Wrvs4400n vlans/ssid/dhcp issue

Similar Messages

• 802.1X dyanmic VLAN assignment DHCP issue (Vista client)

  I am labbing dynamic VLAN assignment and have run into a small problem.  The switchport is succesfully changing to the new VLAN, but my test PC seems to get an IP address in the native data VLAN before being moved to the new dynamic assigned VLAN.  So when the switch changes the VLAN the PC keeps its old IP address and nothing talks any more.
  Is this a Vista issue?  I thought all of these problems were just issues in XP?  Do I need to tweak any interface dot1x timers?
  (Cat3750 with 12.2.55 / ACS5.1.  Everything else is running fine by the way.)

  if i do a show run on the switchport the config hasnt changed, but i dont expect it to, as its not a permanent config change that you would want to be saved by a different admin user saving the config.  You can see the debug report it is changing the VLAN:
  Apr 19 09:22:56.263: %AUTHMGR-5-START: Starting 'dot1x' for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
  Apr 19 09:22:58.604: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/19, changed state to up
  Apr 19 09:22:59.560: %DOT1X-5-SUCCESS: Authentication successful for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID
  Apr 19 09:22:59.568: %AUTHMGR-5-VLANASSIGN: VLAN 12 assigned to Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
  Apr 19 09:22:59.585: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan12, changed state to up
  Apr 19 09:23:00.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/19, changed state to up
  Apr 19 09:23:00.315: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
  as well as checking with the show int switchport command and it is in v12 which is the dynamically assigned vlan
  DHCP server is the cat3750 for all local VLANs

• RV042 second DHCP issue

  Hy all,
  I  have a CISCO RV042 in a network with 2 subnets 192.168.1.x and  192.168.2.x and I want multiple DHCP on both subnets. How can I do that?
  If  I use a second router for the second subnet (192.168.2.x) to use its  DHCP. The bandwith management will work? Do I need port VLANs?
  The network is like this:
  The  RV042 is the main router thru it we acces the internet, it also suplies  DHCP 192.168.1.x, I enabled multiple subnet for 192.168.2.x.
  The  reason I want 2 subnets is beacause I have 2 acces points for wireless  clients and I want to use rate control on WAN with bandwith management  from RV042 too give wired clients more bandwith than wireless clients.
  I know that RV042 doesn't supply multiple dhcp like RV180,but I needed dual WAN.
  Thank You

  Hi,
  Thank you for the answer, but my issue remains, below I tried to write a little bit more
  If I make the configuration like this:
  On CISCO RV042:
  Port based VLANs:
  VLAN 1 on LAN 1
  VLAN 2 on LAN 2
  On AT-FS750/24 switch:
  Port-based VLANs:
  VLAN 1 for 2,3,4 ports where 2,3 are the AP's (TL-WA901ND) and 4 uplink to RV042
  VLAN 2 for the rest, let's say 5,6,7,8,9, etc ports that are for wired clients.
  Tagged-based (802.1q):
  VLAN ID 11 for 2,3,4 ports where 2,3 ports are tagged are the AP's (TL-WA901ND) and 4 untagged uplink to RV042.
  VLAN ID 22 for 2,3,4 ports where 2,3 ports are tagged are the AP's (TL-WA901ND) and 4 untagged uplink to RV042.
  On AP's (TL-WA901ND):
  Multi-SSID with tagged based VLAN:
  SSID 1 on VLAN ID 11
  SSID 2 on VLAN ID 22
  If I use the second router (not supporting VLANs) only for DHCP for the wired clients with the configuration:
  -In the WAN I'll plug RV042 LAN 2 (VLAN 2) and from its LAN 1 I'll connect LAN 5 (VLAN 2) in the switch.
  second router WAN:
  IP:    192.168.2.2
  SM:   255.255.255.0
  DG:   192.168.2.1
  DNS: 192.168.2.1
  For DHCP
  LAN1:
  IP:   192.168.3.3
  SM:  255.255.255.0
  It will work to split wireless from wired ?
  How can I split the 2 wireless networks in guests and business more efficient?
  Let's say the wireless clients from "SSID 1" have to have a guaranteed bandwidth.!
  How can I set it up so the wireless clients gets different IP class on the 2 wireless networks?
  Can I use the rate control from RV042 on the IP (192.168.2.2) of the second router?
  My problem is that I need all the subnet available from RV042 DHCP for the wireless clients (192.168.1.x), because RV042 can route only in class C (254).
  I configured the static IP's in 192.168.2.x subnet for Ethernet equipments, I used multiple subnets from RV042.
  Momentarily I use COS from the switch for the tagged VLAN to prioritize the traffic, but this is no longer an option for me.
  Can a CISCO RV180 make a difference in this configuration?
  Thank you,
  Dragos

