in dictionary as well as in database exactly with the same data and fields.
    Pooled Table : Pooled tables are logical tables that must be assigned to a table pool when they are defined. Pooled tables are used to store control data. Several pooled tables can be cominied in a table pool. The data of these pooled tables are then sorted in a common table in the database.
    Cluster Table : Cluster tables are logical tables that must be assigned to a table cluster when they are defined. Cluster tables can be used to strore control data. They can also be used to store temporary data or texts, such as documentation.
    Could anyone tell me what is the major difference between Standard tables, Pooled tables and Clusterd Tables?
    A transparent table is a table that stores data directly. You can read these tables directly on the database from outside SAP with for instance an SQL statement.
    Transparent table is a one to one relation table i.e. when you create one transparent table then exactly same table will create in data base and if is basically used to store transaction data.
    A clustered and a pooled table cannot be read from outside SAP because certain data are clustered and pooled in one field.
    One of the possible reasons is for instance that their content can be variable in length and build up. Database manipulations in Abap are limited as well.
    But pool and cluster table is a many to one relationship table. This means many pool table store in a database table which is know as table pool.
    All the pool table stored table in table pool does not need to have any foreign key relationship but in the case of cluster table it is must. And pool and cluster table is basically use to store application data.
    Table pool can contain 10 to 1000 small pool table which has 10 to 100 records. But cluster table can contain very big but few (1 to 10) cluster table.
    For pool and cluster table you can create secondary index and you can use select distinct, group for pool and cluster table. You can use native SQL statement for pool and cluster table.
    A structure is a table without data. It is only filled by program logic at the moment it is needed starting from tables.
    A view is a way of looking at the contents of tables. It only contains the combination of the tables at the basis and the way the data needs to be represented. You actually call directly upon the underlying tables.
    Regards

  • DNS and DHCP Roles

    Hi
    does Snow Leopard have DNS & DHCP services in it ? how to make those role run and configure them ?
    and how to make a server a domain controller "silly Windows History in my mind"

    does Snow Leopard have DNS & DHCP services in it
    You mean Snow Leopard Server, right? In which case, yes.
    how to make those role run and configure them ?
    Click a checkbox or two in Server Admin (and add your domain/network-specific data, of course).
    and how to make a server a domain controller "silly Windows History in my mind
    Do you intend to make a Windows domain controller? If so, you can't. Mac OS X Server includes a Samba server which can handle parts of a Windows directory system, but it can't emulate a full Windows Active Directory server which has way more elements.
    On the other hand, if you just mean to create a directory server for your network then, just like the DNS and DHCP server response above, you click a couple of checkboxes in Server Admin and add your directory-specific data via Workgroup Manager (one of the bundled Server apps).

  • Difference between Oracle Transparent Gateway and Golden Gate

    Hi Guys
    Could you please clear the confusion, What is the difference between Transparent gateway and Golden gate? are they same? In which situation which one to use?
    Thanks in advance

    user8896122 wrote:
    >
    Satish Kandi said :
    Transparent gateways are a cross-RDBMS "querying" mechanism
    >
    So you mean if an application (designed to work with oracle only ) can actually access SQL server or DB2 without any modificaton. If i am having transparent gateway on top of DB2 or SQL server ??You caught me. I should have used different words.
    No. TG is a mechanism to query other RDBMS from Oracle. GG is a mechanism to have replication between any RDBMS.

  • What are the endpoints attributes collected by NAC Profiler through SNMP and DHCP?

    Hi Everyone,
    Please help on this.
    I want to know what are the endpoints attributes collected by NAC Profiler to discover and profile the endpoints.through SNMP protocol and DHCP protocol.
    Also if anybody can explain a simple used case on this.
    Please guide me on this.
    Thanks in advance.
    Thanks,
    Abuzar.