• WRVS4400N - Multi SSID problem

  Hi,
  I recently purchased this router (WRVS4400N), excelent product!
  I've update the firmware to the lastest version available (WRVS4400Nv2-fw-2.0.0.8-K9).
  Now I'm trying to enable the Multiple BSSID to create a second SSID.
  I've tryed all possible combination, b/g/n, security settings, VLAN, SSID Isolation, I've tryed with WPA/WPA2, WEP, w/o security.
  All wireless client can connect to the first SSID, w/o any problem, but can't connect to the second SSID.
  Is my configuration error? Is a known firmware issues?
  Anyone know how to configure a second WLAN?
  Best Regards
  Fabio Castagnino

  The goal is to create one WLAN (wifi) with wpa2 and mac filtering that connect direcly to the physical network with server access, and the other WLAN (public) with only wpa2 protection and in isolated VLAN, for the guest.
  Suppose to have two SSID wifi and public (the second in the router web ui), both WPA2 Personal w/o MAC Filtering and w/o VLAN.
  I use only PC.
  With my laptop (windows 7) and two other laptop (win XP, win 7), I can see both SSID in wireless list, can connect to the first SSID.
  When I try to connect to the second SSID, the connection fail
  In the attachment you can see the actual router configuration.
  In the page Status -> Wireless LAN, ONLY one SSID is displayed (but is this web ui bug?).
  Thanks in advance

• 10.5 DHCP issues with Wireless - self assigned IPs?

  We're having an issue with Mac OSX 10.5.4 clients, running the latest software updates, not getting an IP address via DHCP on our wireless network.
  We're using Cisco APs, with multiple VLANs & SSIDs. They authenticate, but get automatic self-assigned IP addresses. None of our PC clients are experiencing this issue, nor older 10.4.x OSX clients. This looks like a bug, from what I was able to discover:
  http://forums.macrumors.com/showthread.php?t=384947
  Is Apple aware of this, and/or working on a fix? I've seen many issues over the last year or so with Airport clients and wireless connectivity..

  This is a "user to user" help forum that is designed as a self-help system, independent of Apple's Technical Support system. No one here can say what Apple knows or is doing about a specific issue (pure speculation is discouraged). We share experience and suggest possible solutions or workarounds.
  One way to ensure that your issue is brought to Apple's attention is to use their feedback form for OSX - http://www.apple.com/feedback/macosx.html
  Since the link you posted is from late last year, there have been many updates to Leopard. Some of the updates mention network reliability. Even though Apple has stated that the Pram chips don't control network connections, I have had some luck by Zapping The Pram - http://support.apple.com/kb/HT1379 - Remember to check your System Prefs for things like date/time settings after you Zap.

• Wierd DHCP Issue

  Hello All,
  I facing a very wierd  DHCP issue and would like to know your thoughts on it.
  I have my wired clients on vlan 1 and wireless cleints(eap-peap) on VLAN 2.
  We are facing an issue where multiple wired clients who were on access port vlan 1 are receiving IP address from wireless subnet(vlan2) -their DHCP server was the WLC virtual gateway IP address(1.1.1.1). This is causing an outage to few wired clients.
  The WLC trunk does not have vlan 1 allowed on its ports and all APs are in local mode and all on access vlan.
  I'm not entirely sure whats causing this, but only way I think this is possible is  that 'A Client' laptop has his network connections  bridged - his wired nic on VLAN 1 and wireless NIC on vlan 2, acting like a WGB, which is causing new wired clients(vlan1) DHCP broadcast request forwared through the bidge mode laptop to AP--> WLC. Do you think this is possible??
  Havent been able to identify which client is causing this issue yet.
  Has anyone faced a similar issue and anyway to block this through WLC/ACS policy?
  Thanks
  Jino

  Hi,
  Might we consider to make use of network monitor to take a look at the traffics for the 1.1.1.1 address?
  How to use Network Monitor to capture network traffic
  Download link here:
  Microsoft Network Monitor 3.4
  Best regards
  Michael Shao
  TechNet Community Support

• Very weird dhcp issue

  We've started 're-vlanning' our main location here, breaking up depts
  into their own vlans.
  All seems ok so far, aside from a real doozy.
  For the IT vlan, we have one address that will not talk to our web
  content mgmt appliance. It's the 2nd address in our assignable pool,
  and it doesn't matter if it's dhcp or statically assigned, that address
  will not talk to that device.
  That is the *only* device that cannot be reached from this particular
  address in our dept vlan, every other one works fine.
  Any ideas on this?
  Stevo

  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1
  > and it doesn't matter if it's dhcp or statically assigned, that
  > address
  So.... the title of this thread should actually be 'Very weird non-DHCP
  issue', since your own testing confirms this has nothing to do with DHCP?
  If you do a LAN trace on this machine as well as your web content
  management appliance do you see packets on either side? Both sides? If
  not on both sides but you do on the source (workstation) side see
  packets going out, then get LAN traces after each network device
  (switch, router, firewall, etc.) to see when the packets disappear.
  Feel free to post the LAN traces somewhere with descriptions of IPs,
  ports, and what you should be seeing, if you want to post them somewhere
  for review.
  Good luck.
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v2.0.18 (GNU/Linux)
  Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
  iQIcBAEBAgAGBQJP4jFPAAoJEF+XTK08PnB55aMP/3Rg9u6LX6jFCXGYuex/oXdS
  NZ/liqfCgjyIcykWWeKGgdtm2I7JZOcFiG8YW2le55mcltvCL1VJW +1VGng4kZER
  0f4hjfyQ3CcQ6HIU3RM6VL5U2Pblb80MsEQe0qo0xgtPXipmjs i7Q0xIv9p0wT7A
  7JMkfgM9tfuI5Yro+BDLfSIkFWicKuKs1sKpNugKalPuyyRrzW IiznoalIKFshon
  a40ETLJVZmngBYfqfeZL9nPNsFlveFNXrDkdbl2WbaprsHtNnA NwZfVUIlc5kOCT
  MknY0GXof4/tk149OVCCLgjEzoRtTIZH0BJTHQwW7ANkWUUNYwi49+Mk46V0o awl
  oe1aA+NK9gl2bWXWLCtTro4ERSVMvkcI0OffytrfcBsqdCKg/g3QPMjV3kiVEULI
  xnSTsqFgOl2qO8qGaL6FJtk39ZBnCwqDPtmoNt93OK4hAhWBuA Xihc+kiQHrwkpO
  O04quZu8qQG6A6qwFDr+r+QqarFR3kielfvi7H6o5iLfZn/sDhvijGOAknJVctH8
  j8fezki9PMznkcT+of2Oe4T99K9fChN2WFSgUKdlpkYSjbkmjP fdbWloou+WBjCm
  7hHwnAbKPPgoN8aPPfw9rG9E+K/0YW2kt4wRu79BEDvF6eMv0UdDPE1qPuw1ttmm
  jg2zzMZDkgIG39A0P3u7
  =+fCy
  -----END PGP SIGNATURE-----

• VRF and DHCP issue

  VRF and DHCP issue
  We have a 6500 ( 12.2 (33) SXH5 ) that has a VRF running for our guest network. On this 6500 resides the DHCP pool with a range defined for our guest network. We have a stack of 3750's (12.2 (46) SE) connected to the 6500 with a L3 connection. The 3750's have a local guest VLAN with its gateway defined in a VLAN interface. This VLAN on the 3750 has an IP helper address pointing to an IP within the VRF on the 6500. When debugging DHCP on the 6500, a request is received and sent back out. The client never receives this request.
  If a static IP is applied, the client is able to communicate anywhere within the VRF successfully (including pinging the IP within the helper-address. As many posts have pointed out - there is no VRF <name> under the ip dhcp pool <name> within the 6500. I am just wondering if anyone else has run into this and what their solution was.
  Thanks.