    Hi,
    SNMP
    =====
    NetMap queries network devices via SNMP for:
    System information
    Interface information
    Bridge information
    802.1X information (PAE MIB)
    Routing/IP information
    CDP MIB Information
    This information is used to Build and maintain a model of the network topology and endpoint discovery.
    NetMap uses SNMP Get, GetNext and GetBulk (when available) requests to  query the SNMP agents running on the network infrastructure devices to  gather specific Management Information Base (MIB) objects about their  status based on device type (Layer 2 or Layer 3).
    In addition to polling each network device for all MIB data at a regular  interval, NetMap may also be commanded to poll port-specific  information when the NAC Profiler system is notified that an endpoint  has joined or left the network via SNMP traps sent by devices at the  network edge, switches typically.
    Upon receipt and verification of a link state (link up, link down) or  MAC notification trap, NetTrap will notify the NAC Profiler Server that a  change has occurred on the network edge (endpoint joined or left a  network port). If the trapping device is in the NAC Profiler  configuration, the NetMap component module assigned to poll the device  that sent the trap will be commanded by the Server module to initiate a  poll of the device's port information to determine the change to the  endpoint topology that resulted in the trap being sent by the network  device.
    The information gathered by NetMap is processed by the Server  accordingly to update the network topology, noting the endpoint joining  or leaving a port. Note that NetMap SNMP polling of network devices  resulting from a trap is localized to the port specified in the trap.  This is unlike the regular polling that occurs at the frequency  specified for each device type (L2 and L3) which gathers all SNMP  information from the device used by the NAC Profiler system.
    DHCP:
    =====
    The NetWatch module listens for traffic including DHCP traffic.
    The module will collect all the DHCP information on the traffic collected, like mac address, ip address,  DHCP Vendor Class Identifier in DHCP request, host name in DHCP request, requested specified options in DHCP request (option 55) and full list of DHCP options supported by the DHCP client as specified in the DHCP request.
    All the endpointe data can then be used to map endpoints with profiles.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Iso5 download error, network timed out, how do i stop this, all of my firewalls and security on my pc are currently swiched off but this still didnt help

    iso5 download error, network timed out, how do i stop this, all of my firewalls and security on my pc are currently swiched off but this still didnt help>
    trid multiple times over the last few weeks, after waiting 45 minutes for the download to comlete the network times out whilst processing the download

    The router is in your house.
    In a nutshell, a modem communicates with the Internet and brings a single communications link to your house,  The router takes that single link and divides it up among many links, both wired and wireless, to support many devices in your house.  The router and the modem may be separate physical boxes or, more commonly, they're in the same enclosure.
    Unfortunately, if there is a firewall in the router, you will need help.  I don't think that it's a good idea to try to walk you through it via the forum.  You should contact the router supplier and have them walk you through the investigation.

  • How to synchronize between DHCP binding table and DHCP snooping table ?

    I clear DHCP snooping table with command "clear ip dhcp snooping binding " , and PC can't communicate with other any more. So how to synchronize between DHCP binding table and DHCP snooping table ?
    dhcp-test#sh ip dhcp bind
    IP address Client-ID/ Lease expiration Type
    Hardware address
    99.1.65.32 0100.1125.353c.25 Mar 02 1993 01:05 AM Automatic
    99.1.65.33 0100.1438.059f.85 Mar 02 1993 12:01 AM Automatic
    dhcp-test#sh ip dhcp snooping binding
    MacAddress IpAddress Lease(sec) Type VLAN Interface
    Total number of bindings: 0
    thanks!

    ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
    Add binding entries to the DHCP snooping binding database. The vlan-id range is from 1 to 4904. The seconds range is from 1 to 4294967295.
    Enter the above command for each entry that you add
    To delete the database agent or binding file, use the no ip dhcp snooping database interface configuration command. To reset the timeout or delay values, use the ip dhcp snooping database timeout seconds or the ip dhcp snooping database write-delay seconds global configuration command.To renew the database, use the renew ip dhcp snooping database privileged EXEC command.