  Hi,
  I have tested the dhcp server and vrf on Cisco 3640 and it is working without VRF under the ip dhcp pool. Please ensure that you have configured routing for the dhcp-relay agent(VLAN facing dhcp client on 3750 in your case).

• New 7821 DHCP Issues

  We are trying the new 7821 and it won't pull an address from the dhcp server/router. It's set up as standard dhcp with option 150 for voice. Our 7962s receive an address right away, so the only difference one is using the skinny protocol and the other SIP. Should I be using a different option?

  This was an issue in phone firmware as it  turns out:
  This is the BugID that is the most likely cause of the issues:
  78xx Cannot join VLAN if broadcast over 30kbps
  CSCun23612
  Description
  Symptom:
  78xx Devices are not able to process CDP response to gain VLAN knowledge from switch when large amount of broadcasts (30kbps / approx 40 to 60 pps) on VLAN/Subnet are occurring.
  The phone looks like it will still follow through with DHCP requests but will not accept the offered DHCP address due to the phone not knowing the VLAN structure.
  ** Issue does not occur when same amount of traffic is sent directly to the phone; only when it is broadcast traffic.
  Conditions:
  78xx on a switch port with a VLAN with a large amount of broadcasts occurring in subnet.
  Workaround:
  Reduce Broadcast traffic below 30kbps and reboot phone
  or
  Remove VLAN from Switch port that has the high Broadcast traffic.
  Confirmed by only have access vlan on the switch port and phone registered and upgraded all perfectly fine.
  Neil

• Dynamic VLAN/SSID assignment using 4402/MS IAS

  Greetings,
  In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).
  This is working fine. However more and more frequently our users have been "sharing" laptops so a student may need to use a teacher's laptop and vice-versa. In short we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop the "student" VLAN/SSID would be assigned to them when log in (and the proper ACLs, QoS policies, etc would be applied)
  We have found documentation on how to perform this with an ACS but is there anything available for this configuration with a MS IAS server.
  Any input/information would be greatly appreciated.
  Joe

  Shaun,
  My LAG - etherchannel interface
  interface Port-channel8
  description WLC-portchannel
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,3,24-26
  switchport mode trunk
  end
  My 2 WLC Fiber ports:
  Current configuration : 382 bytes
  interface GigabitEthernet7/47
  description CiscoWLC-LAG-Ports
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,3,24-26
  switchport mode trunk
  service-policy output autoqos-voip-policy
  qos trust cos
  auto qos voip trust
  tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
  spanning-tree bpdufilter enable
  channel-group 8 mode on
  end
  2200-3A#sh run int g7/48
  Building configuration...
  Current configuration : 382 bytes
  interface GigabitEthernet7/48
  description CiscoWLC-LAG-Ports
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,3,24-26
  switchport mode trunk
  service-policy output autoqos-voip-policy
  qos trust cos
  auto qos voip trust
  tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
  spanning-tree bpdufilter enable
  channel-group 8 mode on
  end
  I use vl1 for ap mgmt, vl3 for hotspot, and vl24-26 for WPA2 clients and wireless voip devices.
  One of my AP switchports on the same switch. I let the trunk port to the AP carry a range of vlan's, and then a manage the vlans assigned to clients with IAS and the WLC.
  interface FastEthernet4/48
  description AP-PoE
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1-1004
  switchport mode trunk
  service-policy output autoqos-voip-policy
  qos trust cos
  auto qos voip trust
  tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
  end
  Jim