  • IPoE BNG and DHCP on the ASR9K

    Hi,
    can some one tell me if this is possible.
    I have a bundle Interface -using ambiguous VLANS:
    interface Bundle-Ether100.1
    vrf customers_1
    ipv4 unnumbered lo2
    ipv4 point-to-point
    arp learning disable
    service-policy type control subscriber UFB_DHCP
    ipsubscriber ipv4 l2-connected
      initiator dhcp
    encapsulation ambiguous dot1q any second-dot1q any
    I have two loopback interfaces:
    interface lo2
    vrf customers_1
    ipv4 address 100.64.0.1 255.255.128.0
    interface lo3
    vrf customers_1
    ipv4 address 200.200.200.1 255.255.254.0
    I am authenticating users using option82 remote-id, and DHCP for address allocation.  I want to use RADIUS to send back attributes, to set the users template, and, somehow set the dhcp giaddr so that the user gets an address from the correct pool.
    ie. put the user into this template:
    dynamic-template
    type ipsubscriber CUSTOMER
      vrf customers_1
      ipv4 unnumbered Loopback3
    and have them then given an address in the lo3 (200.200.200.0) range.  No matter what i do the dhcp giadd remains the address of the Bundle Interface.
    I have tried all sorts of radius attributes:
    Cisco-AVPair = 'subscriber:service-name=CUSTOMER'
    Cisco-AVPair = 'subscriber:command=activate-service'
    I have tried:
    Cisco-AVPair= 'ipv4:ip-unnumbers=Loopback3'
    Cisco-AVPair= 'subscriber:classname=lo192'  - and creating a dhcp class to set giaddr
    I get a "aaa_type invalid attribute, flags 0x21"
    I am at a bit of loss, and am not sure if what I am wanting to do is even possible.
    though if set the template statically via an onboard policy things seem to work, and my user gets an address from the correct loopback.
    any help would be appreciated.
    ta.