• Dynamic VLAN/SSID assignment w/IPv6

  I have followed the answer in this discussion which instructs on how to get Dynamic VLAN/SSID assignments using WLCs + MS IAS:
  https://supportforums.cisco.com/thread/339396
  This works great for IPv4.  This does not appear to work for IPv6.
  I have CT2504 WLCs running v7.0.116.0 and AP 3502s.  I have a Windows 2003 IAS working for 802.1x authentication using PEAP and per-user/group dynamic VLAN/SSID assignments.  Based on who you authenticate as, you are placed on the appropriate VLAN.
  However, IPv6 does not function properly.  I believe this is due to the nature that the WLC only bridges IPv6 from the Interface Group that the WLAN is assigned to and/or whatever Multicast VLAN you assign.
  If I connect as a user assigned to the same matching VLAN as the WLAN Interface / Multicast VLAN, IPv6 works just fine.  I do not even have to have the "Enable IPv6" box checked in the Advanced tab, nor does the "Multicast Vlan Feature" need to be enabled - IPv6 still works.
  If I connect as a user that is assigned to a different VLAN than the WLAN Interface / Multicast VLAN, I see the IPv6 Router Advertisement from the WLAN Interface / Multicast VLAN, and not the VLAN that "Allow AAA Override" switched me to.  Naturally since I'm getting as IPv6 prefix for a different VLAN, when I try to route traffic through the IPv6 default gateway (which isn't on the VLAN I'm connected to), it doesn't work.
  One work-around to have IPv6 support is to use distinct, non-dynamic per VLAN/SSID assignments.  This is ugly and doesn't scale (16 max SSIDs).
  Has anyone else experienced this and know of a solution?
  For now I'll just have to set the WLAN Interface to a VLAN which does not have IPv6 enabled and my wireless users won't have IPv6 unless they VPN on top of Wifi.  Rather disappointing.

  this sounds alot like another implication of IPv6 with "more than one VLAN on the same SSID".
  see this thread:
  https://supportforums.cisco.com/thread/2157621?tstart=60
  not with dynamic vlan, but vlan select - which, on the L2/L3 on SSID-side is essentially the same.
  as mentioned in the thread, 7.2 has a feature that "automatically sends the correct RA to the correct clients via L2  wireless unicast. By unicasting the RA, clients on the same WLAN, but a  different VLAN, do not receive the incorrect RA."
  lucky for you, 7.2 is available for the 2504 - with my WiSM1s I am out of luck :-(
  so this feature *could* solve this problem, as the problem is that the wrong IPv6-RAs are broadcasted for the client (because the SSID is the same)

• 4500X L3 MEC + VRF + DHCP issue

  Good morning -
  I have a pair of 6513 in a VS40 (VSS quad sup) connected via L3 MEC to a VSS pair of 4500X. Active to Active and Standby to Standby connected in a L3 MEC port-channel that is also a vnet trunk:
  (Core)
  interface Port-channel5
  description Distribution Uplink
  no switchport
  vnet trunk
  ip dhcp snooping limit rate 100
  ip address 172.20.68.1 255.255.255.252
  ip ospf message-digest-key 1 md5 XXX
  spanning-tree guard root
  (4500 Distribution)
  interface Port-channel1
  description Core Uplink
  vnet trunk
  ip arp inspection trust
  ip address 172.20.68.2 255.255.255.252
  ip ospf message-digest-key 1 md5 XXX
  The interfaces are all using LACP mode Active inside the channels
  On the 4500 we have a global routing table and a vrf. Both have helper addresses pointing to the DHCP server which is extranet service behind the 6513 Core.
  interface Vlan2301
  description Global Routing Table
  ip address 172.19.68.1 255.255.255.0
  ip helper-address 10.4.16.222
  interface Vlan2512
  description VRF
  vrf forwarding RED
  ip address 10.217.5.1 255.255.255.0
  ip helper-address 10.4.16.222
  DHCP for the Global Routing Table subnet works. DHCP for the VRF does not.
  What is interesting is if we shut down the link that is connected to the standby 4500 (Te2/1/1) DHCP starts to work for the VRF.
  Using <debug ip dhcp server packet detail> at the 4500 here is what I am seeing.
  When both links are up and DHCP is failing for the VRF:
  Mar 10 20:02:02.419: DHCPD: BOOTREQUEST from 0100.1a6b.3a56.13 forwarded to 10.4.16.222.
  Mar 10 20:02:10.473: DHCPD: Reload workspace interface Vlan2512 tableid 3.
  Mar 10 20:02:10.473: DHCPD: tableid for 10.217.5.1 on Vlan2512 is 3
  Mar 10 20:02:10.474: DHCPD: client's VPN is RED.
  Mar 10 20:02:10.474: DHCPD: using received relay info.
  When I shut the Te2/1/1 link down in the L3 MEC at the 4500 DHCP starts to work for the VRF RED:
  Mar 10 20:04:41.354: DHCPD: BOOTREQUEST from 0100.1a6b.3a56.13 forwarded to 10.4.16.222.
  Mar 10 20:04:41.369: DHCPD: Reload workspace interface Port-channel1.2002 tableid 3.
  Mar 10 20:04:41.369: DHCPD: tableid for 172.20.68.2 on Port-channel1.2002 is 3
  Mar 10 20:04:41.369: DHCPD: client's VPN is .
  Mar 10 20:04:41.369: DHCPD: forwarding BOOTREPLY to client 001a.6b3a.5613.
  Mar 10 20:04:41.369: DHCPD: no option 125
  Mar 10 20:04:41.369: DHCPD: broadcasting BOOTREPLY to client 001a.6b3a.5613.
  Mar 10 20:04:41.369: DHCPD: no option 125
  Mar 10 20:04:44.808: DHCPD: Reload workspace interface Vlan2512 tableid 3.
  Mar 10 20:04:44.808: DHCPD: tableid for 10.217.5.1 on Vlan2512 is 3
  Mar 10 20:04:44.808: DHCPD: client's VPN is RED.
  It is like there is a bug that is treating the L3 MEC as a L2 MEC when both links are present; or the VNET trunk is not being processed correctly.
  Has anyone else used a L3 MEC with a VRF and a DHCP helper with success? Is this a bug?
  03.05.01.E is the code we are running on the 4500X-32(SPF+)
  This is also with TAC but I thought I would share with the community in case anyone else has a similar environment or if Cisco experts want to comment.

  Hi,
  I have tested the dhcp server and vrf on Cisco 3640 and it is working without VRF under the ip dhcp pool. Please ensure that you have configured routing for the dhcp-relay agent(VLAN facing dhcp client on 3750 in your case).

• Managment VLAN - SSID mapping

  I'm implementing a large WLAN for a hospital. they will be using Cisco VPN and RSA OTP to provide authentication and data confidentiality/integrity. They also desire a Wireless LAN Solution Engine.
  I wish to create a "user" VLAN-SSID mapping, and a "wireless network management" VLAN-SSID mapping, so I can require users to use VPN to get off their local segment, but also use WLSE & HPOV to manage the WAPs via a managment interface.
  To trunk the mgmt vlan, I think i need to map it to an ssid on the WAP. However, I do not want the mngmt vlan/ssid to accept client associations. I basically only want the mngmt vlan to exist on the wire and at the AP, not on the RF.
  How would I accomplish this?

  It is a little bit of a kludge to do this but.
  On the vlan SSID page set the max allowed associations to 1 ( 0 will mean max number of associations will be 2047) This will allow only on client to associate, now you can block this one by creating a MAC address filter on that VLAN that has no MAC address in it and the default action for both multicast and unicast is discard.
  You could do just the filter but if the filtre is ever turned off then you have the added bonus of only one client getting through
  David

• 6500 DHCP ISSUE

  Hello All,
  I am having an issue do DHCP from the 6500, and was hoping someone cant help. So, I tried to setup DHCP from the FWSM to the clients and this worked fine with giving out the IP, however the gateway for devices on the inside is supposed to be the 6500, not the FWSM, which is why the clinets wouldn't get out to the internet. Do I need to set up DHCP relay on the FWSM or does anyone know the way I can setup DHCP on the 6500 to give out IP's to the clients. Again just to reiterate, when I setup DHCP on the FWSM the clinets get the IP's but do not get out to the internet and when I setup DHCP on the 6500 the clients do not get an IP. Also I know tghis is a dhcp issue becasue when I assign a static address on the network the clients get out fine. Thanks in advance for the help!
  6500 Config
  ip dhcp pool TEST
     network 1.1.1.0 255.255.255.0
     default-router 1.1.1.1
     dns-server x.x.x.x y.y.y.y
  FWSM Config
  FWSM/TEST# show run
  interface Vlan3
  nameif outside9
  bridge-group 1
  security-level 0
  interface Vlan203
  nameif inside9
  bridge-group 1
  security-level 100
  interface BVI1
  ip address 1.1.1.4 255.255.255.0
  passwd 2KFQnbNIdI.2KYOU encrypted
  access-list INSIDE1_IN extended permit ip any any
  global (outside1) 1 x.x.x.x
  nat (inside1) 1 1.1.1.0 255.255.255.0
  access-group INSIDE1_IN in interface inside1
  route outside1 0.0.0.0 0.0.0.0 1.1.1.1 1
  FWSM/TEST#