    Alexander,
    thanks for your reply,
    If I use
    Cisco-AVPair = 'subscriber:sa=UFB_CUSTOMER'  -> sets dynamic template
    Cisco-AVPair += 'ipv4:ipv4-unnumbered=Loopback3' -> sets ipv4 loopback
    I get the following form the RADIUS debug (showing template, and loopback understood by RADIUS)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]: Radius packet decryption complete with rc = 0
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS: Received from id 195 202.74.33.109:1812, Access-Accept, len 121
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS:   Vendor-Specific    [26]    34             
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS:  authenticator F2 4D D3 E7 B1 E8 90 D3 - F8 77 F1 1C 28 36 E9 6C
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS:   Vendor-Specific    [26]    41             
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]:  RADIUS:  Reply-Message       [18]    26      User authenticated - UBA
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: pack_length = 121 radius_len = 121
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: rad_nas_reply_to_client: Received response from id : 195,packet type 2
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Total len = 121, Radius len = 121
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: filter not found
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Decoding the attribute: Vendor-Specific, aaa_type invalid attribute, flags 0x21
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Decoding the attribute: Vendor-Specific, aaa_type invalid attribute, flags 0x21
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: This is sub-string of the Loopback interface name
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Loopback attribute value: Loopback3
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Decoding the attribute: Reply-Message, aaa_type reply-message, flags 0x100
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Reply-Message fragments, 24
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: , total 24 bytes
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: RADIUS: parsing sevice 'UFB_CUSTOMER' (len 12)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: (rad_nas_reply_to_client) Successfully decoded the response No error: PASS
    RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: (rad_nas_reply_to_client) Successfully stored the preferred server info
    RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]: Freeing server group transaction_id (B1000047)
    output from show subscriber running:
    Subscriber Label: 0xff
    % No such configuration item(s)
    dynamic-template
    type ipsubscriber UFB_CUSTOMER
      vrf customers_1
    The subscriber shows up as a session:
    RP/0/RSP0/CPU0:tpisp-cr02-h#show subscriber session all
    Thu Nov 28 13:38:05.389 UTC
    Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
           ID - Idle, DN - Disconnecting, ED - End
    Type         Interface                State     Subscriber IP Addr / Prefix                             
                                                    LNS Address (Vrf)                             
    IP:DHCP      BE100.1.ip71             AC        100.64.0.98 (customers_1) 
    However..
    the ip address range is from the loopback 2 address, (this is the loopback bound to the unbundled BNG interface)
    My understanding is that the giaddr address should have been changed to the ip address of lo3, which is the loopback specified in the RADIUS attribute.
    dhcp debug: (this is the dhcp debug that follows directly after the RADIUS debug)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.484 : dhcpd[1080]: DHCPD PACKET: TP1225: Process packet event, client mode: PROXY
    RP/0/RSP0/CPU0:Nov 28 13:33:11.484 : dhcpd[1080]: DHCPD PROXY: TP1955: FSM called for chaddr 000c.4270.6e7c with event DPM_SUCCESS state INIT_DPM_WAIT
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD PROXY: TP1917: Process client request called for chaddr 000c.4270.6e7c
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD PACKET: TP1883: Giaddr not present, Set giaddr 100.64.0.1, chaddr 000c.4270.6e7c
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD PACKET: TP571: L3 packet TX unicast to dest 202.74.33.108, port 67, source 100.64.0.1, vrf 0x60000003 (1610612739), tbl 0xe0000012 (3758096402)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: ---------- IPv4 DHCPD --- dhcpd_iox_l3_unicast_packet -------
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: VRF name (id): customers_1 (0x60000003)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: L3 src: 100.64.0.1
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: L3 dst: 202.74.33.108
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: L3 dst port: 67
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: L3 input Intf: Bundle-Ether100.1
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Output Intf: Null
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: FROM: L3
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: NETWORK_ORDER
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Info
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan EtherType 1: 0x8100
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Priority 1: 0 (0x0)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Format 1: 0 (0x0)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan ID 1: 101 (0x65)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan EtherType 2: 0x8100
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Priority 2: 0 (0x0)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Format 2: 0 (0x0)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan ID 2: 23 (0x17)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666:
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: op:     BOOTREQUEST
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: chaddr: 000c.4270.6e7c
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: xid:    0x303751ed
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: flags:  0x8000 (broadcast)
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: ciaddr: 0.0.0.0
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: yiaddr: 0.0.0.0
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: siaddr: 0.0.0.0
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: giaddr: 100.64.0.1
    RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: cookie: 0x63825363
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: MESSAGE_TYPE: DISCOVER
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: PARAMETER_REQUEST data: "0x01-79-03-21-06-2a"
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: CLIENT_IDENTIFIER data: "0x01-00-0c-42-70-6e-7c"
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: HOST_NAME data: "MikroTik"
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: RELAY_INFORMATION
    RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: RELAY_INFORMATION: CIRCUIT_ID: 0x01-0f-43-48-4f-52-55-53-31-30-30-30-30-30-34-35-33
    I tried changing the dynamic template to service rather than ipsubscriber, this did not make a difference.  You make a reference to DHCP classname.  I have defined a DHCP class, however do not know how to match or force the use of a particular class by using a RADIUS attribute.
    Thanks,
    Mike

Maybe you are looking for

  • Adobe connect asking for flash v10.3 or higher but I have v11.4 installed????

    I never had this problem before, but recently upgraded my flash and yesterday (Sept. 5) while testing a connection to a meeting room received this message: Adobe connect requires flash v10.3 or higher and provided a button to download the latest vers

  • Word output from smartform

    Moved to correct forum Hi, Is there any way to convert a smartform output to a word document? The document contains some graphics, lines and table objects in it. Do you have any suggestions about it? Edited by: Matt on Apr 15, 2009 8:45 AM

  • Dynamic Selection Screen In Transaction

    Hi all, My first post here, and i got a good problem. I try to create a specific transaction , At the top: I got a LISTBOX with a pushbutton. When you select datas into the listbox, i wish to create a dynamic selection screen dependant on the selecte

  • I am trying to compile an example class that imports a lot

    of classes. These classes are contained in a jar file. I think i need to set the class path correctly. I am using eclipse as the IDE. How do i set the class path in my project?

  • Safari unable to locate microsoft download site

    Need help downloading Flip4Mac for Quicktime. Need this 3rd party for streaming music from local radio station. Had it before repairs being done to both G4 Desktop and G4 Powerbook. Get the following error message: Safari can't find the server. Safar