  Hello Alain,
  Thanks for your quick response. I attached a Diagram of the layout. Just to let you know this is an FWSM with many virtual contexts and most including this one that are Transparent. I understand that I need an access-list on both ends to specifiy so the FWSM opens it, I am just having issue because the FWSM sees this as unsual traffic and the access-list needs to be on-point to work. Thank you for the response and I'll look forward to hearing back from you.

• Heads Up: Private VLAN Sticky-ARP DHCP Issues

  Here is the scenario:
  Private VLANs are configured on a 6500 Sup720 with SVIs routing for the PVLANs.
  DHCP Snooping and IP ARP Inspection are also configured for the PVLAN subnets.
  A DHCP Server is offering 3 day leases.
  A laptop connects to the network and receives a 3-day lease. The user leaves the office and returns 4 days later. The DHCP server offers a new lease with a different IP address. Furthermore, the previous IP address leased to the laptop has been handed out in a new lease to another host. Both systems receive their DHCP lease but have no network connectivity.
  The problem occurs because, by default, PVLAN SVIs use Sticky-ARP and never age out their ARP cache. Since the laptop has a different IP address to MAC address mapping than recorded in the Sticky-ARP cache, a violation occurs and the switch prevents the new IP address from populating the ARP table on the switch.
  Sticky-ARP is a security feature that prevents one system from stealing another systems IP address.
  Log messages show the following:
  %IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry
  The 6500 PVLAN configuration guide Restrictions and Guidlines section suggests that Sticky-ARP is fundamental to Private-VLANs, and the only work-around for this problem is to create manual arp entries for the new IP address. This is clearly not a viable workaround for this scenario.
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979
  However, the 6500 Command Reference shows that Sticky ARP can be disabled, but makes no reference to PVLANs
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/i1.htm#wp1091738
  There appears to be two sensible solutions to this problem:
  1) Disable Stick-ARP on the 6500 for the PVLANs. Since DHCP Snooping and IP ARP Inspection are configured, sticky-arp can be disabled without relaxing network security. This is assuming the 6500 will accept the command and will not break the existing PVLAN functionality.
  2) Extend the DHCP lease longer, to 45 or 90 days perhaps. This will catch most transient activity and keep the IP address to MAC address relationships the same, wherever possible. The downside here is that DHCP address pools could collect stale entires that would take the lease time to flush, thus reducing the overall available IPs in the pool.
  Has anyone else run into this problem? If so, what was your solution? Did you attempt either option above? I am planning on using solution #1 above, but I wanted to ping the NetPro community with this as I am sure we are not the first customer to run into this. Or are we??
  Regards,
  Brad

  Excellent question.
  Sticky-ARP is NOT intended to be a pain-in-the-butt that should disabled right away, rather, it is a security mechanism that prevents a system from stealing an active IP address on the subnet and causing a lot of problems. Sticky-ARP works best on subnets that have all static IP addressing where there is no expectation that a host would frequently change its IP address.
  Yes, I would recommend keeping Sticky-ARP on subnets with all static IP addresses.
  In DHCP subnets with no static IP addressing, DHCP Snooping and IP ARP Inspection provide the same security coverage that Sticky-ARP does, they prevent a system from claiming an illegitimate IP and MAC address. Furthermore, in DHCP subnets, it is reasonable to expect that a host would change its IP address from time to time when its lease expires.
  Sticky-ARP does not provide any addtional securtity benefits when DHCP Snooping and IP ARP Inspection are active and it only causes problems when a lease expires.
  When Cisco made Stick-ARP the default behavior for Private VLANs, they certain did not have DHCP in mind.
  In Summary, it should be known as a Best Practice that when using Private VLANs on user segments with DHCP that DHCP Snooping and IP ARP Inspection should be enabled and Sticky-ARP be disabled.
  Brad